diff --git a/policy-F15.patch b/policy-F15.patch index 9844784..00dd796 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -723,7 +723,7 @@ index 56c43c0..de535e4 100644 +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) + diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te -index 5671977..7b4728c 100644 +index 5671977..8498ed1 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te @@ -7,9 +7,13 @@ policy_module(mcelog, 1.1.0) @@ -744,10 +744,10 @@ index 5671977..7b4728c 100644 allow mcelog_t self:capability sys_admin; -+allow mcelog_t mcelog_var_run_t:file manage_file_perms; -+allow mcelog_t mcelog_var_run_t:sock_file manage_sock_file_perms; -+allow mcelog_t mcelog_var_run_t:dir manage_dir_perms; -+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) ++manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) ++manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) ++manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) ++files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file ) + kernel_read_system_state(mcelog_t) @@ -1242,7 +1242,7 @@ index 47c4723..4866a08 100644 + domtrans_pattern($1, readahead_exec_t, readahead_t) +') diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te -index b4ac57e..c00f4d9 100644 +index b4ac57e..d3b51b7 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; @@ -1272,15 +1272,21 @@ index b4ac57e..c00f4d9 100644 kernel_read_all_sysctls(readahead_t) kernel_read_system_state(readahead_t) -@@ -53,6 +56,7 @@ domain_read_all_domains_state(readahead_t) +@@ -53,10 +56,13 @@ domain_read_all_domains_state(readahead_t) files_list_non_security(readahead_t) files_read_non_security_files(readahead_t) +files_dontaudit_read_security_files(readahead_t) ++files_dontaudit_write_all_files(readahead_t) files_create_boot_flag(readahead_t) files_getattr_all_pipes(readahead_t) files_dontaudit_getattr_all_sockets(readahead_t) -@@ -66,12 +70,14 @@ fs_read_cgroup_files(readahead_t) + files_dontaudit_getattr_non_security_blk_files(readahead_t) ++files_dontaudit_all_access_check(readahead_t) + + fs_getattr_all_fs(readahead_t) + fs_search_auto_mountpoints(readahead_t) +@@ -66,12 +72,14 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) @@ -2020,7 +2026,7 @@ index 975af1a..30a7f38 100644 fs_manage_nfs_files($1_sudo_t) ') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index 7aacfc2..9829fc3 100644 +index 2731fa1..3443ba2 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -7,3 +7,7 @@ attribute sudodomain; @@ -2108,7 +2114,7 @@ index 81fb26f..cd18ca8 100644 optional_policy(` diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..b90d4cc 100644 +index 441cf22..89a126f 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t) @@ -2122,7 +2128,18 @@ index 441cf22..b90d4cc 100644 # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) -@@ -194,8 +192,7 @@ selinux_compute_create_context(groupadd_t) +@@ -118,6 +116,10 @@ userdom_use_unpriv_users_fds(chfn_t) + # on user home dir + userdom_dontaudit_search_user_home_content(chfn_t) + ++optional_policy(` ++ rssh_exec(chfn_t) ++') ++ + ######################################## + # + # Crack local policy +@@ -194,8 +196,7 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -2132,7 +2149,7 @@ index 441cf22..b90d4cc 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -291,17 +288,18 @@ selinux_compute_create_context(passwd_t) +@@ -291,17 +292,18 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -2155,7 +2172,7 @@ index 441cf22..b90d4cc 100644 domain_use_interactive_fds(passwd_t) -@@ -332,6 +330,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +334,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2163,7 +2180,7 @@ index 441cf22..b90d4cc 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -381,8 +380,7 @@ dev_read_urand(sysadm_passwd_t) +@@ -381,8 +384,7 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -2173,7 +2190,7 @@ index 441cf22..b90d4cc 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) -@@ -426,7 +424,7 @@ optional_policy(` +@@ -426,7 +428,7 @@ optional_policy(` # Useradd local policy # @@ -2182,7 +2199,7 @@ index 441cf22..b90d4cc 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -469,8 +467,7 @@ selinux_compute_create_context(useradd_t) +@@ -469,8 +471,7 @@ selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) @@ -2192,7 +2209,7 @@ index 441cf22..b90d4cc 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,12 +495,8 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,12 +499,8 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -2613,15 +2630,16 @@ index 0000000..09f0673 +/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if new file mode 100644 -index 0000000..06ed3de +index 0000000..ee9466f --- /dev/null +++ b/policy/modules/apps/execmem.if -@@ -0,0 +1,110 @@ +@@ -0,0 +1,111 @@ +## execmem domain + +######################################## +## -+## Execute the execmem program in the execmem domain. ++## Execute the execmem program ++## in the caller domain. +## +## +## @@ -4918,7 +4936,7 @@ index 9a6d67d..dba7755 100644 +') + diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..2b4fe93 100644 +index 2a91fa8..26f1ff3 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) @@ -5000,7 +5018,7 @@ index 2a91fa8..2b4fe93 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,176 @@ optional_policy(` +@@ -266,3 +291,180 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -5030,6 +5048,7 @@ index 2a91fa8..2b4fe93 100644 +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) ++userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) + +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) @@ -5083,6 +5102,8 @@ index 2a91fa8..2b4fe93 100644 + +application_dontaudit_signull(mozilla_plugin_t) + ++auth_use_nsswitch(mozilla_plugin_t) ++ +logging_send_syslog_msg(mozilla_plugin_t) + +miscfiles_read_localization(mozilla_plugin_t) @@ -5101,6 +5122,7 @@ index 2a91fa8..2b4fe93 100644 +userdom_dontaudit_use_user_ptys(mozilla_plugin_t) +userdom_dontaudit_use_user_terminals(mozilla_plugin_t) +userdom_manage_user_tmp_sockets(mozilla_plugin_t) ++userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) + +userdom_list_user_tmp(mozilla_plugin_t) +userdom_manage_user_tmp_dirs(mozilla_plugin_t) @@ -6679,10 +6701,36 @@ index 4c091ca..a58f123 100644 + +/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0) diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if -index 7cdac1e..6f9f6e6 100644 +index 7cdac1e..8b920c8 100644 --- a/policy/modules/apps/rssh.if +++ b/policy/modules/apps/rssh.if -@@ -64,3 +64,21 @@ interface(`rssh_read_ro_content',` +@@ -2,6 +2,25 @@ + + ######################################## + ## ++## Execute the rssh program ++## in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rssh_exec',` ++ gen_require(` ++ type rssh_exec_t; ++ ') ++ ++ can_exec($1, rssh_exec_t) ++') ++ ++######################################## ++## + ## Role access for rssh + ## + ## +@@ -64,3 +83,21 @@ interface(`rssh_read_ro_content',` read_files_pattern($1, rssh_ro_t, rssh_ro_t) read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t) ') @@ -9115,7 +9163,7 @@ index 0757523..791a227 100644 +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 3b2da10..cb1a128 100644 +index 8ac94e4..c02f095 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -18,6 +18,7 @@ @@ -9134,7 +9182,7 @@ index 3b2da10..cb1a128 100644 /dev/pts(/.*)? <> /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -176,13 +178,12 @@ ifdef(`distro_suse', ` +@@ -178,13 +180,12 @@ ifdef(`distro_suse', ` /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) @@ -9150,7 +9198,7 @@ index 3b2da10..cb1a128 100644 ifdef(`distro_redhat',` # originally from named.fc -@@ -191,3 +192,8 @@ ifdef(`distro_redhat',` +@@ -193,3 +194,8 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -9160,7 +9208,7 @@ index 3b2da10..cb1a128 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index efaf808..79e4ff3 100644 +index efaf808..321f9ad 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,8 +146,8 @@ interface(`dev_relabel_all_dev_nodes',` @@ -9174,7 +9222,32 @@ index efaf808..79e4ff3 100644 relabel_blk_files_pattern($1, device_t, { device_t device_node }) relabel_chr_files_pattern($1, device_t, { device_t device_node }) ') -@@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',` +@@ -209,6 +209,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',` + + ######################################## + ## ++## Dontaudit attempts to list all device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_all_access_check',` ++ gen_require(` ++ attribute device_node; ++ ') ++ ++ dontaudit $1 device_node:file_class_set audit_access; ++') ++ ++######################################## ++## + ## Add entries to directories in /dev. + ## + ## +@@ -336,6 +354,24 @@ interface(`dev_dontaudit_getattr_generic_files',` ######################################## ## @@ -9199,7 +9272,7 @@ index efaf808..79e4ff3 100644 ## Read and write generic files in /dev. ## ## -@@ -516,6 +534,24 @@ interface(`dev_getattr_generic_chr_files',` +@@ -516,6 +552,24 @@ interface(`dev_getattr_generic_chr_files',` ######################################## ## @@ -9224,7 +9297,7 @@ index efaf808..79e4ff3 100644 ## Dontaudit getattr for generic character device files. ## ## -@@ -552,6 +588,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',` +@@ -552,6 +606,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',` ######################################## ## @@ -9249,7 +9322,7 @@ index efaf808..79e4ff3 100644 ## Read and write generic character device files. ## ## -@@ -570,6 +624,24 @@ interface(`dev_rw_generic_chr_files',` +@@ -570,6 +642,24 @@ interface(`dev_rw_generic_chr_files',` ######################################## ## @@ -9274,7 +9347,7 @@ index efaf808..79e4ff3 100644 ## Dontaudit attempts to read/write generic character device files. ## ## -@@ -679,6 +751,24 @@ interface(`dev_delete_generic_symlinks',` +@@ -679,6 +769,24 @@ interface(`dev_delete_generic_symlinks',` ######################################## ## @@ -9299,7 +9372,7 @@ index efaf808..79e4ff3 100644 ## Create, delete, read, and write symbolic links in device directories. ## ## -@@ -1088,6 +1178,42 @@ interface(`dev_create_all_chr_files',` +@@ -1088,6 +1196,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -9342,7 +9415,7 @@ index efaf808..79e4ff3 100644 ## Delete all block device files. ## ## -@@ -1350,6 +1476,24 @@ interface(`dev_getattr_autofs_dev',` +@@ -1350,6 +1494,24 @@ interface(`dev_getattr_autofs_dev',` ######################################## ## @@ -9367,7 +9440,7 @@ index efaf808..79e4ff3 100644 ## Do not audit attempts to get the attributes of ## the autofs device node. ## -@@ -1597,6 +1741,24 @@ interface(`dev_rw_cpu_microcode',` +@@ -1597,6 +1759,24 @@ interface(`dev_rw_cpu_microcode',` ######################################## ## @@ -9392,7 +9465,7 @@ index efaf808..79e4ff3 100644 ## Read and write the the hardware SSL accelerator. ## ## -@@ -1979,6 +2141,24 @@ interface(`dev_read_kmsg',` +@@ -1979,6 +2159,24 @@ interface(`dev_read_kmsg',` ######################################## ## @@ -9417,7 +9490,7 @@ index efaf808..79e4ff3 100644 ## Write to the kernel messages device ## ## -@@ -3048,24 +3228,6 @@ interface(`dev_rw_printer',` +@@ -3048,24 +3246,6 @@ interface(`dev_rw_printer',` ######################################## ## @@ -9442,7 +9515,7 @@ index efaf808..79e4ff3 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3613,6 +3775,24 @@ interface(`dev_manage_smartcard',` +@@ -3613,6 +3793,24 @@ interface(`dev_manage_smartcard',` ######################################## ## @@ -9467,7 +9540,7 @@ index efaf808..79e4ff3 100644 ## Get the attributes of sysfs directories. ## ## -@@ -3773,6 +3953,24 @@ interface(`dev_rw_sysfs',` +@@ -3773,6 +3971,24 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -9492,7 +9565,7 @@ index efaf808..79e4ff3 100644 ## Read and write the TPM device. ## ## -@@ -3960,6 +4158,24 @@ interface(`dev_read_usbmon_dev',` +@@ -3960,6 +4176,24 @@ interface(`dev_read_usbmon_dev',` ######################################## ## @@ -9517,7 +9590,7 @@ index efaf808..79e4ff3 100644 ## Mount a usbfs filesystem. ## ## -@@ -4270,11 +4486,10 @@ interface(`dev_write_video_dev',` +@@ -4270,11 +4504,10 @@ interface(`dev_write_video_dev',` # interface(`dev_rw_vhost',` gen_require(` @@ -9532,7 +9605,7 @@ index efaf808..79e4ff3 100644 ######################################## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 41f892f..5ce9978 100644 +index c03e21b..2942d8d 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -56,6 +56,12 @@ dev_node(clock_device_t) @@ -9660,7 +9733,7 @@ index aad8c52..6ac24b0 100644 + dontaudit $1 domain:socket_class_set { read write }; +') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index bc534c1..778d512 100644 +index bc534c1..2a6b5e1 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.0) @@ -9753,7 +9826,7 @@ index bc534c1..778d512 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,81 @@ allow unconfined_domain_type domain:key *; +@@ -160,3 +197,85 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -9819,6 +9892,10 @@ index bc534c1..778d512 100644 +') + +optional_policy(` ++ ipsec_match_default_spd(domain) ++') ++ ++optional_policy(` + ifdef(`hide_broken_symptoms',` + afs_rw_udp_sockets(domain) + ') @@ -9943,7 +10020,7 @@ index 3517db2..f798a69 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ed203b2..d38c240 100644 +index ed203b2..45fe4f9 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -10244,7 +10321,7 @@ index ed203b2..d38c240 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3729,6 +3935,100 @@ interface(`files_read_world_readable_sockets',` +@@ -3729,6 +3935,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -10257,7 +10334,6 @@ index ed203b2..d38c240 100644 +## Domain allowed access. +## +## -+## +# +interface(`files_read_system_conf_files',` + gen_require(` @@ -10345,7 +10421,7 @@ index ed203b2..d38c240 100644 ######################################## ## ## Allow the specified type to associate -@@ -3914,6 +4214,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,6 +4213,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -10378,7 +10454,7 @@ index ed203b2..d38c240 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -3968,7 +4294,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3968,7 +4293,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -10387,7 +10463,7 @@ index ed203b2..d38c240 100644 ## ## ## -@@ -3976,17 +4302,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3976,17 +4301,17 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -10409,7 +10485,7 @@ index ed203b2..d38c240 100644 ## ## ## -@@ -3994,74 +4320,77 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -3994,74 +4319,77 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # @@ -10505,7 +10581,7 @@ index ed203b2..d38c240 100644 ## ## ## -@@ -4069,22 +4398,97 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` +@@ -4069,25 +4397,100 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` ## ## # @@ -10530,8 +10606,9 @@ index ed203b2..d38c240 100644 ## -## Domain allowed access. +## Domain not to audit. -+## -+## + ## + ## +-## +# +interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` @@ -10605,10 +10682,13 @@ index ed203b2..d38c240 100644 +## +## +## Domain allowed access. ++## ++## ++## + ## + ## The type of the object to be created. ## - ## - ## -@@ -4127,6 +4531,13 @@ interface(`files_purge_tmp',` +@@ -4127,6 +4530,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -10622,7 +10702,7 @@ index ed203b2..d38c240 100644 ') ######################################## -@@ -4736,6 +5147,24 @@ interface(`files_read_var_files',` +@@ -4736,6 +5146,24 @@ interface(`files_read_var_files',` ######################################## ## @@ -10647,7 +10727,7 @@ index ed203b2..d38c240 100644 ## Read and write files in the /var directory. ## ## -@@ -5071,6 +5500,24 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5499,24 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -10672,7 +10752,7 @@ index ed203b2..d38c240 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5156,12 +5603,12 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5602,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -10689,7 +10769,7 @@ index ed203b2..d38c240 100644 ') ######################################## -@@ -5207,6 +5654,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5653,27 @@ interface(`files_delete_all_locks',` ######################################## ## @@ -10717,7 +10797,7 @@ index ed203b2..d38c240 100644 ## Read all lock files. ## ## -@@ -5335,6 +5803,43 @@ interface(`files_search_pids',` +@@ -5335,6 +5802,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -10761,7 +10841,7 @@ index ed203b2..d38c240 100644 ######################################## ## ## Do not audit attempts to search -@@ -5542,6 +6047,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6046,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -10824,7 +10904,7 @@ index ed203b2..d38c240 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6120,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6119,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -10869,7 +10949,7 @@ index ed203b2..d38c240 100644 ') ######################################## -@@ -5844,3 +6443,247 @@ interface(`files_unconfined',` +@@ -5844,3 +6442,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -11117,6 +11197,43 @@ index ed203b2..d38c240 100644 + + allow $1 file_type:kernel_service create_files_as; +') ++ ++######################################## ++## ++## Do not audit attempts to check the ++## write access on all files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_all_access_check',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ dontaudit $1 file_type:file_class_set audit_access; ++') ++ ++######################################## ++## ++## Do not audit attempts to write to all files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_write_all_files',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ dontaudit $1 file_type:file_class_set write; ++') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index e8a6b1d..fd53860 100644 --- a/policy/modules/kernel/files.te @@ -15248,10 +15365,10 @@ index 0000000..8e6e2c3 +') diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te new file mode 100644 -index 0000000..cee49e3 +index 0000000..ffdcad1 --- /dev/null +++ b/policy/modules/services/ajaxterm.te -@@ -0,0 +1,54 @@ +@@ -0,0 +1,59 @@ +policy_module(ajaxterm, 1.0.0) + +######################################## @@ -15277,7 +15394,7 @@ index 0000000..cee49e3 +# ajaxterm local policy +# +allow ajaxterm_t self:capability setuid; -+allow ajaxterm_t self:process setpgid; ++allow ajaxterm_t self:process { setpgid signal }; +allow ajaxterm_t self:fifo_file rw_fifo_file_perms; +allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms; +allow ajaxterm_t self:tcp_socket create_stream_socket_perms; @@ -15306,6 +15423,11 @@ index 0000000..cee49e3 +miscfiles_read_localization(ajaxterm_t) + +sysnet_dns_name_resolve(ajaxterm_t) ++ ++optional_policy(` ++ ssh_domtrans(ajaxterm_t) ++') ++ diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if index ceb2142..e31d92a 100644 --- a/policy/modules/services/amavis.if @@ -15424,7 +15546,7 @@ index 9e39aa5..7ba3b11 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index c9e1a44..1a1ba36 100644 +index 6480167..504ec33 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ @@ -15579,7 +15701,7 @@ index c9e1a44..1a1ba36 100644 ') optional_policy(` -@@ -211,16 +201,15 @@ template(`apache_content_template',` +@@ -211,14 +201,15 @@ template(`apache_content_template',` interface(`apache_role',` gen_require(` attribute httpdcontent; @@ -15592,14 +15714,14 @@ index c9e1a44..1a1ba36 100644 role $1 types httpd_user_script_t; - allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; - - allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; ++ allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; ++ + allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; - manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) -@@ -229,6 +218,13 @@ interface(`apache_role',` + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) +@@ -234,6 +225,13 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) @@ -15613,7 +15735,7 @@ index c9e1a44..1a1ba36 100644 manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -243,6 +239,8 @@ interface(`apache_role',` +@@ -248,6 +246,8 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) @@ -15622,7 +15744,7 @@ index c9e1a44..1a1ba36 100644 tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) -@@ -312,6 +310,25 @@ interface(`apache_domtrans',` +@@ -317,6 +317,25 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -15648,7 +15770,7 @@ index c9e1a44..1a1ba36 100644 ####################################### ## ## Send a generic signal to apache. -@@ -400,7 +417,7 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -405,7 +424,7 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -15657,7 +15779,7 @@ index c9e1a44..1a1ba36 100644 ') ######################################## -@@ -482,7 +499,7 @@ interface(`apache_setattr_cache_dirs',` +@@ -487,7 +506,7 @@ interface(`apache_setattr_cache_dirs',` type httpd_cache_t; ') @@ -15666,7 +15788,7 @@ index c9e1a44..1a1ba36 100644 ') ######################################## -@@ -526,6 +543,25 @@ interface(`apache_rw_cache_files',` +@@ -531,6 +550,25 @@ interface(`apache_rw_cache_files',` ######################################## ## ## Allow the specified domain to delete @@ -15692,7 +15814,7 @@ index c9e1a44..1a1ba36 100644 ## Apache cache. ## ## -@@ -544,6 +580,26 @@ interface(`apache_delete_cache_files',` +@@ -549,6 +587,26 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -15719,7 +15841,7 @@ index c9e1a44..1a1ba36 100644 ## Allow the specified domain to read ## apache configuration files. ## -@@ -694,7 +750,7 @@ interface(`apache_dontaudit_append_log',` +@@ -699,7 +757,7 @@ interface(`apache_dontaudit_append_log',` type httpd_log_t; ') @@ -15728,7 +15850,7 @@ index c9e1a44..1a1ba36 100644 ') ######################################## -@@ -740,6 +796,25 @@ interface(`apache_dontaudit_search_modules',` +@@ -745,6 +803,25 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -15754,7 +15876,7 @@ index c9e1a44..1a1ba36 100644 ## Allow the specified domain to list ## the contents of the apache modules ## directory. -@@ -756,6 +831,7 @@ interface(`apache_list_modules',` +@@ -761,6 +838,7 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -15762,7 +15884,7 @@ index c9e1a44..1a1ba36 100644 ') ######################################## -@@ -814,6 +890,7 @@ interface(`apache_list_sys_content',` +@@ -819,6 +897,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -15770,7 +15892,7 @@ index c9e1a44..1a1ba36 100644 files_search_var($1) ') -@@ -841,6 +918,74 @@ interface(`apache_manage_sys_content',` +@@ -846,6 +925,74 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -15845,7 +15967,7 @@ index c9e1a44..1a1ba36 100644 ######################################## ## ## Execute all web scripts in the system -@@ -857,7 +1002,11 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +1009,11 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; @@ -15858,7 +15980,7 @@ index c9e1a44..1a1ba36 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -916,9 +1065,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1072,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## @@ -15870,7 +15992,7 @@ index c9e1a44..1a1ba36 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -945,7 +1095,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1102,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -15879,7 +16001,7 @@ index c9e1a44..1a1ba36 100644 ') ######################################## -@@ -1086,6 +1236,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1243,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -15905,7 +16027,7 @@ index c9e1a44..1a1ba36 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1102,7 +1271,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1278,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -15914,7 +16036,7 @@ index c9e1a44..1a1ba36 100644 ') ######################################## -@@ -1165,17 +1334,14 @@ interface(`apache_cgi_domain',` +@@ -1170,17 +1341,14 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -15936,7 +16058,7 @@ index c9e1a44..1a1ba36 100644 ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1186,10 +1352,10 @@ interface(`apache_admin',` +@@ -1191,10 +1359,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -15949,7 +16071,7 @@ index c9e1a44..1a1ba36 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1200,14 +1366,43 @@ interface(`apache_admin',` +@@ -1205,14 +1373,43 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -15999,10 +16121,10 @@ index c9e1a44..1a1ba36 100644 + dontaudit $1 httpd_tmp_t:file { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 08dfa0c..61f340d 100644 +index 3136c6a..9c0dab5 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0) +@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) # Declarations # @@ -16950,7 +17072,7 @@ index 1ea99b2..49e6c74 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..62bc936 100644 +index 1c8c27e..5fbd9b3 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) @@ -16969,15 +17091,16 @@ index 1c8c27e..62bc936 100644 allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; -@@ -81,6 +83,7 @@ kernel_rw_all_sysctls(apmd_t) +@@ -81,6 +83,8 @@ kernel_rw_all_sysctls(apmd_t) kernel_read_system_state(apmd_t) kernel_write_proc_files(apmd_t) +dev_read_input(apmd_t) ++dev_read_mouse(apmd_t) dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) -@@ -142,9 +145,8 @@ ifdef(`distro_redhat',` +@@ -142,9 +146,8 @@ ifdef(`distro_redhat',` can_exec(apmd_t, apmd_var_run_t) @@ -16988,7 +17111,7 @@ index 1c8c27e..62bc936 100644 ') optional_policy(` -@@ -155,6 +157,15 @@ ifdef(`distro_redhat',` +@@ -155,6 +158,15 @@ ifdef(`distro_redhat',` netutils_domtrans(apmd_t) ') @@ -18544,7 +18667,7 @@ index d020c93..e5cbcef 100644 cgroup_initrc_domtrans_cgconfig($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te -index 8ca2333..460f4fd 100644 +index 8ca2333..8b8aa15 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te @@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t) @@ -18598,7 +18721,7 @@ index 8ca2333..460f4fd 100644 # -allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override }; -+allow cgred_t self:capability { chown net_admin sys_admin sys_ptrace dac_override }; ++allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; @@ -19143,10 +19266,10 @@ index 0000000..756ac91 +') diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te new file mode 100644 -index 0000000..a2c7134 +index 0000000..6897361 --- /dev/null +++ b/policy/modules/services/cmirrord.te -@@ -0,0 +1,53 @@ +@@ -0,0 +1,57 @@ +policy_module(cmirrord, 1.0.0) + +######################################## @@ -19174,7 +19297,7 @@ index 0000000..a2c7134 + +allow cmirrord_t self:capability { net_admin kill }; +dontaudit cmirrord_t self:capability sys_tty_config; -+allow cmirrord_t self:process signal; ++allow cmirrord_t self:process { setfscreate signal}; +allow cmirrord_t self:fifo_file rw_fifo_file_perms; +allow cmirrord_t self:sem create_sem_perms; +allow cmirrord_t self:shm create_shm_perms; @@ -19193,6 +19316,10 @@ index 0000000..a2c7134 + +files_read_etc_files(cmirrord_t) + ++storage_create_fixed_disk_dev(cmirrord_t) ++ ++seutil_read_file_contexts(cmirrord_t) ++ +logging_send_syslog_msg(cmirrord_t) + +miscfiles_read_localization(cmirrord_t) @@ -20343,7 +20470,7 @@ index 35241ed..b6402c9 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f35b243..c6b63be 100644 +index f35b243..8296aaa 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -20481,8 +20608,17 @@ index f35b243..c6b63be 100644 files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -208,7 +224,9 @@ init_spec_domtrans_script(crond_t) +@@ -203,12 +219,18 @@ files_list_usr(crond_t) + files_search_var_lib(crond_t) + files_search_default(crond_t) + ++fs_manage_cgroup_dirs(crond_t) ++fs_manage_cgroup_files(crond_t) ++ + init_rw_utmp(crond_t) + init_spec_domtrans_script(crond_t) ++auth_manage_var_auth(crond_t) auth_use_nsswitch(crond_t) +logging_send_audit_msgs(crond_t) @@ -20491,7 +20627,7 @@ index f35b243..c6b63be 100644 seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -219,8 +237,10 @@ miscfiles_read_localization(crond_t) +@@ -219,8 +241,10 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -20502,7 +20638,7 @@ index f35b243..c6b63be 100644 ifdef(`distro_debian',` # pam_limits is used -@@ -232,7 +252,7 @@ ifdef(`distro_debian',` +@@ -232,7 +256,7 @@ ifdef(`distro_debian',` ') ') @@ -20511,7 +20647,7 @@ index f35b243..c6b63be 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -240,16 +260,39 @@ ifdef(`distro_redhat', ` +@@ -240,16 +264,39 @@ ifdef(`distro_redhat', ` ') ') @@ -20552,7 +20688,7 @@ index f35b243..c6b63be 100644 amanda_search_var_lib(crond_t) ') -@@ -259,6 +302,8 @@ optional_policy(` +@@ -259,6 +306,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -20561,7 +20697,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -284,12 +329,18 @@ optional_policy(` +@@ -284,12 +333,18 @@ optional_policy(` udev_read_db(crond_t) ') @@ -20580,7 +20716,7 @@ index f35b243..c6b63be 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -301,10 +352,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -301,10 +356,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -20601,7 +20737,7 @@ index f35b243..c6b63be 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -324,6 +384,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -324,6 +388,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -20609,7 +20745,7 @@ index f35b243..c6b63be 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -335,9 +396,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -335,9 +400,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -20624,7 +20760,7 @@ index f35b243..c6b63be 100644 kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -360,6 +425,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -360,6 +429,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -20632,7 +20768,7 @@ index f35b243..c6b63be 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -386,6 +452,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -386,6 +456,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -20640,7 +20776,7 @@ index f35b243..c6b63be 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -408,8 +475,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -408,8 +479,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -20652,7 +20788,7 @@ index f35b243..c6b63be 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -434,6 +503,8 @@ optional_policy(` +@@ -434,6 +507,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -20661,7 +20797,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -441,6 +512,14 @@ optional_policy(` +@@ -441,6 +516,14 @@ optional_policy(` ') optional_policy(` @@ -20676,7 +20812,7 @@ index f35b243..c6b63be 100644 ftp_read_log(system_cronjob_t) ') -@@ -451,15 +530,24 @@ optional_policy(` +@@ -451,15 +534,24 @@ optional_policy(` ') optional_policy(` @@ -20701,7 +20837,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -475,7 +563,7 @@ optional_policy(` +@@ -475,7 +567,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -20710,7 +20846,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -490,6 +578,7 @@ optional_policy(` +@@ -490,6 +582,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -20718,7 +20854,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -497,7 +586,13 @@ optional_policy(` +@@ -497,7 +590,13 @@ optional_policy(` ') optional_policy(` @@ -20732,7 +20868,7 @@ index f35b243..c6b63be 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -590,9 +685,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -590,9 +689,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -24761,7 +24897,7 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..d1c4458 100644 +index 4fde46b..9507bbb 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te @@ -19,7 +19,10 @@ allow gnomeclock_t self:process { getattr getsched }; @@ -24784,7 +24920,7 @@ index 4fde46b..d1c4458 100644 + +optional_policy(` + ntp_initrc_domtrans(gnomeclock_t) -+ init_getattr_all_script_files(gnomeclock_t) ++ init_dontaudit_getattr_all_script_files(gnomeclock_t) +') + +optional_policy(` @@ -26062,7 +26198,7 @@ index 0000000..6134ef2 +') diff --git a/policy/modules/services/keyboardd.te b/policy/modules/services/keyboardd.te new file mode 100644 -index 0000000..a2bf9c3 +index 0000000..045207f --- /dev/null +++ b/policy/modules/services/keyboardd.te @@ -0,0 +1,28 @@ @@ -26088,7 +26224,7 @@ index 0000000..a2bf9c3 +allow keyboardd_t self:fifo_file rw_fifo_file_perms; +allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; + -+files_rw_etc_runtime_files(keyboardd_t) ++files_manage_etc_runtime_files(keyboardd_t) +files_etc_filetrans_etc_runtime(keyboardd_t, file) + +files_read_etc_files(keyboardd_t) @@ -26571,10 +26707,10 @@ index 67c7fdd..84b7626 100644 files_list_var_lib(mailman_$1_t) files_read_var_lib_symlinks(mailman_$1_t) diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te -index af4d572..96e3c80 100644 +index af4d572..0fd2357 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te -@@ -61,9 +61,9 @@ optional_policy(` +@@ -61,14 +61,18 @@ optional_policy(` # Mailman mail local policy # @@ -26586,7 +26722,16 @@ index af4d572..96e3c80 100644 manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -@@ -81,6 +81,10 @@ optional_policy(` + manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) + ++# make NNTP gateway working ++corenet_tcp_connect_innd_port(mailman_mail_t) ++corenet_tcp_connect_spamd_port(mailman_mail_t) ++ + files_search_spool(mailman_mail_t) + + fs_rw_anon_inodefs_files(mailman_mail_t) +@@ -81,6 +85,10 @@ optional_policy(` ') optional_policy(` @@ -26597,7 +26742,16 @@ index af4d572..96e3c80 100644 cron_read_pipes(mailman_mail_t) ') -@@ -125,4 +129,4 @@ optional_policy(` +@@ -104,6 +112,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) + + kernel_read_proc_symlinks(mailman_queue_t) + ++corenet_tcp_connect_innd_port(mailman_queue_t) ++ + auth_domtrans_chk_passwd(mailman_queue_t) + + files_dontaudit_search_pids(mailman_queue_t) +@@ -125,4 +135,4 @@ optional_policy(` optional_policy(` su_exec(mailman_queue_t) @@ -38081,7 +38235,7 @@ index 22adaca..2cfaf93 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..7230490 100644 +index 2dad3c8..9a289e2 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -38176,7 +38330,7 @@ index 2dad3c8..7230490 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -113,6 +114,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -113,20 +114,23 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -38184,7 +38338,12 @@ index 2dad3c8..7230490 100644 # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -124,9 +126,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) + + allow ssh_t sshd_t:unix_stream_socket connectto; ++allow ssh_t sshd_t:peer recv; + + # ssh client can manage the keys and config + manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config @@ -38198,7 +38357,7 @@ index 2dad3c8..7230490 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -138,6 +141,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) +@@ -138,6 +142,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -38207,7 +38366,7 @@ index 2dad3c8..7230490 100644 dev_read_urand(ssh_t) -@@ -162,6 +167,7 @@ logging_read_generic_logs(ssh_t) +@@ -162,6 +168,7 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -38215,7 +38374,7 @@ index 2dad3c8..7230490 100644 seutil_read_config(ssh_t) -@@ -169,14 +175,18 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) +@@ -169,14 +176,18 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -38239,7 +38398,7 @@ index 2dad3c8..7230490 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -200,6 +210,57 @@ optional_policy(` +@@ -200,6 +211,57 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -38297,7 +38456,7 @@ index 2dad3c8..7230490 100644 ############################## # # ssh_keysign_t local policy -@@ -209,7 +270,7 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,7 +271,7 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -38306,7 +38465,7 @@ index 2dad3c8..7230490 100644 dev_read_urand(ssh_keysign_t) -@@ -232,33 +293,43 @@ optional_policy(` +@@ -232,33 +294,43 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -38359,7 +38518,7 @@ index 2dad3c8..7230490 100644 ') optional_policy(` -@@ -266,11 +337,24 @@ optional_policy(` +@@ -266,11 +338,24 @@ optional_policy(` ') optional_policy(` @@ -38385,7 +38544,7 @@ index 2dad3c8..7230490 100644 ') optional_policy(` -@@ -284,6 +368,11 @@ optional_policy(` +@@ -284,6 +369,11 @@ optional_policy(` ') optional_policy(` @@ -38397,7 +38556,7 @@ index 2dad3c8..7230490 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +381,26 @@ optional_policy(` +@@ -292,26 +382,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -38443,7 +38602,7 @@ index 2dad3c8..7230490 100644 ') dnl endif TODO ######################################## -@@ -324,7 +413,6 @@ tunable_policy(`ssh_sysadm_login',` +@@ -324,7 +414,6 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; @@ -38451,7 +38610,7 @@ index 2dad3c8..7230490 100644 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; -@@ -353,10 +441,6 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,10 +442,6 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -38610,10 +38769,10 @@ index 6073656..eaf49b2 100644 allow $1 stunnel_t:tcp_socket rw_socket_perms; ') diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te -index f646c66..b8eec46 100644 +index f646c66..5370bb8 100644 --- a/policy/modules/services/stunnel.te +++ b/policy/modules/services/stunnel.te -@@ -6,17 +6,7 @@ policy_module(stunnel, 1.10.0) +@@ -6,17 +6,9 @@ policy_module(stunnel, 1.10.0) # type stunnel_t; @@ -38628,23 +38787,12 @@ index f646c66..b8eec46 100644 -',` - inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) -') ++init_daemon_domain(stunnel_t, stunnel_exec_t) ++inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) type stunnel_etc_t; files_config_file(stunnel_etc_t) -@@ -27,6 +17,12 @@ files_tmp_file(stunnel_tmp_t) - type stunnel_var_run_t; - files_pid_file(stunnel_var_run_t) - -+ifdef(`distro_gentoo',` -+ init_daemon_domain(stunnel_t, stunnel_exec_t) -+',` -+ inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) -+') -+ - ######################################## - # - # Local policy -@@ -40,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms; +@@ -40,7 +32,7 @@ allow stunnel_t self:udp_socket create_socket_perms; allow stunnel_t stunnel_etc_t:dir list_dir_perms; allow stunnel_t stunnel_etc_t:file read_file_perms; @@ -38653,7 +38801,7 @@ index f646c66..b8eec46 100644 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -@@ -77,7 +73,7 @@ miscfiles_read_localization(stunnel_t) +@@ -77,7 +69,7 @@ miscfiles_read_localization(stunnel_t) sysnet_read_config(stunnel_t) @@ -38662,7 +38810,7 @@ index f646c66..b8eec46 100644 dontaudit stunnel_t self:capability sys_tty_config; allow stunnel_t self:udp_socket create_socket_perms; -@@ -120,4 +116,5 @@ ifdef(`distro_gentoo', ` +@@ -120,4 +112,5 @@ ifdef(`distro_gentoo', ` gen_require(` type stunnel_port_t; ') @@ -38710,196 +38858,21 @@ index 7038b55..4e84f23 100644 type tcpd_tmp_t; files_tmp_file(tcpd_tmp_t) -diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc -index 8a473e7..7fdda14 100644 ---- a/policy/modules/services/tcsd.fc -+++ b/policy/modules/services/tcsd.fc -@@ -1,3 +1,6 @@ -+/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) -+ - /usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) -+ - /var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0) - diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if -index e814f69..f7d6fa3 100644 +index 595f5a7..459d773 100644 --- a/policy/modules/services/tcsd.if +++ b/policy/modules/services/tcsd.if -@@ -1 +1,153 @@ - ## TSS Core Services (TCS) daemon (tcsd) policy -+ -+######################################## -+## -+## Execute a domain transition to run tcsd. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tcsd_domtrans',` -+ gen_require(` -+ type tcsd_t, tcsd_exec_t; -+ ') -+ -+ domtrans_pattern($1, tcsd_exec_t, tcsd_t) -+') -+ -+ -+######################################## -+## -+## Execute tcsd server in the tcsd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`tcsd_initrc_domtrans',` -+ gen_require(` -+ type tcsd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, tcsd_initrc_exec_t) -+') -+ -+######################################## -+## -+## Search tcsd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tcsd_search_lib',` -+ gen_require(` -+ type tcsd_var_lib_t; -+ ') -+ -+ allow $1 tcsd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read tcsd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tcsd_read_lib_files',` -+ gen_require(` -+ type tcsd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## tcsd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tcsd_manage_lib_files',` -+ gen_require(` -+ type tcsd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage tcsd lib dirs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tcsd_manage_lib_dirs',` -+ gen_require(` -+ type tcsd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an tcsd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`tcsd_admin',` -+ gen_require(` -+ type tcsd_t; -+ type tcsd_initrc_exec_t; -+ type tcsd_var_lib_t; -+ ') -+ -+ allow $1 tcsd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, tcsd_t) -+ -+ tcsd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 tcsd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_var_lib($1) -+ admin_pattern($1, tcsd_var_lib_t) +@@ -147,4 +147,5 @@ interface(`tcsd_admin',` + + files_search_var_lib($1) + admin_pattern($1, tcsd_var_lib_t) + -+') + ') diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te -index f17dafd..30d2c75 100644 +index ee9f3c6..30d2c75 100644 --- a/policy/modules/services/tcsd.te +++ b/policy/modules/services/tcsd.te -@@ -10,7 +10,9 @@ type tcsd_exec_t; - domain_type(tcsd_t) - init_daemon_domain(tcsd_t, tcsd_exec_t) - --# /var/lib/tpm -+type tcsd_initrc_exec_t; -+init_script_file(tcsd_initrc_exec_t) -+ - type tcsd_var_lib_t; - files_type(tcsd_var_lib_t) - -@@ -23,26 +25,24 @@ allow tcsd_t self:capability { dac_override setuid }; - allow tcsd_t self:process { signal sigkill }; - allow tcsd_t self:tcp_socket create_stream_socket_perms; - --# var/lib files for tcsd - manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) +@@ -29,13 +29,11 @@ manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir }) @@ -38913,17 +38886,6 @@ index f17dafd..30d2c75 100644 dev_rw_tpm(tcsd_t) files_read_etc_files(tcsd_t) - files_read_usr_files(tcsd_t) - --# Log messages via syslog. -+auth_use_nsswitch(tcsd_t) -+ - logging_send_syslog_msg(tcsd_t) - - miscfiles_read_localization(tcsd_t) - --sysnet_read_config(tcsd_t) -+sysnet_dns_name_resolve(tcsd_t) diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if index 58e7ec0..cf4cc85 100644 --- a/policy/modules/services/telnet.if @@ -40067,7 +40029,7 @@ index 7c5d8d8..5e2f264 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..931c98d 100644 +index 3eca020..48fc96d 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0) @@ -40325,7 +40287,7 @@ index 3eca020..931c98d 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +288,32 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +288,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -40354,12 +40316,11 @@ index 3eca020..931c98d 100644 + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) -+files_manage_system_conf_files(virtd_t) +files_etc_filetrans_system_conf(virtd_t) fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +321,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +320,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -40378,7 +40339,7 @@ index 3eca020..931c98d 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +356,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +355,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -40409,7 +40370,7 @@ index 3eca020..931c98d 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -329,6 +414,10 @@ optional_policy(` +@@ -329,6 +413,10 @@ optional_policy(` ') optional_policy(` @@ -40420,7 +40381,7 @@ index 3eca020..931c98d 100644 dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) -@@ -365,6 +454,8 @@ optional_policy(` +@@ -365,6 +453,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -40429,7 +40390,7 @@ index 3eca020..931c98d 100644 ') optional_policy(` -@@ -396,12 +487,25 @@ optional_policy(` +@@ -396,12 +486,25 @@ optional_policy(` allow virt_domain self:capability { dac_read_search dac_override kill }; allow virt_domain self:process { execmem execstack signal getsched signull }; @@ -40456,7 +40417,7 @@ index 3eca020..931c98d 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +526,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +525,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -40464,7 +40425,7 @@ index 3eca020..931c98d 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +534,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +533,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -40477,7 +40438,7 @@ index 3eca020..931c98d 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +547,11 @@ files_search_all(virt_domain) +@@ -440,6 +546,11 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -40489,7 +40450,7 @@ index 3eca020..931c98d 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +569,117 @@ optional_policy(` +@@ -457,8 +568,117 @@ optional_policy(` ') optional_policy(` @@ -40513,7 +40474,7 @@ index 3eca020..931c98d 100644 +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + -+allow virsh_t self:capability { dac_override ipc_lock sys_tty_config }; ++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -42047,7 +42008,7 @@ index da2601a..223cc80 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 145fc4b..0220e38 100644 +index edc58df..58b515b 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -42839,22 +42800,23 @@ index 145fc4b..0220e38 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +914,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,8 +914,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; +allow xserver_t self:netlink_selinux_socket create_socket_perms; -+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; -+ + allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow xserver_t { input_xevent_t input_xevent_type }:x_event send; + +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) + +allow xserver_t xauth_home_t:file read_file_perms; - ++ manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) + manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) +@@ -630,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -42876,7 +42838,7 @@ index 145fc4b..0220e38 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -643,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -42884,7 +42846,7 @@ index 145fc4b..0220e38 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +988,6 @@ dev_rw_apm_bios(xserver_t) +@@ -669,7 +988,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -42892,7 +42854,7 @@ index 145fc4b..0220e38 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,11 +997,17 @@ dev_wx_raw_memory(xserver_t) +@@ -679,11 +997,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -42910,7 +42872,7 @@ index 145fc4b..0220e38 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -693,8 +1018,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1018,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -42924,7 +42886,7 @@ index 145fc4b..0220e38 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1046,14 @@ logging_send_audit_msgs(xserver_t) +@@ -717,11 +1046,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -42939,7 +42901,7 @@ index 145fc4b..0220e38 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1106,28 @@ optional_policy(` +@@ -774,16 +1106,28 @@ optional_policy(` ') optional_policy(` @@ -42952,7 +42914,6 @@ index 145fc4b..0220e38 100644 ') optional_policy(` -- unconfined_domain_noaudit(xserver_t) + setrans_translate_context(xserver_t) +') + @@ -42961,15 +42922,16 @@ index 145fc4b..0220e38 100644 +') + +optional_policy(` -+ udev_read_db(xserver_t) -+') -+ -+optional_policy(` + udev_read_db(xserver_t) + ') + + optional_policy(` +- unconfined_domain_noaudit(xserver_t) + unconfined_domain(xserver_t) unconfined_domtrans(xserver_t) ') -@@ -787,6 +1136,10 @@ optional_policy(` +@@ -792,6 +1136,10 @@ optional_policy(` ') optional_policy(` @@ -42980,7 +42942,7 @@ index 145fc4b..0220e38 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1155,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -807,10 +1155,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -42994,7 +42956,7 @@ index 145fc4b..0220e38 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -813,7 +1166,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -818,7 +1166,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -43003,7 +42965,7 @@ index 145fc4b..0220e38 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -826,6 +1179,9 @@ init_use_fds(xserver_t) +@@ -831,6 +1179,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -43013,7 +42975,7 @@ index 145fc4b..0220e38 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -833,6 +1189,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -838,6 +1189,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -43025,7 +42987,7 @@ index 145fc4b..0220e38 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -841,11 +1202,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -846,11 +1202,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -43042,7 +43004,7 @@ index 145fc4b..0220e38 100644 ') optional_policy(` -@@ -853,6 +1217,10 @@ optional_policy(` +@@ -858,6 +1217,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -43053,7 +43015,7 @@ index 145fc4b..0220e38 100644 ######################################## # # Rules common to all X window domains -@@ -896,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -901,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -43062,7 +43024,7 @@ index 145fc4b..0220e38 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -950,11 +1318,31 @@ allow x_domain self:x_resource { read write }; +@@ -955,11 +1318,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -43094,7 +43056,7 @@ index 145fc4b..0220e38 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -976,18 +1364,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -981,18 +1364,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -43705,7 +43667,7 @@ index 88df85d..2fa3974 100644 ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 1c4b1e7..ffa4134 100644 +index 2952cef..4485fd5 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -10,6 +10,7 @@ @@ -44532,7 +44494,7 @@ index 6fed22c..06e5395 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..e96b7b1 100644 +index cc83689..341c578 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,40 @@ interface(`init_script_domain',` @@ -44848,7 +44810,32 @@ index cc83689..e96b7b1 100644 files_search_etc($1) ') -@@ -1130,12 +1271,7 @@ interface(`init_read_script_state',` +@@ -1079,6 +1220,24 @@ interface(`init_read_all_script_files',` + + ####################################### + ## ++## Dontaudit getattr all init script files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_getattr_all_script_files',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ dontaudit $1 init_script_file_type:file getattr; ++') ++ ++####################################### ++## + ## Dontaudit read all init script files. + ## + ## +@@ -1130,12 +1289,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -44862,7 +44849,7 @@ index cc83689..e96b7b1 100644 ') ######################################## -@@ -1375,6 +1511,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1529,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -44890,7 +44877,7 @@ index cc83689..e96b7b1 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1618,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1636,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -44916,7 +44903,7 @@ index cc83689..e96b7b1 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1868,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -44925,7 +44912,7 @@ index cc83689..e96b7b1 100644 ') ######################################## -@@ -1749,3 +1925,93 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +1943,93 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -45020,7 +45007,7 @@ index cc83689..e96b7b1 100644 + allow $1 init_t:unix_dgram_socket sendto; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 0580e7c..c45e5d8 100644 +index 77e8ca8..64ba6d1 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -45158,7 +45145,7 @@ index 0580e7c..c45e5d8 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +222,121 @@ tunable_policy(`init_upstart',` +@@ -186,12 +222,96 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -45223,38 +45210,13 @@ index 0580e7c..c45e5d8 100644 + init_read_script_state(init_t) + + seutil_read_file_contexts(init_t) -+ -+ # Permissions for systemd-tmpfiles, needs its own policy. -+ # Added systemd_tmpfiles_t domain for systemd-tmpfiles -+ # and will cover by this policy -+ -+ files_relabel_all_lock_dirs(init_t) -+ files_relabel_all_pid_dirs(init_t) -+ files_relabel_all_pid_files(init_t) -+ files_manage_all_pids(init_t) -+ files_manage_all_locks(init_t) -+ files_setattr_all_tmp_dirs(init_t) -+ logging_setattr_all_log_dirs(init_t) -+ -+ files_purge_tmp(init_t) -+ files_manage_generic_tmp_files(init_t) -+ files_manage_generic_tmp_dirs(init_t) -+ files_relabelfrom_tmp_dirs(init_t) -+ files_relabelfrom_tmp_files(init_t) -+ files_relabel_all_tmp_dirs(init_t) -+ files_relabel_all_tmp_files(init_t) -+ -+ auth_manage_faillog(init_t) -+ auth_relabel_faillog(init_t) -+ auth_manage_var_auth(init_t) -+ auth_relabel_var_auth_dirs(init_t) -+ auth_setattr_login_records(init_t) + + # needs to remain + logging_create_devlog_dev(init_t) + -+ miscfiles_delete_man_pages(init_t) -+ miscfiles_relabel_man_pages(init_t) ++# miscfiles_delete_man_pages(init_t) ++# miscfiles_relabel_man_pages(init_t) ++ +') + optional_policy(` @@ -45280,7 +45242,7 @@ index 0580e7c..c45e5d8 100644 ') optional_policy(` -@@ -199,10 +344,24 @@ optional_policy(` +@@ -199,10 +319,24 @@ optional_policy(` ') optional_policy(` @@ -45305,7 +45267,7 @@ index 0580e7c..c45e5d8 100644 unconfined_domain(init_t) ') -@@ -212,7 +371,7 @@ optional_policy(` +@@ -212,7 +346,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -45314,7 +45276,7 @@ index 0580e7c..c45e5d8 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +400,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +375,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -45329,7 +45291,7 @@ index 0580e7c..c45e5d8 100644 init_write_initctl(initrc_t) -@@ -258,11 +419,23 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,11 +394,23 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -45353,7 +45315,7 @@ index 0580e7c..c45e5d8 100644 corecmd_exec_all_executables(initrc_t) -@@ -279,6 +452,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +427,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -45361,7 +45323,7 @@ index 0580e7c..c45e5d8 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +465,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +440,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -45369,7 +45331,7 @@ index 0580e7c..c45e5d8 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +473,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +448,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -45385,7 +45347,7 @@ index 0580e7c..c45e5d8 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +498,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +473,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -45397,7 +45359,7 @@ index 0580e7c..c45e5d8 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +517,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +492,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -45411,7 +45373,7 @@ index 0580e7c..c45e5d8 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +532,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +507,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -45420,7 +45382,7 @@ index 0580e7c..c45e5d8 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +546,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +521,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -45428,7 +45390,7 @@ index 0580e7c..c45e5d8 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +558,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +533,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -45436,7 +45398,7 @@ index 0580e7c..c45e5d8 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,13 +579,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +554,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -45452,7 +45414,7 @@ index 0580e7c..c45e5d8 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -474,7 +660,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +639,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -45461,7 +45423,7 @@ index 0580e7c..c45e5d8 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +706,23 @@ ifdef(`distro_redhat',` +@@ -524,6 +685,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -45485,7 +45447,7 @@ index 0580e7c..c45e5d8 100644 ') optional_policy(` -@@ -527,10 +730,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +709,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -45503,7 +45465,7 @@ index 0580e7c..c45e5d8 100644 ') optional_policy(` -@@ -545,6 +755,35 @@ ifdef(`distro_suse',` +@@ -549,6 +734,35 @@ ifdef(`distro_suse',` ') ') @@ -45539,7 +45501,7 @@ index 0580e7c..c45e5d8 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -557,6 +796,8 @@ optional_policy(` +@@ -561,6 +775,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -45548,7 +45510,7 @@ index 0580e7c..c45e5d8 100644 ') optional_policy(` -@@ -573,6 +814,7 @@ optional_policy(` +@@ -577,6 +793,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -45556,7 +45518,7 @@ index 0580e7c..c45e5d8 100644 ') optional_policy(` -@@ -585,6 +827,11 @@ optional_policy(` +@@ -589,6 +806,11 @@ optional_policy(` ') optional_policy(` @@ -45568,7 +45530,7 @@ index 0580e7c..c45e5d8 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -601,9 +848,13 @@ optional_policy(` +@@ -605,9 +827,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -45582,7 +45544,7 @@ index 0580e7c..c45e5d8 100644 ') optional_policy(` -@@ -702,7 +953,13 @@ optional_policy(` +@@ -706,7 +932,13 @@ optional_policy(` ') optional_policy(` @@ -45596,7 +45558,7 @@ index 0580e7c..c45e5d8 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -725,6 +982,10 @@ optional_policy(` +@@ -729,6 +961,10 @@ optional_policy(` ') optional_policy(` @@ -45607,7 +45569,7 @@ index 0580e7c..c45e5d8 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -734,10 +995,20 @@ optional_policy(` +@@ -738,10 +974,20 @@ optional_policy(` ') optional_policy(` @@ -45628,7 +45590,7 @@ index 0580e7c..c45e5d8 100644 quota_manage_flags(initrc_t) ') -@@ -746,6 +1017,10 @@ optional_policy(` +@@ -750,6 +996,10 @@ optional_policy(` ') optional_policy(` @@ -45639,7 +45601,7 @@ index 0580e7c..c45e5d8 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -767,8 +1042,6 @@ optional_policy(` +@@ -771,8 +1021,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -45648,7 +45610,7 @@ index 0580e7c..c45e5d8 100644 ') optional_policy(` -@@ -777,14 +1050,21 @@ optional_policy(` +@@ -781,14 +1029,21 @@ optional_policy(` ') optional_policy(` @@ -45670,7 +45632,7 @@ index 0580e7c..c45e5d8 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -806,11 +1086,19 @@ optional_policy(` +@@ -810,11 +1065,19 @@ optional_policy(` ') optional_policy(` @@ -45691,7 +45653,7 @@ index 0580e7c..c45e5d8 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -820,6 +1108,25 @@ optional_policy(` +@@ -824,6 +1087,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -45717,7 +45679,7 @@ index 0580e7c..c45e5d8 100644 ') optional_policy(` -@@ -845,3 +1152,59 @@ optional_policy(` +@@ -849,3 +1131,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -45799,7 +45761,7 @@ index 07eba2b..942bea1 100644 /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 8232f91..cba1b30 100644 +index 8232f91..8897e32 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -20,6 +20,24 @@ interface(`ipsec_domtrans',` @@ -45827,7 +45789,15 @@ index 8232f91..cba1b30 100644 ## Connect to IPSEC using a unix domain stream socket. ## ## -@@ -273,3 +291,81 @@ interface(`ipsec_run_setkey',` +@@ -129,6 +147,7 @@ interface(`ipsec_match_default_spd',` + + allow $1 ipsec_spd_t:association polmatch; + allow $1 self:association sendto; ++ allow $1 self:peer recv; + ') + + ######################################## +@@ -273,3 +292,81 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -47194,15 +47164,15 @@ index 58bc27f..b95f0c0 100644 + allow $1 clvmd_tmpfs_t:file unlink; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 74e38b4..a5d465f 100644 +index a0a0ebf..402f69e 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) type clvmd_initrc_exec_t; init_script_file(clvmd_initrc_exec_t) -+type clmvd_tmpfs_t; -+files_tmpfs_file(clmvd_tmpfs_t) ++type clvmd_tmpfs_t alias clmvd_tmpfs_t; ++files_tmpfs_file(clvmd_tmpfs_t) + type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) @@ -47220,9 +47190,9 @@ index 74e38b4..a5d465f 100644 allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; -+manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t) -+manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t) -+fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file }) ++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t) ++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) ++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) + manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) @@ -47251,7 +47221,7 @@ index 74e38b4..a5d465f 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -190,8 +203,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,8 +204,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files @@ -47262,7 +47232,7 @@ index 74e38b4..a5d465f 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -200,7 +214,7 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -201,7 +215,7 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -47271,11 +47241,9 @@ index 74e38b4..a5d465f 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -210,12 +224,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) - files_etc_filetrans(lvm_t, lvm_metadata_t, file) - files_search_mnt(lvm_t) +@@ -213,11 +227,13 @@ files_search_mnt(lvm_t) -+kernel_get_sysvipc_info(lvm_t) + kernel_get_sysvipc_info(lvm_t) kernel_read_system_state(lvm_t) +kernel_read_kernel_sysctls(lvm_t) # Read system variables in /proc/sys @@ -47287,7 +47255,7 @@ index 74e38b4..a5d465f 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -242,6 +259,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -244,6 +260,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -47295,7 +47263,7 @@ index 74e38b4..a5d465f 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -251,8 +269,9 @@ files_read_etc_files(lvm_t) +@@ -253,8 +270,9 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -47306,7 +47274,7 @@ index 74e38b4..a5d465f 100644 fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) -@@ -262,6 +281,7 @@ fs_rw_anon_inodefs_files(lvm_t) +@@ -264,6 +282,7 @@ fs_rw_anon_inodefs_files(lvm_t) mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) @@ -47314,7 +47282,7 @@ index 74e38b4..a5d465f 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -309,6 +329,11 @@ ifdef(`distro_redhat',` +@@ -311,6 +330,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -47326,7 +47294,7 @@ index 74e38b4..a5d465f 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -329,6 +354,10 @@ optional_policy(` +@@ -331,6 +355,10 @@ optional_policy(` ') optional_policy(` @@ -47425,7 +47393,7 @@ index 9c0faab..def8d5a 100644 ## loading modules. ## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 74a4466..9061149 100644 +index a0eef20..75e256f 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,11 +18,12 @@ type insmod_t; @@ -47498,9 +47466,9 @@ index 74a4466..9061149 100644 +fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file) + kernel_load_module(insmod_t) + kernel_request_load_module(insmod_t) kernel_read_system_state(insmod_t) - kernel_read_network_state(insmod_t) -@@ -125,6 +137,7 @@ kernel_write_proc_files(insmod_t) +@@ -126,6 +138,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -47508,7 +47476,7 @@ index 74a4466..9061149 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +155,7 @@ dev_rw_agp(insmod_t) +@@ -143,6 +156,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -47516,7 +47484,7 @@ index 74a4466..9061149 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -160,11 +174,15 @@ files_write_kernel_modules(insmod_t) +@@ -161,11 +175,15 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -47532,7 +47500,7 @@ index 74a4466..9061149 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -173,8 +191,7 @@ miscfiles_read_localization(insmod_t) +@@ -174,8 +192,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -47542,7 +47510,7 @@ index 74a4466..9061149 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -186,8 +203,11 @@ optional_policy(` +@@ -187,8 +204,11 @@ optional_policy(` ') optional_policy(` @@ -47556,7 +47524,7 @@ index 74a4466..9061149 100644 ') optional_policy(` -@@ -235,6 +255,10 @@ optional_policy(` +@@ -236,6 +256,10 @@ optional_policy(` ') optional_policy(` @@ -48174,7 +48142,7 @@ index ed9c70d..b961d53 100644 /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te -index 09845c4..8cc2a2b 100644 +index 73cc8cf..bf6a0b6 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -10,11 +10,9 @@ type mdadm_exec_t; @@ -48210,15 +48178,6 @@ index 09845c4..8cc2a2b 100644 kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) -@@ -42,7 +40,7 @@ kernel_getattr_core_if(mdadm_t) - corecmd_exec_bin(mdadm_t) - corecmd_exec_shell(mdadm_t) - --dev_read_sysfs(mdadm_t) -+dev_rw_sysfs(mdadm_t) - # Ignore attempts to read every device file - dev_dontaudit_getattr_all_blk_files(mdadm_t) - dev_dontaudit_getattr_all_chr_files(mdadm_t) @@ -52,13 +50,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) dev_read_realtime_clock(mdadm_t) # unfortunately needed for DMI decoding: @@ -49710,10 +49669,10 @@ index 0000000..5f0352b + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..dae5641 +index 0000000..4d7a07a --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,104 @@ +@@ -0,0 +1,107 @@ + +policy_module(systemd, 1.0.0) + @@ -49777,6 +49736,9 @@ index 0000000..dae5641 + +files_read_etc_files(systemd_tmpfiles_t) + ++files_getattr_all_dirs(systemd_tmpfiles_t) ++files_getattr_all_files(systemd_tmpfiles_t) ++ +files_relabel_all_lock_dirs(systemd_tmpfiles_t) +files_relabel_all_pid_dirs(systemd_tmpfiles_t) +files_relabel_all_pid_files(systemd_tmpfiles_t) @@ -49819,7 +49781,7 @@ index 0000000..dae5641 +') + diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index 0291685..44fe366 100644 +index d1c22f3..41150bb 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -22,3 +22,4 @@ @@ -49902,7 +49864,7 @@ index 025348a..cea695c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a054cf5..4fc2837 100644 +index 8f852e5..4c49051 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto; @@ -50792,7 +50754,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..a0cd92e 100644 +index 28b88de..b22960c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -50806,7 +50768,7 @@ index 28b88de..a0cd92e 100644 domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,99 @@ template(`userdom_base_user_template',` +@@ -43,69 +44,100 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -50894,6 +50856,7 @@ index 28b88de..a0cd92e 100644 + domain_dontaudit_read_all_domains_state($1_usertype) + domain_dontaudit_getattr_all_domains($1_usertype) + domain_dontaudit_getsession_all_domains($1_usertype) ++ dev_dontaudit_all_access_check($1_usertype) + + files_read_etc_files($1_usertype) + files_list_mnt($1_usertype) @@ -50955,7 +50918,7 @@ index 28b88de..a0cd92e 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +147,16 @@ template(`userdom_base_user_template',` +@@ -116,6 +148,16 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -50972,7 +50935,7 @@ index 28b88de..a0cd92e 100644 ') ####################################### -@@ -149,6 +190,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +191,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -50981,7 +50944,7 @@ index 28b88de..a0cd92e 100644 ############################## # # Domain access to home dir -@@ -166,27 +209,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +210,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -51009,7 +50972,7 @@ index 28b88de..a0cd92e 100644 ') ####################################### -@@ -218,8 +240,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +241,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -51021,7 +50984,7 @@ index 28b88de..a0cd92e 100644 ############################## # # Domain access to home dir -@@ -228,17 +253,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +254,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -51053,7 +51016,7 @@ index 28b88de..a0cd92e 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +275,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +276,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -51083,7 +51046,7 @@ index 28b88de..a0cd92e 100644 ') ') -@@ -289,6 +316,8 @@ interface(`userdom_manage_tmp_role',` +@@ -289,6 +317,8 @@ interface(`userdom_manage_tmp_role',` type user_tmp_t; ') @@ -51092,7 +51055,7 @@ index 28b88de..a0cd92e 100644 files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -@@ -297,6 +326,45 @@ interface(`userdom_manage_tmp_role',` +@@ -297,6 +327,45 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -51138,7 +51101,7 @@ index 28b88de..a0cd92e 100644 ') ####################################### -@@ -316,6 +384,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +385,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -51146,7 +51109,7 @@ index 28b88de..a0cd92e 100644 files_search_tmp($1) ') -@@ -350,6 +419,8 @@ interface(`userdom_manage_tmpfs_role',` +@@ -350,6 +420,8 @@ interface(`userdom_manage_tmpfs_role',` type user_tmpfs_t; ') @@ -51155,7 +51118,7 @@ index 28b88de..a0cd92e 100644 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -@@ -360,46 +431,41 @@ interface(`userdom_manage_tmpfs_role',` +@@ -360,46 +432,41 @@ interface(`userdom_manage_tmpfs_role',` ####################################### ## @@ -51224,7 +51187,7 @@ index 28b88de..a0cd92e 100644 ') ####################################### -@@ -430,6 +496,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +497,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -51232,7 +51195,7 @@ index 28b88de..a0cd92e 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +557,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +558,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -51241,7 +51204,7 @@ index 28b88de..a0cd92e 100644 ############################## # -@@ -500,73 +567,79 @@ template(`userdom_common_user_template',` +@@ -500,73 +568,79 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -51360,7 +51323,7 @@ index 28b88de..a0cd92e 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +647,114 @@ template(`userdom_common_user_template',` +@@ -574,67 +648,114 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -51493,7 +51456,7 @@ index 28b88de..a0cd92e 100644 ') optional_policy(` -@@ -650,41 +770,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +771,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -51555,7 +51518,7 @@ index 28b88de..a0cd92e 100644 ') ####################################### -@@ -712,13 +841,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +842,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) @@ -51587,7 +51550,7 @@ index 28b88de..a0cd92e 100644 userdom_change_password_template($1) -@@ -736,72 +878,71 @@ template(`userdom_login_user_template', ` +@@ -736,72 +879,71 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -51696,7 +51659,7 @@ index 28b88de..a0cd92e 100644 ') ') -@@ -833,6 +974,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +975,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -51706,7 +51669,7 @@ index 28b88de..a0cd92e 100644 ############################## # # Local policy -@@ -874,45 +1018,107 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1019,107 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -51825,7 +51788,7 @@ index 28b88de..a0cd92e 100644 ') ') -@@ -947,7 +1153,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1154,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -51834,7 +51797,7 @@ index 28b88de..a0cd92e 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1162,77 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1163,77 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -51942,7 +51905,7 @@ index 28b88de..a0cd92e 100644 ') ') -@@ -1039,7 +1268,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1269,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -51951,7 +51914,7 @@ index 28b88de..a0cd92e 100644 ') ############################## -@@ -1066,6 +1295,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1296,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -51959,7 +51922,7 @@ index 28b88de..a0cd92e 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1304,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1305,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -51969,7 +51932,7 @@ index 28b88de..a0cd92e 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1321,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1322,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -51977,7 +51940,7 @@ index 28b88de..a0cd92e 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1119,10 +1353,13 @@ template(`userdom_admin_user_template',` +@@ -1119,10 +1354,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -51991,7 +51954,7 @@ index 28b88de..a0cd92e 100644 fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1142,6 +1379,7 @@ template(`userdom_admin_user_template',` +@@ -1142,6 +1380,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -51999,7 +51962,7 @@ index 28b88de..a0cd92e 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1448,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1449,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -52008,7 +51971,7 @@ index 28b88de..a0cd92e 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1462,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1463,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -52016,7 +51979,7 @@ index 28b88de..a0cd92e 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1478,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1479,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -52024,7 +51987,7 @@ index 28b88de..a0cd92e 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1521,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1522,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -52062,7 +52025,7 @@ index 28b88de..a0cd92e 100644 ubac_constrained($1) ') -@@ -1395,6 +1663,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1664,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -52070,7 +52033,7 @@ index 28b88de..a0cd92e 100644 files_search_home($1) ') -@@ -1441,6 +1710,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1711,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -52085,7 +52048,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -1456,9 +1733,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1734,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -52097,7 +52060,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -1515,10 +1794,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1795,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -52110,7 +52073,7 @@ index 28b88de..a0cd92e 100644 ## ## ## -@@ -1526,35 +1805,71 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,35 +1806,71 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -52203,7 +52166,7 @@ index 28b88de..a0cd92e 100644 ## ## ## -@@ -1589,6 +1904,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1905,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -52212,7 +52175,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -1603,10 +1920,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1921,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -52227,7 +52190,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -1649,6 +1968,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1969,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -52253,7 +52216,7 @@ index 28b88de..a0cd92e 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2038,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2039,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -52286,7 +52249,7 @@ index 28b88de..a0cd92e 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2074,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2075,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -52304,7 +52267,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -1810,8 +2171,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2172,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -52314,7 +52277,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -1827,20 +2187,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2188,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -52339,7 +52302,7 @@ index 28b88de..a0cd92e 100644 ######################################## ## -@@ -2182,7 +2536,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2537,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -52348,7 +52311,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -2435,13 +2789,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2790,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -52364,7 +52327,7 @@ index 28b88de..a0cd92e 100644 ## ## ## -@@ -2462,26 +2817,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2818,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -52391,7 +52354,7 @@ index 28b88de..a0cd92e 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2815,7 +3150,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3151,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -52400,7 +52363,7 @@ index 28b88de..a0cd92e 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3166,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3167,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -52416,7 +52379,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -2917,7 +3254,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3255,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -52425,7 +52388,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -2972,7 +3309,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3310,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -52472,7 +52435,7 @@ index 28b88de..a0cd92e 100644 ') ######################################## -@@ -3009,6 +3384,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3385,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -52480,7 +52443,7 @@ index 28b88de..a0cd92e 100644 kernel_search_proc($1) ') -@@ -3139,3 +3515,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3516,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -53644,7 +53607,7 @@ index df29ca1..2333dd8 100644 +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc -index 8c827f8..744fa64 100644 +index a865da7..2e7f2b0 100644 --- a/policy/modules/system/xen.fc +++ b/policy/modules/system/xen.fc @@ -1,7 +1,5 @@ @@ -53652,9 +53615,9 @@ index 8c827f8..744fa64 100644 -/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) - + /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) - - ifdef(`distro_debian',` + /usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index 77d41b6..4aa96c6 100644 --- a/policy/modules/system/xen.if @@ -53707,10 +53670,10 @@ index 77d41b6..4aa96c6 100644 files_search_pids($1) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te -index f661f5a..600d43f 100644 +index 4350ba0..630c03d 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te -@@ -4,6 +4,7 @@ policy_module(xen, 1.10.0) +@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1) # # Declarations # @@ -53718,7 +53681,7 @@ index f661f5a..600d43f 100644 ## ##

-@@ -34,6 +35,7 @@ type xen_image_t; # customizable +@@ -65,6 +66,7 @@ type xen_image_t; # customizable files_type(xen_image_t) # xen_image_t can be assigned to blk devices dev_node(xen_image_t) @@ -53726,7 +53689,7 @@ index f661f5a..600d43f 100644 type xenctl_t; files_type(xenctl_t) -@@ -89,11 +91,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) +@@ -121,11 +123,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) type xenconsoled_var_run_t; files_pid_file(xenconsoled_var_run_t) @@ -53735,27 +53698,10 @@ index f661f5a..600d43f 100644 -domain_type(xm_t) -init_system_domain(xm_t, xm_exec_t) - - ####################################### - # - # evtchnd local policy -@@ -113,7 +110,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) - # xend local policy + ######################################## # - --allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw }; -+allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw }; - dontaudit xend_t self:capability { sys_ptrace }; - allow xend_t self:process { signal sigkill }; - dontaudit xend_t self:process ptrace; -@@ -228,6 +225,7 @@ logging_send_syslog_msg(xend_t) - lvm_domtrans(xend_t) - - miscfiles_read_localization(xend_t) -+miscfiles_read_hwdata(xend_t) - - mount_domtrans(xend_t) - -@@ -245,6 +243,8 @@ xen_stream_connect_xenstore(xend_t) + # blktap local policy +@@ -341,6 +338,8 @@ xen_stream_connect_xenstore(xend_t) netutils_domtrans(xend_t) @@ -53764,7 +53710,7 @@ index f661f5a..600d43f 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -317,9 +317,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +412,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -53776,23 +53722,19 @@ index f661f5a..600d43f 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -346,6 +347,7 @@ dev_read_sysfs(xenstored_t) +@@ -442,9 +442,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) +fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) - storage_raw_read_fixed_disk(xenstored_t) -@@ -353,6 +355,7 @@ storage_raw_write_fixed_disk(xenstored_t) - storage_raw_read_removable_device(xenstored_t) - term_use_generic_ptys(xenstored_t) +term_use_console(xenconsoled_t) init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -365,98 +368,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +459,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -53842,8 +53784,6 @@ index f661f5a..600d43f 100644 -fs_manage_xenfs_dirs(xm_t) -fs_manage_xenfs_files(xm_t) - --storage_raw_read_fixed_disk(xm_t) -- -term_use_all_terms(xm_t) - -init_stream_connect_script(xm_t) @@ -53891,7 +53831,7 @@ index f661f5a..600d43f 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -469,8 +383,4 @@ optional_policy(` +@@ -559,8 +474,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') @@ -54042,7 +53982,7 @@ index f7380b3..51867f6 100644 +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --git a/policy/users b/policy/users -index c4ebc7e..be2a04c 100644 +index c4ebc7e..30d6d7a 100644 --- a/policy/users +++ b/policy/users @@ -15,7 +15,7 @@ @@ -54054,15 +53994,17 @@ index c4ebc7e..be2a04c 100644 # # user_u is a generic user identity for Linux users who have no -@@ -25,11 +25,8 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) + # SELinux user identity for a Linux user. If you do not want to # permit any access to such users, then remove this entry. # - gen_user(user_u, user, user_r, s0, s0) +-gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) ++gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)