diff --git a/policy-F15.patch b/policy-F15.patch index 33a544e..b1073c0 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -786,10 +786,25 @@ index 4f7bd3c..3405a10 100644 ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..ce5af6e 100644 +index 7090dae..90e22f4 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te -@@ -119,14 +119,10 @@ seutil_dontaudit_read_config(logrotate_t) +@@ -105,6 +105,9 @@ files_getattr_generic_locks(logrotate_t) + + # cjp: why is this needed? + init_domtrans_script(logrotate_t) ++# bug 704844 ++init_stream_connect_script(logrotate_t) ++files_write_generic_pid_socket(logrotate_t) + + logging_manage_all_logs(logrotate_t) + logging_send_syslog_msg(logrotate_t) +@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t) + + seutil_dontaudit_read_config(logrotate_t) + ++systemd_exec_systemctl(logrotate_t) ++ userdom_use_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) @@ -806,7 +821,7 @@ index 7090dae..ce5af6e 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -166,6 +162,11 @@ optional_policy(` +@@ -166,6 +167,11 @@ optional_policy(` ') optional_policy(` @@ -818,7 +833,7 @@ index 7090dae..ce5af6e 100644 cups_domtrans(logrotate_t) ') -@@ -203,7 +204,6 @@ optional_policy(` +@@ -203,7 +209,6 @@ optional_policy(` psad_domtrans(logrotate_t) ') @@ -826,7 +841,7 @@ index 7090dae..ce5af6e 100644 optional_policy(` samba_exec_log(logrotate_t) ') -@@ -228,3 +228,14 @@ optional_policy(` +@@ -228,3 +233,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -1362,10 +1377,18 @@ index c633aea..c489eec 100644 optional_policy(` seutil_use_newrole_fds(gcc_config_t) diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..2abb1a0 100644 +index af55369..4e0088d 100644 --- a/policy/modules/admin/prelink.te 
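Review bot: `files_write_generic_pid_socket(logrotate_t)` in the logrotate.te hunk grants write on every `sock_file` that still carries the generic `var_run_t` label, which is wider than the single socket the `# bug 704844` comment is presumably about. The interface added for it in files.if (`allow $1 var_run_t:sock_file write;`) has the same breadth by construction. If the socket belongs to a known daemon, giving it its own type and granting a stream-connect interface on that type would keep logrotate_t away from any other generically labelled socket under /var/run. At minimum the comment should name the socket, e.g. `# bug 704844: <socket path> is created with the generic var_run_t label`. The new `systemd_exec_systemctl(logrotate_t)` line a few lines below has no comment either.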
+++ b/policy/modules/admin/prelink.te -@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) +@@ -18,6 +18,7 @@ type prelink_cron_system_t; + type prelink_cron_system_exec_t; + domain_type(prelink_cron_system_t) + domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) ++domain_obj_id_change_exemption(prelink_cron_system_t) + + type prelink_log_t; + logging_log_file(prelink_log_t) +@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t) # Local policy # @@ -1374,7 +1397,7 @@ index af55369..2abb1a0 100644 allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; -@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) @@ -1387,7 +1410,7 @@ index af55369..2abb1a0 100644 kernel_read_system_state(prelink_t) kernel_read_kernel_sysctls(prelink_t) -@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t) +@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) @@ -1395,7 +1418,7 @@ index af55369..2abb1a0 100644 files_list_all(prelink_t) files_getattr_all_files(prelink_t) -@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t) +@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) @@ -1404,7 +1427,7 @@ index af55369..2abb1a0 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -99,6 +103,8 @@ libs_delete_lib_symlinks(prelink_t) +@@ -99,6 +104,8 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) 
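Review bot: The added `domain_obj_id_change_exemption(prelink_cron_system_t)` has no comment or bug reference, although it exempts the domain from the constraint that stops it changing the SELinux user identity in object contexts. The rules visible for prelink_cron_system_t in the later hunks only show it reading and unlinking the prelink cache and transitioning to prelink_t, so it is not clear from the patch why the cron wrapper itself needs the exemption. I would add a why-comment above the line, for example `# cron wrapper relabels <objects>; needs seuser change exemption, bug <id>`, or drop the line if the denial was really raised by prelink_t. The rest of the type declarations in prelink.te lie outside this hunk.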
@@ -1413,7 +1436,7 @@ index af55369..2abb1a0 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,6 +115,14 @@ optional_policy(` +@@ -109,6 +116,14 @@ optional_policy(` ') optional_policy(` @@ -1428,7 +1451,7 @@ index af55369..2abb1a0 100644 rpm_manage_tmp_files(prelink_t) ') -@@ -129,6 +143,7 @@ optional_policy(` +@@ -129,6 +144,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -1436,7 +1459,7 @@ index af55369..2abb1a0 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +163,28 @@ optional_policy(` +@@ -148,17 +164,28 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -2103,7 +2126,7 @@ index 0948921..f198119 100644 admin_pattern($1, shorewall_tmp_t) ') diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te -index c17b6a6..d412305 100644 +index c17b6a6..8ff5a96 100644 --- a/policy/modules/admin/shorewall.te +++ b/policy/modules/admin/shorewall.te @@ -58,6 +58,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) @@ -2116,7 +2139,7 @@ index c17b6a6..d412305 100644 kernel_read_kernel_sysctls(shorewall_t) kernel_read_network_state(shorewall_t) -@@ -80,13 +83,18 @@ fs_getattr_all_fs(shorewall_t) +@@ -80,13 +83,20 @@ fs_getattr_all_fs(shorewall_t) init_rw_utmp(shorewall_t) @@ -2128,6 +2151,8 @@ index c17b6a6..d412305 100644 sysnet_domtrans_ifconfig(shorewall_t) -userdom_dontaudit_list_user_home_dirs(shorewall_t) ++userdom_use_inherited_user_ttys(shorewall_t) ++userdom_use_inherited_user_ptys(shorewall_t) +userdom_dontaudit_list_admin_dir(shorewall_t) + +optional_policy(` @@ -4525,7 +4550,7 @@ index f5afe78..4c9bd12 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') 
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..95f89db 100644 +index 2505654..43eb452 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0) @@ -4600,7 +4625,7 @@ index 2505654..95f89db 100644 ############################## # # Local Policy -@@ -75,3 +110,165 @@ optional_policy(` +@@ -75,3 +110,167 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -4675,6 +4700,8 @@ index 2505654..95f89db 100644 +files_read_etc_files(gnomesystemmm_t) +files_read_usr_files(gnomesystemmm_t) + ++fs_getattr_xattr_fs(gnomesystemmm_t) ++ +miscfiles_read_localization(gnomesystemmm_t) + +userdom_read_all_users_state(gnomesystemmm_t) @@ -5824,7 +5851,7 @@ index 9a6d67d..19de023 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..584c255 100644 +index 2a91fa8..1ddd82a 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) @@ -5906,7 +5933,7 @@ index 2a91fa8..584c255 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,194 @@ optional_policy(` +@@ -266,3 +291,198 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -6082,6 +6109,10 @@ index 2a91fa8..584c255 100644 +') + +optional_policy(` ++ pcscd_stream_connect(mozilla_plugin_t) ++') ++ ++optional_policy(` + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) + xserver_use_user_fonts(mozilla_plugin_t) @@ -6799,10 +6830,10 @@ index 0000000..4f9cb05 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..3ce0256 +index 0000000..7e5b628 --- /dev/null 
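Review bot: `pcscd_stream_connect(mozilla_plugin_t)` in the mozilla.te hunk is guarded only by `optional_policy`, so every plugin process may connect to the smart-card daemon whenever the pcscd module is installed. mozilla_plugin_t is the domain that confines plugin code, so access to token readers deserves a stated reason, and the block has no comment or bug number. Consider placing the call under a `tunable_policy` boolean that defaults to off, or at least add a comment such as `# plugins need the smart-card reader for <use case>, bug <id>`.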
+++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,327 @@ +@@ -0,0 +1,332 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -6998,6 +7029,10 @@ index 0000000..3ce0256 +') + +optional_policy(` ++ gpm_getattr_gpmctl(nsplugin_t) ++') ++ ++optional_policy(` + mozilla_execute_user_home_files(nsplugin_t) + mozilla_read_user_home_files(nsplugin_t) + mozilla_write_user_home_files(nsplugin_t) @@ -7044,6 +7079,7 @@ index 0000000..3ce0256 +allow nsplugin_config_t self:fifo_file rw_file_perms; +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + ++dev_search_sysfs(nsplugin_config_t) +dev_read_urand(nsplugin_config_t) +dev_dontaudit_read_rand(nsplugin_config_t) +dev_dontaudit_rw_dri(nsplugin_config_t) @@ -8160,10 +8196,10 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..dd6c327 +index 0000000..b0cc5df --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,483 @@ +@@ -0,0 +1,484 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -8224,6 +8260,7 @@ index 0000000..dd6c327 +fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_dontaudit_request_load_module(sandbox_xserver_t) ++kernel_read_system_state(sandbox_xserver_t) + +corecmd_exec_bin(sandbox_xserver_t) +corecmd_exec_shell(sandbox_xserver_t) @@ -8241,7 +8278,9 @@ index 0000000..dd6c327 +corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) +corenet_sendrecv_all_client_packets(sandbox_xserver_t) + ++dev_search_sysfs(sandbox_xserver_t) +dev_rwx_zero(sandbox_xserver_t) ++dev_read_urand(sandbox_xserver_t) + +files_read_config_files(sandbox_xserver_t) +files_read_usr_files(sandbox_xserver_t) 
@@ -8253,8 +8292,6 @@ index 0000000..dd6c327 +miscfiles_read_fonts(sandbox_xserver_t) +miscfiles_read_localization(sandbox_xserver_t) + -+kernel_read_system_state(sandbox_xserver_t) -+ +selinux_validate_context(sandbox_xserver_t) +selinux_compute_access_vector(sandbox_xserver_t) +selinux_compute_create_context(sandbox_xserver_t) @@ -8308,6 +8345,10 @@ index 0000000..dd6c327 + attribute exec_type, configfile; +') + ++kernel_dontaudit_read_system_state(sandbox_domain) ++ ++corecmd_exec_all_executables(sandbox_domain) ++ +files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t ) +files_entrypoint_all_files(sandbox_domain) + @@ -8318,9 +8359,6 @@ index 0000000..dd6c327 + +miscfiles_read_localization(sandbox_domain) + -+kernel_dontaudit_read_system_state(sandbox_domain) -+corecmd_exec_all_executables(sandbox_domain) -+ +userdom_dontaudit_use_user_terminals(sandbox_domain) + +mta_dontaudit_read_spool_symlinks(sandbox_domain) @@ -8360,21 +8398,20 @@ index 0000000..dd6c327 +manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); +dontaudit sandbox_x_domain sandbox_file_t:dir mounton; + -+domain_dontaudit_read_all_domains_state(sandbox_x_domain) -+ -+files_search_home(sandbox_x_domain) -+files_dontaudit_list_all_mountpoints(sandbox_x_domain) -+ +kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) +kernel_read_system_state(sandbox_x_domain) + ++domain_dontaudit_read_all_domains_state(sandbox_x_domain) ++ +corecmd_exec_all_executables(sandbox_x_domain) + +dev_read_urand(sandbox_x_domain) +dev_dontaudit_read_rand(sandbox_x_domain) +dev_read_sysfs(sandbox_x_domain) + ++files_search_home(sandbox_x_domain) ++files_dontaudit_list_all_mountpoints(sandbox_x_domain) +files_entrypoint_all_files(sandbox_x_domain) +files_read_config_files(sandbox_x_domain) +files_read_usr_files(sandbox_x_domain) @@ -9599,10 +9636,10 @@ index ced285a..2e50976 100644 + ') +') 
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te -index 13b2cea..45731eb 100644 +index 13b2cea..bf46ac1 100644 --- a/policy/modules/apps/userhelper.te +++ b/policy/modules/apps/userhelper.te -@@ -6,9 +6,61 @@ policy_module(userhelper, 1.6.0) +@@ -6,9 +6,63 @@ policy_module(userhelper, 1.6.0) # attribute userhelper_type; @@ -9639,6 +9676,8 @@ index 13b2cea..45731eb 100644 + +corecmd_exec_bin(consolehelper_domain) + ++dev_getattr_all_chr_files(consolehelper_domain) ++ +files_read_config_files(consolehelper_domain) +files_read_usr_files(consolehelper_domain) + @@ -10415,7 +10454,7 @@ index 6cf8784..5a6e602 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..255c5bb 100644 +index e9313fb..74456ed 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -10570,7 +10609,15 @@ index e9313fb..255c5bb 100644 ') ######################################## -@@ -1178,6 +1233,42 @@ interface(`dev_create_all_chr_files',` +@@ -1006,6 +1061,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` + interface(`dev_getattr_all_chr_files',` + gen_require(` + attribute device_node; ++ type device_t; + ') + + getattr_chr_files_pattern($1, device_t, device_node) +@@ -1178,6 +1234,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -10613,7 +10660,7 @@ index e9313fb..255c5bb 100644 ## Delete all block device files. ## ## -@@ -3192,24 +3283,6 @@ interface(`dev_rw_printer',` +@@ -3192,24 +3284,6 @@ interface(`dev_rw_printer',` ######################################## ## 
@@ -10638,7 +10685,7 @@ index e9313fb..255c5bb 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3793,6 +3866,24 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3793,6 +3867,24 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -10663,7 +10710,7 @@ index e9313fb..255c5bb 100644 ## Search the sysfs directories. ## ## -@@ -3884,25 +3975,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3884,25 +3976,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -10689,7 +10736,7 @@ index e9313fb..255c5bb 100644 ## Read hardware state information. ## ## -@@ -3954,6 +4026,42 @@ interface(`dev_rw_sysfs',` +@@ -3954,6 +4027,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -10732,7 +10779,7 @@ index e9313fb..255c5bb 100644 ## Read and write the TPM device. ## ## -@@ -4514,6 +4622,24 @@ interface(`dev_rwx_vmware',` +@@ -4514,6 +4623,24 @@ interface(`dev_rwx_vmware',` ######################################## ## @@ -10757,7 +10804,7 @@ index e9313fb..255c5bb 100644 ## Write to watchdog devices. ## ## -@@ -4748,3 +4874,22 @@ interface(`dev_unconfined',` +@@ -4748,3 +4875,22 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -11235,7 +11282,7 @@ index 16108f6..a02d2cc 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..0d32093 100644 +index 958ca84..5631fb1 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` 
@@ -12145,7 +12192,32 @@ index 958ca84..0d32093 100644 ######################################## ## ## Do not audit attempts to search -@@ -5542,6 +6165,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5410,6 +6033,24 @@ interface(`files_write_generic_pid_pipes',` + allow $1 var_run_t:fifo_file write; + ') + ++###################################### ++## ++## Write named generic sock file in /var/run. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_generic_pid_socket',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:sock_file write; ++') ++ + ######################################## + ## + ## Create an object in the process ID directory, with a private type. +@@ -5542,6 +6183,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -12208,7 +12280,7 @@ index 958ca84..0d32093 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6238,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6256,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -12253,7 +12325,7 @@ index 958ca84..0d32093 100644 ') ######################################## -@@ -5844,3 +6561,284 @@ interface(`files_unconfined',` +@@ -5844,3 +6579,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -21373,7 +21445,7 @@ index 1cf6c4e..e4bac67 100644 -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if -index 293e08d..82306eb 100644 +index 293e08d..24f7736 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if @@ -1,12 +1,12 @@ 
@@ -21472,15 +21544,17 @@ index 293e08d..82306eb 100644 files_search_var_lib($1) ') -@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',` +@@ -118,7 +120,9 @@ interface(`cobbler_read_lib_files',` + type cobbler_var_lib_t; ') ++ allow $1 cobbler_var_lib_t:dir list_dir_perms; read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) files_search_var_lib($1) ') -@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',` +@@ -137,12 +141,33 @@ interface(`cobbler_manage_lib_files',` type cobbler_var_lib_t; ') @@ -21514,7 +21588,7 @@ index 293e08d..82306eb 100644 ## All of the rules required to administrate ## an cobblerd environment ## -@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',` +@@ -161,25 +186,34 @@ interface(`cobbler_manage_lib_files',` interface(`cobblerd_admin',` gen_require(` type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; @@ -21862,10 +21936,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..7aa11b6 +index 0000000..17e1cf3 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,110 @@ +@@ -0,0 +1,111 @@ +policy_module(colord,1.0.0) + +######################################## @@ -21893,8 +21967,8 @@ index 0000000..7aa11b6 +# colord local policy +# + ++allow colord_t self:capability { dac_read_search dac_override }; +allow colord_t self:process signal; -+ +allow colord_t self:fifo_file rw_fifo_file_perms; +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; +allow colord_t self:udp_socket create_socket_perms; @@ -21929,6 +22003,7 @@ index 0000000..7aa11b6 +dev_read_urand(colord_t) +dev_list_sysfs(colord_t) +dev_rw_generic_usb_dev(colord_t) ++storage_getattr_fixed_disk_dev(colord_t) +storage_read_scsi_generic(colord_t) +storage_write_scsi_generic(colord_t) + 
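Review bot: The new `allow colord_t self:capability { dac_read_search dac_override };` in colord.te gives the daemon `dac_override`, which bypasses discretionary permission checks for writes as well as reads, without a comment on which denial prompted it. If the AVC was for reading or traversing a path, `dac_read_search` alone should be enough and the line could shrink to `allow colord_t self:capability dac_read_search;`. If write access is really required, record the path and bug in a comment above the rule so the grant can be revisited later.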
@@ -23509,7 +23584,7 @@ index a8b93c0..831ce70 100644 type dante_var_run_t; files_pid_file(dante_var_run_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..d2d4d9d 100644 +index 0d5711c..fd9938d 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -23699,7 +23774,7 @@ index 0d5711c..d2d4d9d 100644 ') ######################################## -@@ -431,14 +479,28 @@ interface(`dbus_system_domain',` +@@ -431,14 +479,29 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -23710,7 +23785,8 @@ index 0d5711c..d2d4d9d 100644 + init_stream_connect($1) + init_dgram_send($1) -+ ++ init_use_fds($1) ++ ps_process_pattern(system_dbusd_t, $1) + userdom_dontaudit_search_admin_dir($1) @@ -23729,7 +23805,7 @@ index 0d5711c..d2d4d9d 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -497,3 +559,23 @@ interface(`dbus_unconfined',` +@@ -497,3 +560,23 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -27362,7 +27438,7 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..6ee7b93 100644 +index 4fde46b..4417f4e 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te @@ -9,24 +9,31 @@ type gnomeclock_t; @@ -27400,7 +27476,7 @@ index 4fde46b..6ee7b93 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,12 +42,50 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,12 +42,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` 
@@ -27445,6 +27521,7 @@ index 4fde46b..6ee7b93 100644 +# needed by systemctl +init_stream_connect(gnomeclock_systemctl_t) +init_read_state(gnomeclock_systemctl_t) ++init_list_pid_dirs(gnomeclock_systemctl_t) + +systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t) + @@ -28145,10 +28222,21 @@ index 9fab1dc..dc7dd01 100644 mta_send_mail(innd_t) diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te -index 9aeeaf9..e0ed328 100644 +index 9aeeaf9..4ad06ac 100644 --- a/policy/modules/services/irqbalance.te +++ b/policy/modules/services/irqbalance.te -@@ -47,6 +47,11 @@ miscfiles_read_localization(irqbalance_t) +@@ -19,6 +19,10 @@ files_pid_file(irqbalance_var_run_t) + + allow irqbalance_t self:capability { setpcap net_admin }; + dontaudit irqbalance_t self:capability sys_tty_config; ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit irqbalance_t self:capability sys_module; ++') + allow irqbalance_t self:process { getcap setcap signal_perms }; + allow irqbalance_t self:udp_socket create_socket_perms; + +@@ -47,6 +51,11 @@ miscfiles_read_localization(irqbalance_t) userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) userdom_dontaudit_search_user_home_dirs(irqbalance_t) @@ -36650,7 +36738,7 @@ index bc329d1..0589f97 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te -index d4000e0..312e537 100644 +index d4000e0..f1e983e 100644 --- a/policy/modules/services/psad.te +++ b/policy/modules/services/psad.te @@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t) 
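Review bot: The `dontaudit irqbalance_t self:capability sys_module;` added under `hide_broken_symptoms` silences every sys_module denial for irqbalance, and its comment `# caused by some bogus kernel code` does not say which kernel path or bug triggers it. sys_module denials are also what an analyst would look for if the daemon were ever made to request a module load, so the suppression should be traceable and removable. Extend the comment with the bug number or affected kernel version, e.g. `# kernel checks sys_module during <operation>; see bug <id>, remove once fixed`.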
@@ -36662,6 +36750,15 @@ index d4000e0..312e537 100644 type psad_initrc_exec_t; init_script_file(psad_initrc_exec_t) +@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t) + + allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; + dontaudit psad_t self:capability sys_tty_config; +-allow psad_t self:process signull; ++allow psad_t self:process { signal signull }; + allow psad_t self:fifo_file rw_fifo_file_perms; + allow psad_t self:rawip_socket create_socket_perms; + @@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) @@ -37932,10 +38029,31 @@ index 852840b..1244ab2 100644 + ') ') diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te -index 0a76027..7083808 100644 +index 0a76027..150548c 100644 --- a/policy/modules/services/remotelogin.te +++ b/policy/modules/services/remotelogin.te -@@ -49,6 +49,8 @@ fs_getattr_xattr_fs(remote_login_t) +@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t) + auth_login_pgm_domain(remote_login_t) + auth_login_entry_type(remote_login_t) + +-type remote_login_tmp_t; +-files_tmp_file(remote_login_tmp_t) +- + ######################################## + # + # Remote login remote policy +@@ -34,10 +31,6 @@ allow remote_login_t self:msgq create_msgq_perms; + allow remote_login_t self:msg { send receive }; + allow remote_login_t self:key write; + +-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) +-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) +-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir }) +- + kernel_read_system_state(remote_login_t) + kernel_read_kernel_sysctls(remote_login_t) + +@@ -49,6 +42,8 @@ fs_getattr_xattr_fs(remote_login_t) fs_search_auto_mountpoints(remote_login_t) term_relabel_all_ptys(remote_login_t) 
@@ -37944,7 +38062,7 @@ index 0a76027..7083808 100644 auth_rw_login_records(remote_login_t) auth_rw_faillog(remote_login_t) -@@ -77,7 +79,7 @@ files_list_mnt(remote_login_t) +@@ -77,7 +72,7 @@ files_list_mnt(remote_login_t) # for when /var/mail is a sym-link files_read_var_symlinks(remote_login_t) @@ -37953,7 +38071,7 @@ index 0a76027..7083808 100644 miscfiles_read_localization(remote_login_t) -@@ -87,9 +89,8 @@ userdom_search_user_home_content(remote_login_t) +@@ -87,9 +82,10 @@ userdom_search_user_home_content(remote_login_t) # since very weak authentication is used. userdom_signal_unpriv_users(remote_login_t) userdom_spec_domtrans_unpriv_users(remote_login_t) @@ -37961,11 +38079,13 @@ index 0a76027..7083808 100644 -# Search for mail spool file. -mta_getattr_spool(remote_login_t) +userdom_use_user_ptys(remote_login_t) -+userdom_rw_user_tmp_files(remote_login_t) ++userdom_manage_user_tmp_dirs(remote_login_t) ++userdom_manage_user_tmp_files(remote_login_t) ++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir }) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(remote_login_t) -@@ -106,15 +107,15 @@ optional_policy(` +@@ -106,15 +102,15 @@ optional_policy(` ') optional_policy(` @@ -39108,7 +39228,7 @@ index 63e78c6..ffa4f37 100644 ## # diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te -index 779fa44..13556c1 100644 +index 779fa44..4bcaacc 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) @@ -39148,7 +39268,7 @@ index 779fa44..13556c1 100644 files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -88,9 +88,9 @@ seutil_read_config(rlogind_t) +@@ -88,9 +88,10 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) 
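Review bot: Replacing the private `remote_login_tmp_t` type with `userdom_manage_user_tmp_dirs`, `userdom_manage_user_tmp_files` and `userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })` means that what remote_login_t creates in /tmp now gets the user tmp label, and that the domain may manage existing user tmp content. The context lines of this hunk already warn that "very weak authentication is used" for this domain, so the wider grant needs a stated reason. The previous revision only had `userdom_rw_user_tmp_files(remote_login_t)`; if the new denial concerns a single file being created (an assumption, the hunk does not say), a filetrans limited to `file` would keep directory management out. Please add a comment with the bug reference above the three added lines. The type removal itself is in the earlier hunks at `@@ -10,9 +10,6 @@` and `@@ -34,10 +31,6 @@` and should be read together with this one.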
@@ -39158,10 +39278,11 @@ index 779fa44..13556c1 100644 +userdom_search_admin_dir(rlogind_t) +userdom_manage_user_tmp_files(rlogind_t) +userdom_tmp_filetrans_user_tmp(rlogind_t, file) ++userdom_use_user_terminals(rlogind_t) rlogin_read_home_content(rlogind_t) -@@ -112,5 +112,10 @@ optional_policy(` +@@ -112,5 +113,10 @@ optional_policy(` ') optional_policy(` @@ -40703,10 +40824,10 @@ index adea9f9..d5b2d93 100644 init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te -index 606a098..8b74d10 100644 +index 606a098..14535da 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te -@@ -73,16 +73,21 @@ files_read_etc_runtime_files(fsdaemon_t) +@@ -73,19 +73,26 @@ files_read_etc_runtime_files(fsdaemon_t) files_read_usr_files(fsdaemon_t) # for config files_read_etc_files(fsdaemon_t) @@ -40728,6 +40849,11 @@ index 606a098..8b74d10 100644 term_dontaudit_search_ptys(fsdaemon_t) ++init_read_utmp(fsdaemon_t) ++ + libs_exec_ld_so(fsdaemon_t) + libs_exec_lib_files(fsdaemon_t) + diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te index 740994a..a92ba26 100644 --- a/policy/modules/services/smokeping.te @@ -40742,16 +40868,17 @@ index 740994a..a92ba26 100644 allow smokeping_t self:udp_socket create_socket_perms; allow smokeping_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc -index 623c8fa..ac10740 100644 +index 623c8fa..0a802f7 100644 --- a/policy/modules/services/snmp.fc 
+++ b/policy/modules/services/snmp.fc -@@ -18,7 +18,7 @@ +@@ -18,7 +18,8 @@ /var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) -/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) ++/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if @@ -44018,7 +44145,7 @@ index 7c5d8d8..b961fd7 100644 + allow $1 virt_tmpfs_type:file manage_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..9d3bc6d 100644 +index 3eca020..1d39c1b 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,66 @@ policy_module(virt, 1.4.0) @@ -44171,7 +44298,17 @@ index 3eca020..9d3bc6d 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -133,6 +153,8 @@ dev_list_sysfs(svirt_t) +@@ -120,6 +140,9 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t) + dontaudit svirt_t virt_content_t:file write_file_perms; + dontaudit svirt_t virt_content_t:dir write; + ++# virt will attempt to us another virtualizations pubsaudio tmpfs_t, ignore error ++dontaudit svirt_t svirt_tmpfs_t:file { read write }; ++ + corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) +@@ -133,6 +156,8 @@ dev_list_sysfs(svirt_t) userdom_search_user_home_content(svirt_t) userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) 
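Review bot: `dontaudit svirt_t svirt_tmpfs_t:file { read write };` in the virt.te hunk hides attempts by a guest to read or write tmpfs files labelled for a guest, including another guest's files, which is the kind of cross-VM access an audit trail should surface. The access is still denied, so the concern is lost visibility rather than a new permission; if the noise is confined to the audio shared-memory case the comment describes, the comment should say so and cite the bug. The comment also has typos, and I would reword it as `# qemu will attempt to use another guest's pulseaudio tmpfs files; ignore the error (bug <id>)`.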
@@ -44180,7 +44317,7 @@ index 3eca020..9d3bc6d 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +169,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +172,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -44196,7 +44333,7 @@ index 3eca020..9d3bc6d 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +186,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +189,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -44219,7 +44356,7 @@ index 3eca020..9d3bc6d 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +211,33 @@ optional_policy(` +@@ -174,21 +214,33 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; @@ -44257,7 +44394,7 @@ index 3eca020..9d3bc6d 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +249,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +252,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -44274,7 +44411,7 @@ index 3eca020..9d3bc6d 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +275,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) +@@ -220,6 +278,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) 
@@ -44282,7 +44419,7 @@ index 3eca020..9d3bc6d 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +295,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +298,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -44315,7 +44452,7 @@ index 3eca020..9d3bc6d 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +327,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +330,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -44334,7 +44471,7 @@ index 3eca020..9d3bc6d 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +362,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +365,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -44365,7 +44502,7 @@ index 3eca020..9d3bc6d 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +404,10 @@ optional_policy(` +@@ -313,6 +407,10 @@ optional_policy(` ') optional_policy(` @@ -44376,7 +44513,7 @@ index 3eca020..9d3bc6d 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,6 +424,10 @@ optional_policy(` +@@ -329,6 +427,10 @@ optional_policy(` ') optional_policy(` @@ -44387,7 +44524,7 @@ index 3eca020..9d3bc6d 100644 dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) -@@ -365,6 +464,8 @@ optional_policy(` +@@ -365,6 +467,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -44396,7 +44533,7 @@ index 3eca020..9d3bc6d 100644 ') optional_policy(` -@@ -394,14 +495,26 @@ optional_policy(` +@@ -394,14 +498,26 @@ optional_policy(` # virtual domains common policy # 
@@ -44425,7 +44562,7 @@ index 3eca020..9d3bc6d 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +535,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +538,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -44433,7 +44570,7 @@ index 3eca020..9d3bc6d 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +543,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +546,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -44446,7 +44583,7 @@ index 3eca020..9d3bc6d 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +556,14 @@ files_search_all(virt_domain) +@@ -440,6 +559,14 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -44461,7 +44598,7 @@ index 3eca020..9d3bc6d 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +581,117 @@ optional_policy(` +@@ -457,8 +584,117 @@ optional_policy(` ') optional_policy(` @@ -48687,7 +48824,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..55a53e0 100644 +index cc83689..569ce8d 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,41 @@ interface(`init_script_domain',` @@ -49024,7 +49161,7 @@ index cc83689..55a53e0 100644 ') ') -@@ -800,23 +962,45 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +962,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` 
@@ -49047,11 +49184,11 @@ index cc83689..55a53e0 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -49064,16 +49201,12 @@ index cc83689..55a53e0 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## + ') + + ######################################## @@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` @@ -49216,7 +49349,7 @@ index cc83689..55a53e0 100644 ') ######################################## -@@ -1715,6 +1975,74 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1975,92 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -49235,6 +49368,24 @@ index cc83689..55a53e0 100644 + type init_var_run_t; + ') + ++ allow $1 init_var_run_t:dir search_dir_perms; ++') ++ ++###################################### ++## ++## Allow listing of the /run/systemd directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_list_pid_dirs',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ + allow $1 init_var_run_t:dir list_dir_perms; +') + @@ -49291,7 +49442,7 @@ index cc83689..55a53e0 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2077,139 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2095,139 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') 
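Review bot: In the init.if hunk that adds `init_list_pid_dirs`, the interface directly above it appears to be narrowed from `list_dir_perms` to `search_dir_perms`, so any existing caller that enumerated the directory will now be denied unless it was switched to the new interface. That interface's name and doc header are outside this hunk. The spec changelog on this page names only gnomeclock_systemctl_t as needing to list init_var_run_t, so the remaining callers should be checked before this ships. The new summary also says "the /run/systemd directory", but the rule covers every directory labeled init_var_run_t; I would word it `Allow listing of directories labeled init_var_run_t (such as /run/systemd).`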
@@ -52277,10 +52428,10 @@ index a0eef20..75e256f 100644 dev_rw_xserver_misc(insmod_t) diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc -index 72c746e..9f9124f 100644 +index 72c746e..704d2d7 100644 --- a/policy/modules/system/mount.fc +++ b/policy/modules/system/mount.fc -@@ -1,4 +1,15 @@ +@@ -1,4 +1,16 @@ +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -52297,6 +52448,7 @@ index 72c746e..9f9124f 100644 + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) ++/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index 8b5c196..6dc92dd 100644 --- a/policy/modules/system/mount.if @@ -56114,7 +56266,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..b7339b1 100644 +index 28b88de..b5bbbf5 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -56128,7 +56280,7 @@ index 28b88de..b7339b1 100644 domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,101 @@ template(`userdom_base_user_template',` +@@ -43,69 +44,103 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -56259,8 +56411,7 @@ index 28b88de..b7339b1 100644 + storage_rw_fuse($1_usertype) + + auth_use_nsswitch($1_usertype) - -- libs_exec_ld_so($1_t) ++ + init_stream_connect($1_usertype) + # The library functions always try to open read-write first, + # then fall back to read-only if it fails. 
@@ -56268,6 +56419,9 @@ index 28b88de..b7339b1 100644 + + libs_exec_ld_so($1_usertype) +- libs_exec_ld_so($1_t) ++ logging_send_audit_msgs($1_t) + miscfiles_read_localization($1_t) miscfiles_read_generic_certs($1_t) @@ -56279,7 +56433,7 @@ index 28b88de..b7339b1 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +149,17 @@ template(`userdom_base_user_template',` +@@ -116,6 +151,17 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -56297,7 +56451,7 @@ index 28b88de..b7339b1 100644 ') ####################################### -@@ -149,6 +193,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +195,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -56306,7 +56460,7 @@ index 28b88de..b7339b1 100644 ############################## # # Domain access to home dir -@@ -166,27 +212,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +214,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -56334,7 +56488,7 @@ index 28b88de..b7339b1 100644 ') ####################################### -@@ -218,8 +243,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +245,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -56346,7 +56500,7 @@ index 28b88de..b7339b1 100644 ############################## # # Domain access to home dir -@@ -228,17 +256,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +258,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory 
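Review bot: `logging_send_audit_msgs($1_t)` is added to `userdom_base_user_template` without a comment, and I do not see a matching entry in the spec changelog on this page. Because it sits in the base template, every role built from it gets the grant, confined users included. As far as I recall the interface allows `audit_write` and relaying on the audit netlink socket (confirm in logging.if); since audit records are what detection and forensics rely on, the widest template is a costly place to grant that without a stated reason. I would add a line such as `# needed by <program>, bug <id>` above the call, and move it into the narrower template if only some roles need it. The template body starts and ends outside this hunk.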
@@ -56378,7 +56532,7 @@ index 28b88de..b7339b1 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +278,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +280,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -56408,7 +56562,7 @@ index 28b88de..b7339b1 100644 ') ') -@@ -289,6 +319,8 @@ interface(`userdom_manage_tmp_role',` +@@ -289,6 +321,8 @@ interface(`userdom_manage_tmp_role',` type user_tmp_t; ') @@ -56417,7 +56571,7 @@ index 28b88de..b7339b1 100644 files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -@@ -297,6 +329,45 @@ interface(`userdom_manage_tmp_role',` +@@ -297,6 +331,45 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -56463,7 +56617,7 @@ index 28b88de..b7339b1 100644 ') ####################################### -@@ -316,6 +387,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +389,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -56471,7 +56625,7 @@ index 28b88de..b7339b1 100644 files_search_tmp($1) ') -@@ -350,6 +422,8 @@ interface(`userdom_manage_tmpfs_role',` +@@ -350,6 +424,8 @@ interface(`userdom_manage_tmpfs_role',` type user_tmpfs_t; ') @@ -56480,7 +56634,7 @@ index 28b88de..b7339b1 100644 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -@@ -360,46 +434,41 @@ interface(`userdom_manage_tmpfs_role',` +@@ -360,46 +436,41 @@ interface(`userdom_manage_tmpfs_role',` ####################################### ## 
@@ -56549,7 +56703,7 @@ index 28b88de..b7339b1 100644 ') ####################################### -@@ -430,6 +499,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +501,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -56557,7 +56711,7 @@ index 28b88de..b7339b1 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +560,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +562,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -56566,7 +56720,7 @@ index 28b88de..b7339b1 100644 ############################## # -@@ -500,73 +570,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +572,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -56687,7 +56841,7 @@ index 28b88de..b7339b1 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +652,122 @@ template(`userdom_common_user_template',` +@@ -574,67 +654,122 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -56701,23 +56855,23 @@ index 28b88de..b7339b1 100644 # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + apm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ canna_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ canna_stream_connect($1_usertype) ++ colord_read_lib_files($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) -+ chrome_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` -+ colord_read_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; 
@@ -56733,44 +56887,44 @@ index 28b88de..b7339b1 100644 + optional_policy(` + bluetooth_dbus_chat($1_usertype) + ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) ++ kde_dbus_chat_backlighthelper($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) - ') -+ -+ optional_policy(` -+ kde_dbus_chat_backlighthelper($1_usertype) -+ ') -+ -+ optional_policy(` + modemmanager_dbus_chat($1_usertype) -+ ') + ') + + optional_policy(` + networkmanager_dbus_chat($1_usertype) 
@@ -56815,20 +56969,20 @@ index 28b88de..b7339b1 100644 optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ++ ') ++ ++ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -650,41 +783,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +785,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status 
@@ -56860,51 +57014,51 @@ index 28b88de..b7339b1 100644 + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ rpcbind_stream_connect($1_usertype) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t,$1_r) -+ seunshare_role_template($1, $1_r, $1_t) - ') -+ -+ optional_policy(` + slrnpull_search_spool($1_usertype) -+ ') + ') + ') ####################################### -@@ -712,13 +854,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +856,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) - -- userdom_manage_tmp_role($1_r, $1_t) -- userdom_manage_tmpfs_role($1_r, $1_t) ++ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) + + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) -+ + +- userdom_manage_tmp_role($1_r, $1_t) +- userdom_manage_tmpfs_role($1_r, $1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -56922,7 +57076,7 @@ index 28b88de..b7339b1 100644 userdom_change_password_template($1) -@@ -736,72 +891,70 @@ template(`userdom_login_user_template', ` +@@ -736,72 +893,70 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; 
@@ -56992,45 +57146,45 @@ index 28b88de..b7339b1 100644 - seutil_read_config($1_t) + seutil_read_config($1_usertype) -+ -+ optional_policy(` -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) -+ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ kerberos_use($1_usertype) ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ kerberos_use($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ++ ') ++ ++ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) ') ') -@@ -833,6 +986,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +988,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -57040,7 +57194,7 @@ index 28b88de..b7339b1 100644 ############################## # # Local policy -@@ -874,45 +1030,116 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1032,116 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) 
@@ -57114,40 +57268,40 @@ index 28b88de..b7339b1 100644 + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') - - optional_policy(` -- consolekit_dbus_chat($1_t) ++ ++ optional_policy(` + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat($1_t) -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) - ') ++ ') + + optional_policy(` ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ++ ') + + optional_policy(` +- consolekit_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- cups_dbus_chat($1_t) + fprintd_dbus_chat($1_t) -+ ') + ') + ') + + optional_policy(` +- java_role($1_r, $1_t) ++ openoffice_role_template($1, $1_r, $1_usertype) + ') + + optional_policy(` -+ openoffice_role_template($1, $1_r, $1_usertype) ++ policykit_role($1_r, $1_usertype) + ') + + optional_policy(` -+ policykit_role($1_r, $1_usertype) - ') - - optional_policy(` -- java_role($1_r, $1_t) + pulseaudio_role($1_r, $1_usertype) + ') + @@ -57168,7 +57322,7 @@ index 28b88de..b7339b1 100644 ') ') -@@ -947,7 +1174,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1176,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -57177,7 +57331,7 @@ index 28b88de..b7339b1 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1183,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1185,83 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here 
@@ -57247,16 +57401,13 @@ index 28b88de..b7339b1 100644 + + optional_policy(` + gpg_role($1_r, $1_usertype) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t,$1_r) ++ ') ++ ++ optional_policy(` + gnomeclock_dbus_chat($1_t) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + gpm_stream_connect($1_usertype) + ') + @@ -57275,13 +57426,16 @@ index 28b88de..b7339b1 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t,$1_r) + wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + postfix_run_postdrop($1_t, $1_r) + ') + @@ -57291,7 +57445,7 @@ index 28b88de..b7339b1 100644 ') ') -@@ -1039,7 +1295,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1297,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -57300,7 +57454,7 @@ index 28b88de..b7339b1 100644 ') ############################## -@@ -1066,6 +1322,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1324,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -57308,7 +57462,7 @@ index 28b88de..b7339b1 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1331,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1333,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -57318,7 +57472,7 @@ index 28b88de..b7339b1 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1348,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1350,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -57326,7 +57480,7 @@ index 28b88de..b7339b1 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1366,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1368,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -57340,7 +57494,7 @@ index 28b88de..b7339b1 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,15 +1383,19 @@ template(`userdom_admin_user_template',` +@@ -1119,15 +1385,19 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -57360,7 +57514,7 @@ index 28b88de..b7339b1 100644 term_use_all_terms($1_t) -@@ -1141,7 +1409,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1411,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -57372,7 +57526,7 @@ index 28b88de..b7339b1 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1481,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1483,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -57381,7 +57535,7 @@ index 28b88de..b7339b1 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1495,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1497,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -57389,7 +57543,7 @@ index 28b88de..b7339b1 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1511,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1513,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -57397,7 +57551,7 @@ index 28b88de..b7339b1 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1554,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1556,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -57435,7 +57589,7 @@ index 28b88de..b7339b1 100644 ubac_constrained($1) ') -@@ -1395,6 +1696,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1698,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -57443,7 +57597,7 @@ index 28b88de..b7339b1 100644 files_search_home($1) ') -@@ -1441,6 +1743,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1745,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -57458,7 +57612,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -1456,9 +1766,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1768,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -57470,7 +57624,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -1515,10 +1827,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1829,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -57483,7 +57637,7 @@ index 28b88de..b7339b1 100644 ## ## ## -@@ -1526,21 +1838,57 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,18 +1840,54 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -57502,10 +57656,8 @@ index 28b88de..b7339b1 100644 ## -## Do a domain transition to the specified -## domain when executing a program in the --## user home directory. +## Relabel user home files. - ## --## ++## +## +## +## Domain allowed access. @@ -57543,13 +57695,10 @@ index 28b88de..b7339b1 100644 +## +## Do a domain transition to the specified +## domain when executing a program in the -+## user home directory. -+## -+## - ##

- ## Do a domain transition to the specified - ## domain when executing a program in the -@@ -1589,6 +1937,8 @@ interface(`userdom_dontaudit_search_user_home_content',` + ## user home directory. + ##

+ ## +@@ -1589,6 +1939,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -57558,7 +57707,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -1603,10 +1953,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1955,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -57573,7 +57722,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -1649,6 +2001,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2003,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -57599,7 +57748,7 @@ index 28b88de..b7339b1 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2071,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2073,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -57632,7 +57781,7 @@ index 28b88de..b7339b1 100644 ## Do not audit attempts to read user home files. ##
## -@@ -1716,11 +2107,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2109,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -57650,7 +57799,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -1779,6 +2173,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2175,24 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -57675,7 +57824,7 @@ index 28b88de..b7339b1 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2222,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2224,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -57685,7 +57834,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -1827,20 +2238,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2240,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -57710,7 +57859,7 @@ index 28b88de..b7339b1 100644 ######################################## ## -@@ -2008,7 +2413,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2415,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -57719,7 +57868,7 @@ index 28b88de..b7339b1 100644 files_search_home($1) ') -@@ -2182,7 +2587,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2589,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -57728,7 +57877,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -2435,13 +2840,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2842,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -57744,7 +57893,7 @@ index 28b88de..b7339b1 100644 ## ## ## -@@ -2462,26 +2868,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2870,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -57771,7 +57920,57 @@ index 28b88de..b7339b1 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2815,7 +3201,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2570,6 +2958,24 @@ interface(`userdom_use_user_ttys',` + allow $1 user_tty_device_t:chr_file rw_term_perms; + ') + ++####################################### ++## ++## Read and write inherited user domain tty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_inherited_user_ttys',` ++ gen_require(` ++ type user_tty_device_t; ++ ') ++ ++ allow $1 user_tty_device_t:chr_file { getattr read write append ioctl }; ++') ++ + ######################################## + ## + ## Read and write a user domain pty. +@@ -2588,6 +2994,24 @@ interface(`userdom_use_user_ptys',` + allow $1 user_devpts_t:chr_file rw_term_perms; + ') + ++####################################### ++## ++## Read and write inherited user domain pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_inherited_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ allow $1 user_devpts_t:chr_file { getattr read write append ioctl }; ++') ++ + ######################################## + ## + ## Read and write a user TTYs and PTYs. +@@ -2815,7 +3239,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -57780,7 +57979,7 @@ index 28b88de..b7339b1 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3217,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3255,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
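Review bot: The new `userdom_use_inherited_user_ttys` and `userdom_use_inherited_user_ptys` interfaces spell out `{ getattr read write append ioctl }` with no comment saying that `open` is left out on purpose. That omission is the only difference from the `rw_term_perms` used by the neighbouring `userdom_use_user_ttys` and `userdom_use_user_ptys`, which, as far as I know, includes `open`. A later cleanup could replace the literal set with `rw_term_perms` and silently let callers open any user terminal instead of only using descriptors passed to them. I would add `# no open: only already-open descriptors handed to the domain may be used` above each allow rule and say the same in the two summaries.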
@@ -57796,7 +57995,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -2917,7 +3305,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3343,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -57805,7 +58004,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -2972,7 +3360,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3398,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -57852,7 +58051,7 @@ index 28b88de..b7339b1 100644 ') ######################################## -@@ -3009,6 +3435,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3473,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -57860,7 +58059,7 @@ index 28b88de..b7339b1 100644 kernel_search_proc($1) ') -@@ -3087,6 +3514,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3552,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -57885,7 +58084,7 @@ index 28b88de..b7339b1 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3584,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3622,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index a22ada4..8e46c93 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 23%{?dist} +Release: 24%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -471,6 +471,23 @@ exit 0 %endif %changelog +* Tue May 17 2011 Miroslav Grepl 3.9.16-24 +- Allow logrotate to connect to init script using unix domain stream socket +- Allow shorewall read and write inherited user domain pty/tty +- virt will attempt to us another virtualizations pulsesaudio tmpfs_t, ignore error +- Allow colord to get the attributes of fixed disk device nodes +- Allow nsplugin_t to getattr on gpmctl +- Allow mozilla_plugin to connect to pcscd over an unix stream socket +- Allow logrotate to execute systemctl +- colord wants to read files in users homedir +- Remote login should create user_tmp_t content not its own tmp files +- Allow psad signal +- Fix cobbler_read_lib_files interface +- Allow rlogind to r/w user terminals +- Allow prelink_cron_system_t to relabel content and ignore obj_id +- Allow gnomeclock_systemctl_t to list init_var_run_t +- Dbus domains will inherit fds from the init system + * Fri May 6 2011 Miroslav Grepl 3.9.16-23 - Add label for /lib/upstart/init - Allow colord to getattr on /proc/scsi/scsi