diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 574a67c..4e0fbde 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -7751,7 +7751,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..dc4207f 100644 +index cf04cb5..ff7b3f4 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -7877,7 +7877,7 @@ index cf04cb5..dc4207f 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -7906,6 +7906,7 @@ index cf04cb5..dc4207f 100644 + init_reboot(unconfined_domain_type) + init_halt(unconfined_domain_type) + init_undefined(unconfined_domain_type) ++ init_filetrans_named_content(unconfined_domain_type) +') + +optional_policy(` @@ -18528,10 +18529,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..83e6404 100644 +index 88d0028..4cc476f 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -18585,6 +18586,7 @@ index 88d0028..83e6404 100644 +application_exec(sysadm_t) + ++init_filetrans_named_content(sysadm_t) init_exec(sysadm_t) +init_exec_script_files(sysadm_t) +init_dbus_chat(sysadm_t) 
@@ -18621,7 +18623,7 @@ index 88d0028..83e6404 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +95,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -18636,7 +18638,7 @@ index 88d0028..83e6404 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +104,9 @@ optional_policy(` +@@ -71,9 +105,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -18647,7 +18649,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -87,6 +120,7 @@ optional_policy(` +@@ -87,6 +121,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -18655,7 +18657,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -110,6 +144,10 @@ optional_policy(` +@@ -110,6 +145,10 @@ optional_policy(` ') optional_policy(` @@ -18666,7 +18668,7 @@ index 88d0028..83e6404 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -122,11 +160,19 @@ optional_policy(` +@@ -122,11 +161,19 @@ optional_policy(` ') optional_policy(` @@ -18688,7 +18690,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -140,6 +186,10 @@ optional_policy(` +@@ -140,6 +187,10 @@ optional_policy(` ') optional_policy(` @@ -18699,7 +18701,7 @@ index 88d0028..83e6404 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +206,11 @@ optional_policy(` +@@ -156,11 +207,11 @@ optional_policy(` ') optional_policy(` @@ -18713,7 +18715,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -179,6 +229,13 @@ optional_policy(` +@@ -179,6 +230,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -18727,7 +18729,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -186,15 +243,20 @@ optional_policy(` +@@ -186,15 +244,20 @@ optional_policy(` ') optional_policy(` 
@@ -18751,7 +18753,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -214,22 +276,20 @@ optional_policy(` +@@ -214,22 +277,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -18780,7 +18782,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -241,14 +301,27 @@ optional_policy(` +@@ -241,14 +302,27 @@ optional_policy(` ') optional_policy(` @@ -18808,7 +18810,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -256,10 +329,20 @@ optional_policy(` +@@ -256,10 +330,20 @@ optional_policy(` ') optional_policy(` @@ -18829,7 +18831,7 @@ index 88d0028..83e6404 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +353,36 @@ optional_policy(` +@@ -270,31 +354,36 @@ optional_policy(` ') optional_policy(` @@ -18873,7 +18875,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -319,12 +407,18 @@ optional_policy(` +@@ -319,12 +408,18 @@ optional_policy(` ') optional_policy(` @@ -18893,7 +18895,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -349,7 +443,18 @@ optional_policy(` +@@ -349,7 +444,18 @@ optional_policy(` ') optional_policy(` @@ -18913,7 +18915,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -360,19 +465,15 @@ optional_policy(` +@@ -360,19 +466,15 @@ optional_policy(` ') optional_policy(` @@ -18935,7 +18937,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -384,10 +485,6 @@ optional_policy(` +@@ -384,10 +486,6 @@ optional_policy(` ') optional_policy(` @@ -18946,7 +18948,7 @@ index 88d0028..83e6404 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +492,9 @@ optional_policy(` +@@ -395,6 +493,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) 
@@ -18956,7 +18958,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -402,31 +502,34 @@ optional_policy(` +@@ -402,31 +503,34 @@ optional_policy(` ') optional_policy(` @@ -18997,7 +18999,7 @@ index 88d0028..83e6404 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +542,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +543,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19008,7 +19010,7 @@ index 88d0028..83e6404 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +562,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +563,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -26812,7 +26814,7 @@ index e4376aa..2c98c56 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index fc38c9c..dce2d4e 100644 +index fc38c9c..61a1d24 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t) @@ -26854,17 +26856,20 @@ index fc38c9c..dce2d4e 100644 # Support logging in from /dev/console term_use_console(getty_t) ',` -@@ -125,10 +130,6 @@ optional_policy(` +@@ -121,11 +126,11 @@ tunable_policy(`console_login',` + ') + + optional_policy(` +- mta_send_mail(getty_t) ++ lockdev_manage_files(getty_t) ') optional_policy(` - nscd_use(getty_t) --') -- --optional_policy(` - ppp_domtrans(getty_t) ++ mta_send_mail(getty_t) ') + optional_policy(` diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc index 9dfecf7..6d00f5c 100644 --- a/policy/modules/system/hostname.fc @@ -27076,7 +27081,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..1894886 100644 +index 24e7804..d0780a9 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ 
@@ -27961,7 +27966,7 @@ index 24e7804..1894886 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -28246,6 +28251,28 @@ index 24e7804..1894886 100644 + + allow $1 init_t:system undefined; +') ++ ++######################################## ++## ++## Transition to init named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_filetrans_named_content',` ++ gen_require(` ++ type init_var_run_t; ++ type initrc_var_run_t; ++ type machineid_t; ++ ') ++ ++ files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ++ files_pid_filetrans($1, init_var_run_t, file, "random-seed") ++ files_etc_filetrans($1, machineid_t, file, "machine-id" ) ++') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index dd3be8d..969bda2 100644 --- a/policy/modules/system/init.te @@ -32310,7 +32337,7 @@ index 9fe8e01..fa82aac 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc3..2f33076 100644 +index fc28bc3..2960ed7 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` @@ -32448,7 +32475,7 @@ index fc28bc3..2f33076 100644 ') ######################################## -@@ -809,3 +882,60 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +882,61 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') 
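Review bot: The new `init_filetrans_named_content` interface is under-documented for what it grants: as I read refpolicy's filetrans_pattern helpers, `files_pid_filetrans`/`files_etc_filetrans` add the type_transition plus add/remove-entry rights on the parent directory, but not `create`/`write` on `initrc_var_run_t`, `init_var_run_t` or `machineid_t` files, so a caller that lacks those from other rules is still denied and the label never applies. I would replace the summary "Transition to init named content" with `## Label utmp, random-seed and /etc/machine-id with their init types when the` / `## caller creates them; the caller must separately be allowed to create those files.` Since /etc/machine-id is used by other services as a stable host identifier, it would also help to say in the description that callers (unconfined_domain_type, sysadm_t and realmd_t elsewhere in this patch) are being trusted to create it correctly labeled.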
@@ -32469,6 +32496,7 @@ index fc28bc3..2f33076 100644 + + files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime") + files_etc_filetrans($1, locale_t, file, "locale.conf") ++ files_etc_filetrans($1, locale_t, file, "vconsole.conf") + files_etc_filetrans($1, locale_t, file, "locale.conf.new") + files_etc_filetrans($1, locale_t, file, "timezone") + files_etc_filetrans($1, locale_t, file, "clock") @@ -37063,10 +37091,10 @@ index 0000000..5894afb +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..b3ea12d +index 0000000..2c9ccbf --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,642 @@ +@@ -0,0 +1,643 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -37311,6 +37339,7 @@ index 0000000..b3ea12d +dev_create_generic_dirs(systemd_passwd_agent_t) +dev_read_generic_files(systemd_passwd_agent_t) +dev_write_generic_sock_files(systemd_passwd_agent_t) ++dev_write_kmsg(systemd_passwd_agent_t) + +term_read_console(systemd_passwd_agent_t) + @@ -39081,7 +39110,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..9799799 100644 +index 3c5dba7..b44b1c9 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -40363,7 +40392,7 @@ index 3c5dba7..9799799 100644 - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) + -+ tunable_policy(`selinuxuser_user_share_music',` ++ tunable_policy(`selinuxuser_share_music',` + corenet_tcp_bind_daap_port($1_usertype) + ') + 
@@ -41748,7 +41777,7 @@ index 3c5dba7..9799799 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -42309,6 +42338,42 @@ index 3c5dba7..9799799 100644 + +######################################## +## ++## Dontaudit Read files inherited from the admin home dir. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_inherited_admin_home_files',` ++ gen_require(` ++ attribute admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## ++## Dontaudit append files inherited from the admin home dir. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_append_inherited_admin_home_file',` ++ gen_require(` ++ attribute admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file append_inherited_file_perms; ++') ++ ++######################################## ++## +## Read/Write files inherited +## in a user home subdirectory. +## @@ -43107,7 +43172,7 @@ index 3c5dba7..9799799 100644 + filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..6371ed6 100644 +index e2b538b..9e23738 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -43146,7 +43211,7 @@ index e2b538b..6371ed6 100644 ##
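Review bot: Both new interfaces require `attribute admin_home_t;`, whereas upstream refpolicy declares `admin_home_t` as a type in userdomain.te; if this tree has not converted it to an attribute, the gen_require will not resolve and every caller (virt.te later in this patch) fails to build. If it is still a type here, the fix is `type admin_home_t;` in both gen_require blocks. The userdomain.te hunk in this diff does not show the declaration, so treat this as a check rather than a certainty. Independently, the two names are inconsistent (`userdom_dontaudit_read_inherited_admin_home_files` vs `userdom_dontaudit_append_inherited_admin_home_file`), which will trip the next caller; pick the plural form for both.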

## -gen_tunable(user_dmesg, false) -+gen_tunable(selinuxuser_user_share_music, false) ++gen_tunable(selinuxuser_share_music, false) ## ##

diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 932a185..cc76d7e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -7316,10 +7316,10 @@ index 0000000..98ab9ed +') diff --git a/authconfig.te b/authconfig.te new file mode 100644 -index 0000000..d4eb297 +index 0000000..f2aa4e6 --- /dev/null +++ b/authconfig.te -@@ -0,0 +1,33 @@ +@@ -0,0 +1,32 @@ +policy_module(authconfig, 1.0.0) + +######################################## @@ -7349,7 +7349,6 @@ index 0000000..d4eb297 + +domain_use_interactive_fds(authconfig_t) + -+ +init_domtrans_script(authconfig_t) + +unconfined_domain_noaudit(authconfig_t) @@ -17928,7 +17927,7 @@ index afcf3a2..0730306 100644 + dontaudit system_bus_type $1:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 2c2e7e1..5e0bf2f 100644 +index 2c2e7e1..78bbb7d 100644 --- a/dbus.te +++ b/dbus.te @@ -1,20 +1,18 @@ @@ -17976,7 +17975,7 @@ index 2c2e7e1..5e0bf2f 100644 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,59 +47,57 @@ ifdef(`enable_mls',` +@@ -51,59 +47,58 @@ ifdef(`enable_mls',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') @@ -17989,6 +17988,7 @@ index 2c2e7e1..5e0bf2f 100644 +# dac_override: /var/run/dbus is owned by messagebus on Debian +# cjp: dac_override should probably go in a distro_debian ++allow system_dbusd_t self:capability2 block_suspend; allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; 
@@ -18052,7 +18052,7 @@ index 2c2e7e1..5e0bf2f 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +117,155 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +118,155 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -18222,7 +18222,7 @@ index 2c2e7e1..5e0bf2f 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +274,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +275,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -18247,7 +18247,7 @@ index 2c2e7e1..5e0bf2f 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +293,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +294,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -18255,7 +18255,7 @@ index 2c2e7e1..5e0bf2f 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +302,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +303,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -18297,7 +18297,7 @@ index 2c2e7e1..5e0bf2f 100644 ') ######################################## -@@ -244,5 +339,6 @@ optional_policy(` +@@ -244,5 +340,6 @@ optional_policy(` # Unconfined access to this module # @@ -26564,7 +26564,7 @@ index d03fd43..26023f7 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 20f726b..eb0d80a 100644 +index 20f726b..6af4e62 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ 
@@ -26608,7 +26608,7 @@ index 20f726b..eb0d80a 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -29,107 +47,228 @@ type gconfd_exec_t; +@@ -29,107 +47,227 @@ type gconfd_exec_t; typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) @@ -26819,8 +26819,7 @@ index 20f726b..eb0d80a 100644 -allow gkeyringd_domain gnome_home_t:dir create_dir_perms; -gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") -+allow gkeyringd_domain config_home_t:dir add_entry_dir_perms; -+allow gkeyringd_domain config_home_t:file write; ++manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t) -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) -manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) @@ -27951,9 +27950,18 @@ index 3226f52..68b2eb8 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/gpsd.te b/gpsd.te -index 25f09ae..2200e6d 100644 +index 25f09ae..aa94571 100644 --- a/gpsd.te +++ b/gpsd.te +@@ -28,7 +28,7 @@ files_pid_file(gpsd_var_run_t) + # + + allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; +-dontaudit gpsd_t self:capability { dac_read_search dac_override }; ++dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override }; + allow gpsd_t self:process { setsched signal_perms }; + allow gpsd_t self:shm create_shm_perms; + allow gpsd_t self:unix_dgram_socket sendto; @@ -62,13 +62,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t) term_use_unallocated_ttys(gpsd_t) 
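Review bot: The gnome.te change widens gkeyringd_domain from add-entry on `config_home_t` dirs and `write` on its files to `manage_files_pattern`, which also grants create, unlink, rename, link and setattr on every `config_home_t` file, a type that presumably labels per-user configuration (this spec's restorecon of /home/*/.config suggests so), not only the runtime dbus file the changelog names. If creating that file is the need, `create_files_pattern(gkeyringd_domain, config_home_t, config_home_t)` together with `write_files_pattern(gkeyringd_domain, config_home_t, config_home_t)` covers it without letting the keyring daemon delete or replace other configuration under that label. If the full manage set is genuinely required, a one-line comment above the rule stating which path needs it would let the next reviewer judge the grant.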
@@ -33136,6 +33144,36 @@ index 6cbb977..bd5406a 100644 userdom_list_user_home_content(loadkeys_t) ifdef(`hide_broken_symptoms',` +diff --git a/lockdev.if b/lockdev.if +index 4313b8b..cd1435c 100644 +--- a/lockdev.if ++++ b/lockdev.if +@@ -1,5 +1,25 @@ + ##
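Review bot: `files_search_var_lib($1)` in the new `lockdev_manage_files` interface looks like the wrong search grant for `lockdev_lock_t`: upstream lockdev keeps its lock files under the lock directory (/var/lock/lockdev), not /var/lib, so a caller such as getty_t would still lack search on the path and the manage rules would be unreachable. If lockdev.fc in this tree labels that directory (it is not in this diff), the line should be `files_search_locks($1)`. Worth confirming, since the changelog lists both "Add" and "Fix" for this interface yet the diff shows the var_lib form.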

Library for locking devices. + ++####################################### ++## ++## Create, read, write, and delete ++## lockdev lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lockdev_manage_files',` ++ gen_require(` ++ type lockdev_lock_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t) ++') ++ + ######################################## + ## + ## Role access for lockdev. diff --git a/lockdev.te b/lockdev.te index db87831..30bfb76 100644 --- a/lockdev.te @@ -38281,7 +38319,7 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..0f46305 100644 +index 7c8afcc..97f2b6f 100644 --- a/mpd.te +++ b/mpd.te @@ -62,6 +62,9 @@ files_type(mpd_var_lib_t) @@ -38322,15 +38360,18 @@ index 7c8afcc..0f46305 100644 corenet_all_recvfrom_netlabel(mpd_t) corenet_tcp_sendrecv_generic_if(mpd_t) corenet_tcp_sendrecv_generic_node(mpd_t) -@@ -139,7 +148,6 @@ dev_read_sound(mpd_t) +@@ -139,9 +148,9 @@ dev_read_sound(mpd_t) dev_write_sound(mpd_t) dev_read_sysfs(mpd_t) -files_read_usr_files(mpd_t) fs_getattr_all_fs(mpd_t) ++fs_getattr_all_dirs(mpd_t) fs_list_inotifyfs(mpd_t) -@@ -150,7 +158,9 @@ auth_use_nsswitch(mpd_t) + fs_rw_anon_inodefs_files(mpd_t) + fs_search_auto_mountpoints(mpd_t) +@@ -150,7 +159,9 @@ auth_use_nsswitch(mpd_t) logging_send_syslog_msg(mpd_t) @@ -38341,7 +38382,7 @@ index 7c8afcc..0f46305 100644 tunable_policy(`mpd_enable_homedirs',` userdom_search_user_home_dirs(mpd_t) -@@ -199,6 +209,16 @@ optional_policy(` +@@ -199,6 +210,16 @@ optional_policy(` ') optional_policy(` @@ -38491,10 +38532,10 @@ index c97c177..9411154 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..8654c3c 100644 +index f42896c..cb2791a 100644 --- a/mta.fc 
+++ b/mta.fc -@@ -2,33 +2,42 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) +@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) @@ -38514,6 +38555,9 @@ index f42896c..8654c3c 100644 +/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) /etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) +- +-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +ifdef(`distro_redhat',` +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) +') @@ -38523,8 +38567,7 @@ index f42896c..8654c3c 100644 +/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) +/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) +/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) - --/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++ +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -63768,7 +63811,7 @@ index bff31df..e38693b 100644 ## ## diff --git a/realmd.te b/realmd.te -index 9a8f052..085ab40 100644 +index 9a8f052..c558c79 100644 --- a/realmd.te +++ b/realmd.te @@ -1,4 +1,4 @@ @@ -63777,7 +63820,7 @@ index 9a8f052..085ab40 100644 ######################################## # -@@ -7,47 +7,86 @@ policy_module(realmd, 1.0.2) +@@ -7,47 +7,88 @@ policy_module(realmd, 1.0.2) type realmd_t; type realmd_exec_t; 
@@ -63847,6 +63890,8 @@ index 9a8f052..085ab40 100644 auth_use_nsswitch(realmd_t) ++init_filetrans_named_content(realmd_t) ++ +logging_manage_generic_logs(realmd_t) logging_send_syslog_msg(realmd_t) @@ -63876,7 +63921,7 @@ index 9a8f052..085ab40 100644 networkmanager_dbus_chat(realmd_t) ') -@@ -63,21 +102,40 @@ optional_policy(` +@@ -63,21 +104,40 @@ optional_policy(` optional_policy(` kerberos_use(realmd_t) kerberos_rw_keytab(realmd_t) @@ -63920,7 +63965,7 @@ index 9a8f052..085ab40 100644 ') optional_policy(` -@@ -86,5 +144,27 @@ optional_policy(` +@@ -86,5 +146,27 @@ optional_policy(` sssd_manage_lib_files(realmd_t) sssd_manage_public_files(realmd_t) sssd_read_pid_files(realmd_t) @@ -75260,7 +75305,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..a89828e 100644 +index 49b12ae..a7c3d7c 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ @@ -75349,7 +75394,7 @@ index 49b12ae..a89828e 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t) +@@ -79,13 +85,13 @@ dev_getattr_mtrr_dev(setroubleshootd_t) domain_dontaudit_search_all_domains_state(setroubleshootd_t) domain_signull_all_domains(setroubleshootd_t) @@ -75357,7 +75402,14 @@ index 49b12ae..a89828e 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t) + files_getattr_all_sockets(setroubleshootd_t) + files_read_all_symlinks(setroubleshootd_t) + files_read_mnt_files(setroubleshootd_t) ++files_read_var_lib_files(setroubleshootd_t) + + fs_getattr_all_dirs(setroubleshootd_t) + fs_getattr_all_files(setroubleshootd_t) +@@ -107,27 +113,24 @@ init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) 
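Review bot: `files_read_var_lib_files(setroubleshootd_t)` grants content read on every generic `var_lib_t` file, not just whatever the email alert path needs; setroubleshootd could previously list and getattr all files, but this adds real read access across /var/lib, where package state typically stays `var_lib_t` unless a module gives it a dedicated type. If the alert code reads one specific file or directory (the changelog only says "read var_lib_t to make email_alert working"), a dedicated type with a file-context entry and a narrower interface would be tighter. Otherwise a comment naming the consumer, e.g. `# email_alert reads <path>; needs generic var_lib_t read`, would record why the broad grant is justified.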
@@ -75390,7 +75442,7 @@ index 49b12ae..a89828e 100644 ') optional_policy(` -@@ -135,10 +137,18 @@ optional_policy(` +@@ -135,10 +138,18 @@ optional_policy(` ') optional_policy(` @@ -75409,7 +75461,7 @@ index 49b12ae..a89828e 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,15 +158,17 @@ optional_policy(` +@@ -148,15 +159,17 @@ optional_policy(` ######################################## # @@ -75428,7 +75480,7 @@ index 49b12ae..a89828e 100644 setroubleshoot_stream_connect(setroubleshoot_fixit_t) kernel_read_system_state(setroubleshoot_fixit_t) -@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -165,9 +178,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) corecmd_getattr_all_executables(setroubleshoot_fixit_t) @@ -75443,7 +75495,7 @@ index 49b12ae..a89828e 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +192,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -86559,7 +86611,7 @@ index 9dec06c..cd873d3 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..d0747ff 100644 +index 1f22fba..832423f 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -88040,7 +88092,7 @@ index 1f22fba..d0747ff 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1111,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1111,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) 
@@ -88052,6 +88104,8 @@ index 1f22fba..d0747ff 100644 +systemd_read_unit_files(svirt_lxc_domain) + +userdom_use_inherited_user_terminals(svirt_lxc_domain) ++userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain) ++userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain) + +optional_policy(` + apache_exec_modules(svirt_lxc_domain) @@ -88176,7 +88230,7 @@ index 1f22fba..d0747ff 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1207,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1209,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -88191,7 +88245,7 @@ index 1f22fba..d0747ff 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1225,8 @@ optional_policy(` +@@ -1183,9 +1227,8 @@ optional_policy(` ######################################## # @@ -88202,7 +88256,7 @@ index 1f22fba..d0747ff 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1239,70 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1241,70 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 754b6aa..e7cdbae 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 34%{?dist} +Release: 35%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
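Review bot: `continue` in the rewritten postInstall macro sits outside any loop, so it is at best a no-op and in bash prints a "continue: only meaningful in a loop" diagnostic during %post; the `if ...; then continue; fi` wrapper therefore does nothing the bare restorecon lines did not already do, and still does nothing special when restorecon fails. If the intent is to keep the scriptlet from aborting on a restorecon failure, the idiomatic form is `/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null || :; \` and `/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || :; \`. Note also that the final `fi;` has no trailing backslash, which terminates the macro there; that is fine only if nothing was meant to follow it.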
@@ -229,8 +229,12 @@ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ -/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ -/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null; \ +if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ + continue; \ +fi; \ +if /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;then \ + continue; \ +fi; %define preInstall() \ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \ @@ -526,6 +530,26 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Apr 23 2013 Miroslav Grepl 3.12.1-35 +- Fix lockdev_manage_files() +- Allow setroubleshootd to read var_lib_t to make email_alert working +- Add lockdev_manage_files() +- Call proper interface in virt.te +- Allow gkeyring_domain to create /var/run/UID/config/dbus file +- system dbus seems to be blocking suspend +- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need +- When you enter a container from root, you generate avcs with a leaked file descriptor +- Allow mpd getattr on file system directories +- Make sure realmd creates content with the correct label +- Allow systemd-tty-ask to write kmsg +- Allow mgetty to use lockdev library for device locking +- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music +- When you enter a container from root, you generate avcs with a leaked file descriptor +- Make sure init.fc files are labeled correctly at creation +- File name trans vconsole.conf +- Fix labeling for nagios plugins +- label shared libraries in /opt/google/chrome as testrel_shlib_t + * Thu Apr 18 2013 Miroslav Grepl 3.12.1-34 - Allow certmonger to dbus communicate with realmd - Make realmd working