diff --git a/policy-F16.patch b/policy-F16.patch index 3bef137..df419aa 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -8690,7 +8690,7 @@ index fbb5c5a..8fe4551 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..237cab3 100644 +index 2e9318b..0d111b1 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -8823,7 +8823,15 @@ index 2e9318b..237cab3 100644 dev_read_rand(mozilla_plugin_t) dev_read_urand(mozilla_plugin_t) -@@ -385,13 +402,19 @@ term_getattr_all_ttys(mozilla_plugin_t) +@@ -355,6 +372,7 @@ dev_write_sound(mozilla_plugin_t) + # for nvidia driver + dev_rw_xserver_misc(mozilla_plugin_t) + dev_dontaudit_rw_dri(mozilla_plugin_t) ++dev_dontaudit_getattr_all(mozilla_plugin_t) + + domain_use_interactive_fds(mozilla_plugin_t) + domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -385,13 +403,20 @@ term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -8831,7 +8839,9 @@ index 2e9318b..237cab3 100644 userdom_dontaudit_use_user_terminals(mozilla_plugin_t) userdom_manage_user_tmp_sockets(mozilla_plugin_t) userdom_manage_user_tmp_dirs(mozilla_plugin_t) - userdom_read_user_tmp_files(mozilla_plugin_t) +-userdom_read_user_tmp_files(mozilla_plugin_t) ++userdom_rw_inherited_user_tmp_files(mozilla_plugin_t) ++userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t) userdom_read_user_tmp_symlinks(mozilla_plugin_t) +userdom_stream_connect(mozilla_plugin_t) +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) @@ -8843,7 +8853,7 @@ index 2e9318b..237cab3 100644 tunable_policy(`allow_execmem',` allow mozilla_plugin_t self:process { execmem execstack }; -@@ -425,7 +448,13 @@ optional_policy(` +@@ -425,7 +450,13 @@ optional_policy(` ') optional_policy(` 
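Review bot: The added `dev_dontaudit_getattr_all(mozilla_plugin_t)` sits directly under the existing `# for nvidia driver` comment, so it reads as part of that workaround although nothing in the hunk ties it to the driver. A dontaudit rule also suppresses the AVC denials that would otherwise show a confined plugin probing device nodes, so it deserves its own stated rationale. I would separate it with a blank line and give it a comment of the form `# <what makes the plugin stat device nodes>; denied on purpose, not audited`. The rest of the mozilla_plugin_t rule block lies outside the hunk.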
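Review bot: Replacing `userdom_read_user_tmp_files` with `userdom_rw_inherited_user_tmp_files` adds write access for mozilla_plugin_t, and `userdom_rw_inherited_user_home_sock_files` extends the plugin domain to sockets in the user's home, with no comment saying which plugin behaviour needs either. Going by the interface names, these cover only descriptors handed over by the parent process, presumably without open, which would narrow the read side; that should be confirmed against the interface definitions, which are not in this hunk. I would add a line such as `# plugin only uses tmp files and sockets passed in by the browser; no open` above the two calls so the intent survives later edits.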
@@ -8857,7 +8867,7 @@ index 2e9318b..237cab3 100644 ') optional_policy(` -@@ -438,7 +467,14 @@ optional_policy(` +@@ -438,7 +469,14 @@ optional_policy(` ') optional_policy(` @@ -8873,7 +8883,7 @@ index 2e9318b..237cab3 100644 ') optional_policy(` -@@ -446,10 +482,27 @@ optional_policy(` +@@ -446,10 +484,27 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -10203,18 +10213,22 @@ index f40c64d..a08cb82 100644 + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") ') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index d1eace5..8522ab4 100644 +index d1eace5..7945217 100644 --- a/policy/modules/apps/pulseaudio.te 
+++ b/policy/modules/apps/pulseaudio.te -@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -44,6 +44,11 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) userdom_search_user_home_dirs(pulseaudio_t) ++pulseaudio_filetrans_home_content(pulseaudio_t) ++ ++# ~/.esd_auth - maybe we should label this pulseaudit_home_t? ++userdom_read_user_home_content_files(pulseaudio_t) +userdom_search_admin_dir(pulseaudio_t) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -@@ -53,7 +54,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) +@@ -53,7 +58,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) @@ -10223,7 +10237,7 @@ index d1eace5..8522ab4 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -85,8 +86,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t) +@@ -85,8 +90,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t) fs_getattr_tmpfs(pulseaudio_t) fs_list_inotifyfs(pulseaudio_t) @@ -10234,7 +10248,7 @@ index d1eace5..8522ab4 100644 auth_use_nsswitch(pulseaudio_t) -@@ -94,10 +95,9 @@ logging_send_syslog_msg(pulseaudio_t) +@@ -94,10 +99,9 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) @@ -10248,7 +10262,7 @@ index d1eace5..8522ab4 100644 optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -127,10 +127,24 @@ optional_policy(` +@@ -127,10 +131,24 @@ optional_policy(` ') optional_policy(` 
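Review bot: `userdom_read_user_home_content_files(pulseaudio_t)` gives pulseaudio_t read access to generic user home content in order to reach a single file, as the accompanying `~/.esd_auth` comment admits. The comment's own suggestion is the tighter fix: label that file with the pulseaudio home type and drop the broad read. The context line at the top of the hunk shows the policy already uses a named transition of this kind for `.pulse-cookie`, so an analogous `.esd_auth` entry in `pulseaudio_filetrans_home_content` looks feasible, though that interface's body is outside the hunk. The comment also misspells the type as `pulseaudit_home_t`; it should read `pulseaudio_home_t`.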
@@ -10273,7 +10287,7 @@ index d1eace5..8522ab4 100644 policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -148,3 +162,7 @@ optional_policy(` +@@ -148,3 +166,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -14638,7 +14652,7 @@ index 4f3b542..f4e36ee 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..43656b7 100644 +index 99b71cb..8c780d2 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -14741,7 +14755,7 @@ index 99b71cb..43656b7 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -99,14 +134,21 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -99,14 +134,22 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -14749,6 +14763,7 @@ index 99b71cb..43656b7 100644 +network_port(dogtag, tcp,7390,s0) +network_port(dns, udp,53,s0, tcp,53,s0, tcp,8953,s0 ) network_port(epmap, tcp,135,s0, udp,135,s0) ++network_port(echo, tcp,7,s0, udp,7,s0) +network_port(epmd, tcp,4369,s0, udp,4369,s0) +network_port(festival, tcp,1314,s0) network_port(fingerd, tcp,79,s0) 
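Review bot: Moving port 7 out of `inetd_child` (the `network_port(inetd_child, …)` line in the later `@@ -14773,13 +14788,13 @@` hunk) into the new `network_port(echo, tcp,7,s0, udp,7,s0)` changes the type on that port, so any domain that reached it through the inetd_child port type loses that access unless it gains a matching echo-port rule. None of the hunks visible here adds such a rule, so please confirm that the domains serving echo are covered elsewhere in the patch. A short comment next to the new declaration saying which service is expected to bind it would make a later audit of the port list easier.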
@@ -14764,7 +14779,7 @@ index 99b71cb..43656b7 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -115,11 +157,12 @@ network_port(hddtemp, tcp,7634,s0) +@@ -115,11 +158,12 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port 
@@ -14773,13 +14788,13 @@ index 99b71cb..43656b7 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) ++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) network_port(innd, tcp,119,s0) +network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +172,27 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +173,27 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -14810,7 +14825,7 @@ index 99b71cb..43656b7 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +202,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +203,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) 
@@ -14843,7 +14858,7 @@ index 99b71cb..43656b7 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,34 +239,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,34 +240,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) @@ -14890,7 +14905,7 @@ index 99b71cb..43656b7 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -215,9 +282,12 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +283,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14904,7 +14919,7 @@ index 99b71cb..43656b7 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +299,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +300,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -14912,7 +14927,7 @@ index 99b71cb..43656b7 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +309,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +310,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) 
@@ -14925,7 +14940,7 @@ index 99b71cb..43656b7 100644 ######################################## # -@@ -282,9 +359,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +360,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -17151,7 +17166,7 @@ index c19518a..12e8e9c 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..0f250ab 100644 +index ff006ea..a7c1eed 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ 
@@ -17590,84 +17605,129 @@ index ff006ea..0f250ab 100644 ') ######################################## -@@ -3900,6 +4115,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,82 +4115,195 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') +-######################################## +####################################### -+## + ## +-## Allow the specified type to associate +-## to a filesystem with the type of the +-## temporary directory (/tmp). +## Read manageable system configuration files in /etc -+## + ## +-## +-## +-## Type of the file to associate. +-## +## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_associate_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:filesystem associate; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Get the attributes of the tmp directory (/tmp). +## Manage manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir getattr; + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Do not audit attempts to get the +-## attributes of the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. 
+## -+## -+# + ## + # +-interface(`files_dontaudit_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- dontaudit $1 tmp_t:dir getattr; + relabelto_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- allow $1 tmp_t:dir search_dir_perms; + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +################################### +## +## Create files in /etc with the type used for 
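Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` both declare `type usr_t;` in their `gen_require`, but their bodies use only `system_conf_t`, so the type they actually depend on is never required. Each block should read `type system_conf_t;` instead. The two interfaces also carry the identical summary "Relabel manageable system configuration files in /etc."; wording them "Relabel to" and "Relabel from" would let the generated documentation tell them apart.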
@@ -17687,19 +17747,106 @@ index ff006ea..0f250ab 100644 + filetrans_pattern($1, etc_t, system_conf_t, file) +') + - ######################################## ++######################################## ++## ++## Allow the specified type to associate ++## to a filesystem with the type of the ++## temporary directory (/tmp). ++## ++## ++## ++## Type of the file to associate. ++## ++## ++# ++interface(`files_associate_tmp',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ allow $1 tmp_t:filesystem associate; ++') ++ ++######################################## ++## ++## Allow the specified type to associate ++## to a filesystem with the type of the ++## / file system ++## ++## ++## ++## Type of the file to associate. ++## ++## ++# ++interface(`files_associate_rootfs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:filesystem associate; ++') ++ ++######################################## ++## ++## Get the attributes of the tmp directory (/tmp). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_tmp_dirs',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ allow $1 tmp_t:dir getattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to get the ++## attributes of the tmp directory (/tmp). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_getattr_tmp_dirs',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ dontaudit $1 tmp_t:dir getattr; ++') ++ ++######################################## ++## ++## Search the tmp directory (/tmp). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_tmp',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ allow $1 tmp_t:dir search_dir_perms; ++') ++ ++######################################## ## - ## Allow the specified type to associate -@@ -3945,7 +4253,7 @@ interface(`files_getattr_tmp_dirs',` + ## Do not audit attempts to search the tmp directory (/tmp). ## - ## - ## --## Domain allowed access. 
-+## Domain to not audit. - ## - ## - # -@@ -4017,7 +4325,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4345,7 @@ interface(`files_list_tmp',` ## ## ## @@ -17708,14 +17855,12 @@ index ff006ea..0f250ab 100644 ## ## # -@@ -4029,9 +4337,27 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4357,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') --######################################## +####################################### - ## --## Remove entries from the tmp directory. ++## +## Allow read and write to the tmp directory (/tmp). +## +## @@ -17732,13 +17877,10 @@ index ff006ea..0f250ab 100644 + allow $1 tmp_t:dir rw_dir_perms; +') + -+######################################## -+## -+## Remove entries from the tmp directory. - ## - ## - ## -@@ -4085,6 +4411,32 @@ interface(`files_manage_generic_tmp_dirs',` + ######################################## + ## + ## Remove entries from the tmp directory. +@@ -4085,6 +4431,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -17771,7 +17913,7 @@ index ff006ea..0f250ab 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4139,6 +4491,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4139,6 +4511,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -17814,7 +17956,7 @@ index ff006ea..0f250ab 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4202,7 +4590,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4202,7 +4610,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -17823,7 +17965,7 @@ index ff006ea..0f250ab 100644 ## ## # -@@ -4262,7 +4650,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4670,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -17832,7 +17974,7 @@ index ff006ea..0f250ab 100644 ## ## # -@@ -4318,7 +4706,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4726,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') 
@@ -17841,7 +17983,7 @@ index ff006ea..0f250ab 100644 ') ######################################## -@@ -4342,6 +4730,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4750,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -17858,7 +18000,7 @@ index ff006ea..0f250ab 100644 ') ######################################## -@@ -4681,7 +5079,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +5099,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -17867,7 +18009,7 @@ index ff006ea..0f250ab 100644 ') ######################################## -@@ -5084,7 +5482,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5502,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -17876,7 +18018,7 @@ index ff006ea..0f250ab 100644 ') ######################################## -@@ -5219,7 +5617,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5637,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -17885,7 +18027,7 @@ index ff006ea..0f250ab 100644 ') ######################################## -@@ -5259,6 +5657,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5259,6 +5677,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -17911,7 +18053,7 @@ index ff006ea..0f250ab 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5304,6 +5721,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5741,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -17937,7 +18079,7 @@ index ff006ea..0f250ab 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5753,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5773,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') 
@@ -17946,7 +18088,7 @@ index ff006ea..0f250ab 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5774,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5794,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -17962,7 +18104,7 @@ index ff006ea..0f250ab 100644 ## ## ## -@@ -5349,12 +5789,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5809,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -17995,7 +18137,7 @@ index ff006ea..0f250ab 100644 ') ######################################## -@@ -5373,6 +5831,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5851,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -18003,7 +18145,7 @@ index ff006ea..0f250ab 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5844,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5864,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -18011,7 +18153,7 @@ index ff006ea..0f250ab 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5870,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5890,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -18020,7 +18162,7 @@ index ff006ea..0f250ab 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5886,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5906,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -18037,7 +18179,7 @@ index ff006ea..0f250ab 100644 ') ######################################## -@@ -5452,7 +5910,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5930,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') 
@@ -18046,7 +18188,7 @@ index ff006ea..0f250ab 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5951,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5971,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -18055,7 +18197,7 @@ index ff006ea..0f250ab 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5973,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5993,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -18064,7 +18206,7 @@ index ff006ea..0f250ab 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +6005,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +6025,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -18075,7 +18217,7 @@ index ff006ea..0f250ab 100644 ') ######################################## -@@ -5608,6 +6066,43 @@ interface(`files_search_pids',` +@@ -5608,6 +6086,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') 
@@ -18119,355 +18261,100 @@ index ff006ea..0f250ab 100644 ######################################## ## ## Do not audit attempts to search -@@ -5629,6 +6124,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5629,26 +6144,27 @@ interface(`files_dontaudit_search_pids',` ######################################## ## +-## List the contents of the runtime process +-## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## - ## List the contents of the runtime process - ## ID directories (/var/run). - ## -@@ -5736,7 +6250,7 @@ interface(`files_pid_filetrans',` - ') - - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_run_t, $2, $3) -+ filetrans_pattern($1, var_run_t, $2, $3, $4) - ') - - ######################################## -@@ -5815,29 +6329,25 @@ interface(`files_dontaudit_ioctl_all_pids',` - - ######################################## - ## --## Read all process ID files. -+## Relable all pid directories ## ## ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_read_all_pids',` -+interface(`files_relabel_all_pid_dirs',` - gen_require(` - attribute pidfile; -- type var_t; - ') - -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) -+ relabel_dirs_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. 
-+## Delete all pid sockets - ## - ## - ## -@@ -5845,42 +6355,35 @@ interface(`files_read_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_pid_sockets',` - gen_require(` -- attribute polymember; -+ attribute pidfile; - ') - -- allow $1 polymember:dir mounton; -+ allow $1 pidfile:sock_file delete_sock_file_perms; - ') - - ######################################## - ## --## Delete all process IDs. -+## Create all pid sockets - ## - ## - ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## --## # --interface(`files_delete_all_pids',` -+interface(`files_create_all_pid_sockets',` +-interface(`files_list_pids',` ++interface(`files_dontaudit_search_all_pids',` gen_require(` - attribute pidfile; - type var_t, var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -+ allow $1 pidfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Delete all process ID directories. -+## Create all pid named pipes - ## - ## - ## -@@ -5888,20 +6391,17 @@ interface(`files_delete_all_pids',` - ## - ## - # --interface(`files_delete_all_pid_dirs',` -+interface(`files_create_all_pid_pipes',` - gen_require(` - attribute pidfile; -- type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- delete_dirs_pattern($1, pidfile, pidfile) -+ allow $1 pidfile:fifo_file create_fifo_file_perms; - ') - - ######################################## - ## --## Search the contents of generic spool --## directories (/var/spool). 
-+## Delete all pid named pipes - ## - ## - ## -@@ -5909,56 +6409,59 @@ interface(`files_delete_all_pid_dirs',` - ## - ## - # --interface(`files_search_spool',` -+interface(`files_delete_all_pid_pipes',` - gen_require(` -- type var_t, var_spool_t; + attribute pidfile; ') -- search_dirs_pattern($1, var_t, var_spool_t) -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) ++ dontaudit $1 pidfile:dir search_dir_perms; ') ######################################## ## --## Do not audit attempts to search generic --## spool directories. -+## manage all pidfile directories -+## in the /var/run directory. +-## Read generic process ID files. ++## List the contents of the runtime process ++## ID directories (/var/run). ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -5656,7 +6172,25 @@ interface(`files_list_pids',` ## ## # --interface(`files_dontaudit_search_spool',` -+interface(`files_manage_all_pid_dirs',` - gen_require(` -- type var_spool_t; -+ attribute pidfile; - ') - -- dontaudit $1 var_spool_t:dir search_dir_perms; -+ manage_dirs_pattern($1,pidfile,pidfile) - ') - +-interface(`files_read_generic_pids',` ++interface(`files_list_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') + - ######################################## - ## --## List the contents of generic spool --## (/var/spool) directories. -+## Read all process ID files. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`files_list_spool',` -+interface(`files_read_all_pids',` - gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; -+ type var_t; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool directories (/var/spool). 
-+## Relable all pid files - ## - ## - ## -@@ -5966,18 +6469,17 @@ interface(`files_list_spool',` - ## - ## - # --interface(`files_manage_generic_spool_dirs',` -+interface(`files_relabel_all_pid_files',` - gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) -+ relabel_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Read generic spool files. -+## Execute generic programs in /var/run in the caller domain. - ## - ## - ## -@@ -5985,19 +6487,18 @@ interface(`files_manage_generic_spool_dirs',` - ## - ## - # --interface(`files_read_generic_spool',` -+interface(`files_exec_generic_pid_files',` ++ list_dirs_pattern($1, var_t, var_run_t) ++') ++ ++######################################## ++## ++## Read generic process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_pids',` gen_require(` -- type var_t, var_spool_t; -+ type var_run_t; + type var_t, var_run_t; ') - -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) -+ exec_files_pattern($1, var_run_t, var_run_t) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. -+## manage all pidfiles -+## in the /var/run directory. 
- ## - ## - ## -@@ -6005,50 +6506,313 @@ interface(`files_read_generic_spool',` - ## - ## - # --interface(`files_manage_generic_spool',` -+interface(`files_manage_all_pids',` - gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; +@@ -5736,7 +6270,7 @@ interface(`files_pid_filetrans',` ') -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) -+ manage_files_pattern($1,pidfile,pidfile) + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_run_t, $2, $3) ++ filetrans_pattern($1, var_run_t, $2, $3, $4) ') ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. -+## Mount filesystems on all polyinstantiation -+## member directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## - # --interface(`files_spool_filetrans',` -+interface(`files_mounton_all_poly_members',` - gen_require(` -- type var_t, var_spool_t; -+ attribute polymember; - ') - -- allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3) -+ allow $1 polymember:dir mounton; - ') +@@ -5815,6 +6349,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## --## Allow access to manage all polyinstantiated --## directories on the system. -+## Delete all process IDs. ++## Relable all pid directories +## +## +## +## Domain allowed access. 
+## +## -+## +# -+interface(`files_delete_all_pids',` ++interface(`files_relabel_all_pid_dirs',` + gen_require(` + attribute pidfile; -+ type var_t, var_run_t; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ relabel_dirs_pattern($1, pidfile, pidfile) +') + +######################################## +## -+## Delete all process ID directories. ++## Delete all pid sockets +## +## +## @@ -18475,67 +18362,35 @@ index ff006ea..0f250ab 100644 +## +## +# -+interface(`files_delete_all_pid_dirs',` ++interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; -+ type var_t; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:sock_file delete_sock_file_perms; +') + +######################################## +## -+## Make the specified type a file -+## used for spool files. ++## Create all pid sockets +## -+## -+##

-+## Make the specified type usable for spool files. -+## This will also make the type usable for files, making -+## calls to files_type() redundant. Failure to use this interface -+## for a spool file may result in problems with -+## purging spool files. -+##

-+##

-+## Related interfaces: -+##

-+##
    -+##
  • files_spool_filetrans()
  • -+##
-+##

-+## Example usage with a domain that can create and -+## write its spool file in the system spool file -+## directories (/var/spool): -+##

-+##

-+## type myspoolfile_t; -+## files_spool_file(myfile_spool_t) -+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; -+## files_spool_filetrans(mydomain_t, myfile_spool_t, file) -+##

-+##
-+## ++## +## -+## Type of the file to be used as a -+## spool file. ++## Domain allowed access. +## +## -+## +# -+interface(`files_spool_file',` ++interface(`files_create_all_pid_sockets',` + gen_require(` -+ attribute spoolfile; ++ attribute pidfile; + ') + -+ files_type($1) -+ typeattribute $1 spoolfile; ++ allow $1 pidfile:sock_file create_sock_file_perms; +') + +######################################## +## -+## Create all spool sockets ++## Create all pid named pipes +## +## +## @@ -18543,17 +18398,17 @@ index ff006ea..0f250ab 100644 +## +## +# -+interface(`files_create_all_spool_sockets',` ++interface(`files_create_all_pid_pipes',` + gen_require(` -+ attribute spoolfile; ++ attribute pidfile; + ') + -+ allow $1 spoolfile:sock_file create_sock_file_perms; ++ allow $1 pidfile:fifo_file create_fifo_file_perms; +') + +######################################## +## -+## Delete all spool sockets ++## Delete all pid named pipes +## +## +## @@ -18561,18 +18416,18 @@ index ff006ea..0f250ab 100644 +## +## +# -+interface(`files_delete_all_spool_sockets',` ++interface(`files_delete_all_pid_pipes',` + gen_require(` -+ attribute spoolfile; ++ attribute pidfile; + ') + -+ allow $1 spoolfile:sock_file delete_sock_file_perms; ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; +') + +######################################## +## -+## Search the contents of generic spool -+## directories (/var/spool). ++## manage all pidfile directories ++## in the /var/run directory. +## +## +## 
@@ -18580,37 +18435,48 @@ index ff006ea..0f250ab 100644 +## +## +# -+interface(`files_search_spool',` ++interface(`files_manage_all_pid_dirs',` + gen_require(` -+ type var_t, var_spool_t; ++ attribute pidfile; + ') + -+ search_dirs_pattern($1, var_t, var_spool_t) ++ manage_dirs_pattern($1,pidfile,pidfile) ++') ++ ++ ++######################################## ++## + ## Read all process ID files. + ## + ## +@@ -5832,6 +6476,62 @@ interface(`files_read_all_pids',` + + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) +') + +######################################## +## -+## Do not audit attempts to search generic -+## spool directories. ++## Relable all pid files +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_search_spool',` ++interface(`files_relabel_all_pid_files',` + gen_require(` -+ type var_spool_t; ++ attribute pidfile; + ') + -+ dontaudit $1 var_spool_t:dir search_dir_perms; ++ relabel_files_pattern($1, pidfile, pidfile) +') + +######################################## +## -+## List the contents of generic spool -+## (/var/spool) directories. ++## Execute generic programs in /var/run in the caller domain. +## +## +## @@ -18618,18 +18484,18 @@ index ff006ea..0f250ab 100644 +## +## +# -+interface(`files_list_spool',` ++interface(`files_exec_generic_pid_files',` + gen_require(` -+ type var_t, var_spool_t; ++ type var_run_t; + ') + -+ list_dirs_pattern($1, var_t, var_spool_t) ++ exec_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## -+## Create, read, write, and delete generic -+## spool directories (/var/spool). ++## manage all pidfiles ++## in the /var/run directory. +## +## +## 
@@ -18637,38 +18503,68 @@ index ff006ea..0f250ab 100644 +## +## +# -+interface(`files_manage_generic_spool_dirs',` ++interface(`files_manage_all_pids',` + gen_require(` -+ type var_t, var_spool_t; ++ attribute pidfile; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Read generic spool files. ++ manage_files_pattern($1,pidfile,pidfile) + ') + + ######################################## +@@ -5900,6 +6600,90 @@ interface(`files_delete_all_pid_dirs',` + + ######################################## + ## ++## Make the specified type a file ++## used for spool files. +## -+## ++## ++##

++## Make the specified type usable for spool files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a spool file may result in problems with ++## purging spool files. ++##

++##

++## Related interfaces: ++##

++##
    ++##
  • files_spool_filetrans()
  • ++##
++##

++## Example usage with a domain that can create and ++## write its spool file in the system spool file ++## directories (/var/spool): ++##

++##

++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++##

++##
++## +## -+## Domain allowed access. ++## Type of the file to be used as a ++## spool file. +## +## ++## +# -+interface(`files_read_generic_spool',` ++interface(`files_spool_file',` + gen_require(` -+ type var_t, var_spool_t; ++ attribute spoolfile; + ') + -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) ++ files_type($1) ++ typeattribute $1 spoolfile; +') + +######################################## +## -+## Create, read, write, and delete generic -+## spool files. ++## Create all spool sockets +## +## +## 
@@ -18676,54 +18572,47 @@ index ff006ea..0f250ab 100644 +## +## +# -+interface(`files_manage_generic_spool',` ++interface(`files_create_all_spool_sockets',` + gen_require(` -+ type var_t, var_spool_t; ++ attribute spoolfile; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) ++ allow $1 spoolfile:sock_file create_sock_file_perms; +') + +######################################## +## -+## Create objects in the spool directory -+## with a private type with a type transition. ++## Delete all spool sockets +## +## +## +## Domain allowed access. +## +## -+## -+## -+## Type to which the created node will be transitioned. -+## -+## -+## -+## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. -+## -+## +# -+interface(`files_spool_filetrans',` ++interface(`files_delete_all_spool_sockets',` + gen_require(` -+ type var_t, var_spool_t; ++ attribute spoolfile; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 spoolfile:sock_file delete_sock_file_perms; +') + +######################################## +## -+## Allow access to manage all polyinstantiated -+## directories on the system. + ## Search the contents of generic spool + ## directories (/var/spool). ## - ## - ## -@@ -6117,3 +6881,302 @@ interface(`files_unconfined',` +@@ -6042,7 +6826,7 @@ interface(`files_spool_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3) ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) + ') + + ######################################## +@@ -6117,3 +6901,302 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -19761,18 +19650,19 @@ index 97fcdac..2918153 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index f125dc2..f5e522e 100644 +index f125dc2..744b299 100644 --- a/policy/modules/kernel/filesystem.te 
+++ b/policy/modules/kernel/filesystem.te -@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); +@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. -@@ -52,6 +53,7 @@ type anon_inodefs_t; +@@ -52,6 +54,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -19780,7 +19670,7 @@ index f125dc2..f5e522e 100644 type bdev_t; fs_type(bdev_t) -@@ -67,7 +69,7 @@ fs_type(capifs_t) +@@ -67,7 +70,7 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) @@ -19789,7 +19679,7 @@ index f125dc2..f5e522e 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -96,6 +98,7 @@ type hugetlbfs_t; +@@ -96,6 +99,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -19797,7 +19687,7 @@ index f125dc2..f5e522e 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -144,11 +147,6 @@ fs_type(spufs_t) +@@ -144,11 +148,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -19809,7 +19699,7 @@ index f125dc2..f5e522e 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -175,6 +173,7 @@ fs_type(tmpfs_t) +@@ -175,6 +174,7 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) 
@@ -19817,7 +19707,7 @@ index f125dc2..f5e522e 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -254,6 +253,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -254,6 +254,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -19826,7 +19716,7 @@ index f125dc2..f5e522e 100644 files_mountpoint(removable_t) # -@@ -273,6 +274,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -273,6 +275,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -20722,7 +20612,7 @@ index 57c4a6a..6a19a94 100644 /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..6499ecb 100644 +index 1700ef2..c9d11d5 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` 
@@ -20742,38 +20632,56 @@ index 1700ef2..6499ecb 100644 dev_add_entry_generic_dirs($1) ') -@@ -267,6 +270,30 @@ interface(`storage_dev_filetrans_fixed_disk',` - ') - +@@ -269,6 +272,48 @@ interface(`storage_dev_filetrans_fixed_disk',` dev_filetrans($1, fixed_disk_device_t, blk_file) -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") -+ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") ') ++###################################### ++## ++## Create block devices in /dev with the fixed disk type ++## via an automatic type transition. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`storage_dev_filetrans_named_fixed_disk',` ++ gen_require(` ++ type fixed_disk_device_t; ++ ') ++ ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8") ++ dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9") ++') ++ ######################################## -@@ -808,3 +835,369 @@ interface(`storage_unconfined',` + ## + ## Create block devices in on a tmpfs filesystem with the +@@ -808,3 +853,369 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') @@ -33835,7 +33743,7 @@ index 305ddf4..173cd16 100644 admin_pattern($1, ptal_etc_t) 
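Review bot: The summary on the new `storage_dev_filetrans_named_fixed_disk` interface says "Create block devices in /dev with the fixed disk type", but every rule in its body is a `chr_file` name transition (`jsflash`, `lvm`, `megaraid_sas_ioctl_node`, `megadev0`-`megadev9`, `device-mapper`, `raw0`-`raw9`). The text looks copied from `storage_dev_filetrans_fixed_disk`. I would reword it to `Create named character devices in /dev with the fixed disk type via an automatic name-based type transition.` so callers can see exactly what they grant. Nodes created under these names end up labelled `fixed_disk_device_t`, so it is also worth checking which domains call the new interface; the callers are outside this hunk.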
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..5dafe6a 100644 +index 0f28095..5972414 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -33894,7 +33802,7 @@ index 0f28095..5dafe6a 100644 term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -@@ -220,6 +225,7 @@ corecmd_exec_bin(cupsd_t) +@@ -220,11 +225,13 @@ corecmd_exec_bin(cupsd_t) domain_use_interactive_fds(cupsd_t) @@ -33902,7 +33810,13 @@ index 0f28095..5dafe6a 100644 files_list_spool(cupsd_t) files_read_etc_files(cupsd_t) files_read_etc_runtime_files(cupsd_t) -@@ -270,12 +276,6 @@ files_dontaudit_list_home(cupsd_t) + # read python modules + files_read_usr_files(cupsd_t) ++files_exec_usr_files(cupsd_t) + # for /var/lib/defoma + files_read_var_lib_files(cupsd_t) + files_list_world_readable(cupsd_t) +@@ -270,12 +277,6 @@ files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) @@ -33915,7 +33829,7 @@ index 0f28095..5dafe6a 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -297,8 +297,10 @@ optional_policy(` +@@ -297,8 +298,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -33926,7 +33840,7 @@ index 0f28095..5dafe6a 100644 ') ') -@@ -311,10 +313,22 @@ optional_policy(` +@@ -311,10 +314,22 @@ optional_policy(` ') optional_policy(` @@ -33949,7 +33863,7 @@ index 0f28095..5dafe6a 100644 mta_send_mail(cupsd_t) ') -@@ -322,6 +336,8 @@ optional_policy(` +@@ -322,6 +337,8 @@ optional_policy(` # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) 
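Review bot: `files_exec_usr_files(cupsd_t)` is added directly under the existing `# read python modules` comment, which explains the read rule but not why cupsd now needs to execute generic /usr content. Judging by its name, the interface lets cupsd_t run any file carrying the generic usr label without a domain transition, which is a broad grant for a daemon domain. I would put a why-comment above it, for example `# cupsd executes <helper path from the AVC denial> shipped under /usr`. If the set of helpers is small, labelling them with a dedicated exec type would be narrower than opening all generic /usr files.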
@@ -33958,7 +33872,7 @@ index 0f28095..5dafe6a 100644 ') optional_policy(` -@@ -371,8 +387,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +388,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -33969,7 +33883,7 @@ index 0f28095..5dafe6a 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -393,6 +410,10 @@ dev_read_sysfs(cupsd_config_t) +@@ -393,6 +411,10 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -33980,7 +33894,7 @@ index 0f28095..5dafe6a 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +446,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +447,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -33994,7 +33908,7 @@ index 0f28095..5dafe6a 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +474,10 @@ optional_policy(` +@@ -453,6 +475,10 @@ optional_policy(` ') optional_policy(` @@ -34005,7 +33919,7 @@ index 0f28095..5dafe6a 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +492,10 @@ optional_policy(` +@@ -467,6 +493,10 @@ optional_policy(` ') optional_policy(` @@ -34016,7 +33930,7 @@ index 0f28095..5dafe6a 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -537,6 +566,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +@@ -537,6 +567,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) corenet_tcp_bind_generic_node(cupsd_lpd_t) corenet_udp_bind_generic_node(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) 
@@ -34024,7 +33938,7 @@ index 0f28095..5dafe6a 100644 dev_read_urand(cupsd_lpd_t) dev_read_rand(cupsd_lpd_t) -@@ -587,13 +617,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,13 +618,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -34044,7 +33958,7 @@ index 0f28095..5dafe6a 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +640,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +641,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') @@ -34055,7 +33969,7 @@ index 0f28095..5dafe6a 100644 ######################################## # # HPLIP local policy -@@ -639,7 +677,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +678,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -34064,7 +33978,7 @@ index 0f28095..5dafe6a 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +723,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +724,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -34072,7 +33986,7 @@ index 0f28095..5dafe6a 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +735,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +736,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) 
@@ -45294,8 +45208,18 @@ index 83f002c..ed69996 100644 corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) +diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc +index ddc14d6..c74bf3d 100644 +--- a/policy/modules/services/mpd.fc ++++ b/policy/modules/services/mpd.fc +@@ -6,3 +6,5 @@ + /var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) + /var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) + /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) ++ ++/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te -index 7f68872..e4ac35e 100644 +index 7f68872..d6d81cb 100644 --- a/policy/modules/services/mpd.te +++ b/policy/modules/services/mpd.te @@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -45308,7 +45232,18 @@ index 7f68872..e4ac35e 100644 manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) -@@ -103,6 +106,19 @@ logging_send_syslog_msg(mpd_t) +@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t) + + read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) + ++manage_dirs_pattern(mpd_t, mpd_log_t, mpd_log_t) ++manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t) ++logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file }) ++ + manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) + manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) + manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +@@ -103,6 +110,19 @@ logging_send_syslog_msg(mpd_t) miscfiles_read_localization(mpd_t) @@ -45328,7 +45263,7 @@ index 7f68872..e4ac35e 100644 optional_policy(` alsa_read_rw_config(mpd_t) ') -@@ -122,5 +138,14 @@ optional_policy(` +@@ -122,5 +142,14 @@ optional_policy(` ') optional_policy(` 
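Review bot: In the mpd.te hunk, `logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })` sets up a type transition for symlinks, but the two rules added above it cover only directories and files (`manage_dirs_pattern`, `manage_files_pattern`). No visible rule lets mpd_t create an `mpd_log_t` lnk_file, so that part of the transition can only lead to denials. Unless mpd really creates symlinks under /var/log, I would narrow it to `logging_log_filetrans(mpd_t, mpd_log_t, { dir file })`, which also avoids granting a daemon symlink creation in a log directory. The declaration of `mpd_log_t` is not in this hunk; presumably it sits in the `@@ -44,6 +44,9 @@` hunk, so confirm it is declared as a log file type there.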
@@ -47828,7 +47763,7 @@ index 0619395..293aaca 100644 ######################################## diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc -index 15448d5..3587f6a 100644 +index 15448d5..2eef00c 100644 --- a/policy/modules/services/nis.fc +++ b/policy/modules/services/nis.fc @@ -1,5 +1,5 @@ @@ -47838,19 +47773,20 @@ index 15448d5..3587f6a 100644 /etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) /etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) -@@ -7,10 +7,10 @@ +@@ -7,10 +7,11 @@ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) ++/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) -@@ -19,3 +19,8 @@ +@@ -19,3 +20,8 @@ /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) @@ -47998,7 +47934,7 @@ index abe3f7f..2214d71 100644 + nis_systemctl($1) ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te -index 4876cae..eabed96 100644 +index 4876cae..8db6004 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t) 
@@ -48049,7 +47985,16 @@ index 4876cae..eabed96 100644 allow yppasswdd_t self:unix_dgram_socket create_socket_perms; allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -@@ -211,6 +218,10 @@ optional_policy(` +@@ -156,6 +163,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) + manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) + manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) + ++can_exec(yppasswdd_t,yppasswdd_exec_t) ++ + kernel_list_proc(yppasswdd_t) + kernel_read_proc_symlinks(yppasswdd_t) + kernel_getattr_proc_files(yppasswdd_t) +@@ -211,6 +220,10 @@ optional_policy(` ') optional_policy(` @@ -48060,7 +48005,7 @@ index 4876cae..eabed96 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -224,8 +235,8 @@ optional_policy(` +@@ -224,8 +237,8 @@ optional_policy(` # dontaudit ypserv_t self:capability sys_tty_config; @@ -63245,10 +63190,10 @@ index 0000000..7647279 + diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te new file mode 100644 -index 0000000..4fd2377 +index 0000000..c2c115a --- /dev/null +++ b/policy/modules/services/vdagent.te -@@ -0,0 +1,54 @@ +@@ -0,0 +1,55 @@ +policy_module(vdagent,1.0.0) + +######################################## @@ -63272,6 +63217,7 @@ index 0000000..4fd2377 +# + +dontaudit vdagent_t self:capability sys_admin; ++allow vdagent_t self:process signal; + +allow vdagent_t self:fifo_file rw_fifo_file_perms; +allow vdagent_t self:unix_stream_socket create_stream_socket_perms; @@ -64054,7 +64000,7 @@ index 7c5d8d8..45bac8e 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..2cd5679 100644 +index 3eca020..bea24d2 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) 
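Review bot: The added `can_exec(yppasswdd_t,yppasswdd_exec_t)` in nis.te carries no comment saying why the daemon needs to execute its own entrypoint type without a transition. It appears to pair with the new `/usr/sbin/rpc\.yppasswdd\.env` file context in the nis.fc hunk (inferred from the two hunks, not stated in the patch); a one-line comment such as `# rpc.yppasswdd.env wrapper executes rpc.yppasswdd` would record that for the next reader. The call is also missing the space after the comma that the neighbouring `manage_files_pattern(...)` lines use: `can_exec(yppasswdd_t, yppasswdd_exec_t)`.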
@@ -64594,7 +64540,7 @@ index 3eca020..2cd5679 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +618,373 @@ files_search_all(virt_domain) +@@ -440,25 +618,375 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -64781,6 +64727,7 @@ index 3eca020..2cd5679 100644 +manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; ++files_associate_rootfs(svirt_lxc_file_t) + +storage_manage_fixed_disk(virtd_lxc_t) + @@ -64804,6 +64751,7 @@ index 3eca020..2cd5679 100644 +files_mount_all_file_type_fs(virtd_lxc_t) +files_unmount_all_file_type_fs(virtd_lxc_t) +files_list_isid_type_dirs(virtd_lxc_t) ++files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) + +fs_manage_tmpfs_dirs(virtd_lxc_t) +fs_manage_tmpfs_chr_files(virtd_lxc_t) @@ -68188,10 +68136,35 @@ index f9a06d2..3d407c6 100644 files_read_etc_files(zos_remote_t) diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index 1b6619e..c480ddd 100644 +index 1b6619e..3aed6ad 100644 --- a/policy/modules/system/application.if 
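Review bot: `files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)` in virt.te applies the transition to every file class, so any file, socket, fifo or device node that virtd_lxc_t creates directly in a root-labelled directory comes out as svirt_lxc_file_t, not only the container root directory. If the daemon only needs to create directories there, narrowing the class keeps stray objects from picking up the container content label: `files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir)`. Which classes are actually created in / cannot be told from these hunks, so this should be checked against the denials that motivated the change. The companion `files_associate_rootfs(svirt_lxc_file_t)` in the earlier hunk of the same file would also benefit from a short comment saying which filesystem the container content lives on, since the surrounding virtd_lxc_t block continues outside both hunks.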
+++ b/policy/modules/system/application.if -@@ -205,3 +205,21 @@ interface(`application_dontaudit_sigkill',` +@@ -189,6 +189,24 @@ interface(`application_dontaudit_signal',` + + ######################################## + ## ++## Send kill signals to all application domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`application_sigkill',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ allow $1 application_domain_type:process sigkill; ++') ++ ++######################################## ++## + ## Do not audit attempts to send kill signals + ## to all application domains. + ## +@@ -205,3 +223,21 @@ interface(`application_dontaudit_sigkill',` dontaudit $1 application_domain_type:process sigkill; ') @@ -71727,7 +71700,7 @@ index ddbd8be..8ba922e 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 560dc48..ffb8797 100644 +index 560dc48..5b99ce0 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -28,7 +28,9 @@ ifdef(`distro_redhat',` @@ -71758,9 +71731,12 @@ index 560dc48..ffb8797 100644 ') ifdef(`distro_gentoo',` -@@ -62,7 +59,6 @@ ifdef(`distro_gentoo',` +@@ -60,9 +57,8 @@ ifdef(`distro_gentoo',` # - /opt/.*\.so gen_context(system_u:object_r:lib_t,s0) + # /opt + # +-/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) ++/opt/.*\.so(\.[^/]*)* gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) @@ -76774,10 +76750,10 @@ index 0000000..1688a39 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..9106ba4 +index 0000000..c52e7dc --- /dev/null 
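Review bot: The new libraries.fc entry `/opt/.*\.so(\.[^/]*)*` has no file-class specifier, so it applies lib_t to anything under /opt whose name matches, including directories and symlinks. The `(\.[^/]*)*` suffix also accepts arbitrary text after `.so.`, not just version numbers. The original line had the same missing specifier, but the wider suffix makes it match more paths than before. If only regular shared objects are meant, `/opt/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)` restricts it to regular files, in line with the `--` already used on the `/opt/(.*/)?java/.+\.jar` entry two lines below.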
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,381 @@ +@@ -0,0 +1,389 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -76838,7 +76814,7 @@ index 0000000..9106ba4 +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config }; ++allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config }; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; @@ -76905,6 +76881,14 @@ index 0000000..9106ba4 +userdom_manage_user_tmp_dirs(systemd_logind_t) +userdom_manage_user_tmp_files(systemd_logind_t) +userdom_manage_user_tmp_symlinks(systemd_logind_t) ++userdom_manage_user_tmp_sockets(systemd_logind_t) ++userdom_signal_all_users(systemd_logind_t) ++userdom_signull_all_users(systemd_logind_t) ++userdom_kill_all_users(systemd_logind_t) ++ ++application_signal(systemd_logind_t) ++application_signull(systemd_logind_t) ++application_sigkill(systemd_logind_t) + +optional_policy(` + cron_dbus_chat_crond(systemd_logind_t) @@ -78373,7 +78357,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..dcfd6fd 100644 +index 4b2878a..11fb936 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
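Review bot: The capability line for systemd_logind_t now includes `kill`, but the comment above it still explains only `dac_override`. Together with `userdom_signal_all_users`, `userdom_signull_all_users`, `userdom_kill_all_users` and the three `application_*` signal calls added in the later hunk of this file, the domain can now signal and SIGKILL every user and application domain regardless of process ownership. That is a wide grant and should carry its justification next to the rule, for example `# kill: terminate leftover session processes when a session ends` (presumed reason, to be confirmed by the author). If only termination is needed, it is also worth confirming that the generic `signal` grants from `userdom_signal_all_users` and `application_signal` are required in addition to `sigkill`.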
@@ -80738,10 +80722,30 @@ index 4b2878a..dcfd6fd 100644 kernel_search_proc($1) ') -@@ -3142,6 +3846,24 @@ interface(`userdom_signal_all_users',` +@@ -3140,6 +3844,42 @@ interface(`userdom_signal_all_users',` + allow $1 userdomain:process signal; + ') - ######################################## - ## ++####################################### ++## ++## Send signull to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_signull_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process signull; ++') ++ ++######################################## ++## +## Send kill signals to all user domains. +## +## @@ -80758,12 +80762,10 @@ index 4b2878a..dcfd6fd 100644 + allow $1 userdomain:process sigkill; +') + -+######################################## -+## + ######################################## + ## ## Send a SIGCHLD signal to all user domains. - ## - ## -@@ -3160,6 +3882,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3900,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -80788,7 +80790,7 @@ index 4b2878a..dcfd6fd 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3934,1220 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3952,1238 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -81725,6 +81727,24 @@ index 4b2878a..dcfd6fd 100644 + +######################################## +## ++## Write all inherited users home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_inherited_user_home_sock_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:sock_file write; ++') ++ ++######################################## ++## +## Delete all users files in /tmp +## +## diff --git a/selinux-policy.spec b/selinux-policy.spec index 8c479a8..bcfba22 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
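Review bot: `userdom_rw_inherited_user_home_sock_files` does not match its own name or summary. Its body is `allow $1 user_home_t:sock_file write;`, which grants write only, contains nothing that limits it to inherited descriptors, and covers sock files, while the summary reads "Write all inherited users home files". The spec changelog describes the same change as letting mozilla_plugin_t read a user_home_t socket, so the stated intent and the rule disagree about read versus write. Since callers will trust the name, either rename it to reflect what it grants or at least correct the summary to `Write to user home directory sock files.`, and say in a comment that connecting to a named socket is the purpose, if that is the case.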
@@ -467,6 +467,11 @@ SELinux Reference policy mls base module. %changelog * Fri Apr 6 2012 Miroslav Grepl 3.10.0-82 +- zfs now supports xattrs +- allow mozilla_plugin_t to read user_home_t socket +- Allow signal for vhostmd +- Add support for echo port +- Allow mpd_t to manage log files - Add httpd_use_fusefs boolean - /etc/auto.* should be labeled bin_t - Allow sshd_t to signal processes that it transitions to