diff --git a/container-selinux.tgz b/container-selinux.tgz index ecd2a47..a948e55 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index c4bf466..e9995ed 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -27411,10 +27411,10 @@ index 000000000..bb9082586 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 000000000..bdfe41b61 +index 000000000..93d7f8839 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,363 @@ +@@ -0,0 +1,367 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -27735,6 +27735,10 @@ index 000000000..bdfe41b61 +') + +optional_policy(` ++ chronyd_run_chronyc(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) + oddjob_run(unconfined_t, unconfined_r) +') @@ -43463,7 +43467,7 @@ index 79048c410..d404d6528 100644 udev_read_pid_files(lvm_t) ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01e3..c62c76136 100644 +index 9fe8e01e3..6aa1ea05a 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,16 @@ ifdef(`distro_gentoo',` @@ -43524,16 +43528,19 @@ index 9fe8e01e3..c62c76136 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +91,7 @@ ifdef(`distro_debian',` +@@ -89,7 +90,10 @@ ifdef(`distro_debian',` + /var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0) ') ++/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:cert_t,s0) ++ ifdef(`distro_redhat',` +/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') 
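Review bot: Labeling `/var/lib/letsencrypt(/.*)?` as cert_t makes that whole tree readable by every domain granted `miscfiles_read_all_certs` or the generic cert-reading interfaces, and certbot's working and backup data under /var/lib/letsencrypt can, as far as I recall, include copies of private key material, so confirm what lands there before applying the public-certificate type to the entire directory. If keys can appear under it, a dedicated type, or labeling only the certificate subdirectories as cert_t, would keep private material out of the broadly readable label. The same labeling is repeated as a `files_var_lib_filetrans` rule in the miscfiles.if section that follows, so whatever is decided here has to be mirrored there.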
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc31b..7ed7664fb 100644 +index fc28bc31b..1701f0861 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` @@ -43777,7 +43784,7 @@ index fc28bc31b..7ed7664fb 100644 ') ######################################## -@@ -809,3 +944,61 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +944,81 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -43831,6 +43838,7 @@ index fc28bc31b..7ed7664fb 100644 + files_var_filetrans($1, man_t, dir, "man") + files_etc_filetrans($1, cert_t, dir, "pki") + files_usr_filetrans($1, cert_t, dir, "certs") ++ files_var_lib_filetrans($1, cert_t, dir, "letsencrypt") + files_usr_filetrans($1, fonts_t, dir, "fonts") + files_usr_filetrans($1, hwdata_t, dir, "hwdata") + files_var_filetrans($1, fonts_cache_t, dir, "fontconfig") @@ -43839,6 +43847,25 @@ index fc28bc31b..7ed7664fb 100644 + files_var_lib_filetrans($1, tetex_data_t, dir, "texmf") + files_var_filetrans($1, public_content_t, dir, "ftp") +') ++ ++ ++######################################## ++## ++## Transition to miscfiles named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`miscfiles_filetrans_named_content_letsencrypt',` ++ gen_require(` ++ type cert_t; ++ ') ++ ++ files_var_lib_filetrans($1, cert_t, dir, "letsencrypt") ++') diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index 1361961d0..be6b7fc80 100644 --- a/policy/modules/system/miscfiles.te @@ -52359,10 +52386,10 @@ index 5ca20a97d..43bb011b3 100644 + allow $1 unconfined_service_t:process { noatsecure }; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902db3..0a7c3bb00 100644 +index 5fe902db3..52a051d8a 100644 --- a/policy/modules/system/unconfined.te 
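Review bot: The new `miscfiles_filetrans_named_content_letsencrypt` interface carries the generic summary `Transition to miscfiles named content`, which says neither what is created nor with which type; I would change it to `Create the letsencrypt directory in /var/lib with the cert_t type`. The identical `files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")` rule was also added to `miscfiles_filetrans_named_content` in the preceding hunk, so the two interfaces overlap; if the narrow one exists for callers that must not receive the rest of the named-content transitions, the description should say so, otherwise one of the two additions is redundant.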
+++ b/policy/modules/system/unconfined.te -@@ -1,207 +1,33 @@ +@@ -1,207 +1,38 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) @@ -52382,6 +52409,7 @@ index 5fe902db3..0a7c3bb00 100644 +type unconfined_service_t; +domain_type(unconfined_service_t) +role system_r types unconfined_service_t; ++init_nnp_daemon_domain(unconfined_service_t) -type unconfined_exec_t; -init_system_domain(unconfined_t, unconfined_exec_t) @@ -52434,24 +52462,30 @@ index 5fe902db3..0a7c3bb00 100644 - apache_run_helper(unconfined_t, unconfined_r) - apache_role(unconfined_r, unconfined_t) -') -- ++role unconfined_r types unconfined_service_t; + -optional_policy(` - bind_run_ndc(unconfined_t, unconfined_r) -') -- --optional_policy(` ++corecmd_bin_entry_type(unconfined_service_t) ++corecmd_shell_entry_type(unconfined_service_t) + + optional_policy(` - bootloader_run(unconfined_t, unconfined_r) --') -- --optional_policy(` ++ rpm_transition_script(unconfined_service_t, system_r) + ') + + optional_policy(` - cron_unconfined_role(unconfined_r, unconfined_t) --') -- --optional_policy(` ++ chronyd_run_chronyc(unconfined_service_t, system_r) + ') + + optional_policy(` - firstboot_run(unconfined_t, unconfined_r) --') -- --optional_policy(` ++ dbus_chat_system_bus(unconfined_service_t) + ') + + optional_policy(` - ftp_run_ftpdctl(unconfined_t, unconfined_r) -') - @@ -52523,8 +52557,7 @@ index 5fe902db3..0a7c3bb00 100644 -optional_policy(` - rpm_run(unconfined_t, unconfined_r) -') -+role unconfined_r types unconfined_service_t; - +- -optional_policy(` - samba_run_net(unconfined_t, unconfined_r) - samba_run_winbind_helper(unconfined_t, unconfined_r) 
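Review bot: `init_nnp_daemon_domain(unconfined_service_t)` is added without a comment, and for an unconfined target domain the rationale is not self-evident: as far as I know this interface is what lets init transition into the domain when the unit runs with NoNewPrivileges=yes, which is normally justified as keeping a confined service from silently staying in init's domain. I would add `# allow units with NoNewPrivileges=yes to still transition into unconfined_service_t` above the line so the next reader knows this widening is intentional. The same unexplained addition appears for amavis_t in the amavis.te hunk of policy-rawhide-contrib.patch later on this page. The type declarations in unconfined.te continue beyond this hunk, so the rest of the domain's setup is outside the view.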
@@ -52546,20 +52579,16 @@ index 5fe902db3..0a7c3bb00 100644 -optional_policy(` - unconfined_dbus_chat(unconfined_t) -') -+corecmd_bin_entry_type(unconfined_service_t) -+corecmd_shell_entry_type(unconfined_service_t) - - optional_policy(` +- +-optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r) -+ rpm_transition_script(unconfined_service_t, system_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - vpn_run(unconfined_t, unconfined_r) -+ dbus_chat_system_bus(unconfined_service_t) - ') - - optional_policy(` +-') +- +-optional_policy(` - webalizer_run(unconfined_t, unconfined_r) -') - @@ -52628,7 +52657,7 @@ index db7597682..c54480a1d 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6c0..1d1213e00 100644 +index 9dc60c6c0..562afbe9a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -53653,7 +53682,7 @@ index 9dc60c6c0..1d1213e00 100644 userdom_change_password_template($1) -@@ -761,86 +1031,117 @@ template(`userdom_login_user_template', ` +@@ -761,86 +1031,121 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -53797,6 +53826,10 @@ index 9dc60c6c0..1d1213e00 100644 + ') + + optional_policy(` ++ chronyd_run_chronyc($1_t, $1_r) ++ ') ++ ++ optional_policy(` + ipa_run_helper($1_t, $1_r) + ') + @@ -53809,7 +53842,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## The template for creating a unprivileged login user. ## -@@ -868,6 +1169,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1173,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
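Review bot: Adding `chronyd_run_chronyc($1_t, $1_r)` to `userdom_login_user_template` grants the chronyc domain transition to every login user type built from that template, which presumably includes the restricted and unprivileged templates further down this file section, not only administrative users. That is only harmless if chronyc_t itself gets no access to chronyd's control socket or key files beyond what DAC already allows; confirm the chronyc_t rules in chronyd.te, which are not in view, before granting this to all users, or place the call in the admin template only. The template body continues outside the hunk.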
@@ -53822,7 +53855,7 @@ index 9dc60c6c0..1d1213e00 100644 ############################## # # Local policy -@@ -907,53 +1214,143 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1218,143 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -53901,13 +53934,15 @@ index 9dc60c6c0..1d1213e00 100644 + dbus_role_template($1, $1_r, $1_usertype) + dbus_system_bus_client($1_usertype) + allow $1_usertype $1_usertype:dbus send_msg; -+ -+ optional_policy(` + + optional_policy(` +- consolekit_dbus_chat($1_t) + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- cups_dbus_chat($1_t) + accountsd_dbus_chat($1_usertype) + ') + @@ -53915,15 +53950,13 @@ index 9dc60c6c0..1d1213e00 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') - - optional_policy(` -- consolekit_dbus_chat($1_t) ++ ++ optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) @@ -53978,7 +54011,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ####################################### -@@ -987,27 +1384,36 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1388,36 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -54019,7 +54052,7 @@ index 9dc60c6c0..1d1213e00 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1424,64 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1428,64 @@ template(`userdom_unpriv_user_template', ` ') ') 
@@ -54080,21 +54113,21 @@ index 9dc60c6c0..1d1213e00 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` -+ wine_role_template($1, $1_r, $1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) ++ wine_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1490,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1494,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -54105,7 +54138,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ') -@@ -1079,7 +1528,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1532,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -54116,7 +54149,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ############################## -@@ -1095,6 +1546,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1550,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -54124,7 +54157,7 @@ index 9dc60c6c0..1d1213e00 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1557,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1561,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -54141,7 +54174,7 @@ index 9dc60c6c0..1d1213e00 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1574,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1578,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -54150,7 +54183,7 @@ index 9dc60c6c0..1d1213e00 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1593,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1597,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -54166,7 +54199,7 @@ index 9dc60c6c0..1d1213e00 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1612,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1616,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -54211,7 +54244,7 @@ index 9dc60c6c0..1d1213e00 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1655,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1659,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -54220,7 +54253,7 @@ index 9dc60c6c0..1d1213e00 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1664,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1668,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -54243,7 +54276,7 @@ index 9dc60c6c0..1d1213e00 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,8 +1714,8 @@ template(`userdom_admin_user_template',` +@@ -1240,8 +1718,8 @@ template(`userdom_admin_user_template',` ## ## # 
@@ -54254,7 +54287,7 @@ index 9dc60c6c0..1d1213e00 100644 corecmd_exec_shell($1) -@@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1728,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -54263,7 +54296,7 @@ index 9dc60c6c0..1d1213e00 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1738,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1742,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -54275,7 +54308,7 @@ index 9dc60c6c0..1d1213e00 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1752,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1756,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -54318,7 +54351,7 @@ index 9dc60c6c0..1d1213e00 100644 ') optional_policy(` -@@ -1357,14 +1837,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1841,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -54337,7 +54370,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -1397,12 +1880,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1884,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -54391,7 +54424,7 @@ index 9dc60c6c0..1d1213e00 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +2032,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2036,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -54423,7 +54456,7 @@ index 9dc60c6c0..1d1213e00 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2098,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2102,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -54438,7 +54471,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -1570,9 +2121,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2125,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -54450,7 +54483,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -1613,6 +2166,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2170,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -54475,7 +54508,7 @@ index 9dc60c6c0..1d1213e00 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2202,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2206,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -54535,7 +54568,7 @@ index 9dc60c6c0..1d1213e00 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2328,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2332,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -54550,7 +54583,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -1741,10 +2367,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2371,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -54565,7 +54598,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -1769,7 +2397,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2401,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -54574,7 +54607,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -1777,19 +2405,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2409,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -54598,7 +54631,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -1797,47 +2423,157 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,45 +2427,155 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -54653,8 +54686,7 @@ index 9dc60c6c0..1d1213e00 100644 # -interface(`userdom_dontaudit_setattr_user_home_content_files',` +interface(`userdom_setattr_user_tmp_files',` - gen_require(` -- type user_home_t; ++ gen_require(` + type user_tmp_t; + ') + @@ -54764,12 +54796,10 @@ index 9dc60c6c0..1d1213e00 100644 +## +# +interface(`userdom_dontaudit_setattr_user_home_content_files',` -+ gen_require(` -+ type user_home_t; + gen_require(` + type user_home_t; ') - - dontaudit $1 user_home_t:file setattr_file_perms; -@@ -1845,6 +2581,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1845,6 +2585,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -54795,7 +54825,7 @@ index 9dc60c6c0..1d1213e00 100644 ## Mmap user home files. ## ## -@@ -1875,14 +2630,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1875,14 +2634,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
@@ -54833,7 +54863,7 @@ index 9dc60c6c0..1d1213e00 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2670,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2674,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -54851,7 +54881,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -1938,7 +2718,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2722,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -54860,7 +54890,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -1946,10 +2726,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2730,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -54873,7 +54903,7 @@ index 9dc60c6c0..1d1213e00 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2737,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2741,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -54882,7 +54912,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -1966,12 +2745,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2749,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -54951,7 +54981,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -2007,8 +2840,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2844,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') 
@@ -54961,7 +54991,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -2024,20 +2856,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2860,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -54986,7 +55016,7 @@ index 9dc60c6c0..1d1213e00 100644 ######################################## ## -@@ -2120,7 +2946,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2950,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -54995,7 +55025,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -2128,19 +2954,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2958,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -55019,7 +55049,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -2148,12 +2972,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2976,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -55035,7 +55065,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -2388,18 +3212,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3216,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -55093,7 +55123,7 @@ index 9dc60c6c0..1d1213e00 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3274,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3278,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -55102,7 +55132,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -2455,6 +3315,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3319,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') 
@@ -55128,7 +55158,7 @@ index 9dc60c6c0..1d1213e00 100644 ######################################## ## -@@ -2538,7 +3417,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3421,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -55137,7 +55167,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -2546,19 +3425,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3429,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # @@ -55160,7 +55190,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -2566,19 +3445,19 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,19 +3449,19 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -55183,7 +55213,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -2586,19 +3465,60 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2586,20 +3469,61 @@ interface(`userdom_manage_user_tmp_pipes',` ## ## # @@ -55203,6 +55233,7 @@ index 9dc60c6c0..1d1213e00 100644 ## -## Create objects in a user temporary directory -## with an automatic type transition to +-## a specified private type. +## Create, read, write, and delete user +## temporary named pipes. +## @@ -55245,10 +55276,11 @@ index 9dc60c6c0..1d1213e00 100644 +## +## Create objects in a user temporary directory +## with an automatic type transition to - ## a specified private type. ++## a specified private type. ## ## -@@ -2661,6 +3581,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` + ## +@@ -2661,6 +3585,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -55270,7 +55302,7 @@ index 9dc60c6c0..1d1213e00 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3607,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3611,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` 
@@ -55292,7 +55324,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -2692,19 +3622,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3626,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -55315,7 +55347,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -2713,13 +3637,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3641,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -55376,7 +55408,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -2814,6 +3781,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3785,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -55401,7 +55433,7 @@ index 9dc60c6c0..1d1213e00 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3817,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3821,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -55444,7 +55476,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -2856,14 +3853,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3857,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -55482,7 +55514,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -2882,8 +3898,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3902,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -55512,7 +55544,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -2955,6 +3990,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3994,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
@@ -55555,7 +55587,7 @@ index 9dc60c6c0..1d1213e00 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4049,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4053,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -55580,7 +55612,7 @@ index 9dc60c6c0..1d1213e00 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4067,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4071,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -55592,7 +55624,7 @@ index 9dc60c6c0..1d1213e00 100644 ## memory segments. ## ## -@@ -3025,17 +4078,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4082,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -55613,7 +55645,7 @@ index 9dc60c6c0..1d1213e00 100644 ## memory segments. ## ## -@@ -3044,12 +4097,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4101,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -55628,7 +55660,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -3094,7 +4147,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4151,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -55637,7 +55669,7 @@ index 9dc60c6c0..1d1213e00 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4163,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4167,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -55671,7 +55703,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -3214,7 +4251,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4255,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -55698,7 +55730,7 @@ index 9dc60c6c0..1d1213e00 100644 ') ######################################## -@@ -3269,12 +4324,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4328,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -55714,7 +55746,7 @@ index 9dc60c6c0..1d1213e00 100644 ## ## ## -@@ -3282,49 +4338,125 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,46 +4342,122 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -55772,9 +55804,8 @@ index 9dc60c6c0..1d1213e00 100644 gen_require(` - attribute userdomain; + type user_tmp_t; - ') - -- allow $1 userdomain:process getattr; ++ ') ++ + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + @@ -55848,13 +55879,10 @@ index 9dc60c6c0..1d1213e00 100644 +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process getattr; - ') + ') - ######################################## -@@ -3382,6 +4514,42 @@ interface(`userdom_signal_all_users',` + allow $1 userdomain:process getattr; +@@ -3382,6 +4518,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -55897,7 +55925,7 @@ index 9dc60c6c0..1d1213e00 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4570,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4574,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -55958,7 +55986,7 @@ index 9dc60c6c0..1d1213e00 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4657,1835 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4661,1835 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c022c34..2d99539 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2531,10 +2531,18 @@ index 60d4f8c90..18ef0772c 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 91fa72ae1..2e9b8246a 100644 +index 91fa72ae1..11a55da57 100644 --- a/amavis.te +++ b/amavis.te -@@ -39,14 +39,14 @@ type amavis_quarantine_t; +@@ -16,6 +16,7 @@ gen_tunable(amavis_use_jit, false) + type amavis_t; + type amavis_exec_t; + init_daemon_domain(amavis_t, amavis_exec_t) ++init_nnp_daemon_domain(amavis_t) + + type amavis_etc_t; + files_config_file(amavis_etc_t) +@@ -39,14 +40,14 @@ type amavis_quarantine_t; files_type(amavis_quarantine_t) type amavis_spool_t; @@ -2551,7 +2559,7 @@ index 91fa72ae1..2e9b8246a 100644 dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process signal_perms; allow amavis_t self:fifo_file rw_fifo_file_perms; -@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) +@@ -67,9 +68,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) @@ -2565,7 +2573,7 @@ index 91fa72ae1..2e9b8246a 100644 manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) +@@ -95,7 +99,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) corecmd_exec_bin(amavis_t) corecmd_exec_shell(amavis_t) 
@@ -2573,7 +2581,7 @@ index 91fa72ae1..2e9b8246a 100644 corenet_all_recvfrom_netlabel(amavis_t) corenet_tcp_sendrecv_generic_if(amavis_t) corenet_udp_sendrecv_generic_if(amavis_t) -@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) +@@ -118,6 +121,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) corenet_sendrecv_razor_client_packets(amavis_t) corenet_tcp_connect_razor_port(amavis_t) @@ -2581,7 +2589,7 @@ index 91fa72ae1..2e9b8246a 100644 dev_read_rand(amavis_t) dev_read_sysfs(amavis_t) -@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t) +@@ -127,7 +131,6 @@ domain_use_interactive_fds(amavis_t) domain_dontaudit_read_all_domains_state(amavis_t) files_read_etc_runtime_files(amavis_t) @@ -2589,7 +2597,7 @@ index 91fa72ae1..2e9b8246a 100644 files_search_spool(amavis_t) fs_getattr_xattr_fs(amavis_t) -@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t) +@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t) logging_send_syslog_msg(amavis_t) @@ -2613,7 +2621,7 @@ index 91fa72ae1..2e9b8246a 100644 ') optional_policy(` -@@ -173,6 +181,10 @@ optional_policy(` +@@ -173,6 +182,10 @@ optional_policy(` ') optional_policy(` @@ -5615,7 +5623,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..f6ac61e03 100644 +index 6649962b6..cb95398ea 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -7796,7 +7804,7 @@ index 6649962b6..f6ac61e03 100644 ') ######################################## -@@ -1330,49 +1633,42 @@ optional_policy(` +@@ -1330,49 +1633,43 @@ optional_policy(` # User content local policy # 
@@ -7836,6 +7844,7 @@ index 6649962b6..f6ac61e03 100644 - fs_exec_nfs_files(httpd_user_script_t) + read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) + read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) ++ list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) + allow httpd_t httpd_user_content_type:file map; ') @@ -7864,7 +7873,7 @@ index 6649962b6..f6ac61e03 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1678,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1679,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -10562,10 +10571,10 @@ index 3a5032e06..3facb7156 100644 + xserver_read_state_xdm(blueman_t) +') diff --git a/bluetooth.fc b/bluetooth.fc -index 2b9c7f329..0086b95d1 100644 +index 2b9c7f329..6ae8a62c9 100644 --- a/bluetooth.fc +++ b/bluetooth.fc -@@ -5,10 +5,14 @@ +@@ -5,10 +5,15 @@ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) @@ -10577,6 +10586,7 @@ index 2b9c7f329..0086b95d1 100644 /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) ++/usr/libexec/bluetooth/obexd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) @@ -13642,10 +13652,10 @@ index 000000000..ca526f823 + gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) +') diff --git a/chronyd.fc b/chronyd.fc -index 4e4143ed8..f03dba037 100644 +index 4e4143ed8..9c06350c2 100644 --- a/chronyd.fc 
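Review bot: Labeling `/usr/libexec/bluetooth/obexd` as `bluetooth_exec_t` places the OBEX object-transfer service in the same `bluetooth_t` domain as `bluetoothd`, so it inherits every rule written for the adapter daemon, none of which is visible in this hunk. obexd's role — accepting objects pushed by paired remote devices and storing them for the session user — is a different exposure from bluetoothd's, which is the usual argument for a separate domain; if sharing `bluetooth_t` is deliberate, a comment in bluetooth.te recording that obexd now runs there would spare the next reviewer the same question. It is also worth confirming how obexd is launched on this distribution: if it is started from the session bus rather than by init, the daemon transition that bluetoothd presumably relies on may not apply, and the label alone would not put it in `bluetooth_t`.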
+++ b/chronyd.fc -@@ -1,13 +1,18 @@ +@@ -1,13 +1,20 @@ -/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) +/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0) @@ -13655,6 +13665,8 @@ index 4e4143ed8..f03dba037 100644 + /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) +/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) ++ ++/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) @@ -13667,7 +13679,7 @@ index 4e4143ed8..f03dba037 100644 /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) /var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/chronyd.if b/chronyd.if -index 32e8265c2..ac74503d1 100644 +index 32e8265c2..508f3b84f 100644 --- a/chronyd.if +++ b/chronyd.if @@ -57,6 +57,24 @@ interface(`chronyd_exec',` @@ -13801,7 +13813,7 @@ index 32e8265c2..ac74503d1 100644 ') #################################### -@@ -176,28 +255,38 @@ interface(`chronyd_read_key_files',` +@@ -176,28 +255,81 @@ interface(`chronyd_read_key_files',` # interface(`chronyd_admin',` gen_require(` 
@@ -13848,12 +13860,65 @@ index 32e8265c2..ac74503d1 100644 + admin_pattern($1, chronyd_unit_file_t) + chronyd_systemctl($1) + allow $1 chronyd_unit_file_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Execute chronyc in the chronyc domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`chronyd_domtrans_chronyc',` ++ gen_require(` ++ type chronyc_t, chronyc_exec_t; ++ ') ++ ++ domtrans_pattern($1, chronyc_exec_t, chronyc_t) ++') ++ ++######################################## ++## ++## Execute chronyc in the chronyc domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++# ++interface(`chronyd_run_chronyc',` ++ gen_require(` ++ type chronyc_t; ++ attribute_role chronyc_roles; ++ ') ++ ++ chronyd_domtrans_chronyc($1) ++ roleattribute $2 chronyc_roles; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c29..cfc64f1b0 100644 +index e5b621c29..89ecee1f7 100644 --- a/chronyd.te +++ b/chronyd.te -@@ -18,6 +18,9 @@ files_type(chronyd_keys_t) +@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0) + # Declarations + # + ++attribute_role chronyc_roles; ++roleattribute system_r chronyc_roles; ++ + type chronyd_t; + type chronyd_exec_t; + init_daemon_domain(chronyd_t, chronyd_exec_t) +@@ -18,6 +21,9 @@ files_type(chronyd_keys_t) type chronyd_tmpfs_t; files_tmpfs_file(chronyd_tmpfs_t) 
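Review bot: The two new chronyd.if interfaces carry the identical summary `Execute chronyc in the chronyc domain.`, although `chronyd_run_chronyc` additionally adds `$2` to `chronyc_roles`; the refpolicy convention for `_run_` interfaces is to say so, e.g. `Execute chronyc in the chronyc domain, and allow the specified role the chronyc domain.` The `gen_require` block of `chronyd_run_chronyc` also lists `type chronyc_t;`, which its body appears not to use since the transition is delegated to `chronyd_domtrans_chronyc($1)`, so `attribute_role chronyc_roles;` is the only requirement the interface itself needs. The hunk's parameter blocks look like they lost their XML tags in rendering, so I could not check those for the same duplication.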
@@ -13863,13 +13928,25 @@ index e5b621c29..cfc64f1b0 100644 type chronyd_var_lib_t; files_type(chronyd_var_lib_t) -@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t) +@@ -27,18 +33,33 @@ logging_log_file(chronyd_var_log_t) + type chronyd_var_run_t; + files_pid_file(chronyd_var_run_t) + ++type chronyc_t; ++type chronyc_exec_t; ++domain_type(chronyc_t, chronyc_exec_t) ++init_system_domain(chronyc_t, chronyc_exec_t) ++role chronyc_roles types chronyc_t; ++ + ######################################## + # # Local policy # -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit signal }; +allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin }; ++allow chronyd_t self:capability2 block_suspend; +allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; +allow chronyd_t self:udp_socket create_socket_perms; 
@@ -13880,17 +13957,24 @@ index e5b621c29..cfc64f1b0 100644 +allow chronyd_t chronyd_keys_t:file setattr_file_perms; allow chronyd_t chronyd_keys_t:file read_file_perms; ++allow chronyd_t chronyc_t:unix_dgram_socket sendto; ++ ++allow chronyd_t chronyc_exec_t:file mmap_file_perms; ++ manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -62,6 +69,8 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) + manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) + fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) +@@ -61,6 +82,9 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) + kernel_read_system_state(chronyd_t) kernel_read_network_state(chronyd_t) - -+clock_read_adjtime(chronyd_t) ++kernel_request_load_module(chronyd_t) + ++clock_read_adjtime(chronyd_t) + corenet_all_recvfrom_unlabeled(chronyd_t) corenet_all_recvfrom_netlabel(chronyd_t) - corenet_udp_sendrecv_generic_if(chronyd_t) -@@ -76,18 +85,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +100,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -13935,6 +14019,26 @@ index e5b621c29..cfc64f1b0 100644 +optional_policy(` + ptp4l_rw_shm(chronyd_t) ') ++ ++######################################## ++# ++# Local policy ++# ++ ++allow chronyc_t self:capability { dac_read_search dac_override }; ++allow chronyc_t self:udp_socket create_socket_perms; ++allow chronyc_t self:unix_dgram_socket create_socket_perms; ++allow chronyc_t self:netlink_route_socket create_netlink_socket_perms; ++ ++allow chronyc_t chronyd_t:unix_dgram_socket sendto; ++ ++manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) ++manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) ++manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) ++ ++corecmd_exec_bin(chronyc_t) ++ ++sysnet_read_config(chronyc_t) 
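Review bot: `allow chronyd_t chronyc_exec_t:file mmap_file_perms;` lets the daemon map the client binary but grants no `execute_no_trans`, so it does not by itself let a `chronyd_t` process (such as `chrony-helper`, which the .fc hunk above labels `chronyd_exec_t`) run chronyc in its own domain. If that is the intent behind the changelog entry "Allow chronyd_t to mmap chronyc_exec_t binary files", the direct expression is `can_exec(chronyd_t, chronyc_exec_t)`; if only mapping is needed, a one-line comment saying why the daemon maps the client binary would keep the rule from looking accidental. The enclosing `@@ -61,6 +82,9 @@` region of chronyd.te continues outside this hunk.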
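Review bot: `manage_dirs_pattern`, `manage_files_pattern` and `manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t)` give the client domain create/write/delete rights over the daemon's entire runtime directory, including `chronyd.pid` and `chronyd.sock`, which the chronyd.fc hunk above labels `chronyd_var_run_t`, and this commit hands `chronyc_t` to `system_cronjob_t`, `inetd_child_t` and (per the changelog) the unconfined user. If chronyc only needs to create its own reply socket there, the `manage_dirs`/`manage_files` lines can be replaced by `allow chronyc_t chronyd_var_run_t:dir rw_dir_perms;` alongside the existing sock_file rule, which is the least-privilege shape for a client of a privileged daemon. The new section also reuses the daemon's heading `# Local policy` verbatim; `# chronyc local policy` would keep the two blocks distinguishable. `dac_override` and `dac_read_search` on `chronyc_t` deserve a comment naming the path that requires them, since they only matter for the root-run callers (cron, inetd) and widen what a compromised chronyc can read.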
diff --git a/cinder.fc b/cinder.fc new file mode 100644 index 000000000..4b318b783 @@ -17134,10 +17238,10 @@ index 000000000..1cc5fa464 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 000000000..25cbb9aff +index 000000000..246420052 --- /dev/null +++ b/conman.te -@@ -0,0 +1,99 @@ +@@ -0,0 +1,114 @@ +policy_module(conman, 1.0.0) + +######################################## @@ -17153,6 +17257,13 @@ index 000000000..25cbb9aff +## +gen_tunable(conman_can_network, false) + ++## ++##

++## Allow conman to manage nfs files
++##

++##
++gen_tunable(conman_use_nfs, false) ++ +type conman_t; +type conman_exec_t; +init_daemon_domain(conman_t, conman_exec_t) @@ -17209,6 +17320,8 @@ index 000000000..25cbb9aff + +corecmd_exec_bin(conman_t) + ++dev_read_urand(conman_t) ++ +logging_send_syslog_msg(conman_t) + +sysnet_dns_name_resolve(conman_t) @@ -17216,6 +17329,7 @@ index 000000000..25cbb9aff +userdom_use_user_ptys(conman_t) + +term_use_usb_ttys(conman_t) ++term_use_ptmx(conman_t) + +tunable_policy(`conman_can_network',` + corenet_sendrecv_all_client_packets(conman_t) @@ -17223,6 +17337,11 @@ index 000000000..25cbb9aff + corenet_tcp_sendrecv_all_ports(conman_t) +') + ++tunable_policy(`conman_use_nfs',` ++ fs_manage_nfs_files(conman_t) ++ fs_read_nfs_symlinks(conman_t) ++') ++ +optional_policy(` + freeipmi_stream_connect(conman_t) +') @@ -19865,7 +19984,7 @@ index 1303b3036..f5bd4aee8 100644 + logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log") ') diff --git a/cron.te b/cron.te -index 7de385956..f91dd2fe5 100644 +index 7de385956..46400791a 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -20504,12 +20623,13 @@ index 7de385956..f91dd2fe5 100644 auth_use_nsswitch(system_cronjob_t) -@@ -516,20 +520,26 @@ logging_read_generic_logs(system_cronjob_t) +@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) -miscfiles_read_localization(system_cronjob_t) -- ++miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t) + seutil_read_config(system_cronjob_t) +userdom_manage_tmpfs_files(system_cronjob_t, file) @@ -20534,7 +20654,7 @@ index 7de385956..f91dd2fe5 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +549,22 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
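Review bot: `miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t)` makes a `/var/lib/letsencrypt` directory created by any system cron job come out as `cert_t`, the generic public-certificate type that the `miscfiles_read_*_certs` family hands to a large number of domains. certbot keeps more than public certificates under `/var/lib/letsencrypt` (its backup checkpoints in particular), so if anything there can contain private key material, `cert_t` is too widely readable and a dedicated letsencrypt type with its own read interface would be the safer choice; please confirm what the directory holds before settling on this label. A short comment on the call, e.g. `# certbot renewal from cron creates /var/lib/letsencrypt`, would also record why a cron domain needs a certificate filetrans at all.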
@@ -20554,10 +20674,14 @@ index 7de385956..f91dd2fe5 100644 + +optional_policy(` + cron_generic_log_filetrans_log_insights(system_cronjob_t) ++') ++ ++optional_policy(` ++ chronyd_run_chronyc(system_cronjob_t,system_r) ') optional_policy(` -@@ -551,10 +573,6 @@ optional_policy(` +@@ -551,10 +579,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -20568,7 +20692,7 @@ index 7de385956..f91dd2fe5 100644 ') optional_policy(` -@@ -567,6 +585,10 @@ optional_policy(` +@@ -567,6 +591,10 @@ optional_policy(` ') optional_policy(` @@ -20579,7 +20703,7 @@ index 7de385956..f91dd2fe5 100644 ftp_read_log(system_cronjob_t) ') -@@ -591,6 +613,8 @@ optional_policy(` +@@ -591,6 +619,8 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -20588,7 +20712,7 @@ index 7de385956..f91dd2fe5 100644 ') optional_policy(` -@@ -598,7 +622,31 @@ optional_policy(` +@@ -598,7 +628,31 @@ optional_policy(` ') optional_policy(` @@ -20620,7 +20744,7 @@ index 7de385956..f91dd2fe5 100644 ') optional_policy(` -@@ -607,7 +655,12 @@ optional_policy(` +@@ -607,7 +661,12 @@ optional_policy(` ') optional_policy(` @@ -20633,7 +20757,7 @@ index 7de385956..f91dd2fe5 100644 ') optional_policy(` -@@ -615,12 +668,27 @@ optional_policy(` +@@ -615,12 +674,27 @@ optional_policy(` ') optional_policy(` @@ -20663,7 +20787,7 @@ index 7de385956..f91dd2fe5 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +696,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
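Review bot: `chronyd_run_chronyc(system_cronjob_t,system_r)` is written without a space after the comma, whereas the two-argument calls elsewhere in this patch (`can_exec(dnssec_trigger_t, dnssec_trigger_exec_t)`, the `manage_*_pattern` lines) use `(a, b)` spacing; the same form appears in the inetd.te hunk further down, `chronyd_run_chronyc(inetd_child_t,system_r)`. Since the transition is granted to every system cron job rather than to a specific one, a one-line comment naming the job that needs chronyc would help a later reviewer judge whether the rule can be narrowed.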
@@ -20697,7 +20821,7 @@ index 7de385956..f91dd2fe5 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +729,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -27002,10 +27126,10 @@ index 000000000..d22ed691a +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 000000000..238787661 +index 000000000..b93540692 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -27049,6 +27173,8 @@ index 000000000..238787661 + +kernel_read_system_state(dnssec_trigger_t) + ++can_exec(dnssec_trigger_t, dnssec_trigger_exec_t) ++ +corecmd_exec_bin(dnssec_trigger_t) +corecmd_exec_shell(dnssec_trigger_t) +corecmd_read_all_executables(dnssec_trigger_t) @@ -31797,7 +31923,7 @@ index e5b15fb7e..220622e84 100644 diff --git a/ganesha.fc b/ganesha.fc new file mode 100644 -index 000000000..855f58e55 +index 000000000..c723bfb97 --- /dev/null +++ b/ganesha.fc @@ -0,0 +1,12 @@ @@ -31809,8 +31935,8 @@ index 000000000..855f58e55 + +/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) + -+/var/log/ganesha.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0) -+/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:ganesha_var_log_t,s0) ++/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) ++/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) + +/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0) diff --git a/ganesha.if b/ganesha.if @@ -39473,7 +39599,7 @@ index fbb54e7d8..05c377768 100644 ######################################## 
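Review bot: In `/var/log/ganesha.log.*` and `/var/log/ganesha-gfapi.log.*` the dot before `log` is an unescaped regex metacharacter, so the entry also matches names such as `ganeshaXlog-anything`; file_contexts patterns are regular expressions, and the convention used elsewhere in this patch (`/var/log/nsd\.log.*` in nsd.fc, `/var/run/chronyd\.pid` in chronyd.fc) is to escape it: `/var/log/ganesha\.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)`. The same applies to `/var/log/ipareplica-conncheck.log.*` in the ipa.fc hunk below. The lines being replaced had the same unescaped dot, so this is a cleanup opportunity while the entries are being touched rather than a regression.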
diff --git a/inetd.te b/inetd.te -index c6450df8a..ed6af7994 100644 +index c6450df8a..94760a2ec 100644 --- a/inetd.te +++ b/inetd.te @@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t) @@ -39571,7 +39697,7 @@ index c6450df8a..ed6af7994 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +244,15 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +244,19 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) @@ -39579,6 +39705,10 @@ index c6450df8a..ed6af7994 100644 +sysnet_read_config(inetd_child_t) + +optional_policy(` ++ chronyd_run_chronyc(inetd_child_t,system_r) ++') ++ ++optional_policy(` + kerberos_use(inetd_child_t) +') + @@ -40028,7 +40158,7 @@ index 000000000..61f2003c8 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 000000000..74206edcb +index 000000000..61fd84f00 --- /dev/null +++ b/ipa.fc @@ -0,0 +1,29 @@ @@ -40057,7 +40187,7 @@ index 000000000..74206edcb + +/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0) + -+/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0) ++/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0) + +/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) + @@ -43698,10 +43828,10 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..e5b8b3bbf +index 000000000..f84877209 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,100 @@ +@@ -0,0 +1,101 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -43743,6 +43873,7 @@ index 000000000..e5b8b3bbf +kernel_read_network_state(keepalived_t) +kernel_request_load_module(keepalived_t) +kernel_rw_usermodehelper_state(keepalived_t) ++kernel_search_network_sysctl(keepalived_t) + +auth_use_nsswitch(keepalived_t) + @@ -46465,7 +46596,7 @@ index 73e2803ee..34ca3aa22 100644 role_transition $2 l2tpd_initrc_exec_t system_r; allow $2 system_r; 
diff --git a/l2tp.te b/l2tp.te -index bb06a7fee..01e784bf5 100644 +index bb06a7fee..3339bd85c 100644 --- a/l2tp.te +++ b/l2tp.te @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) @@ -46492,7 +46623,7 @@ index bb06a7fee..01e784bf5 100644 corenet_all_recvfrom_unlabeled(l2tpd_t) corenet_all_recvfrom_netlabel(l2tpd_t) corenet_raw_sendrecv_generic_if(l2tpd_t) -@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t) +@@ -75,19 +77,38 @@ corecmd_exec_bin(l2tpd_t) dev_read_urand(l2tpd_t) @@ -46524,6 +46655,7 @@ index bb06a7fee..01e784bf5 100644 + ipsec_mgmt_read_pid(l2tpd_t) + ipsec_filetrans_key_file(l2tpd_t) + ipsec_manage_key_file(l2tpd_t) ++ ipsec_kill_mgmt(l2tpd_t) +') + +optional_policy(` @@ -46812,7 +46944,7 @@ index 3602712d0..af83a5b6b 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 4c2b1110e..7b306e4bb 100644 +index 4c2b1110e..f01469806 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) @@ -46837,7 +46969,15 @@ index 4c2b1110e..7b306e4bb 100644 allow slapd_t self:fifo_file rw_fifo_file_perms; allow slapd_t self:tcp_socket { accept listen }; -@@ -69,9 +72,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms; +@@ -60,6 +63,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) + manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t) + manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t) + manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) ++allow slapd_t slapd_db_t:file map; + + allow slapd_t slapd_etc_t:file read_file_perms; + +@@ -69,9 +73,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms; files_lock_filetrans(slapd_t, slapd_lock_t, file) manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) 
@@ -46848,7 +46988,7 @@ index 4c2b1110e..7b306e4bb 100644 logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -@@ -93,7 +94,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) +@@ -93,7 +95,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -46856,7 +46996,7 @@ index 4c2b1110e..7b306e4bb 100644 corenet_all_recvfrom_netlabel(slapd_t) corenet_tcp_sendrecv_generic_if(slapd_t) corenet_tcp_sendrecv_generic_node(slapd_t) -@@ -115,25 +115,26 @@ fs_getattr_all_fs(slapd_t) +@@ -115,25 +116,26 @@ fs_getattr_all_fs(slapd_t) fs_search_auto_mountpoints(slapd_t) files_read_etc_runtime_files(slapd_t) @@ -63258,7 +63398,7 @@ index bcd7d0a7d..9b397fdd7 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/nsd.fc b/nsd.fc -index 4f2b1b663..6b300d54f 100644 +index 4f2b1b663..0e24b49a9 100644 --- a/nsd.fc +++ b/nsd.fc @@ -1,16 +1,19 @@ @@ -63290,7 +63430,7 @@ index 4f2b1b663..6b300d54f 100644 +/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) + -+/var/log/nsd\.log -- gen_context(system_u:object_r:nsd_log_t,s0) ++/var/log/nsd\.log.* -- gen_context(system_u:object_r:nsd_log_t,s0) diff --git a/nsd.if b/nsd.if index a9c60ff87..ad4f14ad6 100644 --- a/nsd.if @@ -69407,7 +69547,7 @@ index 9b157305b..cb00f200a 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99ab..7bcb16c59 100644 +index 44dbc99ab..6221f5b9a 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; 
@@ -69439,7 +69579,7 @@ index 44dbc99ab..7bcb16c59 100644 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; -allow openvswitch_t self:process { setrlimit setsched signal }; -+allow openvswitch_t self:capability { dac_override net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid }; ++allow openvswitch_t self:capability { dac_override dac_read_search net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill }; +allow openvswitch_t self:capability2 block_suspend; +allow openvswitch_t self:process { fork setsched setrlimit signal setcap }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; @@ -82044,7 +82184,7 @@ index 7cb8b1f9c..bef72173b 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfeed..5bd88a99d 100644 +index 618dcfeed..56b9252c6 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -82106,7 +82246,7 @@ index 618dcfeed..5bd88a99d 100644 type puppetmaster_t; type puppetmaster_exec_t; -@@ -56,161 +62,174 @@ files_tmp_file(puppetmaster_tmp_t) +@@ -56,161 +62,178 @@ files_tmp_file(puppetmaster_tmp_t) ######################################## # 
@@ -82305,53 +82445,49 @@ index 618dcfeed..5bd88a99d 100644 + +optional_policy(` + mysql_stream_connect(puppetagent_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(puppetagent_t) ++') ++ ++optional_policy(` ++ cfengine_read_lib_files(puppetagent_t) ++') ++ ++optional_policy(` ++ consoletype_exec(puppetagent_t) ') optional_policy(` - cfengine_read_lib_files(puppet_t) -+ postgresql_stream_connect(puppetagent_t) ++ hostname_exec(puppetagent_t) ') optional_policy(` - consoletype_exec(puppet_t) -+ cfengine_read_lib_files(puppetagent_t) ++ mount_domtrans(puppetagent_t) ') optional_policy(` - hostname_exec(puppet_t) -+ consoletype_exec(puppetagent_t) ++ mta_send_mail(puppetagent_t) ') optional_policy(` - mount_domtrans(puppet_t) -+ hostname_exec(puppetagent_t) ++ networkmanager_dbus_chat(puppetagent_t) ') optional_policy(` - mta_send_mail(puppet_t) -+ mount_domtrans(puppetagent_t) ++ firewalld_dbus_chat(puppetagent_t) ') optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) - portage_domtrans_gcc_config(puppet_t) -+ mta_send_mail(puppetagent_t) - ') - - optional_policy(` -- files_rw_var_files(puppet_t) -+ networkmanager_dbus_chat(puppetagent_t) -+') -+ -+optional_policy(` -+ firewalld_dbus_chat(puppetagent_t) -+') - -- rpm_domtrans(puppet_t) -- rpm_manage_db(puppet_t) -- rpm_manage_log(puppet_t) -+optional_policy(` + portage_domtrans(puppetagent_t) + portage_domtrans_fetch(puppetagent_t) + portage_domtrans_gcc_config(puppetagent_t) 
@@ -82363,21 +82499,29 @@ index 618dcfeed..5bd88a99d 100644 + rpm_domtrans(puppetagent_t) + rpm_manage_db(puppetagent_t) + rpm_manage_log(puppetagent_t) + ') + + optional_policy(` +- files_rw_var_files(puppet_t) ++ shorewall_domtrans(puppetagent_t) +') -+ + +- rpm_domtrans(puppet_t) +- rpm_manage_db(puppet_t) +- rpm_manage_log(puppet_t) +optional_policy(` -+ shorewall_domtrans(puppetagent_t) ++ unconfined_domain_noaudit(puppetagent_t) ') optional_policy(` - unconfined_domain(puppet_t) -+ unconfined_domain_noaudit(puppetagent_t) ++ shorewall_domtrans(puppet_t) ') optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) -+ shorewall_domtrans(puppet_t) ++ rhsmcertd_dbus_chat(puppetagent_t) ') ######################################## @@ -82398,7 +82542,7 @@ index 618dcfeed..5bd88a99d 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +240,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +244,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -82406,7 +82550,7 @@ index 618dcfeed..5bd88a99d 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +249,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +253,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) @@ -82422,7 +82566,7 @@ index 618dcfeed..5bd88a99d 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +263,48 @@ optional_policy(` +@@ -246,38 +267,48 @@ optional_policy(` hostname_exec(puppetca_t) ') 
@@ -82488,7 +82632,7 @@ index 618dcfeed..5bd88a99d 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +316,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +320,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -82519,7 +82663,7 @@ index 618dcfeed..5bd88a99d 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +342,32 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +346,32 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -82557,7 +82701,7 @@ index 618dcfeed..5bd88a99d 100644 ') optional_policy(` -@@ -342,3 +376,9 @@ optional_policy(` +@@ -342,3 +380,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -108436,10 +108580,10 @@ index 27a8480bc..fc3fca520 100644 + allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/svnserve.fc b/svnserve.fc -index effffd028..12ca090e1 100644 +index effffd028..0d5c275de 100644 --- a/svnserve.fc +++ b/svnserve.fc -@@ -1,8 +1,13 @@ +@@ -1,8 +1,15 @@ -/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) +/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) @@ -108458,6 +108602,8 @@ index effffd028..12ca090e1 100644 +/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) ++ ++/var/log/svnserve(/.*)? gen_context(system_u:object_r:svnserve_log_t,s0) diff --git a/svnserve.if b/svnserve.if index 2ac91b6e0..a97033d2b 100644 --- a/svnserve.if @@ -108596,10 +108742,10 @@ index 2ac91b6e0..a97033d2b 100644 ') + diff --git a/svnserve.te b/svnserve.te -index 49d688d66..451a64768 100644 +index 49d688d66..f7e23fe71 100644 --- a/svnserve.te 
+++ b/svnserve.te -@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) +@@ -12,12 +12,21 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) type svnserve_initrc_exec_t; init_script_file(svnserve_initrc_exec_t) @@ -108615,10 +108761,13 @@ index 49d688d66..451a64768 100644 +type svnserve_tmp_t; +files_tmp_file(svnserve_tmp_t) + ++type svnserve_log_t; ++logging_log_file(svnserve_log_t) ++ ######################################## # # Local policy -@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms; +@@ -27,6 +36,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms; allow svnserve_t self:tcp_socket create_stream_socket_perms; allow svnserve_t self:unix_stream_socket { listen accept }; @@ -108630,17 +108779,19 @@ index 49d688d66..451a64768 100644 manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) -@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) +@@ -34,8 +48,9 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file }) -files_read_etc_files(svnserve_t) -files_read_usr_files(svnserve_t) -- ++manage_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t) ++manage_dirs_pattern(svnserve_t, svnserve_log_t, svnserve_log_t) ++logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file }) + corenet_all_recvfrom_unlabeled(svnserve_t) corenet_all_recvfrom_netlabel(svnserve_t) - corenet_tcp_sendrecv_generic_if(svnserve_t) -@@ -52,8 +60,9 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) +@@ -52,8 +67,13 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) corenet_udp_bind_svn_port(svnserve_t) corenet_udp_sendrecv_svn_port(svnserve_t) 
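Review bot: `logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file })` carries no name component, so any file or directory svnserve_t creates directly under /var/log becomes `svnserve_log_t`, while the svnserve.fc hunk above only labels `/var/log/svnserve(/.*)?`. Tying the transition to that name keeps the two consistent and stops the daemon from claiming arbitrary top-level log names: `logging_log_filetrans(svnserve_t, svnserve_log_t, dir, "svnserve")`. If svnserve is also expected to write a file straight into /var/log, a second named `file` transition expresses that more precisely than the unrestricted form.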
@@ -108652,6 +108803,10 @@ index 49d688d66..451a64768 100644 +logging_send_syslog_msg(svnserve_t) sysnet_dns_name_resolve(svnserve_t) ++ ++optional_policy(` ++ kerberos_use(svnserve_t) ++') diff --git a/swift.fc b/swift.fc new file mode 100644 index 000000000..6d897bc25 @@ -111616,10 +111771,10 @@ index 000000000..9524b50aa +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 000000000..2b15dca23 +index 000000000..d6affa561 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,172 @@ +@@ -0,0 +1,173 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -111670,6 +111825,7 @@ index 000000000..2b15dca23 +manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t) +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails") +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log") ++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file) +userdom_dontaudit_access_check_user_content(thumb_t) +userdom_rw_inherited_user_tmp_files(thumb_t) +userdom_manage_home_texlive(thumb_t) @@ -112173,10 +112329,10 @@ index 000000000..5185a9e8e + sssd_stream_connect(tlp_t) +') diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f95..9858c8b8d 100644 +index 585a77f95..71981be9d 100644 --- a/tmpreaper.te +++ b/tmpreaper.te -@@ -5,20 +5,46 @@ policy_module(tmpreaper, 1.7.1) +@@ -5,20 +5,47 @@ policy_module(tmpreaper, 1.7.1) # Declarations # @@ -112208,6 +112364,7 @@ index 585a77f95..9858c8b8d 100644 type tmpreaper_exec_t; init_system_domain(tmpreaper_t, tmpreaper_exec_t) +application_domain(tmpreaper_t, tmpreaper_exec_t) ++init_nnp_daemon_domain(tmpreaper_t) ######################################## # @@ -112224,7 +112381,7 @@ index 585a77f95..9858c8b8d 100644 dev_read_urand(tmpreaper_t) -@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t) +@@ -27,15 +54,16 @@ corecmd_exec_shell(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) 
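Review bot: The new unnamed `userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)` makes the preceding named rule for `"missfont.log"` redundant — both map files thumb_t creates in the user's home directory to `thumb_home_t`, and a named transition only adds value when its target type differs from the default. Either drop the `missfont.log` line, or, if the broad rule is meant as a catch-all, add a comment such as `# unnamed transition: any file thumb_t creates in $HOME becomes thumb_home_t, BZ(1474110)` so the next reader does not take the two rules as independent.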
@@ -112246,7 +112403,7 @@ index 585a77f95..9858c8b8d 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t) +@@ -45,7 +73,6 @@ init_use_inherited_script_ptys(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) @@ -112254,7 +112411,7 @@ index 585a77f95..9858c8b8d 100644 miscfiles_delete_man_pages(tmpreaper_t) ifdef(`distro_debian',` -@@ -53,10 +79,33 @@ ifdef(`distro_debian',` +@@ -53,10 +80,33 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -112289,7 +112446,7 @@ index 585a77f95..9858c8b8d 100644 ') optional_policy(` -@@ -64,6 +113,7 @@ optional_policy(` +@@ -64,6 +114,7 @@ optional_policy(` ') optional_policy(` @@ -112297,7 +112454,7 @@ index 585a77f95..9858c8b8d 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -79,7 +129,19 @@ optional_policy(` +@@ -79,7 +130,19 @@ optional_policy(` ') optional_policy(` @@ -112318,7 +112475,7 @@ index 585a77f95..9858c8b8d 100644 ') optional_policy(` -@@ -89,3 +151,8 @@ optional_policy(` +@@ -89,3 +152,8 @@ optional_policy(` optional_policy(` rpm_manage_cache(tmpreaper_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 3286d6b..01b8a40 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 298%{?dist} +Release: 299%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -719,6 +719,32 @@ exit 0
 %endif
 %changelog
+* Tue Oct 24 2017 Lukas Vrabec - 3.13.1-299
+- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
+- Allow chronyd_t do request kernel module and block_suspend capability
+- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
+- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)
+- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)
+- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)
+- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)
+- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables
+- Allow svnserve to use kerberos
+- Allow conman to use ptmx. Add conman_use_nfs boolean
+- Allow nnp transition for amavis and tmpreaper SELinux domains
+- Allow chronyd_t to mmap chronyc_exec_t binary files
+- Add dac_read_search capability to openvswitch_t domain
+- Allow svnserve to manage own svnserve_log_t files/dirs
+- Allow keepalived_t to search network sysctls
+- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
+- Add kill capability to openvswitch_t domain
+- Label also compressed logs in /var/log for different services
+- Allow inetd_child_t and system_cronjob_t to run chronyc.
+- Allow chrony to create netlink route sockets
+- Add SELinux support for chronyc
+- Add support for running certbot(letsencrypt) in crontab
+- Allow nnp trasintion for unconfined_service_t
+- Allow unpriv user domains and unconfined_service_t to use chronyc
+
 * Sun Oct 22 2017 Lukas Vrabec - 3.13.1-298
 - Drop *.lst files from file list
 - Ship file_contexts.homedirs in store