diff --git a/policy-F16.patch b/policy-F16.patch index 57fc850..5e3fd35 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -8168,7 +8168,7 @@ index 0000000..2a83f6e +') diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te new file mode 100644 -index 0000000..a323883 +index 0000000..6de888a --- /dev/null +++ b/policy/modules/apps/jockey.te @@ -0,0 +1,37 @@ @@ -8193,7 +8193,7 @@ index 0000000..a323883 +# +# jockey local policy +# -+ ++allow jockey_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t) +manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t) @@ -16790,7 +16790,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..9b821b9 100644 +index fae1ab1..b062dce 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -16815,9 +16815,12 @@ index fae1ab1..9b821b9 100644 ## ##
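Review bot: The added `++allow jockey_t self:fifo_file rw_fifo_file_perms;` in the jockey.te hunk becomes redundant with the `++allow domain self:fifo_file rw_fifo_file_perms;` that the domain.te hunk (`@@ -86,15 +101,23 @@`) adds for every domain in this same commit, assuming jockey_t carries the domain attribute (its declaration is outside this hunk). Keep one of the two; if the domain-wide rule is the intended fix, drop the jockey line so the per-domain policy does not accumulate rules the attribute already covers. A grant to every domain also deserves a why-comment next to it, since the hunk gives none, e.g. `# every domain may read/write pipes it owns, matching the self:file rw grant above`.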

-@@ -87,14 +102,20 @@ allow domain self:dir list_dir_perms; +@@ -86,15 +101,23 @@ neverallow ~{ domain unlabeled_t } *:process *; + allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; ++allow domain self:fifo_file rw_fifo_file_perms; ++ kernel_read_proc_symlinks(domain) +kernel_read_crypto_sysctls(domain) + @@ -16837,7 +16840,7 @@ index fae1ab1..9b821b9 100644 # Use trusted objects in /dev dev_rw_null(domain) -@@ -103,6 +124,16 @@ term_use_controlling_term(domain) +@@ -103,6 +126,16 @@ term_use_controlling_term(domain) # list the root directory files_list_root(domain) @@ -16854,7 +16857,7 @@ index fae1ab1..9b821b9 100644 tunable_policy(`global_ssp',` # enable reading of urandom for all domains: -@@ -113,8 +144,13 @@ tunable_policy(`global_ssp',` +@@ -113,8 +146,13 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -16868,7 +16871,7 @@ index fae1ab1..9b821b9 100644 ') optional_policy(` -@@ -125,6 +161,8 @@ optional_policy(` +@@ -125,6 +163,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -16877,7 +16880,7 @@ index fae1ab1..9b821b9 100644 ') ######################################## -@@ -143,6 +181,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; +@@ -143,6 +183,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; 
@@ -16886,7 +16889,7 @@ index fae1ab1..9b821b9 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -158,5 +198,222 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +200,222 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -26183,10 +26186,10 @@ index 6480167..6ecc96d 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..e8e4fa6 100644 +index 3136c6a..fcccdde 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,130 +18,232 @@ policy_module(apache, 2.2.1) +@@ -18,130 +18,239 @@ policy_module(apache, 2.2.1) # Declarations # @@ -26276,6 +26279,13 @@ index 3136c6a..e8e4fa6 100644 + +## +##

++## Allow HTTPD to connect to port 80 for graceful shutdown ++##

++##
++gen_tunable(httpd_graceful_shutdown, false) ++ ++## ++##

+## Allow HTTPD scripts and modules to connect to databases over the network. +##

##
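Review bot: The summary for the new `httpd_graceful_shutdown` tunable says "port 80", but the rule it gates (in the later hunk at `@@ -365,11 +508,19 @@`) is `corenet_tcp_connect_http_port(httpd_t)`, which applies to the http port type as a whole rather than to a single port number. Suggest `## Allow HTTPD to connect to the HTTP ports, needed for graceful shutdown/restart` so the documented scope matches what the boolean actually enables. The only hint at the purpose on the new side is the pre-existing `# Signal self for shutdown` comment above the rule; a default of false keeps the previous behaviour (the old line was commented out), which is worth stating in the boolean's description.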
@@ -26475,7 +26485,7 @@ index 3136c6a..e8e4fa6 100644 attribute httpdcontent; attribute httpd_user_content_type; -@@ -166,7 +268,7 @@ files_type(httpd_cache_t) +@@ -166,7 +275,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -26484,7 +26494,7 @@ index 3136c6a..e8e4fa6 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +279,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +286,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -26494,7 +26504,7 @@ index 3136c6a..e8e4fa6 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +321,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +328,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -26513,7 +26523,7 @@ index 3136c6a..e8e4fa6 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +341,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +348,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -26524,7 +26534,7 @@ index 3136c6a..e8e4fa6 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +352,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +359,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -26532,7 +26542,7 @@ index 3136c6a..e8e4fa6 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +374,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +381,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -26556,7 +26566,7 @@ index 3136c6a..e8e4fa6 100644 ######################################## # # Apache server local policy -@@ -281,11 +410,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +417,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -26570,7 +26580,7 @@ index 3136c6a..e8e4fa6 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +460,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +467,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -26581,7 +26591,7 @@ index 3136c6a..e8e4fa6 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -339,8 +471,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -339,8 +478,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -26592,7 +26602,7 @@ index 3136c6a..e8e4fa6 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -355,6 +488,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +495,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -26602,7 +26612,7 @@ index 3136c6a..e8e4fa6 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +501,17 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +508,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26617,11 +26627,13 @@ index 3136c6a..e8e4fa6 100644 +corenet_tcp_bind_puppet_port(httpd_t) # Signal self for shutdown -corenet_tcp_connect_http_port(httpd_t) -+#corenet_tcp_connect_http_port(httpd_t) ++tunable_policy(`httpd_graceful_shutdown',` ++ corenet_tcp_connect_http_port(httpd_t) ++') dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +520,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +529,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26637,7 +26649,7 @@ index 3136c6a..e8e4fa6 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +533,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +542,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) 
@@ -26645,7 +26657,7 @@ index 3136c6a..e8e4fa6 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +545,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +554,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -26749,7 +26761,7 @@ index 3136c6a..e8e4fa6 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -454,27 +650,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -454,27 +659,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -26813,7 +26825,7 @@ index 3136c6a..e8e4fa6 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +714,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +723,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26836,7 +26848,7 @@ index 3136c6a..e8e4fa6 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +744,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +753,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26857,7 +26869,7 @@ index 3136c6a..e8e4fa6 100644 ') optional_policy(` -@@ -513,7 +768,13 @@ optional_policy(` +@@ -513,7 +777,13 @@ optional_policy(` ') optional_policy(` @@ -26872,7 +26884,7 @@ index 3136c6a..e8e4fa6 100644 ') optional_policy(` -@@ -528,7 +789,19 @@ optional_policy(` +@@ -528,7 +798,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') 
@@ -26893,7 +26905,7 @@ index 3136c6a..e8e4fa6 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +810,13 @@ optional_policy(` +@@ -537,8 +819,13 @@ optional_policy(` ') optional_policy(` @@ -26908,7 +26920,7 @@ index 3136c6a..e8e4fa6 100644 ') ') -@@ -556,7 +834,21 @@ optional_policy(` +@@ -556,7 +843,21 @@ optional_policy(` ') optional_policy(` @@ -26930,7 +26942,7 @@ index 3136c6a..e8e4fa6 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +859,7 @@ optional_policy(` +@@ -567,6 +868,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -26938,7 +26950,7 @@ index 3136c6a..e8e4fa6 100644 ') optional_policy(` -@@ -577,6 +870,20 @@ optional_policy(` +@@ -577,6 +879,20 @@ optional_policy(` ') optional_policy(` @@ -26959,7 +26971,7 @@ index 3136c6a..e8e4fa6 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +898,11 @@ optional_policy(` +@@ -591,6 +907,11 @@ optional_policy(` ') optional_policy(` @@ -26971,7 +26983,7 @@ index 3136c6a..e8e4fa6 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +915,12 @@ optional_policy(` +@@ -603,6 +924,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -26984,7 +26996,7 @@ index 3136c6a..e8e4fa6 100644 ######################################## # # Apache helper local policy -@@ -616,7 +934,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +943,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -26997,7 +27009,7 @@ index 3136c6a..e8e4fa6 100644 ######################################## # -@@ -654,28 +976,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +985,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
@@ -27041,7 +27053,7 @@ index 3136c6a..e8e4fa6 100644 ') ######################################## -@@ -685,6 +1009,8 @@ optional_policy(` +@@ -685,6 +1018,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -27050,7 +27062,7 @@ index 3136c6a..e8e4fa6 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1025,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1034,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -27076,7 +27088,7 @@ index 3136c6a..e8e4fa6 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1071,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1080,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27109,7 +27121,7 @@ index 3136c6a..e8e4fa6 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1118,25 @@ optional_policy(` +@@ -769,6 +1127,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -27135,7 +27147,7 @@ index 3136c6a..e8e4fa6 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1157,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1166,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -27153,7 +27165,7 @@ index 3136c6a..e8e4fa6 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1176,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1185,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -27210,7 +27222,7 @@ index 3136c6a..e8e4fa6 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1227,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1236,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27251,7 +27263,7 @@ index 3136c6a..e8e4fa6 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1272,20 @@ optional_policy(` +@@ -842,10 +1281,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27272,7 +27284,7 @@ index 3136c6a..e8e4fa6 100644 ') ######################################## -@@ -891,11 +1331,49 @@ optional_policy(` +@@ -891,11 +1340,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -27290,13 +27302,13 @@ index 3136c6a..e8e4fa6 100644 + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) -+') + ') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) - ') ++') + +######################################## +# @@ -30269,7 +30281,7 @@ index 9a0da94..714f905 100644 + chronyd_systemctl($1) ') 
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te -index fa82327..1a486b0 100644 +index fa82327..6bf2b26 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te @@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t) @@ -30285,7 +30297,12 @@ index fa82327..1a486b0 100644 type chronyd_var_lib_t; files_type(chronyd_var_lib_t) -@@ -34,9 +40,14 @@ allow chronyd_t self:process { getcap setcap setrlimit }; +@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t) + # + + allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; +-allow chronyd_t self:process { getcap setcap setrlimit }; ++allow chronyd_t self:process { getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; allow chronyd_t self:udp_socket create_socket_perms; allow chronyd_t self:unix_dgram_socket create_socket_perms; @@ -30406,10 +30423,10 @@ index 1f11572..9eb2461 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..9f2a358 100644 +index f758323..c78e22d 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te -@@ -1,9 +1,16 @@ +@@ -1,9 +1,23 @@ policy_module(clamav, 1.9.0) ## @@ -30423,13 +30440,20 @@ index f758323..9f2a358 100644 +gen_tunable(clamscan_read_user_content, false) + +## ++##

++## Allow clamscan to non security files on a system ++##

++##
++gen_tunable(clamscan_can_scan_system, false) ++ ++## +##

+## Allow clamd to use JIT compiler +##

##
gen_tunable(clamd_use_jit, false) -@@ -64,6 +71,8 @@ logging_log_file(freshclam_var_log_t) +@@ -64,6 +78,8 @@ logging_log_file(freshclam_var_log_t) allow clamd_t self:capability { kill setgid setuid dac_override }; dontaudit clamd_t self:capability sys_tty_config; @@ -30438,7 +30462,7 @@ index f758323..9f2a358 100644 allow clamd_t self:fifo_file rw_fifo_file_perms; allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow clamd_t self:unix_dgram_socket create_socket_perms; -@@ -80,6 +89,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) +@@ -80,6 +96,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) # var/lib files for clamd @@ -30446,7 +30470,7 @@ index f758323..9f2a358 100644 manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) -@@ -89,9 +99,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) +@@ -89,9 +106,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) # pid file @@ -30458,7 +30482,7 @@ index f758323..9f2a358 100644 kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) -@@ -110,6 +121,7 @@ corenet_tcp_bind_generic_node(clamd_t) +@@ -110,6 +128,7 @@ corenet_tcp_bind_generic_node(clamd_t) corenet_tcp_bind_clamd_port(clamd_t) corenet_tcp_bind_generic_port(clamd_t) corenet_tcp_connect_generic_port(clamd_t) @@ -30466,7 +30490,7 @@ index f758323..9f2a358 100644 corenet_sendrecv_clamd_server_packets(clamd_t) dev_read_rand(clamd_t) -@@ -127,13 +139,6 @@ logging_send_syslog_msg(clamd_t) +@@ -127,13 +146,6 @@ logging_send_syslog_msg(clamd_t) miscfiles_read_localization(clamd_t) 
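Review bot: The summary for `clamscan_can_scan_system` reads "Allow clamscan to non security files on a system" and is missing its verb; given the rule it gates, `files_read_non_security_files(clamscan_t)` in the later hunk at `@@ -242,15 +281,33 @@`, it should read `## Allow clamscan to read non security files on a system`. Going by the interface name, that rule covers every file type not marked security-sensitive, which is considerably wider than the `clamscan_read_user_content` boolean declared just above it; the description should make that breadth explicit so the boolean is not enabled casually.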
@@ -30480,7 +30504,7 @@ index f758323..9f2a358 100644 optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) -@@ -142,13 +147,31 @@ optional_policy(` +@@ -142,13 +154,31 @@ optional_policy(` ') optional_policy(` @@ -30513,7 +30537,7 @@ index f758323..9f2a358 100644 ') ######################################## -@@ -178,10 +201,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +208,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -30532,7 +30556,7 @@ index f758323..9f2a358 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +218,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +225,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -30540,7 +30564,7 @@ index f758323..9f2a358 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +237,18 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +244,18 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -30563,7 +30587,7 @@ index f758323..9f2a358 100644 ######################################## # # clamscam local policy -@@ -242,15 +274,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,15 +281,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; 
@@ -30588,12 +30612,16 @@ index f758323..9f2a358 100644 + userdom_dontaudit_read_user_home_content_files(clamscan_t) +') + ++tunable_policy(`clamscan_can_scan_system',` ++ files_read_non_security_files(clamscan_t) ++') ++ kernel_read_kernel_sysctls(clamscan_t) +kernel_read_system_state(clamscan_t) files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +310,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +321,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -31652,10 +31680,10 @@ index 0000000..ed13d1e + diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te new file mode 100644 -index 0000000..ab1d55b +index 0000000..7bd44e8 --- /dev/null +++ b/policy/modules/services/collectd.te -@@ -0,0 +1,81 @@ +@@ -0,0 +1,85 @@ +policy_module(collectd, 1.0.0) + +######################################## @@ -31688,10 +31716,12 @@ index 0000000..ab1d55b +# +# collectd local policy +# ++ +allow collectd_t self:capability ipc_lock; -+allow collectd_t self:process fork; ++allow collectd_t self:process { signal fork }; + +allow collectd_t self:fifo_file rw_fifo_file_perms; ++allow collectd_t self:packet_socket create_socket_perms; +allow collectd_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) @@ -31709,6 +31739,8 @@ index 0000000..ab1d55b +kernel_read_system_state(collectd_t) + +dev_read_sysfs(collectd_t) ++dev_read_urand(collectd_t) ++dev_read_rand(collectd_t) + +files_getattr_all_dirs(collectd_t) +files_read_etc_files(collectd_t) @@ -31738,7 +31770,7 @@ index 0000000..ab1d55b +') + diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -index 74505cc..294727a 100644 +index 74505cc..de4b5c7 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -5,9 +5,17 @@ policy_module(colord, 1.0.0) 
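Review bot: `++allow collectd_t self:packet_socket create_socket_perms;` in the collectd.te hunk is added without a matching capability: the only capability granted there is `allow collectd_t self:capability ipc_lock;`, and opening a packet socket normally also requires CAP_NET_RAW, which SELinux checks as `self:capability net_raw`. If the audit denial that motivated the rule showed only the socket class, check the same log for a `capability` denial as well; otherwise the packet socket rule is likely ineffective on its own, and the fix would be `allow collectd_t self:capability { ipc_lock net_raw };`. A one-line why-comment naming the collectd plugin that needs the raw socket would help the next reviewer judge the grant; I cannot tell from the hunk which one it is.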
@@ -31759,7 +31791,7 @@ index 74505cc..294727a 100644 type colord_tmp_t; files_tmp_file(colord_tmp_t) -@@ -23,9 +31,11 @@ files_type(colord_var_lib_t) +@@ -23,9 +31,12 @@ files_type(colord_var_lib_t) # colord local policy # allow colord_t self:capability { dac_read_search dac_override }; @@ -31768,10 +31800,11 @@ index 74505cc..294727a 100644 allow colord_t self:fifo_file rw_fifo_file_perms; allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; +allow colord_t self:tcp_socket create_stream_socket_perms; ++allow colord_t self:shm create_shm_perms; allow colord_t self:udp_socket create_socket_perms; allow colord_t self:unix_dgram_socket create_socket_perms; -@@ -41,8 +51,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +@@ -41,8 +52,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) @@ -31787,7 +31820,7 @@ index 74505cc..294727a 100644 corenet_all_recvfrom_unlabeled(colord_t) corenet_all_recvfrom_netlabel(colord_t) -@@ -50,6 +66,8 @@ corenet_udp_bind_generic_node(colord_t) +@@ -50,6 +67,8 @@ corenet_udp_bind_generic_node(colord_t) corenet_udp_bind_ipp_port(colord_t) corenet_tcp_connect_ipp_port(colord_t) @@ -31796,7 +31829,7 @@ index 74505cc..294727a 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -65,19 +83,35 @@ files_list_mnt(colord_t) +@@ -65,19 +84,35 @@ files_list_mnt(colord_t) files_read_etc_files(colord_t) files_read_usr_files(colord_t) @@ -31833,7 +31866,7 @@ index 74505cc..294727a 100644 fs_read_cifs_files(colord_t) ') -@@ -89,6 +123,12 @@ optional_policy(` +@@ -89,6 +124,12 @@ optional_policy(` ') optional_policy(` 
@@ -31846,7 +31879,7 @@ index 74505cc..294727a 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -96,5 +136,16 @@ optional_policy(` +@@ -96,5 +137,16 @@ optional_policy(` ') optional_policy(` @@ -38292,7 +38325,7 @@ index f590a1f..338e5bf 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..2599f96 100644 +index 2a69e5e..2fd17d8 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) @@ -38346,7 +38379,7 @@ index 2a69e5e..2599f96 100644 files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -94,5 +107,38 @@ optional_policy(` +@@ -94,5 +107,43 @@ optional_policy(` ') optional_policy(` @@ -38385,6 +38418,11 @@ index 2a69e5e..2599f96 100644 +files_search_pids(fail2ban_client_t) + +miscfiles_read_localization(fail2ban_client_t) ++ ++optional_policy(` ++ gnome_dontaudit_search_config(fail2ban_client_t) ++') ++ diff --git a/policy/modules/services/fcoemon.fc b/policy/modules/services/fcoemon.fc new file mode 100644 index 0000000..83279fb @@ -46975,7 +47013,7 @@ index e9c0982..b3b1d5a 100644 + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..c51cbf6 100644 +index 0a0d63c..e71dc4c 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) @@ -47018,7 +47056,7 @@ index 0a0d63c..c51cbf6 100644 allow mysqld_t mysqld_etc_t:dir list_dir_perms; allow mysqld_t mysqld_log_t:file manage_file_perms; -@@ -78,13 +85,20 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -78,13 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) 
@@ -47032,6 +47070,7 @@ index 0a0d63c..c51cbf6 100644 +read_files_pattern(mysqld_t, mysqld_home_t, mysqld_home_t) kernel_read_system_state(mysqld_t) ++kernel_read_network_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) +corecmd_exec_bin(mysqld_t) @@ -47040,7 +47079,7 @@ index 0a0d63c..c51cbf6 100644 corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) corenet_tcp_sendrecv_generic_if(mysqld_t) -@@ -122,13 +136,8 @@ miscfiles_read_localization(mysqld_t) +@@ -122,13 +137,8 @@ miscfiles_read_localization(mysqld_t) sysnet_read_config(mysqld_t) @@ -47055,7 +47094,7 @@ index 0a0d63c..c51cbf6 100644 ') tunable_policy(`mysql_connect_any',` -@@ -155,9 +164,11 @@ optional_policy(` +@@ -155,9 +165,11 @@ optional_policy(` allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; @@ -47067,7 +47106,7 @@ index 0a0d63c..c51cbf6 100644 domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) -@@ -170,26 +181,33 @@ kernel_read_system_state(mysqld_safe_t) +@@ -170,26 +182,33 @@ kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) @@ -53053,7 +53092,7 @@ index b524673..921a60f 100644 + ppp_systemctl($1) ') diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..f530c23 100644 +index 2af42e7..499a41b 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) @@ -53159,7 +53198,7 @@ index 2af42e7..f530c23 100644 logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) -@@ -176,7 +184,7 @@ sysnet_exec_ifconfig(pppd_t) +@@ -176,9 +184,10 @@ sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) 
@@ -53167,8 +53206,11 @@ index 2af42e7..f530c23 100644 +userdom_use_inherited_user_terminals(pppd_t) userdom_dontaudit_use_unpriv_user_fds(pppd_t) userdom_search_user_home_dirs(pppd_t) ++userdom_search_admin_dir(pppd_t) -@@ -187,13 +195,21 @@ optional_policy(` + ppp_exec(pppd_t) + +@@ -187,13 +196,21 @@ optional_policy(` ') optional_policy(` @@ -53191,7 +53233,7 @@ index 2af42e7..f530c23 100644 ') optional_policy(` -@@ -243,14 +259,18 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -243,14 +260,18 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -53211,7 +53253,7 @@ index 2af42e7..f530c23 100644 dev_read_sysfs(pptp_t) -@@ -265,9 +285,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t) +@@ -265,9 +286,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t) corenet_raw_sendrecv_generic_node(pptp_t) corenet_tcp_sendrecv_all_ports(pptp_t) corenet_tcp_bind_generic_node(pptp_t) @@ -56880,10 +56922,10 @@ index 0000000..811c52e + diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 -index 0000000..4d1d0c7 +index 0000000..8d25cc5 --- /dev/null +++ b/policy/modules/services/rhsmcertd.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,67 @@ +policy_module(rhsmcertd, 1.0.0) + +######################################## @@ -56915,6 +56957,9 @@ index 0000000..4d1d0c7 +# rhsmcertd local policy +# + ++allow rhsmcertd_t self:capability sys_nice; ++allow rhsmcertd_t self:process { signal signull getsched setsched }; ++ +allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; +allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; + 
@@ -56929,8 +56974,10 @@ index 0000000..4d1d0c7 + +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) ++files_pid_filetrans(rhsmcertd_var_run_t, rhsmcertd_var_run_t, { file dir }) + +kernel_read_system_state(rhsmcertd_t) ++kernel_read_network_state(rhsmcertd_t) + +corecmd_exec_bin(rhsmcertd_t) + @@ -56938,6 +56985,7 @@ index 0000000..4d1d0c7 + +files_read_etc_files(rhsmcertd_t) +files_read_usr_files(rhsmcertd_t) ++files_list_tmp(rhsmcertd_t) + +miscfiles_read_localization(rhsmcertd_t) +miscfiles_read_certs(rhsmcertd_t) @@ -62843,12 +62891,59 @@ index 665bf7c..a1ea37a 100644 +optional_policy(` + iscsi_manage_semaphores(tgtd_t) +') +diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc +index e2e06b2..e210bd0 100644 +--- a/policy/modules/services/tor.fc ++++ b/policy/modules/services/tor.fc +@@ -4,6 +4,8 @@ + /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) + /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) + ++/lib/systemd/system/tor\.service -- gen_context(system_u:object_r:tor_unit_file_t,s0) ++ + /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) + /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) + diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if -index 904f13e..464347f 100644 +index 904f13e..cfc087a 100644 --- a/policy/modules/services/tor.if 
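Review bot: The new `files_pid_filetrans` line in the rhsmcertd.te hunk passes `rhsmcertd_var_run_t` as the first (source domain) argument instead of `rhsmcertd_t`, so the type transition is attached to the file type rather than to the daemon's domain; presumably files and directories rhsmcertd creates under /var/run will then keep the generic pid-directory label and fall outside the `manage_files_pattern`/`manage_dirs_pattern` rules just above it, and whatever directory access the interface grants goes to a non-domain type. The line should read `files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })`. The rhsmcertd.te body continues outside this hunk.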
+++ b/policy/modules/services/tor.if -@@ -42,7 +42,7 @@ interface(`tor_admin',` +@@ -18,6 +18,30 @@ interface(`tor_domtrans',` + domtrans_pattern($1, tor_exec_t, tor_t) + ') + ++####################################### ++## ++## Execute tor server in the tor domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tor_systemctl',` ++ gen_require(` ++ type tor_t; ++ type tor_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 tor_unit_file_t:file read_file_perms; ++ allow $1 tor_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, tor_t) ++') ++ + ######################################## + ## + ## All of the rules required to administrate +@@ -40,9 +64,10 @@ interface(`tor_admin',` + type tor_t, tor_var_log_t, tor_etc_t; + type tor_var_lib_t, tor_var_run_t; type tor_initrc_exec_t; ++ type tor_unit_file_t; ') - allow $1 tor_t:process { ptrace signal_perms getattr }; @@ -62856,11 +62951,34 @@ index 904f13e..464347f 100644 ps_process_pattern($1, tor_t) init_labeled_script_domtrans($1, tor_initrc_exec_t) +@@ -61,4 +86,13 @@ interface(`tor_admin',` + + files_list_pids($1) + admin_pattern($1, tor_var_run_t) ++ ++ tor_systemctl($1) ++ admin_pattern($1, tor_unit_file_t) ++ allow $1 tor_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te -index c842cad..037dd90 100644 +index c842cad..799fac3 100644 --- a/policy/modules/services/tor.te 
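Review bot: `tor_systemctl` calls `systemd_read_fifo_file_password_run($1)` while the `tor_admin` addition in the following hunk (`@@ -62856`) calls `systemd_read_fifo_file_passwd_run($1)`; only one spelling can match the interface that systemd.if declares, so the other will not expand and the build fails or that access is silently missing — use the declared name in both places. The summary of `tor_systemctl` is copied from `tor_domtrans` ("Execute tor server in the tor domain.") and its parameter text says "Domain allowed to transition", but the interface grants systemctl execution plus `read_file_perms` and `manage_service_perms` on `tor_unit_file_t`; suggest `## Allow the domain to start, stop and query the tor service through systemctl.` and `## Domain allowed access.`.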
+++ b/policy/modules/services/tor.te -@@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t) +@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t) + type tor_var_run_t; + files_pid_file(tor_var_run_t) + ++type tor_unit_file_t; ++systemd_unit_file(tor_unit_file_t) ++ + ######################################## + # + # tor local policy # allow tor_t self:capability { setgid setuid sys_tty_config }; @@ -62868,7 +62986,7 @@ index c842cad..037dd90 100644 allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -87,6 +88,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) +@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) corenet_tcp_bind_tor_port(tor_t) @@ -62876,7 +62994,7 @@ index c842cad..037dd90 100644 corenet_udp_bind_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_sendrecv_dns_server_packets(tor_t) -@@ -95,9 +97,11 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -95,9 +100,11 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -72563,7 +72681,7 @@ index 560dc48..964d353 100644 +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..4ff705d 100644 +index 808ba93..792321c 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -207,6 +207,23 @@ interface(`libs_search_lib',` 
@@ -72646,7 +72764,7 @@ index 808ba93..4ff705d 100644 ') ######################################## -@@ -534,3 +533,24 @@ interface(`lib_filetrans_shared_lib',` +@@ -534,3 +533,26 @@ interface(`lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -72664,27 +72782,33 @@ index 808ba93..4ff705d 100644 +interface(`libs_filetrans_named_content',` + gen_require(` + type ld_so_cache_t; ++ type ldconfig_cache_t; + ') + ++ files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index e5836d3..cc8dabb 100644 +index e5836d3..648d152 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te -@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; +@@ -59,9 +59,11 @@ optional_policy(` + allow ldconfig_t self:capability { dac_override sys_chroot }; + ++manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) ++files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig") -allow ldconfig_t ld_so_cache_t:file manage_file_perms; +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -75,10 +75,14 @@ kernel_read_system_state(ldconfig_t) +@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t) fs_getattr_xattr_fs(ldconfig_t) 
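Review bot: The `files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")` added to libraries.te (and the matching call in `libs_filetrans_named_content` in libraries.if) keys the transition on a directory named `ldconfig` created in a `var_t` directory, so it presumably only reaches /var/cache/ldconfig if /var/cache carries the generic var label; the patch shows no file-context entry for `/var/cache/ldconfig`, so confirm libraries.fc labels it `ldconfig_cache_t`, otherwise a relabel will undo what the transition sets up. The interface's summary block sits above this hunk and should mention the new directory transition alongside the ld.so.cache entries, e.g. `## Create /var/cache/ldconfig and the ld.so cache files with their private labels.`. The libraries.te rules for ldconfig_t continue outside the hunk.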
@@ -72699,7 +72823,7 @@ index e5836d3..cc8dabb 100644 files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) -@@ -94,7 +98,8 @@ miscfiles_read_localization(ldconfig_t) +@@ -94,7 +100,8 @@ miscfiles_read_localization(ldconfig_t) logging_send_syslog_msg(ldconfig_t) @@ -72709,7 +72833,7 @@ index e5836d3..cc8dabb 100644 userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` -@@ -103,6 +108,12 @@ ifdef(`distro_ubuntu',` +@@ -103,6 +110,12 @@ ifdef(`distro_ubuntu',` ') ') @@ -72722,7 +72846,7 @@ index e5836d3..cc8dabb 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -114,6 +125,9 @@ ifdef(`hide_broken_symptoms',` +@@ -114,6 +127,9 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -72732,7 +72856,7 @@ index e5836d3..cc8dabb 100644 optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +145,10 @@ optional_policy(` +@@ -131,6 +147,10 @@ optional_policy(` ') optional_policy(` @@ -72743,7 +72867,7 @@ index e5836d3..cc8dabb 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +159,3 @@ optional_policy(` +@@ -141,6 +161,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -76649,10 +76773,10 @@ index 0000000..db57bc7 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..1688a39 +index 0000000..d77929b --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,504 @@ +@@ -0,0 +1,523 @@ +## SELinux policy for systemd components + +####################################### 
@@ -76765,6 +76889,25 @@ index 0000000..1688a39 + allow $1 systemd_unit_file_type:dir list_dir_perms; +') + ++##################################### ++## ++## Allow domain to getattr all systemd unit files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_getattr_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 systemd_unit_file_type:file getattr_file_perms; ++') ++ +###################################### +## +## Allow domain to read all systemd unit files. diff --git a/selinux-policy.spec b/selinux-policy.spec index 565a4fe..042c5d3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 87%{?dist} +Release: 88%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri May 4 2012 Miroslav Grepl 3.10.0-88 +- Allow jockey to use its own fifo_file +- Allow collectd to read /dev/random +- Allow collectd to send signal to itself +- Allow chronyd to send signal to itself +- Allow collectd to create packet socke +- Allow colord to create shm +- Fix description on httpd_graceful_shutdown +- Add httpd_graceful_shutdown boolean to allow httpd to connect to port 80 +- Add clamscan_can_scan_system boolean +- Allow mysqld to read kernel network state +- Dontaudit fail2ban looking at gnome content +- Allow ldconfig to create /var/cache/ldconfig + * Wed Apr 25 2012 Miroslav Grepl 3.10.0-87 - More fixes for l2tpd * Allow pppd to stream connet to l2tpd