diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 4497b28..930ffa4 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -8419,7 +8419,7 @@ index 6a1e4d1..c691385 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..e8e2506 100644 +index cf04cb5..29e6b5c 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8518,16 +8518,17 @@ index cf04cb5..e8e2506 100644 ') optional_policy(` -@@ -133,6 +188,8 @@ optional_policy(` +@@ -133,6 +188,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) + xserver_dontaudit_append_xdm_home_files(domain) + xserver_dontaudit_write_log(domain) ++ xserver_dontaudit_xdm_rw_stream_sockets(domain) ') ######################################## -@@ -147,12 +204,18 @@ optional_policy(` +@@ -147,12 +205,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -8547,7 +8548,7 @@ index cf04cb5..e8e2506 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +229,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +230,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -20153,7 +20154,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..994eec2 100644 +index 5fc0391..3448145 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) 
@@ -20263,11 +20264,13 @@ index 5fc0391..994eec2 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -107,33 +120,39 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -107,33 +120,41 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) -userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) ++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file) ++userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh") +userdom_read_all_users_keys(ssh_t) +userdom_stream_connect(ssh_t) +userdom_search_admin_dir(sshd_t) @@ -20308,7 +20311,7 @@ index 5fc0391..994eec2 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t) +@@ -156,38 +177,42 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) @@ -20370,7 +20373,7 @@ index 5fc0391..994eec2 100644 ') optional_policy(` -@@ -195,6 +218,7 @@ optional_policy(` +@@ -195,6 +220,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -20378,7 +20381,7 @@ index 5fc0391..994eec2 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +232,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -20386,7 +20389,7 @@ index 5fc0391..994eec2 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +248,53 @@ optional_policy(` +@@ -223,33 +250,54 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; 
@@ -20413,6 +20416,7 @@ index 5fc0391..994eec2 100644 # for X forwarding corenet_tcp_bind_xserver_port(sshd_t) ++corenet_tcp_bind_vnc_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) +auth_exec_login_program(sshd_t) @@ -20449,7 +20453,7 @@ index 5fc0391..994eec2 100644 ') optional_policy(` -@@ -257,11 +302,24 @@ optional_policy(` +@@ -257,11 +305,24 @@ optional_policy(` ') optional_policy(` @@ -20475,7 +20479,7 @@ index 5fc0391..994eec2 100644 ') optional_policy(` -@@ -269,6 +327,10 @@ optional_policy(` +@@ -269,6 +330,10 @@ optional_policy(` ') optional_policy(` @@ -20486,7 +20490,7 @@ index 5fc0391..994eec2 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +341,69 @@ optional_policy(` +@@ -279,13 +344,69 @@ optional_policy(` ') optional_policy(` @@ -20556,7 +20560,7 @@ index 5fc0391..994eec2 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +412,26 @@ optional_policy(` +@@ -294,19 +415,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -20584,7 +20588,7 @@ index 5fc0391..994eec2 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +448,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +451,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20597,7 +20601,7 @@ index 5fc0391..994eec2 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +462,138 @@ optional_policy(` +@@ -331,3 +465,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -31454,7 +31458,7 @@ index e8c59a5..d2df072 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..a70c055 100644 +index 9fe8e01..83acb32 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',` 
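Review bot: `corenet_tcp_bind_vnc_port(sshd_t)` is granted unconditionally and sits under the `# for X forwarding` comment, but X11 forwarding is covered by the adjacent `corenet_tcp_bind_xserver_port(sshd_t)`, so the comment no longer describes what this line allows; presumably it serves remote port forwarding (`ssh -R`) onto a VNC display port. If that is the intent, it belongs with the other forwarding binds, which refpolicy normally gates behind the `sshd_forward_ports` tunable (worth confirming that tunable is present in this file), rather than as an always-on bind, or it should at least carry its own comment such as `# remote port forwarding onto vnc display ports`. The sshd_t policy section starts and ends outside this hunk.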
@@ -31473,7 +31477,7 @@ index 9fe8e01..a70c055 100644 ifdef(`distro_redhat',` /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) -@@ -37,14 +39,10 @@ ifdef(`distro_redhat',` +@@ -37,24 +39,20 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) 
@@ -31485,19 +31489,25 @@ index 9fe8e01..a70c055 100644 /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) -+/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +-/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -@@ -53,6 +51,7 @@ ifdef(`distro_redhat',` - /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) - /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) - -+/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) + /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) +-/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) +-/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) +- ++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) ++/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) ++/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) + + /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -@@ -77,7 +76,7 @@ ifdef(`distro_redhat',` +@@ -77,7 +75,7 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) 
@@ -31506,7 +31516,7 @@ index 9fe8e01..a70c055 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +89,7 @@ ifdef(`distro_debian',` +@@ -90,6 +88,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -31741,10 +31751,10 @@ index d6293de..8f8d80d 100644 # # Base type for the tests directory. diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc -index 9933677..b155a0d 100644 +index 9933677..ca14c17 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc -@@ -23,3 +23,13 @@ ifdef(`distro_gentoo',` +@@ -23,3 +23,15 @@ ifdef(`distro_gentoo',` /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0) @@ -31758,6 +31768,8 @@ index 9933677..b155a0d 100644 +/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) + +/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) ++ ++/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 7449974..6375786 100644 --- a/policy/modules/system/modutils.if @@ -31864,7 +31876,7 @@ index 7449974..6375786 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a49e28..de1dcdd 100644 +index 7a49e28..82004c9 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3) 
@@ -31876,13 +31888,16 @@ index 7a49e28..de1dcdd 100644 type depmod_t; type depmod_exec_t; -@@ -16,11 +16,12 @@ type insmod_t; +@@ -16,11 +16,15 @@ type insmod_t; type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) mls_file_write_all_levels(insmod_t) +mls_process_write_down(insmod_t) role system_r types insmod_t; ++type insmod_var_run_t; ++files_pid_file(insmod_var_run_t) ++ # module loading config type modules_conf_t; -files_type(modules_conf_t) @@ -31890,7 +31905,7 @@ index 7a49e28..de1dcdd 100644 # module dependencies type modules_dep_t; -@@ -29,12 +30,16 @@ files_type(modules_dep_t) +@@ -29,12 +33,16 @@ files_type(modules_dep_t) type update_modules_t; type update_modules_exec_t; init_system_domain(update_modules_t, update_modules_exec_t) @@ -31909,7 +31924,7 @@ index 7a49e28..de1dcdd 100644 ######################################## # # depmod local policy -@@ -54,12 +59,15 @@ corecmd_search_bin(depmod_t) +@@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t) domain_use_interactive_fds(depmod_t) @@ -31925,7 +31940,7 @@ index 7a49e28..de1dcdd 100644 fs_getattr_xattr_fs(depmod_t) -@@ -69,10 +77,12 @@ init_use_fds(depmod_t) +@@ -69,10 +80,12 @@ init_use_fds(depmod_t) init_use_script_fds(depmod_t) init_use_script_ptys(depmod_t) @@ -31939,7 +31954,7 @@ index 7a49e28..de1dcdd 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -80,12 +90,8 @@ ifdef(`distro_ubuntu',` +@@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',` ') ') @@ -31954,7 +31969,7 @@ index 7a49e28..de1dcdd 100644 ') optional_policy(` -@@ -94,7 +100,6 @@ optional_policy(` +@@ -94,7 +103,6 @@ optional_policy(` ') optional_policy(` @@ -31962,7 +31977,7 @@ index 7a49e28..de1dcdd 100644 unconfined_domain(depmod_t) ') -@@ -103,11 +108,12 @@ optional_policy(` +@@ -103,11 +111,12 @@ optional_policy(` # insmod local policy # 
@@ -31976,8 +31991,14 @@ index 7a49e28..de1dcdd 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -117,14 +123,18 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) +@@ -115,16 +124,24 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) + list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) + read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) ++manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) ++manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) ++files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file }) ++ can_exec(insmod_t, insmod_exec_t) +manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t) @@ -31996,7 +32017,7 @@ index 7a49e28..de1dcdd 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t) +@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -32004,7 +32025,7 @@ index 7a49e28..de1dcdd 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -151,30 +162,38 @@ files_read_etc_runtime_files(insmod_t) +@@ -151,30 +169,38 @@ files_read_etc_runtime_files(insmod_t) files_read_etc_files(insmod_t) files_read_usr_files(insmod_t) files_exec_etc_files(insmod_t) @@ -32047,7 +32068,7 @@ index 7a49e28..de1dcdd 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +203,33 @@ optional_policy(` +@@ -184,28 +210,33 @@ optional_policy(` ') optional_policy(` 
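Review bot: `files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file })` is an unnamed transition, so every file or directory insmod_t creates directly in a var_run_t directory becomes insmod_var_run_t, which is much wider than the single path the companion .fc entry in this patch labels (`/var/run/tmpfiles.d/kmod.conf`). A name-based transition matches the .fc entry exactly and keeps anything else kmod might drop in /run from inheriting the type: `files_pid_filetrans(insmod_t, insmod_var_run_t, file, "kmod.conf")`. Whether the `dir` branch is needed depends on who creates `/run/tmpfiles.d`; that is not visible from this hunk, so if insmod_t does create it a named `dir` transition for `"tmpfiles.d"` would be the matching form. The insmod_t local policy section continues outside this hunk.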
@@ -32071,24 +32092,24 @@ index 7a49e28..de1dcdd 100644 optional_policy(` - mount_domtrans(insmod_t) + hal_write_log(insmod_t) ++') ++ ++optional_policy(` ++ hotplug_search_config(insmod_t) ') optional_policy(` - nis_use_ypbind(insmod_t) -+ hotplug_search_config(insmod_t) ++ kdump_manage_kdumpctl_tmp_files(insmod_t) ') optional_policy(` - nscd_use(insmod_t) -+ kdump_manage_kdumpctl_tmp_files(insmod_t) -+') -+ -+optional_policy(` + mount_domtrans(insmod_t) ') optional_policy(` -@@ -225,6 +249,7 @@ optional_policy(` +@@ -225,6 +256,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) @@ -32096,7 +32117,7 @@ index 7a49e28..de1dcdd 100644 ') optional_policy(` -@@ -233,6 +258,10 @@ optional_policy(` +@@ -233,6 +265,10 @@ optional_policy(` ') optional_policy(` @@ -32107,7 +32128,7 @@ index 7a49e28..de1dcdd 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t) +@@ -291,11 +327,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) @@ -35200,10 +35221,10 @@ index 0000000..2cd29ba +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..1a254f8 +index 0000000..78eb081 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1286 @@ +@@ -0,0 +1,1287 @@ +## SELinux policy for systemd components + +###################################### @@ -36104,6 +36125,7 @@ index 0000000..1a254f8 + allow $1 hostname_etc_t:file read_file_perms; +') + ++ +####################################### +## +## Create objects in /run/systemd/generator directory @@ -36492,7 +36514,7 @@ index 0000000..1a254f8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..13712f9 +index 0000000..6379489 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,661 @@ 
@@ -36785,8 +36807,8 @@ index 0000000..13712f9 +dev_relabel_all_sysfs(systemd_tmpfiles_t) +dev_relabel_cpu_online(systemd_tmpfiles_t) +dev_read_cpu_online(systemd_tmpfiles_t) -+dev_manage_printer(systemd_tmpfiles_t) -+dev_relabel_printer(systemd_tmpfiles_t) ++dev_manage_all_dev_nodes(systemd_tmpfiles_t) ++dev_relabel_all_dev_nodes(systemd_tmpfiles_t) + +domain_obj_id_change_exemption(systemd_tmpfiles_t) + @@ -38537,7 +38559,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..33a39dc 100644 +index 3c5dba7..89012c2 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -41221,7 +41243,7 @@ index 3c5dba7..33a39dc 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4214,1455 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4214,1454 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -42582,9 +42604,8 @@ index 3c5dba7..33a39dc 100644 + gen_require(` + attribute userdom_home_manager_type; + ') -+ typeattribute $1 userdom_home_manager_type; + -+ userdom_filetrans_home_content($1) ++ typeattribute $1 userdom_home_manager_type; +') + +######################################## diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index da225f8..40fdab0 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -9350,7 +9350,7 @@ index 1b22262..bf0cefa 100644 + ') ') diff --git a/bugzilla.te b/bugzilla.te -index 41f8251..464107b 100644 +index 41f8251..57f094e 100644 --- a/bugzilla.te +++ b/bugzilla.te @@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4) 
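Review bot: `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_relabel_all_dev_nodes(systemd_tmpfiles_t)` give systemd-tmpfiles create, delete and relabel rights over every device node type in place of the printer-only interfaces they replace, and the hunk carries no comment saying which tmpfiles.d entries need that width. Since tmpfiles.d can declare `c`/`b` device entries the grant is plausibly required, but a blanket device-node permission on a domain that also relabels sysfs deserves an explicit justification so it is not later read as a leftover from debugging, e.g. `# tmpfiles.d c/b entries create and relabel arbitrary device nodes`. The systemd_tmpfiles_t policy section starts and ends outside this hunk.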
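Review bot: dropping `userdom_filetrans_home_content($1)` from `userdom_home_manager` changes what callers receive: a domain declared a home manager through this interface no longer gets the named transitions into home content and must now call `userdom_filetrans_home_content` itself, and nothing in this hunk shows such callers being updated (they may be elsewhere in the patch, so this is worth a grep before merging). The interface's header comment sits above the hunk and should now state that the interface only attaches the `userdom_home_manager_type` attribute, e.g. `## Only adds the attribute; call userdom_filetrans_home_content() separately for transitions.` The `interface(` line for userdom_home_manager is outside this hunk.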
@@ -9371,7 +9371,7 @@ index 41f8251..464107b 100644 corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) -@@ -27,11 +29,19 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) +@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t) @@ -9384,6 +9384,8 @@ index 41f8251..464107b 100644 -sysnet_dns_name_resolve(httpd_bugzilla_script_t) +auth_read_passwd(httpd_bugzilla_script_t) + ++dev_read_sysfs(httpd_bugzilla_script_t) ++ +sysnet_read_config(httpd_bugzilla_script_t) sysnet_use_ldap(httpd_bugzilla_script_t) @@ -13076,7 +13078,7 @@ index 3fe3cb8..b8e08c6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..c0501e0 100644 +index 3f2b672..49efe00 100644 --- a/condor.te +++ b/condor.te @@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) @@ -13089,7 +13091,7 @@ index 3f2b672..c0501e0 100644 condor_domain_template(collector) condor_domain_template(negotiator) condor_domain_template(procd) -@@ -57,10 +60,14 @@ condor_domain_template(startd) +@@ -57,10 +60,15 @@ condor_domain_template(startd) # Global local policy # @@ -13103,10 +13105,11 @@ index 3f2b672..c0501e0 100644 +allow condor_domain self:tcp_socket create_stream_socket_perms; +allow condor_domain self:udp_socket create_socket_perms; +allow condor_domain self:unix_stream_socket create_stream_socket_perms; ++allow condor_domain self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) append_files_pattern(condor_domain, condor_log_t, condor_log_t) -@@ -86,13 +93,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; +@@ -86,13 +94,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) 
@@ -13120,7 +13123,7 @@ index 3f2b672..c0501e0 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +110,7 @@ dev_read_rand(condor_domain) +@@ -106,9 +111,7 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -13131,7 +13134,7 @@ index 3f2b672..c0501e0 100644 tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -125,7 +127,7 @@ optional_policy(` +@@ -125,7 +128,7 @@ optional_policy(` # Master local policy # @@ -13140,7 +13143,7 @@ index 3f2b672..c0501e0 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -133,6 +135,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +136,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) @@ -13151,7 +13154,7 @@ index 3f2b672..c0501e0 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -150,7 +156,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) +@@ -150,7 +157,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) domain_read_all_domains_state(condor_master_t) @@ -13160,7 +13163,7 @@ index 3f2b672..c0501e0 100644 optional_policy(` mta_send_mail(condor_master_t) -@@ -169,6 +175,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -169,6 +176,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) 
@@ -13169,7 +13172,7 @@ index 3f2b672..c0501e0 100644 ##################################### # # Negotiator local policy -@@ -178,6 +186,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +187,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -13178,7 +13181,7 @@ index 3f2b672..c0501e0 100644 ###################################### # # Procd local policy -@@ -201,6 +211,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -201,6 +212,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -13187,7 +13190,7 @@ index 3f2b672..c0501e0 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +221,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +222,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13196,7 +13199,7 @@ index 3f2b672..c0501e0 100644 ##################################### # # Startd local policy -@@ -233,11 +247,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +248,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13209,7 +13212,7 @@ index 3f2b672..c0501e0 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +262,7 @@ optional_policy(` +@@ -249,3 +263,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') 
@@ -15272,7 +15275,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..0c0f4f2 100644 +index 28e1b86..bf91ba9 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -15887,7 +15890,7 @@ index 28e1b86..0c0f4f2 100644 init_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) -@@ -511,20 +489,23 @@ logging_read_generic_logs(system_cronjob_t) +@@ -511,20 +489,26 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -15895,6 +15898,9 @@ index 28e1b86..0c0f4f2 100644 - seutil_read_config(system_cronjob_t) ++userdom_manage_tmpfs_files(system_cronjob_t, file) ++userdom_tmpfs_filetrans(system_cronjob_t, file) ++ ifdef(`distro_redhat',` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + allow crond_t system_cron_spool_t:file manage_file_perms; @@ -15914,7 +15920,7 @@ index 28e1b86..0c0f4f2 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +515,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +518,17 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -15932,7 +15938,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -546,10 +534,6 @@ optional_policy(` +@@ -546,10 +537,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -15943,7 +15949,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -581,6 +565,7 @@ optional_policy(` +@@ -581,6 +568,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -15951,7 +15957,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -588,15 +573,19 @@ optional_policy(` +@@ -588,15 +576,19 @@ optional_policy(` ') optional_policy(` 
@@ -15973,7 +15979,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -606,6 +595,7 @@ optional_policy(` +@@ -606,6 +598,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -15981,7 +15987,7 @@ index 28e1b86..0c0f4f2 100644 ') optional_policy(` -@@ -613,12 +603,24 @@ optional_policy(` +@@ -613,12 +606,24 @@ optional_policy(` ') optional_policy(` @@ -16008,7 +16014,7 @@ index 28e1b86..0c0f4f2 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +628,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +631,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -16042,7 +16048,7 @@ index 28e1b86..0c0f4f2 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +661,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +664,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -21639,7 +21645,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..fe94a6c 100644 +index a7bfaf0..4ebb0ad 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -21892,7 +21898,7 @@ index a7bfaf0..fe94a6c 100644 sendmail_domtrans(dovecot_t) ') -@@ -221,46 +213,61 @@ optional_policy(` +@@ -221,46 +213,63 @@ optional_policy(` ######################################## # 
@@ -21941,14 +21947,16 @@ index a7bfaf0..fe94a6c 100644 +files_read_usr_symlinks(dovecot_auth_t) +files_read_var_lib_files(dovecot_auth_t) +files_search_tmp(dovecot_auth_t) -+ -+fs_getattr_xattr_fs(dovecot_auth_t) -seutil_dontaudit_search_config(dovecot_auth_t) ++fs_getattr_xattr_fs(dovecot_auth_t) ++ +init_rw_utmp(dovecot_auth_t) sysnet_use_ldap(dovecot_auth_t) ++userdom_getattr_user_home_dirs(dovecot_auth_t) ++ optional_policy(` + kerberos_use(dovecot_auth_t) + @@ -21963,7 +21971,7 @@ index a7bfaf0..fe94a6c 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -271,15 +278,30 @@ optional_policy(` +@@ -271,15 +280,30 @@ optional_policy(` ') optional_policy(` @@ -21995,7 +22003,7 @@ index a7bfaf0..fe94a6c 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +311,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +313,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -22055,7 +22063,7 @@ index a7bfaf0..fe94a6c 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +355,6 @@ optional_policy(` +@@ -326,5 +357,6 @@ optional_policy(` ') optional_policy(` @@ -38112,7 +38120,7 @@ index 6ffaba2..154cade 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..97e35b2 100644 +index 6194b80..35b2b47 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ 
@@ -38279,10 +38287,10 @@ index 6194b80..97e35b2 100644 - allow $2 mozilla_plugin_rw_t:dir list_dir_perms; - allow $2 mozilla_plugin_rw_t:file read_file_perms; - allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- -- can_exec($2, mozilla_plugin_rw_t) + mozilla_filetrans_home_content($2) +- can_exec($2, mozilla_plugin_rw_t) +- - optional_policy(` - mozilla_dbus_chat_plugin($2) - ') @@ -38428,7 +38436,7 @@ index 6194b80..97e35b2 100644 ') ######################################## -@@ -303,102 +195,99 @@ interface(`mozilla_domtrans',` +@@ -303,102 +195,103 @@ interface(`mozilla_domtrans',` type mozilla_t, mozilla_exec_t; ') @@ -38516,8 +38524,8 @@ index 6194b80..97e35b2 100644 mozilla_domtrans_plugin($1) roleattribute $2 mozilla_plugin_roles; +-') + roleattribute $2 mozilla_plugin_config_roles; - ') -######################################## -## @@ -38533,12 +38541,14 @@ index 6194b80..97e35b2 100644 -interface(`mozilla_domtrans_plugin_config',` - gen_require(` - type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; -- ') ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mozilla_plugin_t:process ptrace; + ') - - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) --') -- + ') + -######################################## +####################################### ## @@ -38579,7 +38589,7 @@ index 6194b80..97e35b2 100644 ') ######################################## -@@ -424,8 +313,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -38589,7 +38599,7 @@ index 6194b80..97e35b2 100644 ## ## ## -@@ -433,76 +321,108 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +325,108 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -38727,7 +38737,7 @@ index 6194b80..97e35b2 100644 ## ## ## -@@ -510,19 +430,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +434,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # 
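Review bot: the new `tunable_policy(`deny_ptrace',`',` ... ')` block makes the enclosing role interface (presumably mozilla_run_plugin; its `interface(` line is outside this hunk) grant the calling domain `ptrace` over mozilla_plugin_t whenever the deny_ptrace boolean is off, but the interface's summary comment above the hunk still only describes running the plugin. The grant runs from the caller into the sandbox rather than the reverse, so it does not weaken the plugin's confinement, yet the doc block should say so, e.g. `## Also allows $1 to ptrace the plugin process unless the deny_ptrace boolean is set.` An empty true branch in `tunable_policy` is the usual refpolicy idiom for "unless", so the form itself is fine.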
@@ -38752,7 +38762,7 @@ index 6194b80..97e35b2 100644 ## ## ## -@@ -530,45 +449,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +453,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -52539,35 +52549,38 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..2f407d6 100644 +index dfd46e4..6667b8a 100644 --- a/pegasus.fc 
+++ b/pegasus.fc -@@ -1,15 +1,16 @@ +@@ -1,15 +1,20 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) --/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) -- ++ ++/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) + -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) ++/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -+/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) -+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) ++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -+/var/run/tog-pegasus(/.*)? 
gen_context(system_u:object_r:pegasus_var_run_t,s0) - - /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -+ +#openlmi agents +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0) ++/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) + +-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -52669,7 +52682,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..04b62f4 100644 +index 7bcf327..71ab12b 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -52693,13 +52706,20 @@ index 7bcf327..04b62f4 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,115 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,196 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) +# pegasus openlmi providers +pegasus_openlmi_domain_template(account) +pegasus_openlmi_domain_template(logicalfile) ++pegasus_openlmi_domain_template(networking) ++pegasus_openlmi_domain_template(service) ++ ++pegasus_openlmi_domain_template(storage) ++type pegasus_openlmi_storage_tmp_t; ++files_tmp_file(pegasus_openlmi_storage_tmp_t) ++ +pegasus_openlmi_domain_template(unconfined) + +####################################### 
@@ -52707,12 +52727,17 @@ index 7bcf327..04b62f4 100644
 +# pegasus openlmi providers local policy
 +#
 +
++allow pegasus_openlmi_domain self:capability { setuid setgid };
++
 +allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
 +
 +list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
-+read_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
 +
 +corecmd_exec_bin(pegasus_openlmi_domain)
++corecmd_exec_shell(pegasus_openlmi_domain)
++
++auth_read_passwd(pegasus_openlmi_domain)
 +
 +sysnet_read_config(pegasus_openlmi_domain)
 +
@@ -52725,7 +52750,7 @@ index 7bcf327..04b62f4 100644
 +# pegasus openlmi account local policy
 +#
 +
-+allow pegasus_openlmi_account_t self:capability { setuid chown setgid dac_override };
++allow pegasus_openlmi_account_t self:capability { chown dac_override };
 +allow pegasus_openlmi_account_t self:process setfscreate;
 +
 +auth_manage_passwd(pegasus_openlmi_account_t)
@@ -52756,7 +52781,7 @@ index 7bcf327..04b62f4 100644
 +# pegasus openlmi logicalfile local policy
 +#
 +
-+allow pegasus_openlmi_logicalfile_t self:capability { setuid setgid dac_override };
++allow pegasus_openlmi_logicalfile_t self:capability { dac_override };
 +files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
 +files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
 +
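Review bot: `rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)` widens the previous read-only access to the Pegasus repository for every domain carrying the attribute, and `corecmd_exec_shell`, `auth_read_passwd` and `self:capability { setuid setgid }` are likewise granted attribute-wide in the same hunk. If only some providers need to write `pegasus_data_t` or spawn a shell, keep `read_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)` here and add `rw_files_pattern(pegasus_openlmi_<provider>_t, pegasus_data_t, pegasus_data_t)` in that provider's own section. Moving setuid/setgid onto the attribute is consistent with the two following hunks that drop them from `pegasus_openlmi_account_t` and `pegasus_openlmi_logicalfile_t`, so those need no separate change.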
@@ -52784,6 +52809,75 @@ index 7bcf327..04b62f4 100644
 +
 +######################################
 +#
++# pegasus openlmi networking local policy
++#
++
++allow pegasus_openlmi_networking_t self:capability { net_admin };
++
++allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;;
++allow pegasus_openlmi_networking_t self:udp_socket create_socket_perms;
++
++dev_rw_sysfs(pegasus_openlmi_networking_t)
++dev_read_urand(pegasus_openlmi_networking_t)
++
++optional_policy(`
++ dbus_system_bus_client(pegasus_openlmi_networking_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(pegasus_openlmi_networking_t)
++ ')
++')
++
++######################################
++#
++# pegasus openlmi service local policy
++#
++
++
++init_disable_services(pegasus_openlmi_service_t)
++init_enable_services(pegasus_openlmi_service_t)
++init_reload_services(pegasus_openlmi_service_t)
++init_exec(pegasus_openlmi_service_t)
++
++systemd_config_all_services(pegasus_openlmi_service_t)
++systemd_manage_all_unit_files(pegasus_openlmi_service_t)
++systemd_manage_all_unit_lnk_files(pegasus_openlmi_service_t)
++
++allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
++
++optional_policy(`
++ dbus_system_bus_client(pegasus_openlmi_service_t)
++')
++
++######################################
++#
++# pegasus openlmi storage local policy
++#
++
++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
++files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
++
++storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_networking_t)
++
++modutils_domtrans_insmod(pegasus_openlmi_storage_t)
++
++udev_domtrans(pegasus_openlmi_storage_t)
++
++optional_policy(`
++ lvm_domtrans(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
++ 
mount_domtrans(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
++ raid_domtrans_mdadm(pegasus_openlmi_storage_t)
++')
++
++######################################
++#
 +# pegasus openlmi unconfined local policy
 +#
 +
@@ -52814,7 +52908,7 @@ index 7bcf327..04b62f4 100644
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +148,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +229,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
 manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -52845,7 +52939,7 @@ index 7bcf327..04b62f4 100644
 kernel_read_network_state(pegasus_t)
 kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +174,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +255,21 @@ kernel_read_net_sysctls(pegasus_t)
 kernel_read_xen_state(pegasus_t)
 kernel_write_xen_state(pegasus_t)
@@ -52878,7 +52972,7 @@ index 7bcf327..04b62f4 100644
 corecmd_exec_bin(pegasus_t)
 corecmd_exec_shell(pegasus_t)
-@@ -114,6 +202,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +283,7 @@ files_getattr_all_dirs(pegasus_t)
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
@@ -52886,7 +52980,7 @@ index 7bcf327..04b62f4 100644
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +217,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +298,25 @@ init_stream_connect_script(pegasus_t)
 logging_send_audit_msgs(pegasus_t)
 logging_send_syslog_msg(pegasus_t)
@@ -52918,7 +53012,7 @@ index 7bcf327..04b62f4 100644
 ')
 optional_policy(`
-@@ -151,16 +247,24 @@ optional_policy(`
+@@ -151,16 +328,24 @@ optional_policy(`
 ')
 optional_policy(`
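Review bot: `storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_networking_t)` sits in the storage section but names the networking domain, so the networking provider gains read/write on inherited fixed-disk device nodes while the storage provider this section is for gets none; it should read `storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_storage_t)`. `files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})` passes the tmp type where the interface takes the acting domain, so no transition applies to the storage provider and its temporary files end up as generic tmp content; use `files_tmp_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, { file dir })`. The networking `netlink_route_socket` rule ends in `;;`, which is at best a stray token and may be rejected by the policy compiler; drop the second semicolon.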
@@ -52939,7 +53033,7 @@ index 7bcf327..04b62f4 100644
 +')
 +
 +optional_policy(`
-+ rpm_exec(pegasus_t)
++ rpm_domtrans(pegasus_t)
 +')
 +
 +optional_policy(`
@@ -52947,7 +53041,7 @@ index 7bcf327..04b62f4 100644
 ')
 optional_policy(`
-@@ -168,7 +272,7 @@ optional_policy(`
+@@ -168,7 +353,7 @@ optional_policy(`
 ')
 optional_policy(`
@@ -71478,10 +71572,10 @@ index c49828c..a323332 100644
 sysnet_dns_name_resolve(rpcbind_t)
 diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..1609333 100644
+index ebe91fc..6392cad 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -1,61 +1,71 @@
+@@ -1,61 +1,72 @@
 -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
 -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -71510,6 +71604,7 @@ index ebe91fc..1609333 100644
 /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
 -/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
 -/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 100ca13..0ef0be5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 66%{?dist}
+Release: 67%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
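Review bot: `rpm_domtrans(pegasus_t)`, together with the `rpm.fc` hunk below that labels `pycmpiLMI_Software-cimprovagt` as `rpm_exec_t`, makes the CIM server run the software provider in `rpm_t`, a domain with package-manager privileges over the filesystem, whereas every other provider in this commit gets its own confined domain from `pegasus_openlmi_domain_template`. A fault in `pegasus_t` that reaches that provider therefore ends up with the full `rpm_t` domain rather than a provider-scoped one. Consider a dedicated `pegasus_openlmi_domain_template(software)` domain and grant `rpm_domtrans` from that domain only, or at least a comment above the call stating why the provider must run as `rpm_t`.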
@@ -539,6 +539,16 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Fri Jul 26 2013 Miroslav Grepl 3.12.1-67
+- Add support for cmpiLMI_Service-cimprovagt
+- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
+- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
+- Add support for pycmpiLMI_Storage-cimprovagt
+- Add support for cmpiLMI_Networking-cimprovagt
+- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
+- Allow virtual machines and containers to run as user doains, needed for virt-sandbox
+- Allow buglist.cgi to read cpu info
+
 * Wed Jul 24 2013 Miroslav Grepl 3.12.1-66
 - Allow systemd-tmpfile to handle tmp content in print spool dir
 - Allow systemd-sysctl to send system log messages