diff --git a/policy-F16.patch b/policy-F16.patch index cc32a50..81156f2 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -58704,24 +58704,27 @@ index 0bfc958..af95b7a 100644 optional_policy(` cron_system_entry(backup_t, backup_exec_t) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc -index 7a6f06f..3cf6457 100644 +index 7a6f06f..530d2df 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc -@@ -1,9 +1,11 @@ +@@ -1,9 +1,14 @@ - +/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) ++/etc/zipl\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if index 63eb96b..d7a6063 100644 --- a/policy/modules/admin/bootloader.if @@ -59748,10 +59751,11 @@ index 7090dae..51123b2 100644 +logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc -index 3c7b1e8..1e155f5 100644 +index 3c7b1e8..084a576 100644 
--- a/policy/modules/admin/logwatch.fc +++ b/policy/modules/admin/logwatch.fc -@@ -1,7 +1,11 @@ +@@ -1,7 +1,12 @@ ++/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:logwatch_exec_t,s0) /usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) +/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0) @@ -59764,10 +59768,18 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te -index 75ce30f..63310a1 100644 +index 75ce30f..671d4e1 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te -@@ -19,6 +19,12 @@ files_lock_file(logwatch_lock_t) +@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0) + + type logwatch_t; + type logwatch_exec_t; ++init_daemon_domain(logwatch_t, logwatch_exec_t) + application_domain(logwatch_t, logwatch_exec_t) + role system_r types logwatch_t; + +@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t) type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) @@ -59780,7 +59792,7 @@ index 75ce30f..63310a1 100644 ######################################## # # Local policy -@@ -39,6 +45,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) +@@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) @@ -59790,7 +59802,7 @@ index 75ce30f..63310a1 100644 kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -58,6 +67,7 @@ files_list_var(logwatch_t) +@@ -58,6 +68,7 @@ files_list_var(logwatch_t) files_read_var_symlinks(logwatch_t) files_read_etc_files(logwatch_t) files_read_etc_runtime_files(logwatch_t) 
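Review bot: Labelling `/usr/bin/abrt-watch-log` as logwatch_exec_t puts an ABRT log follower into the same domain as the cron-driven logwatch/epylog reporters, so everything logwatch_t may do (the later hunks show it executing ifconfig via `sysnet_exec_ifconfig(logwatch_t)`, for instance) becomes reachable from a long-running process that is fed by log content. If abrt-watch-log spawns a handler command when a pattern matches, as its name suggests but nothing in the hunk shows, that handler will run as logwatch_t as well unless a transition is defined. A dedicated domain would be the cleaner fix; short of that, a comment such as `# abrt-watch-log is started by systemd and follows /var/log; it shares logwatch_t (see logwatch.te)` would record the choice. The remaining logwatch.fc entries lie outside this hunk.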
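Review bot: `init_daemon_domain(logwatch_t, logwatch_exec_t)` is stacked on the existing `application_domain(logwatch_t, logwatch_exec_t)` with no explanation, leaving the reader to guess that the systemd-started abrt-watch-log labelled in the preceding .fc hunk is the reason. Both macros declare the entrypoint; init_daemon_domain normally also gives init a transition into logwatch_t, so every logwatch_exec_t binary, not only abrt-watch-log, becomes launchable as a daemon by init. A one-line comment on the added line would keep this from being "cleaned up" later: `# abrt-watch-log runs as a systemd service under logwatch_t`. The rest of logwatch.te's declarations are outside the hunk.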
@@ -59798,7 +59810,7 @@ index 75ce30f..63310a1 100644 files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) -@@ -70,6 +80,8 @@ fs_getattr_all_fs(logwatch_t) +@@ -70,6 +81,8 @@ fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) @@ -59807,7 +59819,7 @@ index 75ce30f..63310a1 100644 term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) -@@ -92,11 +104,14 @@ sysnet_dns_name_resolve(logwatch_t) +@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) @@ -59823,7 +59835,7 @@ index 75ce30f..63310a1 100644 files_getattr_all_file_type_fs(logwatch_t) ') -@@ -145,3 +160,24 @@ optional_policy(` +@@ -145,3 +161,24 @@ optional_policy(` samba_read_log(logwatch_t) samba_read_share_files(logwatch_t) ') @@ -59859,7 +59871,7 @@ index 56c43c0..409bbfc 100644 + +/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0) diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te -index 5671977..8ddc091 100644 +index 5671977..a4a5f20 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te @@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0) @@ -59878,7 +59890,7 @@ index 5671977..8ddc091 100644 ######################################## # -@@ -17,16 +23,34 @@ cron_system_entry(mcelog_t, mcelog_exec_t) +@@ -17,16 +23,35 @@ cron_system_entry(mcelog_t, mcelog_exec_t) allow mcelog_t self:capability sys_admin; @@ -59893,6 +59905,7 @@ index 5671977..8ddc091 100644 + kernel_read_system_state(mcelog_t) ++corecmd_exec_shell(mcelog_t) +corecmd_exec_bin(mcelog_t) + dev_read_raw_memory(mcelog_t) @@ -60030,10 +60043,10 @@ index ec29391..28c9672 100644 optional_policy(` diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc -index 407078f..41c9b24 100644 +index 407078f..56cc947 100644 --- a/policy/modules/admin/netutils.fc 
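Review bot: `corecmd_exec_shell(mcelog_t)` is added to a domain that the same file section grants `allow mcelog_t self:capability sys_admin;` and `dev_read_raw_memory(mcelog_t)`, so any shell script mcelog launches inherits raw-memory read and sys_admin. Presumably this is for the trigger scripts mcelog can run on machine-check events, but the hunk gives no reason. At minimum annotate it, `# mcelog runs shell trigger scripts on MCE events`, and consider whether a separate trigger domain reached by domtrans would keep those scripts away from the raw-memory access. The mcelog_t local-policy block continues outside the hunk.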
+++ b/policy/modules/admin/netutils.fc -@@ -1,14 +1,18 @@ +@@ -1,15 +1,20 @@ /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) -/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) @@ -60053,7 +60066,9 @@ index 407078f..41c9b24 100644 +/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) ++/usr/sbin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) + /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if index c6ca761..46e0767 100644 --- a/policy/modules/admin/netutils.if @@ -62300,7 +62315,7 @@ index d5aaf0e..6b16aef 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..65681da 100644 +index 6a5004b..c687f14 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -62311,7 +62326,7 @@ index 6a5004b..65681da 100644 application_domain(tmpreaper_t, tmpreaper_exec_t) role system_r types tmpreaper_t; -@@ -18,6 +19,8 @@ role system_r types tmpreaper_t; +@@ -18,18 +19,25 @@ role system_r types tmpreaper_t; allow tmpreaper_t self:process { fork sigchld }; allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; @@ -62320,7 +62335,8 @@ index 6a5004b..65681da 100644 dev_read_urand(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) -@@ -25,11 +28,15 @@ fs_getattr_xattr_fs(tmpreaper_t) ++fs_list_all(tmpreaper_t) + files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) 
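Review bot: `fs_list_all(tmpreaper_t)` grants directory listing on every filesystem type, while the domain's purpose, as `files_purge_tmp(tmpreaper_t)` just below shows, is confined to tmp; combined with the `dac_override dac_read_search` capabilities granted a few lines above it lets the reaper enumerate the whole system regardless of DAC. If the denial that motivated it came from one filesystem type (a tmpfs or NFS mount under /tmp, say), the matching narrower fs_list_ or fs_search_ interface for that type is the better fix. If the broad rule really is needed, a comment naming the AVC it clears would stop it being tightened again later: `# tmpreaper walks /tmp on whatever fs type is mounted there`. The rest of the tmpreaper_t policy is outside this hunk.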
@@ -62336,7 +62352,7 @@ index 6a5004b..65681da 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -38,13 +45,17 @@ logging_send_syslog_msg(tmpreaper_t) +@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) @@ -62358,7 +62374,7 @@ index 6a5004b..65681da 100644 ') optional_policy(` -@@ -52,7 +63,9 @@ optional_policy(` +@@ -52,7 +64,9 @@ optional_policy(` ') optional_policy(` @@ -62368,7 +62384,7 @@ index 6a5004b..65681da 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +79,13 @@ optional_policy(` +@@ -66,9 +80,13 @@ optional_policy(` ') optional_policy(` @@ -63753,10 +63769,10 @@ index 4a2e63b..e964f12 100644 + mta_send_mail(gitosis_t) +') diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc -index 00a19e3..3681873 100644 +index 00a19e3..a6bcf1f 100644 --- a/policy/modules/apps/gnome.fc +++ b/policy/modules/apps/gnome.fc -@@ -1,9 +1,47 @@ +@@ -1,9 +1,48 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) @@ -63767,6 +63783,7 @@ index 00a19e3..3681873 100644 HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) ++HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) +HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) 
@@ -63807,7 +63824,7 @@ index 00a19e3..3681873 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..50068d6 100644 +index f5afe78..a19d881 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,900 @@ @@ -64941,7 +64958,7 @@ index f5afe78..50068d6 100644 ## ## ## -@@ -140,51 +1088,301 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1088,303 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -65167,6 +65184,7 @@ index f5afe78..50068d6 100644 + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local") + userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") @@ -65210,6 +65228,7 @@ index f5afe78..50068d6 100644 + userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") + userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local") + userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") ++ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") + userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") + userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") + # /root/.color/icc: legacy @@ -66819,7 +66838,7 @@ index fbb5c5a..637eb37 100644 ') + diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..b3e9826 100644 +index 2e9318b..04472f3 100644 
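Review bot: `HOME_DIR/\.orc(/.*)?` is mapped to gstreamer_home_t with no comment saying what lives there; the name is not obviously GStreamer-related, and the later interface hunks add a matching `.orc` filetrans, so a maintainer needs to know it is the ORC compiler's cache used by GStreamer's orc plugins (my understanding; the hunk itself does not say). If that cache holds generated machine code, gstreamer_home_t must allow whatever mapping the JIT needs, which should be checked rather than assumed. Add `# ~/.orc: ORC code cache written by GStreamer's orc plugins` above the entry. The rest of gnome.fc's home entries are outside this hunk.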
--- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -66935,7 +66954,7 @@ index 2e9318b..b3e9826 100644 -allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +dontaudit mozilla_plugin_t self:capability { sys_nice sys_tty_config }; + -+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem setrlimit }; ++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; allow mozilla_plugin_t self:udp_socket create_socket_perms; @@ -67016,7 +67035,15 @@ index 2e9318b..b3e9826 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -383,35 +405,34 @@ sysnet_dns_name_resolve(mozilla_plugin_t) +@@ -362,6 +384,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) + files_read_config_files(mozilla_plugin_t) + files_read_usr_files(mozilla_plugin_t) + files_list_mnt(mozilla_plugin_t) ++files_exec_usr_files(mozilla_plugin_t) + + fs_getattr_all_fs(mozilla_plugin_t) + fs_list_dos(mozilla_plugin_t) +@@ -383,35 +406,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t) term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) @@ -67042,11 +67069,9 @@ index 2e9318b..b3e9826 100644 -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process { execmem execstack }; -+tunable_policy(`deny_execmem',`', ` -+ allow mozilla_plugin_t self:process execmem; - ') - - tunable_policy(`allow_execstack',` +-') +- +-tunable_policy(`allow_execstack',` - allow mozilla_plugin_t self:process { execstack }; -') - 
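Review bot: `execstack` is added unconditionally to `allow mozilla_plugin_t self:process { ... execmem execstack setrlimit }`, where before it was granted only under the allow_execstack tunable, and execmem likewise loses its deny_execmem gating in the hunks that follow. This is the domain that runs third-party browser plugins on untrusted web content, so removing the boolean takes away an administrator's ability to run plugins without an executable stack on systems whose plugins do not need one. Unless a specific plugin requires it everywhere (the hunk does not name one), keep execstack inside a tunable_policy block keyed on allow_execstack, or at least document the plugin that forced the change on the line. The mozilla_plugin_t local policy continues beyond the hunk.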
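Review bot: `files_exec_usr_files(mozilla_plugin_t)` lets the plugin domain execute any file labelled usr_t, and the hunk gives no example of what under /usr needed it. Mislabelled plugin helpers are usually better fixed with a file-context entry than with a blanket execute rule on usr_t. If it has to stay, name the trigger in a comment, `# plugin helpers under /usr/... are usr_t rather than bin_t`, so the rule can be dropped once they are labelled. The same hunk removes the deny_execmem tunable block around execmem; the affected mozilla_plugin_t block extends outside the hunk.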
@@ -67054,9 +67079,8 @@ index 2e9318b..b3e9826 100644 - fs_manage_nfs_dirs(mozilla_plugin_t) - fs_manage_nfs_files(mozilla_plugin_t) - fs_manage_nfs_symlinks(mozilla_plugin_t) -+ allow mozilla_plugin_t self:process execstack; - ') - +-') +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_plugin_t) - fs_manage_cifs_files(mozilla_plugin_t) @@ -67066,7 +67090,7 @@ index 2e9318b..b3e9826 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -421,11 +442,19 @@ optional_policy(` +@@ -421,11 +435,19 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -67086,7 +67110,7 @@ index 2e9318b..b3e9826 100644 ') optional_policy(` -@@ -438,18 +467,98 @@ optional_policy(` +@@ -438,18 +460,98 @@ optional_policy(` ') optional_policy(` @@ -67128,7 +67152,7 @@ index 2e9318b..b3e9826 100644 +# + +allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem }; ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + +allow mozilla_plugin_config_t self:fifo_file rw_file_perms; +allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; @@ -68826,10 +68850,10 @@ index 4c091ca..a58f123 100644 + +/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0) diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te -index f594e12..2025c1f 100644 +index f594e12..e8f731d 100644 --- a/policy/modules/apps/sambagui.te +++ b/policy/modules/apps/sambagui.te -@@ -27,11 +27,13 @@ corecmd_exec_bin(sambagui_t) +@@ -27,16 +27,20 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) 
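Review bot: `execstack` is added to mozilla_plugin_config_t's self:process rule alongside execmem, again with no tunable, for a helper that the same hunk also grants `dac_override dac_read_search sys_nice setuid setgid`. A configuration helper is an unusual place to need an executable stack; if the need comes from loading the plugin libraries themselves to probe them, say so, `# loads plugin .so files to enumerate them; some need execstack`, otherwise drop it. The enclosing mozilla_plugin_config_t section continues outside the hunk.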
@@ -68843,7 +68867,14 @@ index f594e12..2025c1f 100644 logging_send_syslog_msg(sambagui_t) -@@ -56,6 +58,7 @@ optional_policy(` + miscfiles_read_localization(sambagui_t) + ++sysnet_use_ldap(sambagui_t) ++ + optional_policy(` + consoletype_exec(sambagui_t) + ') +@@ -56,6 +60,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) @@ -72083,10 +72114,26 @@ index f9b25c1..9af1f7a 100644 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 4f3b542..63f4e1c 100644 +index 4f3b542..0ebac89 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in -@@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',` +@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` + ') + + typeattribute $1 reserved_port_type; ++ corenet_port($1) + ') + + ######################################## +@@ -82,6 +83,7 @@ interface(`corenet_rpc_port',` + ') + + typeattribute $1 rpc_port_type; ++ corenet_port($1) + ') + + ######################################## +@@ -615,6 +617,24 @@ interface(`corenet_raw_sendrecv_all_if',` ######################################## ## @@ -72111,7 +72158,7 @@ index 4f3b542..63f4e1c 100644 ## Send and receive TCP network traffic on generic nodes. ## ## -@@ -789,6 +807,24 @@ interface(`corenet_raw_sendrecv_generic_node',` +@@ -789,6 +809,24 @@ interface(`corenet_raw_sendrecv_generic_node',` ######################################## ## @@ -72136,7 +72183,7 @@ index 4f3b542..63f4e1c 100644 ## Bind TCP sockets to generic nodes. ## ## -@@ -928,6 +964,24 @@ interface(`corenet_inout_generic_node',` +@@ -928,6 +966,24 @@ interface(`corenet_inout_generic_node',` ######################################## ## 
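Review bot: `sysnet_use_ldap(sambagui_t)` grants the samba GUI unconditional LDAP network access with nothing in the hunk saying what performs the lookups. If the LDAP traffic comes from nsswitch resolution of users and groups, `auth_use_nsswitch(sambagui_t)` is the usual way to express it (depending on how this tree defines that interface) and keeps the access under the nsswitch tunables; if the GUI talks to LDAP itself for samba's passdb backend, a comment like `# system-config-samba queries the LDAP passdb backend` would justify the direct rule. The rest of sambagui_t's policy lies outside the hunk.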
@@ -72161,7 +72208,7 @@ index 4f3b542..63f4e1c 100644 ## Send and receive TCP network traffic on all nodes. ## ## -@@ -1102,6 +1156,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` +@@ -1102,6 +1158,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` ######################################## ## @@ -72186,7 +72233,7 @@ index 4f3b542..63f4e1c 100644 ## Bind TCP sockets to all nodes. ## ## -@@ -1157,6 +1229,24 @@ interface(`corenet_raw_bind_all_nodes',` +@@ -1157,6 +1231,24 @@ interface(`corenet_raw_bind_all_nodes',` ######################################## ## @@ -72211,7 +72258,7 @@ index 4f3b542..63f4e1c 100644 ## Send and receive TCP network traffic on generic ports. ## ## -@@ -1167,10 +1257,30 @@ interface(`corenet_raw_bind_all_nodes',` +@@ -1167,10 +1259,30 @@ interface(`corenet_raw_bind_all_nodes',` # interface(`corenet_tcp_sendrecv_generic_port',` gen_require(` @@ -72244,7 +72291,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -1185,10 +1295,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` +@@ -1185,10 +1297,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` # interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` gen_require(` @@ -72257,7 +72304,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -1203,10 +1313,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` +@@ -1203,10 +1315,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` # interface(`corenet_udp_send_generic_port',` gen_require(` @@ -72270,7 +72317,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -1221,10 +1331,10 @@ interface(`corenet_udp_send_generic_port',` +@@ -1221,10 +1333,10 @@ interface(`corenet_udp_send_generic_port',` # interface(`corenet_udp_receive_generic_port',` gen_require(` 
@@ -72283,7 +72330,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -1244,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',` +@@ -1244,6 +1356,26 @@ interface(`corenet_udp_sendrecv_generic_port',` ######################################## ## @@ -72310,7 +72357,7 @@ index 4f3b542..63f4e1c 100644 ## Bind TCP sockets to generic ports. ## ## -@@ -1254,12 +1384,31 @@ interface(`corenet_udp_sendrecv_generic_port',` +@@ -1254,12 +1386,31 @@ interface(`corenet_udp_sendrecv_generic_port',` # interface(`corenet_tcp_bind_generic_port',` gen_require(` @@ -72346,7 +72393,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -1274,10 +1423,10 @@ interface(`corenet_tcp_bind_generic_port',` +@@ -1274,10 +1425,10 @@ interface(`corenet_tcp_bind_generic_port',` # interface(`corenet_dontaudit_tcp_bind_generic_port',` gen_require(` @@ -72359,7 +72406,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -1292,12 +1441,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` +@@ -1292,12 +1443,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` # interface(`corenet_udp_bind_generic_port',` gen_require(` @@ -72394,7 +72441,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -1312,10 +1479,28 @@ interface(`corenet_udp_bind_generic_port',` +@@ -1312,10 +1481,28 @@ interface(`corenet_udp_bind_generic_port',` # interface(`corenet_tcp_connect_generic_port',` gen_require(` @@ -72425,7 +72472,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -1439,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',` +@@ -1439,6 +1626,25 @@ interface(`corenet_udp_sendrecv_all_ports',` ######################################## ## 
@@ -72451,7 +72498,7 @@ index 4f3b542..63f4e1c 100644 ## Bind TCP sockets to all ports. ## ## -@@ -1458,6 +1662,24 @@ interface(`corenet_tcp_bind_all_ports',` +@@ -1458,6 +1664,24 @@ interface(`corenet_tcp_bind_all_ports',` ######################################## ## @@ -72476,7 +72523,7 @@ index 4f3b542..63f4e1c 100644 ## Do not audit attepts to bind TCP sockets to any ports. ## ## -@@ -1513,6 +1735,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` +@@ -1513,6 +1737,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` ######################################## ## @@ -72501,7 +72548,7 @@ index 4f3b542..63f4e1c 100644 ## Connect TCP sockets to all ports. ## ## -@@ -1559,6 +1799,25 @@ interface(`corenet_tcp_connect_all_ports',` +@@ -1559,6 +1801,25 @@ interface(`corenet_tcp_connect_all_ports',` ######################################## ## @@ -72527,7 +72574,7 @@ index 4f3b542..63f4e1c 100644 ## Do not audit attempts to connect TCP sockets ## to all ports. ## -@@ -1578,6 +1837,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` +@@ -1578,6 +1839,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` ######################################## ## @@ -72552,7 +72599,7 @@ index 4f3b542..63f4e1c 100644 ## Send and receive TCP network traffic on generic reserved ports. ## ## -@@ -1647,6 +1924,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` +@@ -1647,6 +1926,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` ######################################## ## @@ -72578,7 +72625,7 @@ index 4f3b542..63f4e1c 100644 ## Bind TCP sockets to generic reserved ports. ## ## -@@ -1685,6 +1981,24 @@ interface(`corenet_udp_bind_reserved_port',` +@@ -1685,6 +1983,24 @@ interface(`corenet_udp_bind_reserved_port',` ######################################## ## 
@@ -72603,7 +72650,7 @@ index 4f3b542..63f4e1c 100644 ## Connect TCP sockets to generic reserved ports. ## ## -@@ -1703,6 +2017,24 @@ interface(`corenet_tcp_connect_reserved_port',` +@@ -1703,6 +2019,24 @@ interface(`corenet_tcp_connect_reserved_port',` ######################################## ## @@ -72628,7 +72675,7 @@ index 4f3b542..63f4e1c 100644 ## Send and receive TCP network traffic on all reserved ports. ## ## -@@ -1749,15 +2081,213 @@ interface(`corenet_udp_send_all_reserved_ports',` +@@ -1749,15 +2083,213 @@ interface(`corenet_udp_send_all_reserved_ports',` # interface(`corenet_udp_receive_all_reserved_ports',` gen_require(` @@ -72845,7 +72892,7 @@ index 4f3b542..63f4e1c 100644 ## ## ## -@@ -1765,14 +2295,17 @@ interface(`corenet_udp_receive_all_reserved_ports',` +@@ -1765,14 +2297,17 @@ interface(`corenet_udp_receive_all_reserved_ports',` ## ## # @@ -72867,7 +72914,7 @@ index 4f3b542..63f4e1c 100644 ## ## ## -@@ -1780,36 +2313,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` +@@ -1780,36 +2315,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` ## ## # @@ -72911,7 +72958,7 @@ index 4f3b542..63f4e1c 100644 ## ## ## -@@ -1817,36 +2349,53 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` +@@ -1817,36 +2351,53 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` ## ## # @@ -72975,7 +73022,7 @@ index 4f3b542..63f4e1c 100644 ## ## ## -@@ -1854,53 +2403,55 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` +@@ -1854,53 +2405,55 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ## ## # @@ -73044,7 +73091,7 @@ index 4f3b542..63f4e1c 100644 ## ## ## -@@ -1908,49 +2459,49 @@ interface(`corenet_tcp_connect_all_reserved_ports',` +@@ -1908,49 +2461,49 @@ interface(`corenet_tcp_connect_all_reserved_ports',` ## ## # 
@@ -73107,7 +73154,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -1993,6 +2544,24 @@ interface(`corenet_rw_tun_tap_dev',` +@@ -1993,6 +2546,24 @@ interface(`corenet_rw_tun_tap_dev',` ######################################## ## @@ -73132,7 +73179,7 @@ index 4f3b542..63f4e1c 100644 ## Do not audit attempts to read or write the TUN/TAP ## virtual network device. ## -@@ -2049,6 +2618,25 @@ interface(`corenet_rw_ppp_dev',` +@@ -2049,6 +2620,25 @@ interface(`corenet_rw_ppp_dev',` ######################################## ## @@ -73158,7 +73205,7 @@ index 4f3b542..63f4e1c 100644 ## Bind TCP sockets to all RPC ports. ## ## -@@ -2068,6 +2656,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` +@@ -2068,6 +2658,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` ######################################## ## @@ -73183,7 +73230,7 @@ index 4f3b542..63f4e1c 100644 ## Do not audit attempts to bind TCP sockets to all RPC ports. ## ## -@@ -2194,6 +2800,25 @@ interface(`corenet_tcp_recv_netlabel',` +@@ -2194,6 +2802,25 @@ interface(`corenet_tcp_recv_netlabel',` ######################################## ## @@ -73209,7 +73256,7 @@ index 4f3b542..63f4e1c 100644 ## Receive TCP packets from a NetLabel connection. ## ## -@@ -2213,6 +2838,31 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2213,6 +2840,31 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## @@ -73241,7 +73288,7 @@ index 4f3b542..63f4e1c 100644 ## Receive TCP packets from an unlabled connection. ## ## -@@ -2222,9 +2872,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2222,9 +2874,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## # interface(`corenet_tcp_recvfrom_unlabeled',` 
@@ -73256,7 +73303,7 @@ index 4f3b542..63f4e1c 100644 # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -@@ -2249,6 +2904,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` +@@ -2249,6 +2906,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` ######################################## ## @@ -73283,7 +73330,7 @@ index 4f3b542..63f4e1c 100644 ## Do not audit attempts to receive TCP packets from a NetLabel ## connection. ## -@@ -2269,6 +2944,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` +@@ -2269,6 +2946,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` ######################################## ## @@ -73311,7 +73358,7 @@ index 4f3b542..63f4e1c 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2533,6 +3229,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` +@@ -2533,6 +3231,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## # interface(`corenet_all_recvfrom_unlabeled',` @@ -73319,7 +73366,7 @@ index 4f3b542..63f4e1c 100644 kernel_tcp_recvfrom_unlabeled($1) kernel_udp_recvfrom_unlabeled($1) kernel_raw_recvfrom_unlabeled($1) -@@ -2571,7 +3268,31 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2571,7 +3270,31 @@ interface(`corenet_all_recvfrom_netlabel',` ') allow $1 netlabel_peer_t:peer recv; @@ -73352,7 +73399,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -2585,6 +3306,7 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2585,6 +3308,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` 
@@ -73360,7 +73407,7 @@ index 4f3b542..63f4e1c 100644 kernel_dontaudit_tcp_recvfrom_unlabeled($1) kernel_dontaudit_udp_recvfrom_unlabeled($1) kernel_dontaudit_raw_recvfrom_unlabeled($1) -@@ -2613,7 +3335,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` +@@ -2613,7 +3337,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` ') dontaudit $1 netlabel_peer_t:peer recv; @@ -73397,7 +73444,7 @@ index 4f3b542..63f4e1c 100644 ') ######################################## -@@ -2727,6 +3477,7 @@ interface(`corenet_raw_recvfrom_labeled',` +@@ -2727,6 +3479,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` @@ -73405,7 +73452,7 @@ index 4f3b542..63f4e1c 100644 corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) -@@ -3134,3 +3885,53 @@ interface(`corenet_unconfined',` +@@ -3134,3 +3887,53 @@ interface(`corenet_unconfined',` typeattribute $1 corenet_unconfined_type; ') @@ -73460,7 +73507,7 @@ index 4f3b542..63f4e1c 100644 + dev_filetrans($1, ppp_device_t, chr_file, "ppp") +') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..a8962b5 100644 +index 99b71cb..83554ff 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -73557,7 +73604,7 @@ index 99b71cb..a8962b5 100644 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) +network_port(cma, tcp,1050,s0, udp,1050,s0) network_port(cobbler, tcp,25151,s0) -+network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0) ++network_port(commplex, tcp,5001,s0, udp,5001,s0) network_port(comsat, udp,512,s0) +network_port(condor, tcp, 9618,s0, udp, 9618,s0) +network_port(couchdb, tcp,5984,s0, udp,5984,s0) 
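Review bot: Removing `tcp,5000,s0, udp,5000,s0` from the commplex definition silently changes the label of port 5000, so any domain granted commplex_port_t (including local modules written against it) loses access to 5000 with no policy error to flag it. Port 5000 appears to be given to a new keystone port type later in this file section, which explains the removal but not the compatibility cost. Put the reason on the line, `network_port(commplex, tcp,5001,s0, udp,5001,s0) # 5000 moved to keystone`, and mention in the commit message that commplex callers needing 5000 must switch to the keystone interfaces. The port list continues outside this hunk.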
@@ -73565,7 +73612,7 @@ index 99b71cb..a8962b5 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -99,14 +136,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -99,27 +136,39 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) 
@@ -73585,13 +73632,16 @@ index 99b71cb..a8962b5 100644 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) network_port(git, tcp,9418,s0, udp,9418,s0) ++network_port(glance, tcp,9292,s0, udp,9292,s0) +network_port(glance_registry, tcp,9191,s0, udp,9191,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -115,11 +161,13 @@ network_port(hddtemp, tcp,7634,s0) + network_port(hadoop_namenode, tcp,8020,s0) + network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) - network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) +-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) ++network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port -network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy 
@@ -73605,7 +73655,7 @@ index 99b71cb..a8962b5 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +177,28 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +178,30 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -73614,10 +73664,12 @@ index 99b71cb..a8962b5 100644 -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) +network_port(jboss_debug, tcp,8787,s0) ++network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0) +network_port(jboss_management, tcp,4712,s0, tcp,4447,s0, udp,4712,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) ++network_port(keystone, tcp,5000,s0, udp,5000,s0) network_port(kismet, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) @@ -73637,7 +73689,7 @@ index 99b71cb..a8962b5 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +208,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +211,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) 
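Review bot: `network_port(keystone, tcp,5000,s0, udp,5000,s0)` takes a port that is otherwise generic unreserved_port_t and that many unrelated services and development servers listen on, so every domain that previously bound or connected to 5000 through the unreserved-port interfaces will presumably now be denied unless it is granted the generated keystone port interface; the commit should name that trade-off. Keystone, like Glance, serves HTTP, so the udp entry looks unnecessary and `network_port(keystone, tcp,5000,s0)` would be the narrower label. The jboss_messaging line (5445/5455) is fine as declared; it only becomes reachable once something calls its generated corenet_*_jboss_messaging_port interfaces.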
@@ -73670,7 +73722,7 @@ index 99b71cb..a8962b5 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -175,38 +241,46 @@ network_port(pulseaudio, tcp,4713,s0) +@@ -175,38 +244,46 @@ network_port(pulseaudio, tcp,4713,s0) network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) @@ -73723,7 +73775,7 @@ index 99b71cb..a8962b5 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -215,9 +289,12 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +292,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -73737,7 +73789,7 @@ index 99b71cb..a8962b5 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +306,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +309,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -73745,7 +73797,7 @@ index 99b71cb..a8962b5 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +316,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +319,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) 
@@ -73758,7 +73810,7 @@ index 99b71cb..a8962b5 100644 ######################################## # -@@ -282,9 +366,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +369,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -73893,7 +73945,7 @@ index 6cf8784..21a5923 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..790494f 100644 +index f820f3b..31a502b 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -74335,32 +74387,33 @@ index f820f3b..790494f 100644 ') ######################################## -@@ -3210,24 +3466,6 @@ interface(`dev_rw_printer',` +@@ -3210,7 +3466,7 @@ interface(`dev_rw_printer',` ######################################## ## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) --## --## --## --## Domain allowed access. --## --## --# ++## Read and write the printer device. + ## + ## + ## +@@ -3218,12 +3474,13 @@ interface(`dev_rw_printer',` + ## + ## + # -interface(`dev_read_printk',` -- gen_require(` ++interface(`dev_manage_printer',` + gen_require(` - type device_t, printk_device_t; -- ') -- ++ type device_t, printer_device_t; + ') + - read_chr_files_pattern($1, device_t, printk_device_t) --') -- --######################################## --## - ## Get the attributes of the QEMU - ## microcode and id interfaces. - ## -@@ -3811,6 +4049,42 @@ interface(`dev_getattr_sysfs_dirs',` ++ manage_chr_files_pattern($1, device_t, printer_device_t) ++ dev_filetrans_printer_named_dev($1) + ') + + ######################################## +@@ -3811,6 +4068,42 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -74403,7 +74456,7 @@ index f820f3b..790494f 100644 ## Search the sysfs directories. ## ## -@@ -3860,6 +4134,7 @@ interface(`dev_list_sysfs',` +@@ -3860,6 +4153,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') @@ -74411,7 +74464,7 @@ index f820f3b..790494f 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3902,23 +4177,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3902,23 +4196,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -74465,7 +74518,7 @@ index f820f3b..790494f 100644 ######################################## ## ## Read hardware state information. -@@ -3972,6 +4273,62 @@ interface(`dev_rw_sysfs',` +@@ -3972,6 +4292,62 @@ interface(`dev_rw_sysfs',` ######################################## ## 
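Review bot: The rewritten summary `## Read and write the printer device.` understates what `dev_manage_printer` grants: `manage_chr_files_pattern($1, device_t, printer_device_t)` is create, unlink, rename and setattr as well as read/write on printer_device_t nodes under device_t, and `dev_filetrans_printer_named_dev($1)` adds the name transitions, so callers receive device-node creation rights, not just I/O. Change the summary to `## Create, read, write, and delete printer device nodes under /dev.` so anyone auditing callers sees the real scope. The hunk also keeps the removal of dev_read_printk (its text is reused for the new interface rather than retained); if any module elsewhere still calls dev_read_printk the build will fail, so a grep before merge is worthwhile. The interface body is fully within the hunk.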
@@ -74528,7 +74581,7 @@ index f820f3b..790494f 100644 ## Read and write the TPM device. ## ## -@@ -4069,6 +4426,25 @@ interface(`dev_write_urand',` +@@ -4069,6 +4445,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -74554,7 +74607,7 @@ index f820f3b..790494f 100644 ## Getattr generic the USB devices. ## ## -@@ -4103,6 +4479,24 @@ interface(`dev_setattr_generic_usb_dev',` +@@ -4103,6 +4498,24 @@ interface(`dev_setattr_generic_usb_dev',` setattr_chr_files_pattern($1, device_t, usb_device_t) ') @@ -74579,7 +74632,7 @@ index f820f3b..790494f 100644 ######################################## ## ## Read generic the USB devices. -@@ -4495,6 +4889,24 @@ interface(`dev_rw_vhost',` +@@ -4495,6 +4908,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -74604,7 +74657,7 @@ index f820f3b..790494f 100644 ## Read and write VMWare devices. ## ## -@@ -4695,6 +5107,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4695,6 +5126,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -74631,7 +74684,7 @@ index f820f3b..790494f 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4784,3 +5216,843 @@ interface(`dev_unconfined',` +@@ -4784,3 +5235,861 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -74665,6 +74718,64 @@ index f820f3b..790494f 100644 +## +## +# ++interface(`dev_filetrans_printer_named_dev',` ++ ++ gen_require(` ++ type printer_device_t; ++ ++ ') ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4") ++ filetrans_pattern($1, device_t, 
printer_device_t, chr_file, "par5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") ++') ++ ++######################################## ++## ++## Create all named devices with the correct label ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_filetrans_all_named_dev',` + +gen_require(` @@ -74686,7 +74797,6 @@ index f820f3b..790494f 100644 + type random_device_t; + type dri_device_t; + type ipmi_device_t; -+ type printer_device_t; + type memory_device_t; + type kmsg_device_t; + type qemu_device_t; @@ -74713,6 +74823,7 @@ index f820f3b..790494f 100644 + type mtrr_device_t; +') + ++ dev_filetrans_printer_named_dev($1) + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2") 
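Review bot: `dev_filetrans_printer_named_dev` requires only `type printer_device_t;` while every `filetrans_pattern` line in it names `device_t` as the parent type; refpolicy interfaces must require each type they reference, so a module that calls this interface directly (rather than through dev_manage_printer, which does require device_t) may fail to link with an undeclared-type error. The require block should read `type device_t, printer_device_t;`. The companion hunk on this line drops `type printer_device_t;` from dev_filetrans_all_named_dev's require list, which is correct once the printer names are delegated, provided the printer filetrans lines removed in the following hunks are the only remaining references to printer_device_t in that interface; dev_filetrans_all_named_dev itself continues well past this hunk.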
@@ -74950,16 +75061,6 @@ index f820f3b..790494f 100644 + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1") 
@@ -75008,16 +75109,6 @@ index f820f3b..790494f 100644 + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9") + filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem") 
@@ -75081,16 +75172,6 @@ index f820f3b..790494f 100644 + filetrans_pattern($1, device_t, null_device_t, chr_file, "null") + filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1") 
@@ -75196,16 +75277,6 @@ index f820f3b..790494f 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2") @@ -75647,7 +75718,7 @@ index 6a1e4d1..ffaa90a 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..6d455ba 100644 +index fae1ab1..28b8105 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) 
@@ -75748,7 +75819,7 @@ index fae1ab1..6d455ba 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -158,5 +199,256 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +199,260 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -75875,6 +75946,10 @@ index fae1ab1..6d455ba 100644 +') + +optional_policy(` ++ tftp_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file }) + userdom_filetrans_home_content(unconfined_domain_type) +') @@ -81493,7 +81568,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..2ea9a72 100644 +index e14b961..f40dcef 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,69 @@ policy_module(sysadm, 2.2.1) @@ -81834,7 +81909,7 @@ index e14b961..2ea9a72 100644 ') optional_policy(` -@@ -332,7 +417,14 @@ optional_policy(` +@@ -332,7 +417,18 @@ optional_policy(` ') optional_policy(` @@ -81847,10 +81922,14 @@ index e14b961..2ea9a72 100644 + systemd_login_reboot(sysadm_t) + systemd_login_halt(sysadm_t) + systemd_login_undefined(sysadm_t) ++') ++ ++optional_policy(` ++ tftp_filetrans_named_content(sysadm_t) ') optional_policy(` -@@ -343,19 +435,15 @@ optional_policy(` +@@ -343,19 +439,15 @@ optional_policy(` ') optional_policy(` @@ -81872,7 +81951,7 @@ index e14b961..2ea9a72 100644 ') optional_policy(` -@@ -367,45 +455,45 @@ optional_policy(` +@@ -367,45 +459,45 @@ optional_policy(` ') optional_policy(` 
@@ -81929,7 +82008,7 @@ index e14b961..2ea9a72 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +506,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +510,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -81940,7 +82019,7 @@ index e14b961..2ea9a72 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +523,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +527,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -81948,7 +82027,7 @@ index e14b961..2ea9a72 100644 ') optional_policy(` -@@ -446,11 +531,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +535,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -81967,8 +82046,9 @@ index e14b961..2ea9a72 100644 + + optional_policy(` + mozilla_role(sysadm_r, sysadm_t) -+ ') -+ + ') +-') + + optional_policy(` + mplayer_role(sysadm_r, sysadm_t) + ') @@ -81987,9 +82067,8 @@ index e14b961..2ea9a72 100644 + + optional_policy(` + spamassassin_role(sysadm_r, sysadm_t) - ') --') - ++ ') ++ + optional_policy(` + thunderbird_role(sysadm_r, sysadm_t) + ') @@ -83448,10 +83527,10 @@ index e88b95f..9b6536a 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..2e52710 100644 +index 1bd5812..d17ee73 100644 --- a/policy/modules/services/abrt.fc +++ b/policy/modules/services/abrt.fc -@@ -1,13 +1,15 @@ +@@ -1,13 +1,16 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) 
@@ -83462,6 +83541,7 @@ index 1bd5812..2e52710 100644 -/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) +/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0) /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) @@ -83470,7 +83550,7 @@ index 1bd5812..2e52710 100644 /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) /var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -@@ -15,6 +17,19 @@ +@@ -15,6 +18,19 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -83764,7 +83844,7 @@ index 0b827c5..ac79ca6 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..07f46bc 100644 +index 30861ec..ec4a1db 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0) @@ -83825,7 +83905,7 @@ index 30861ec..07f46bc 100644 type abrt_helper_exec_t; application_domain(abrt_helper_t, abrt_helper_exec_t) role system_r types abrt_helper_t; -@@ -43,22 +75,42 @@ ifdef(`enable_mcs',` +@@ -43,22 +75,46 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -83849,6 +83929,10 @@ index 30861ec..07f46bc 100644 +type abrt_retrace_spool_t; +files_spool_file(abrt_retrace_spool_t) + ++type abrt_watch_log_t; ++type abrt_watch_log_exec_t; ++init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) ++ ######################################## # # abrt local policy 
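Review bot: The new `/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)` spec should be checked against every other .fc touched by this patch for a second specification of the same path with a different type: setfiles and restorecon reject conflicting specs for one path ("Multiple different specifications"), and the file would otherwise carry whichever label wins rather than abrt_watch_log_exec_t, so the `init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)` transition declared in the abrt.te hunk on this line would never fire. The abrt module is the right home for the spec; any duplicate elsewhere should be deleted rather than left to load order.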
@@ -83871,7 +83955,7 @@ index 30861ec..07f46bc 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -68,7 +120,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -68,7 +124,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) # abrt tmp files manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) @@ -83881,7 +83965,7 @@ index 30861ec..07f46bc 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +136,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +140,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -83894,7 +83978,7 @@ index 30861ec..07f46bc 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +158,8 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +162,8 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -83903,7 +83987,7 @@ index 30861ec..07f46bc 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +169,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +173,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -83913,7 +83997,7 @@ index 30861ec..07f46bc 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +178,9 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +182,9 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) 
@@ -83923,7 +84007,7 @@ index 30861ec..07f46bc 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +191,26 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +195,26 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -83956,7 +84040,7 @@ index 30861ec..07f46bc 100644 ') optional_policy(` -@@ -167,6 +231,7 @@ optional_policy(` +@@ -167,6 +235,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -83964,7 +84048,7 @@ index 30861ec..07f46bc 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +243,35 @@ optional_policy(` +@@ -178,12 +247,35 @@ optional_policy(` ') optional_policy(` @@ -84001,7 +84085,7 @@ index 30861ec..07f46bc 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +288,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -84030,7 +84114,7 @@ index 30861ec..07f46bc 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +311,128 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +315,146 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -84048,7 +84132,7 @@ index 30861ec..07f46bc 100644 + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; -+') + ') + +####################################### +# 
@@ -84116,7 +84200,7 @@ index 30861ec..07f46bc 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) - ') ++') + +######################################## +# @@ -84149,6 +84233,24 @@ index 30861ec..07f46bc 100644 + +####################################### +# ++# abrt_watch_log local policy ++# ++ ++allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; ++allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms; ++ ++read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) ++ ++domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) ++ ++logging_read_all_logs(abrt_watch_log_t) ++ ++optional_policy(` ++ unconfined_domain(abrt_watch_log_t) ++') ++ ++####################################### ++# +# Local policy for all abrt domain +# + @@ -85672,10 +85774,10 @@ index 6480167..4fc1968 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..80880c0 100644 +index 3136c6a..3ee87ed 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,136 +18,254 @@ policy_module(apache, 2.2.1) +@@ -18,136 +18,261 @@ policy_module(apache, 2.2.1) # Declarations # @@ -85929,6 +86031,13 @@ index 3136c6a..80880c0 100644 -## Allow httpd to access cifs file systems -##
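Review bot: The trailing `optional_policy(` unconfined_domain(abrt_watch_log_t) `')` makes the new domain unconfined whenever the unconfined module is loaded, which on a targeted policy is the normal case, so the allow rules, the abrt_etc_t read and `logging_read_all_logs(abrt_watch_log_t)` above it become dead and the daemon runs with full privilege while appearing to have its own domain. If the intent is to ease bring-up of a new domain, `permissive abrt_watch_log_t;` is the conventional tool: denials are still logged so the policy can be completed, without also making the type an unconfined_domain_type and pulling in every unconfined file transition. If it is genuinely meant to stay unconfined, say so in a comment and drop the unreachable rules. The domtrans to abrt_dump_oops_t is fine; that domain's own policy lies outside this hunk.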

+##

++## Allow httpd to access openstack ports ++##

++## ++gen_tunable(httpd_use_openstack, false) ++ ++## ++##

+## Allow httpd to access cifs file systems +##

##
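Review bot: `gen_tunable(httpd_use_openstack, false)` is declared here, but no `tunable_policy(`httpd_use_openstack', ...)` block consuming it is visible anywhere in this diff; an unused boolean is worse than none, because an administrator who toggles it believes access changes when it does not. Either add the consuming block in the same change (the keystone and glance port declarations earlier in this patch generate the corenet connect interfaces it would wrap) or hold the declaration back until it is used. The description should also say which ports it covers, e.g. `## Allow httpd to connect to the OpenStack (keystone, glance) ports.`, since "openstack ports" is not a defined set in corenetwork.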
@@ -85986,7 +86095,7 @@ index 3136c6a..80880c0 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -166,7 +284,7 @@ files_type(httpd_cache_t) +@@ -166,7 +291,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -85995,7 +86104,7 @@ index 3136c6a..80880c0 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +295,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +302,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -86005,7 +86114,7 @@ index 3136c6a..80880c0 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +337,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +344,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -86028,7 +86137,7 @@ index 3136c6a..80880c0 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +361,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +368,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -86039,7 +86148,7 @@ index 3136c6a..80880c0 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +372,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +379,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -86047,7 +86156,7 @@ index 3136c6a..80880c0 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +394,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +401,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -86071,7 +86180,7 @@ index 3136c6a..80880c0 100644 ######################################## # # Apache server local policy -@@ -281,11 +430,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +437,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -86085,7 +86194,7 @@ index 3136c6a..80880c0 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +480,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +487,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -86096,7 +86205,7 @@ index 3136c6a..80880c0 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -339,8 +491,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -339,8 +498,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -86107,7 +86216,7 @@ index 3136c6a..80880c0 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -355,6 +508,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +515,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -86117,7 +86226,7 @@ index 3136c6a..80880c0 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +521,16 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +528,17 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -86127,6 +86236,7 @@ index 3136c6a..80880c0 100644 corenet_tcp_bind_http_cache_port(httpd_t) +corenet_tcp_bind_ntop_port(httpd_t) +corenet_tcp_bind_jboss_management_port(httpd_t) ++corenet_tcp_bind_jboss_messaging_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) +corenet_tcp_bind_puppet_port(httpd_t) # Signal self for shutdown @@ -86135,7 +86245,7 @@ index 3136c6a..80880c0 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +539,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +547,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -86151,7 +86261,7 @@ index 3136c6a..80880c0 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +552,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +560,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) 
@@ -86159,7 +86269,7 @@ index 3136c6a..80880c0 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +564,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +572,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -86263,7 +86373,7 @@ index 3136c6a..80880c0 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -454,27 +669,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -454,27 +677,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -86327,7 +86437,7 @@ index 3136c6a..80880c0 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +733,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +741,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -86350,7 +86460,7 @@ index 3136c6a..80880c0 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +763,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +771,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -86371,7 +86481,7 @@ index 3136c6a..80880c0 100644 ') optional_policy(` -@@ -513,7 +787,13 @@ optional_policy(` +@@ -513,7 +795,13 @@ optional_policy(` ') optional_policy(` @@ -86386,7 +86496,7 @@ index 3136c6a..80880c0 100644 ') optional_policy(` -@@ -528,7 +808,19 @@ optional_policy(` +@@ -528,7 +816,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') 
@@ -86407,7 +86517,7 @@ index 3136c6a..80880c0 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +829,13 @@ optional_policy(` +@@ -537,8 +837,13 @@ optional_policy(` ') optional_policy(` @@ -86422,7 +86532,7 @@ index 3136c6a..80880c0 100644 ') ') -@@ -556,7 +853,21 @@ optional_policy(` +@@ -556,7 +861,21 @@ optional_policy(` ') optional_policy(` @@ -86444,7 +86554,7 @@ index 3136c6a..80880c0 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +878,7 @@ optional_policy(` +@@ -567,6 +886,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -86452,7 +86562,7 @@ index 3136c6a..80880c0 100644 ') optional_policy(` -@@ -577,6 +889,29 @@ optional_policy(` +@@ -577,6 +897,29 @@ optional_policy(` ') optional_policy(` @@ -86482,7 +86592,7 @@ index 3136c6a..80880c0 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +926,11 @@ optional_policy(` +@@ -591,6 +934,11 @@ optional_policy(` ') optional_policy(` @@ -86494,7 +86604,7 @@ index 3136c6a..80880c0 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +943,12 @@ optional_policy(` +@@ -603,6 +951,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -86507,7 +86617,7 @@ index 3136c6a..80880c0 100644 ######################################## # # Apache helper local policy -@@ -616,7 +962,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +970,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -86520,7 +86630,7 @@ index 3136c6a..80880c0 100644 ######################################## # -@@ -654,28 +1004,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +1012,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
@@ -86564,7 +86674,7 @@ index 3136c6a..80880c0 100644 ') ######################################## -@@ -685,6 +1037,8 @@ optional_policy(` +@@ -685,6 +1045,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -86573,7 +86683,7 @@ index 3136c6a..80880c0 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1053,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1061,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -86599,7 +86709,7 @@ index 3136c6a..80880c0 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1099,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1107,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -86632,7 +86742,7 @@ index 3136c6a..80880c0 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1146,25 @@ optional_policy(` +@@ -769,6 +1154,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -86658,7 +86768,7 @@ index 3136c6a..80880c0 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1185,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1193,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -86676,7 +86786,7 @@ index 3136c6a..80880c0 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1204,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1212,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -86733,7 +86843,7 @@ index 3136c6a..80880c0 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1255,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1263,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -86774,7 +86884,7 @@ index 3136c6a..80880c0 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1300,20 @@ optional_policy(` +@@ -842,10 +1308,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -86795,7 +86905,7 @@ index 3136c6a..80880c0 100644 ') ######################################## -@@ -891,11 +1359,135 @@ optional_policy(` +@@ -891,11 +1367,142 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -86819,7 +86929,7 @@ index 3136c6a..80880c0 100644 + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) -+') + ') + +######################################## +# 
@@ -86933,7 +87043,14 @@ index 3136c6a..80880c0 100644 + allow httpd_t httpd_content_type:dir list_dir_perms; + read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) + read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type) - ') ++') ++ ++tunable_policy(`httpd_use_openstack',` ++ corenet_tcp_connect_keystone_port(httpd_sys_script_t) ++ corenet_tcp_connect_all_ephemeral_ports(httpd_t) ++ corenet_tcp_connect_glance_port(httpd_sys_script_t) ++') ++ diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc index cd07b96..f5298af 100644 --- a/policy/modules/services/apcupsd.fc @@ -90612,10 +90729,10 @@ index 0000000..2972c77 +') diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te new file mode 100644 -index 0000000..02d8a13 +index 0000000..0de6133 --- /dev/null +++ b/policy/modules/services/cfengine.te -@@ -0,0 +1,99 @@ +@@ -0,0 +1,101 @@ +policy_module(cfengine, 1.0.0) + +######################################## @@ -90693,6 +90810,8 @@ index 0000000..02d8a13 +allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot }; +allow cfengine_execd_t self:process { fork setfscreate signal }; + ++kernel_read_sysctl(cfengine_execd_t) ++ +domain_read_all_domains_state(cfengine_execd_t) +domain_use_interactive_fds(cfengine_execd_t) + @@ -92174,7 +92293,7 @@ index 116d60f..e2c6ec6 100644 + allow $1 cobblerd_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te -index 0258b48..5fe2f77 100644 +index 0258b48..f114e78 100644 --- a/policy/modules/services/cobbler.te +++ b/policy/modules/services/cobbler.te @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0) @@ -92391,7 +92510,7 @@ index 0258b48..5fe2f77 100644 ') optional_policy(` -@@ -110,12 +222,20 @@ optional_policy(` +@@ -110,12 +222,21 @@ optional_policy(` ') optional_policy(` 
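Review bot: Inside the new `httpd_use_openstack` block, `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` is much broader than the tunable's name implies and is the only rule in the block granted to httpd_t rather than httpd_sys_script_t. Permission to connect to every ephemeral port on any host lets the main server domain reach arbitrary services, not just keystone and glance; if a specific OpenStack endpoint is the real need, use that port's connect interface, and if the full ephemeral range is genuinely required, add a comment above the line naming the component that needs it. The trailing blank `++` line added after the closing `++')` also leaves apache.te ending with an empty line, which does not match the rest of the file.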
@@ -92412,10 +92531,11 @@ index 0258b48..5fe2f77 100644 + # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg) + # are any of those hard linked? + tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) ++ tftp_manage_config(cobblerd_t) ') ######################################## -@@ -124,5 +244,6 @@ optional_policy(` +@@ -124,5 +245,6 @@ optional_policy(` # apache_content_template(cobbler) @@ -92922,10 +93042,10 @@ index 0000000..a9ad037 +/var/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0) diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if new file mode 100644 -index 0000000..d509142 +index 0000000..88a0b5d --- /dev/null +++ b/policy/modules/services/condor.if -@@ -0,0 +1,278 @@ +@@ -0,0 +1,272 @@ + +## policy for condor + @@ -93168,12 +93288,6 @@ index 0000000..d509142 +## Domain allowed access. +##
+## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`condor_admin',` + gen_require(` @@ -96152,7 +96266,7 @@ index 305ddf4..4d70951 100644 + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat") ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..a1527a7 100644 +index 0f28095..085e634 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -96408,7 +96522,16 @@ index 0f28095..a1527a7 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +720,9 @@ domain_use_interactive_fds(hplip_t) +@@ -661,6 +696,8 @@ corenet_tcp_bind_generic_node(hplip_t) + corenet_udp_bind_generic_node(hplip_t) + corenet_tcp_bind_hplip_port(hplip_t) + corenet_tcp_connect_hplip_port(hplip_t) ++corenet_tcp_bind_glance_port(hplip_t) ++corenet_tcp_connect_glance_port(hplip_t) + corenet_tcp_connect_ipp_port(hplip_t) + corenet_sendrecv_hplip_client_packets(hplip_t) + corenet_receive_hplip_server_packets(hplip_t) +@@ -685,6 +722,9 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -96418,7 +96541,7 @@ index 0f28095..a1527a7 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +734,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +736,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -101540,10 +101663,10 @@ index 0000000..c4c7510 +') diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te new file mode 100644 -index 0000000..3b2ff3b +index 0000000..3e016c3 --- /dev/null +++ b/policy/modules/services/firewalld.te -@@ -0,0 +1,85 @@ +@@ -0,0 +1,86 @@ + +policy_module(firewalld,1.0.0) + 
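Review bot: `corenet_tcp_bind_glance_port(hplip_t)` and `corenet_tcp_connect_glance_port(hplip_t)` look misplaced in cups.te without an explanation, since a printing daemon has no relation to the OpenStack image service. If they exist because the glance port was carved out of the range previously covered by `corenet_tcp_bind_hplip_port` (the glance.te hunk later in this patch swaps `corenet_tcp_bind_hplip_port` for `corenet_tcp_bind_glance_port`), say so above the two lines, e.g. `# glance port was formerly part of the hplip port range; keep existing hplip listeners working`. Otherwise the bind should be dropped, because every additional name_bind for hplip_t widens what a compromised printing daemon may listen on.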
@@ -101596,6 +101719,7 @@ index 0000000..3b2ff3b +kernel_read_system_state(firewalld_t) + +corecmd_exec_bin(firewalld_t) ++corecmd_exec_shell(firewalld_t) + +dev_read_urand(firewalld_t) + @@ -103148,7 +103272,7 @@ index 0000000..ebe1dde +') diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te new file mode 100644 -index 0000000..941c652 +index 0000000..883a846 --- /dev/null +++ b/policy/modules/services/glance.te @@ -0,0 +1,105 @@ @@ -103248,7 +103372,7 @@ index 0000000..941c652 +corecmd_exec_shell(glance_api_t) + +corenet_tcp_bind_generic_node(glance_api_t) -+corenet_tcp_bind_hplip_port(glance_api_t) ++corenet_tcp_bind_glance_port(glance_api_t) +corenet_tcp_connect_glance_registry_port(glance_api_t) +corenet_tcp_connect_all_ephemeral_ports(glance_api_t) + @@ -104248,7 +104372,7 @@ index df48e5e..878d9df 100644 type inetd_t; ') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te -index c51a7b2..b07694c 100644 +index c51a7b2..afc68dc 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -89,6 +89,10 @@ corenet_tcp_bind_ftp_port(inetd_t) @@ -104273,6 +104397,17 @@ index c51a7b2..b07694c 100644 sysnet_read_config(inetd_t) +@@ -176,6 +183,10 @@ optional_policy(` + ') + + optional_policy(` ++ tftp_read_config(inetd_t) ++') ++ ++optional_policy(` + udev_read_db(inetd_t) + ') + diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc index 8ca038d..8507ee2 100644 --- a/policy/modules/services/inn.fc @@ -105692,7 +105827,7 @@ index 0000000..c7a5aeb +') diff --git a/policy/modules/services/keystone.te b/policy/modules/services/keystone.te new file mode 100644 -index 0000000..d73c319 +index 0000000..1b3d4d9 --- /dev/null +++ b/policy/modules/services/keystone.te @@ -0,0 +1,69 @@ 
@@ -105746,7 +105881,7 @@ index 0000000..d73c319 +corecmd_exec_bin(keystone_t) +corecmd_exec_shell(keystone_t) + -+corenet_tcp_bind_commplex_port(keystone_t) ++corenet_tcp_bind_keystone_port(keystone_t) +corenet_tcp_bind_generic_node(keystone_t) + +dev_read_urand(keystone_t) @@ -111241,10 +111376,10 @@ index 74da57f..b94bb3b 100644 /usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0) diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc -index 386543b..ea4e5e6 100644 +index 386543b..0f1f9c4 100644 --- a/policy/modules/services/networkmanager.fc +++ b/policy/modules/services/networkmanager.fc -@@ -1,6 +1,17 @@ +@@ -1,6 +1,21 @@ /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -111253,6 +111388,10 @@ index 386543b..ea4e5e6 100644 +/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) +/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + ++/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++ +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) 
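Review bot: The three new `/etc/dhcp/*-settings.conf` entries in networkmanager.fc duplicate the `/etc/wicd/` trio with only the directory changed and reuse `NetworkManager_var_lib_t`, a var_lib type, for files under /etc. I cannot tell from the hunk whether any daemon actually writes these three names into /etc/dhcp; if this was a copy of the wicd block, the entries label nothing and should go, and if a component really does create them there, a comment naming it above the block would make the unusual type choice reviewable.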
@@ -111263,7 +111402,7 @@ index 386543b..ea4e5e6 100644 /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -@@ -12,15 +23,19 @@ +@@ -12,15 +27,19 @@ /usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -111285,7 +111424,7 @@ index 386543b..ea4e5e6 100644 /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if -index 2324d9e..6717db4 100644 +index 2324d9e..69db955 100644 --- a/policy/modules/services/networkmanager.if +++ b/policy/modules/services/networkmanager.if @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',` @@ -111360,7 +111499,7 @@ index 2324d9e..6717db4 100644 ## Send a generic signal to NetworkManager ##
## -@@ -191,3 +236,77 @@ interface(`networkmanager_read_pid_files',` +@@ -191,3 +236,81 @@ interface(`networkmanager_read_pid_files',` files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -111425,6 +111564,7 @@ index 2324d9e..6717db4 100644 +interface(`networkmanager_filetrans_named_content',` + gen_require(` + type NetworkManager_var_run_t; ++ type NetworkManager_var_lib_t; + ') + + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf") @@ -111437,9 +111577,12 @@ index 2324d9e..6717db4 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf") ++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf") ++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf") ++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..71b47c8 100644 +index 0619395..103f6f8 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -111458,7 +111601,7 @@ index 0619395..71b47c8 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -35,16 +44,25 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -35,16 +44,26 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) 
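Review bot: The last added transition in `networkmanager_filetrans_named_content` names `"wireed-settings.conf"`, which does not match the `wired-settings.conf` entries this patch adds to networkmanager.fc, so the named transition never fires and a newly created wired-settings.conf keeps the default label of its parent /etc directory until a relabel. Change it to `files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")`. The per-device `nm-dhclient.-ethN.conf` list above it also silently misses eth10 and any non-ethN device name; that limitation predates this hunk but deserves a comment.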
@@ -111473,6 +111616,7 @@ index 0619395..71b47c8 100644 +') +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms }; +tunable_policy(`deny_ptrace',`',` ++ allow NetworkManager_t self:capability sys_ptrace; + allow NetworkManager_t self:process ptrace; +') + @@ -111488,7 +111632,7 @@ index 0619395..71b47c8 100644 allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -52,9 +70,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; +@@ -52,9 +71,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; can_exec(NetworkManager_t, NetworkManager_exec_t) @@ -111509,7 +111653,7 @@ index 0619395..71b47c8 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -95,11 +124,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) +@@ -95,11 +125,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) corenet_rw_tun_tap_dev(NetworkManager_t) corenet_getattr_ppp_dev(NetworkManager_t) @@ -111523,7 +111667,7 @@ index 0619395..71b47c8 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -113,10 +143,11 @@ corecmd_exec_shell(NetworkManager_t) +@@ -113,10 +144,11 @@ corecmd_exec_shell(NetworkManager_t) corecmd_exec_bin(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) @@ -111536,7 +111680,7 @@ index 0619395..71b47c8 100644 files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) -@@ -133,30 +164,37 @@ logging_send_syslog_msg(NetworkManager_t) +@@ -133,30 +165,37 @@ logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) miscfiles_read_generic_certs(NetworkManager_t) 
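Review bot: The new `allow NetworkManager_t self:capability sys_ptrace;` is much wider than the `self:process ptrace` rule beside it: the capability is what the kernel checks when a process inspects or attaches to processes it does not own, while the self:process rule only covers tracing itself. If the only purpose is the gdb self-trace described in the comment above the block, confirm the capability is actually needed for that case; if it is, document it, e.g. `# CAP_SYS_PTRACE is needed for gdb to attach to NetworkManager itself (rh bug #204161)`. The grant stays inside the `deny_ptrace` tunable, which at least keeps it off on hardened systems.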
@@ -111576,7 +111720,7 @@ index 0619395..71b47c8 100644 ') optional_policy(` -@@ -176,10 +214,17 @@ optional_policy(` +@@ -176,10 +215,17 @@ optional_policy(` ') optional_policy(` @@ -111594,7 +111738,7 @@ index 0619395..71b47c8 100644 ') ') -@@ -191,6 +236,7 @@ optional_policy(` +@@ -191,6 +237,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -111602,7 +111746,7 @@ index 0619395..71b47c8 100644 ') optional_policy(` -@@ -202,23 +248,45 @@ optional_policy(` +@@ -202,23 +249,45 @@ optional_policy(` ') optional_policy(` @@ -111648,7 +111792,7 @@ index 0619395..71b47c8 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -234,6 +302,10 @@ optional_policy(` +@@ -234,6 +303,10 @@ optional_policy(` ') optional_policy(` @@ -111659,7 +111803,7 @@ index 0619395..71b47c8 100644 ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +313,7 @@ optional_policy(` +@@ -241,6 +314,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -111667,7 +111811,7 @@ index 0619395..71b47c8 100644 ') optional_policy(` -@@ -254,6 +327,10 @@ optional_policy(` +@@ -254,6 +328,10 @@ optional_policy(` ') optional_policy(` @@ -111678,7 +111822,7 @@ index 0619395..71b47c8 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +340,7 @@ optional_policy(` +@@ -263,6 +341,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -113549,7 +113693,7 @@ index bd76ec2..ca6517b 100644 ## ## Execute a domain transition to run oddjob_mkhomedir. diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te -index cadfc63..c8f4d64 100644 +index cadfc63..e056e78 100644 --- a/policy/modules/services/oddjob.te +++ b/policy/modules/services/oddjob.te 
@@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0) @@ -113568,7 +113712,16 @@ index cadfc63..c8f4d64 100644 domain_obj_id_change_exemption(oddjob_mkhomedir_t) init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -@@ -99,8 +97,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) +@@ -53,6 +51,8 @@ selinux_compute_create_context(oddjob_t) + + files_read_etc_files(oddjob_t) + ++auth_use_nsswitch(oddjob_t) ++ + miscfiles_read_localization(oddjob_t) + + locallogin_dontaudit_use_fds(oddjob_t) +@@ -99,8 +99,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) @@ -114242,7 +114395,7 @@ index 8ac407e..45673ad 100644 admin_pattern($1, pads_config_t) ') diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te -index b246bdd..07baada 100644 +index b246bdd..84afa7a 100644 --- a/policy/modules/services/pads.te +++ b/policy/modules/services/pads.te @@ -1,4 +1,4 @@ @@ -114259,7 +114412,7 @@ index b246bdd..07baada 100644 type pads_initrc_exec_t; init_script_file(pads_initrc_exec_t) -@@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t) +@@ -25,10 +24,11 @@ files_pid_file(pads_var_run_t) # allow pads_t self:capability { dac_override net_raw }; @@ -114269,12 +114422,13 @@ index b246bdd..07baada 100644 -allow pads_t self:unix_dgram_socket { write create connect }; +allow pads_t self:netlink_route_socket create_netlink_socket_perms; +allow pads_t self:packet_socket create_socket_perms; ++allow pads_t self:socket create_socket_perms; +allow pads_t self:udp_socket create_socket_perms; +allow pads_t self:unix_dgram_socket create_socket_perms; allow pads_t pads_config_t:file manage_file_perms; files_etc_filetrans(pads_t, pads_config_t, file) -@@ -48,6 +47,7 @@ corenet_tcp_connect_prelude_port(pads_t) +@@ -48,6 +48,7 @@ corenet_tcp_connect_prelude_port(pads_t) dev_read_rand(pads_t) dev_read_urand(pads_t) 
@@ -117427,7 +117581,7 @@ index 7257526..7d73656 100644 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index f03fad4..668467d 100644 +index f03fad4..df9f22b 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc @@ -11,9 +11,9 @@ @@ -117443,6 +117597,18 @@ index f03fad4..668467d 100644 ifdef(`distro_debian', ` /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) +@@ -28,9 +28,9 @@ ifdef(`distro_redhat', ` + # + /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + +-/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) ++/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) +-/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) ++/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0) + + /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) @@ -45,4 +45,4 @@ ifdef(`distro_redhat', ` /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) @@ -122339,10 +122505,10 @@ index 0000000..6572600 +') diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 -index 0000000..d0aef10 +index 0000000..5653d39 --- /dev/null +++ b/policy/modules/services/rhsmcertd.te -@@ -0,0 +1,64 @@ +@@ -0,0 +1,66 @@ +policy_module(rhsmcertd, 1.0.0) + +######################################## 
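Review bot: Broadening `/var/lib/pgsql/data(/.*)?` to `/var/lib/pgsql(/.*)?` labels everything under /var/lib/pgsql as postgresql_db_t, not only the cluster data directory (on Red Hat layouts this is typically the postgres account's home, so its dotfiles get the database type), and the new `/var/lib/pgsql/.*\.log` pattern also catches `.log` files the server writes below the data directory, which the old rules left as postgresql_db_t. If both widenings are intended, a comment above the two lines would help; otherwise keep the data-directory rule and list the extra log paths explicitly. I cannot see from the hunk whether postgresql_t's own rules grant manage on postgresql_log_t for files it creates there, so server logging should be checked after a relabel.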
@@ -122403,6 +122569,8 @@ index 0000000..d0aef10 +files_read_usr_files(rhsmcertd_t) +files_manage_generic_locks(rhsmcertd_t) + ++auth_read_passwd(rhsmcertd_t) ++ +miscfiles_read_localization(rhsmcertd_t) +miscfiles_read_certs(rhsmcertd_t) + @@ -124226,7 +124394,7 @@ index 82cb169..0ed7e14 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..e7e7187 100644 +index e30bb63..ef60f40 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false) @@ -124272,11 +124440,13 @@ index e30bb63..e7e7187 100644 kernel_read_proc_symlinks(samba_net_t) kernel_read_system_state(samba_net_t) -@@ -215,22 +222,28 @@ miscfiles_read_localization(samba_net_t) +@@ -215,22 +222,30 @@ miscfiles_read_localization(samba_net_t) samba_read_var_files(samba_net_t) -userdom_use_user_terminals(samba_net_t) ++sysnet_use_ldap(samba_net_t) ++ +userdom_use_inherited_user_terminals(samba_net_t) userdom_list_user_home_dirs(samba_net_t) @@ -124303,7 +124473,7 @@ index e30bb63..e7e7187 100644 dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -248,7 +261,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -248,7 +263,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow smbd_t nmbd_t:process { signal signull }; 
@@ -124313,7 +124483,7 @@ index e30bb63..e7e7187 100644 allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -@@ -263,12 +278,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) +@@ -263,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) @@ -124328,7 +124498,7 @@ index e30bb63..e7e7187 100644 allow smbd_t smbcontrol_t:process { signal signull }; -@@ -279,7 +295,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) +@@ -279,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) @@ -124337,7 +124507,7 @@ index e30bb63..e7e7187 100644 allow smbd_t swat_t:process signal; -@@ -316,6 +332,7 @@ corenet_tcp_connect_smbd_port(smbd_t) +@@ -316,6 +334,7 @@ corenet_tcp_connect_smbd_port(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) @@ -124345,7 +124515,7 @@ index e30bb63..e7e7187 100644 dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) # For redhat bug 566984 -@@ -323,15 +340,18 @@ dev_getattr_all_blk_files(smbd_t) +@@ -323,15 +342,18 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) @@ -124364,7 +124534,7 @@ index e30bb63..e7e7187 100644 domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -343,6 +363,7 @@ files_read_usr_files(smbd_t) +@@ -343,6 +365,7 @@ files_read_usr_files(smbd_t) files_search_spool(smbd_t) # smbd seems to getattr all mountpoints files_dontaudit_getattr_all_dirs(smbd_t) 
@@ -124372,7 +124542,7 @@ index e30bb63..e7e7187 100644 # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -354,6 +375,8 @@ logging_send_syslog_msg(smbd_t) +@@ -354,6 +377,8 @@ logging_send_syslog_msg(smbd_t) miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) @@ -124381,7 +124551,7 @@ index e30bb63..e7e7187 100644 userdom_use_unpriv_users_fds(smbd_t) userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) -@@ -372,6 +395,11 @@ tunable_policy(`allow_smbd_anon_write',` +@@ -372,6 +397,11 @@ tunable_policy(`allow_smbd_anon_write',` miscfiles_manage_public_files(smbd_t) ') @@ -124393,7 +124563,7 @@ index e30bb63..e7e7187 100644 tunable_policy(`samba_domain_controller',` gen_require(` class passwd passwd; -@@ -385,12 +413,7 @@ tunable_policy(`samba_domain_controller',` +@@ -385,12 +415,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -124407,7 +124577,7 @@ index e30bb63..e7e7187 100644 ') # Support Samba sharing of NFS mount points -@@ -410,6 +433,10 @@ tunable_policy(`samba_share_fusefs',` +@@ -410,6 +435,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -124418,7 +124588,7 @@ index e30bb63..e7e7187 100644 optional_policy(` cups_read_rw_config(smbd_t) -@@ -422,6 +449,11 @@ optional_policy(` +@@ -422,6 +451,11 @@ optional_policy(` ') optional_policy(` @@ -124430,7 +124600,7 @@ index e30bb63..e7e7187 100644 lpd_exec_lpr(smbd_t) ') -@@ -445,26 +477,25 @@ optional_policy(` +@@ -445,26 +479,25 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) 
@@ -124464,7 +124634,7 @@ index e30bb63..e7e7187 100644 ######################################## # # nmbd Local policy -@@ -484,8 +515,10 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +517,10 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -124476,7 +124646,7 @@ index e30bb63..e7e7187 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -555,18 +588,21 @@ optional_policy(` +@@ -555,18 +590,21 @@ optional_policy(` # smbcontrol local policy # @@ -124502,7 +124672,7 @@ index e30bb63..e7e7187 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -574,11 +610,19 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -574,11 +612,21 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -124515,6 +124685,8 @@ index e30bb63..e7e7187 100644 miscfiles_read_localization(smbcontrol_t) -userdom_use_user_terminals(smbcontrol_t) ++sysnet_use_ldap(smbcontrol_t) ++ +userdom_use_inherited_user_terminals(smbcontrol_t) + +optional_policy(` @@ -124523,7 +124695,7 @@ index e30bb63..e7e7187 100644 ######################################## # -@@ -644,19 +688,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +692,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -124548,7 +124720,7 @@ index e30bb63..e7e7187 100644 ######################################## # # SWAT Local policy -@@ -677,7 +723,8 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +727,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; 
@@ -124558,7 +124730,7 @@ index e30bb63..e7e7187 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +739,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +743,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -124573,7 +124745,7 @@ index e30bb63..e7e7187 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +759,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +763,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -124581,8 +124753,12 @@ index e30bb63..e7e7187 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +804,8 @@ logging_search_logs(swat_t) +@@ -752,8 +806,12 @@ logging_send_syslog_msg(swat_t) + logging_send_audit_msgs(swat_t) + logging_search_logs(swat_t) ++sysnet_use_ldap(swat_t) ++ miscfiles_read_localization(swat_t) +userdom_dontaudit_search_admin_dir(swat_t) @@ -124590,7 +124766,7 @@ index e30bb63..e7e7187 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -783,7 +835,8 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -783,7 +841,8 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; @@ -124600,7 +124776,7 @@ index e30bb63..e7e7187 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,15 +859,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +865,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) 
@@ -124622,7 +124798,7 @@ index e30bb63..e7e7187 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +887,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +893,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -124630,7 +124806,7 @@ index e30bb63..e7e7187 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -850,10 +905,14 @@ domain_use_interactive_fds(winbind_t) +@@ -850,10 +911,14 @@ domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) files_read_usr_symlinks(winbind_t) @@ -124645,7 +124821,7 @@ index e30bb63..e7e7187 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -863,6 +922,12 @@ userdom_manage_user_home_content_pipes(winbind_t) +@@ -863,6 +928,12 @@ userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) @@ -124658,7 +124834,7 @@ index e30bb63..e7e7187 100644 optional_policy(` kerberos_use(winbind_t) ') -@@ -904,7 +969,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +975,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -124667,7 +124843,7 @@ index e30bb63..e7e7187 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,19 +987,34 @@ optional_policy(` +@@ -922,19 +993,34 @@ optional_policy(` # optional_policy(` @@ -127829,7 +128005,7 @@ index 22adaca..60103b5 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..322c050 100644 +index 2dad3c8..a67b643 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te 
@@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0) @@ -128058,7 +128234,7 @@ index 2dad3c8..322c050 100644 ################################# # # sshd local policy -@@ -232,33 +243,39 @@ optional_policy(` +@@ -232,33 +243,40 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -128088,6 +128264,7 @@ index 2dad3c8..322c050 100644 +userdom_spec_domtrans_unpriv_users(sshd_t) +userdom_signal_unpriv_users(sshd_t) +userdom_dyntransition_unpriv_users(sshd_t) ++userdom_dyntransition_admin_users(sshd_t) + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd @@ -128107,7 +128284,7 @@ index 2dad3c8..322c050 100644 ') optional_policy(` -@@ -266,11 +283,24 @@ optional_policy(` +@@ -266,11 +284,24 @@ optional_policy(` ') optional_policy(` @@ -128133,7 +128310,7 @@ index 2dad3c8..322c050 100644 ') optional_policy(` -@@ -284,6 +314,15 @@ optional_policy(` +@@ -284,6 +315,15 @@ optional_policy(` ') optional_policy(` @@ -128149,7 +128326,7 @@ index 2dad3c8..322c050 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +331,26 @@ optional_policy(` +@@ -292,26 +332,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -128195,7 +128372,7 @@ index 2dad3c8..322c050 100644 ') dnl endif TODO ######################################## -@@ -322,19 +361,26 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +362,26 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -128223,7 +128400,7 @@ index 2dad3c8..322c050 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,9 +397,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,9 +398,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) 
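Review bot: `++userdom_dyntransition_admin_users(sshd_t)` is added unconditionally in the sshd hunk (`+@@ -232,33 +243,40 @@`), directly above the `tunable_policy(`ssh_sysadm_login',` block, so sshd_t may setcon() into every admindomain even when the ssh_sysadm_login boolean is off; the unpriv variant on the line above it has no boolean to gate on, but the admin variant does. Moving the call inside that tunable block, `tunable_policy(`ssh_sysadm_login',` followed by `userdom_dyntransition_admin_users(sshd_t)`, would keep admin-login reachability under the one switch. The interface itself is introduced in the userdomain.if hunk later in this diff (`allow $1 admindomain:process dyntransition`) and requires `attribute admindomain`, which nothing in view declares — confirm it exists in userdomain.te. The sshd_t local policy block begins and ends outside the hunk.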
@@ -128237,7 +128414,7 @@ index 2dad3c8..322c050 100644 ') optional_policy(` -@@ -363,3 +411,76 @@ optional_policy(` +@@ -363,3 +412,76 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -128808,8 +128985,17 @@ index f40e67b..8d1e658 100644 +optional_policy(` + remotelogin_domtrans(telnetd_t) +') +diff --git a/policy/modules/services/tftp.fc b/policy/modules/services/tftp.fc +index 25eee43..621f343 100644 +--- a/policy/modules/services/tftp.fc ++++ b/policy/modules/services/tftp.fc +@@ -1,3 +1,4 @@ ++/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0) + + /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) + /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if -index 38bb312..0fee098 100644 +index 38bb312..4b691ac 100644 --- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if @@ -13,9 +13,33 @@ @@ -128846,10 +129032,47 @@ index 38bb312..0fee098 100644 ') ######################################## -@@ -40,6 +64,36 @@ interface(`tftp_manage_rw_content',` +@@ -40,6 +64,91 @@ interface(`tftp_manage_rw_content',` ######################################## ## ++## Read tftp config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tftp_read_config',` ++ gen_require(` ++ type tftpd_etc_t; ++ ') ++ ++ read_files_pattern($1, tftpd_etc_t, tftpd_etc_t) ++') ++ ++######################################## ++## ++## Manage tftp config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tftp_manage_config',` ++ gen_require(` ++ type tftpd_etc_t; ++ ') ++ ++ manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t) ++ files_etc_filetrans($1, tftpd_etc_t, file, "tftp") ++') ++ ++######################################## ++## +## Create objects in tftpdir directories +## with specified types. +## 
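Review bot: `++/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0)` relabels a service definition under /etc/xinetd.d, so xinetd itself must be allowed to read tftpd_etc_t or that file becomes unreadable to it after restorecon; the same patch adds a `tftp_read_config` interface in the tftp.if hunk that follows, but no visible hunk calls it from xinetd.te. Unless that wiring exists elsewhere in the patch, add `optional_policy(` / `tftp_read_config(xinetd_t)` / `')` to xinetd.te alongside this labeling change, and note the dependency in a comment next to the fc line. The fc file is shown in full by its hunk; the xinetd policy is outside this view.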
@@ -128880,10 +129103,28 @@ index 38bb312..0fee098 100644 + +######################################## +## ++## Transition to tftp named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tftp_filetrans_named_content',` ++ gen_require(` ++ type tftpd_etc_t; ++ ') ++ ++ files_etc_filetrans($1, tftpd_etc_t, file, "tftp") ++') ++ ++######################################## ++## ## All of the rules required to administrate ## an tftp environment ## -@@ -55,9 +109,13 @@ interface(`tftp_admin',` +@@ -55,13 +164,19 @@ interface(`tftp_admin',` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; ') @@ -128898,8 +129139,14 @@ index 38bb312..0fee098 100644 admin_pattern($1, tftpdir_rw_t) admin_pattern($1, tftpdir_t) + + files_list_pids($1) + admin_pattern($1, tftpd_var_run_t) ++ ++ tftp_manage_config($1) + ') diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te -index d50c10d..97ce79e 100644 +index d50c10d..e0c6d19 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te @@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0) @@ -128917,7 +129164,16 @@ index d50c10d..97ce79e 100644 ## gen_tunable(tftp_anon_write, false) -@@ -32,15 +32,15 @@ files_type(tftpdir_rw_t) +@@ -26,21 +26,26 @@ files_type(tftpdir_t) + type tftpdir_rw_t; + files_type(tftpdir_rw_t) + ++type tftpd_etc_t; ++files_config_file(tftpd_etc_t) ++ + ######################################## + # + # Local policy # allow tftpd_t self:capability { setgid setuid sys_chroot }; 
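Review bot: `files_etc_filetrans($1, tftpd_etc_t, file, "tftp")` in the new `tftp_filetrans_named_content` (and, duplicated, in `tftp_manage_config` in the preceding tftp.if hunk) only fires for a file named `tftp` created directly in an etc_t directory, i.e. /etc/tftp, while the sole path labeled tftpd_etc_t in tftp.fc is /etc/xinetd\.d/tftp; if /etc/xinetd.d carries xinetd's own config type, as refpolicy's xinetd.fc gives it, the transition never applies there and a freshly written /etc/xinetd.d/tftp stays mislabeled until restorecon. Either target the xinetd config directory type, if an interface exposes it, or state the intended location in the summary, e.g. `## Transition to tftp named content created directly under /etc (/etc/tftp).`. The two interfaces emitting the identical rule should also be collapsed by having `tftp_manage_config` call `tftp_filetrans_named_content($1)` instead of repeating it.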
@@ -128932,10 +129188,12 @@ index d50c10d..97ce79e 100644 allow tftpd_t tftpdir_t:file read_file_perms; -allow tftpd_t tftpdir_t:lnk_file { getattr read }; +allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; ++ ++read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t) manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -@@ -94,6 +94,10 @@ tunable_policy(`tftp_anon_write',` +@@ -94,6 +99,10 @@ tunable_policy(`tftp_anon_write',` ') optional_policy(` @@ -130765,7 +131023,7 @@ index 7c5d8d8..c542fe7 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..b1d885a 100644 +index 3eca020..9ad0913 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0) @@ -131345,7 +131603,7 @@ index 3eca020..b1d885a 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +650,412 @@ files_search_all(virt_domain) +@@ -440,25 +650,409 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -131691,9 +131949,6 @@ index 3eca020..b1d885a 100644 +corenet_tcp_connect_all_ports(svirt_lxc_net_t) +kernel_read_network_state(svirt_lxc_net_t) + -+domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t) -+domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t) -+corecmd_shell_domtrans(virtd_lxc_t, svirt_lxc_net_t) +fs_noxattr_type(svirt_lxc_file_t) +term_pty(svirt_lxc_file_t) + @@ -139822,7 +140077,7 @@ index ddbd8be..fad18e0 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 560dc48..989999b 100644 +index 560dc48..e644b1e 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc 
@@ -28,26 +28,24 @@ ifdef(`distro_redhat',` @@ -140143,7 +140398,7 @@ index 560dc48..989999b 100644 ') dnl end distro_redhat # -@@ -312,17 +313,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -312,17 +313,157 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -140170,6 +140425,7 @@ index 560dc48..989999b 100644 +/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/var/spool/postfix/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) -/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) +/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -145539,10 +145795,10 @@ index 0000000..a7e3666 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..609e0e1 +index 0000000..b8f7f45 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,411 @@ +@@ -0,0 +1,412 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -145761,7 +146017,7 @@ index 0000000..609e0e1 +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid }; ++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; @@ -145772,6 +146028,7 @@ index 0000000..609e0e1 +dev_relabel_all_sysfs(systemd_tmpfiles_t) +dev_relabel_cpu_online(systemd_tmpfiles_t) +dev_read_cpu_online(systemd_tmpfiles_t) ++dev_manage_printer(systemd_tmpfiles_t) + +domain_obj_id_change_exemption(systemd_tmpfiles_t) + 
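Review bot: `mknod` joins systemd_tmpfiles_t's capability set (`{ chown dac_override fsetid fowner mknod }`) with no comment, and the companion `++dev_manage_printer(systemd_tmpfiles_t)` in the next hunk is the only in-policy clue; the changelog entry "Allow systemd_tmpfiles to manage printer devices" confirms the intent. Since CAP_MKNOD lets the domain create device nodes wherever its class rules permit, tie the two together so a later reader does not widen it further by accident, e.g. `# mknod: presumably for tmpfiles.d device-node entries; paired with dev_manage_printer below — confirm`. The systemd_tmpfiles_t local policy block begins and ends outside the hunk.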
@@ -145880,7 +146137,7 @@ index 0000000..609e0e1 +# +# systemd_notify local policy +# -+allow systemd_notify_t self:capability { chown }; ++allow systemd_notify_t self:capability chown; +allow systemd_notify_t self:process { fork setfscreate setsockcreate }; + +allow systemd_notify_t self:fifo_file rw_fifo_file_perms; @@ -145955,7 +146212,7 @@ index 0000000..609e0e1 + +miscfiles_read_localization(systemctl_domain) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index 0291685..741f594 100644 +index 0291685..2c9eba5 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -1,6 +1,8 @@ @@ -145978,11 +146235,13 @@ index 0291685..741f594 100644 /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -@@ -20,5 +23,19 @@ +@@ -20,5 +23,21 @@ /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) -+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) ++ ++/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + +/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) @@ -147237,7 +147496,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..2361c4e 100644 +index 4b2878a..3b7131a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -149234,7 +149493,7 @@ index 4b2878a..2361c4e 100644 ## ## ## -@@ -2580,96 +3221,141 @@ interface(`userdom_use_user_ttys',` +@@ -2580,83 +3221,151 @@ interface(`userdom_use_user_ttys',` ## ## # 
@@ -149344,15 +149603,10 @@ index 4b2878a..2361c4e 100644 +## +# +interface(`userdom_use_inherited_user_terminals',` - gen_require(` -- attribute userdomain; ++ gen_require(` + type user_tty_device_t, user_devpts_t; - ') - -- corecmd_shell_spec_domtrans($1, userdomain) -- allow userdomain $1:fd use; -- allow userdomain $1:fifo_file rw_file_perms; -- allow userdomain $1:process sigchld; ++ ') ++ + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') @@ -149375,11 +149629,10 @@ index 4b2878a..2361c4e 100644 + + allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; - ') - - ######################################## - ## --## Execute an Xserver session in all unprivileged user domains. This ++') ++ ++######################################## ++## +## Do not audit attempts to read and write +## a user domain tty and pty. +## @@ -149420,83 +149673,61 @@ index 4b2878a..2361c4e 100644 +######################################## +## +## Execute a shell in all user domains. This - ## is an explicit transition, requiring the - ## caller to use setexeccon(). - ## -@@ -2679,12 +3365,12 @@ interface(`userdom_spec_domtrans_all_users',` - ## - ## - # --interface(`userdom_xsession_spec_domtrans_all_users',` ++## is an explicit transition, requiring the ++## caller to use setexeccon(). ++##
++## ++## ++## Domain allowed to transition. ++## ++## ++# +interface(`userdom_spec_domtrans_all_users',` gen_require(` attribute userdomain; ') - -- xserver_xsession_spec_domtrans($1, userdomain) -+ corecmd_shell_spec_domtrans($1, userdomain) - allow userdomain $1:fd use; - allow userdomain $1:fifo_file rw_file_perms; - allow userdomain $1:process sigchld; -@@ -2692,7 +3378,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',` - - ######################################## - ## --## Execute a shell in all unprivileged user domains. This -+## Execute an Xserver session in all unprivileged user domains. This - ## is an explicit transition, requiring the - ## caller to use setexeccon(). - ## -@@ -2702,20 +3388,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',` - ## - ## - # --interface(`userdom_spec_domtrans_unpriv_users',` -+interface(`userdom_xsession_spec_domtrans_all_users',` - gen_require(` -- attribute unpriv_userdomain; -+ attribute userdomain; - ') - -- corecmd_shell_spec_domtrans($1, unpriv_userdomain) -- allow unpriv_userdomain $1:fd use; -- allow unpriv_userdomain $1:fifo_file rw_file_perms; -- allow unpriv_userdomain $1:process sigchld; -+ xserver_xsession_spec_domtrans($1, userdomain) -+ allow userdomain $1:fd use; -+ allow userdomain $1:fifo_file rw_file_perms; -+ allow userdomain $1:process sigchld; +@@ -2713,69 +3422,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` + allow unpriv_userdomain $1:process sigchld; ') - ######################################## +-######################################## ++##################################### ## -## Execute an Xserver session in all unprivileged user domains. This -+## Execute a shell in all unprivileged user domains. This - ## is an explicit transition, requiring the - ## caller to use setexeccon(). +-## is an explicit transition, requiring the +-## caller to use setexeccon(). ++## Allow domain dyntrans to unpriv userdomain. 
## -@@ -2725,57 +3411,61 @@ interface(`userdom_spec_domtrans_unpriv_users',` - ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed access. ++## ## # -interface(`userdom_xsession_spec_domtrans_unpriv_users',` -+interface(`userdom_spec_domtrans_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') +- gen_require(` +- attribute unpriv_userdomain; +- ') ++interface(`userdom_dyntransition_unpriv_users',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') - xserver_xsession_spec_domtrans($1, unpriv_userdomain) -+ corecmd_shell_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; +- allow unpriv_userdomain $1:fd use; +- allow unpriv_userdomain $1:fifo_file rw_file_perms; +- allow unpriv_userdomain $1:process sigchld; ++ allow $1 unpriv_userdomain:process dyntransition; ') -####################################### -+##################################### ++#################################### ## -## Read and write unpriviledged user SysV sempaphores. -+## Allow domain dyntrans to unpriv userdomain. ++## Allow domain dyntrans to admin userdomain. ## ## -## @@ -149511,13 +149742,13 @@ index 4b2878a..2361c4e 100644 - gen_require(` - attribute unpriv_userdomain; - ') -+interface(`userdom_dyntransition_unpriv_users',` ++interface(`userdom_dyntransition_admin_users',` + gen_require(` -+ attribute unpriv_userdomain; ++ attribute admindomain; + ') - allow $1 unpriv_userdomain:sem rw_sem_perms; -+ allow $1 unpriv_userdomain:process dyntransition; ++ allow $1 admindomain:process dyntransition; ') ######################################## @@ -149556,7 +149787,7 @@ index 4b2878a..2361c4e 100644 ## ## ## -@@ -2783,12 +3473,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2783,12 +3491,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -149571,7 +149802,7 @@ index 4b2878a..2361c4e 100644 ') ######################################## -@@ -2852,7 +3542,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3560,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -149580,7 +149811,7 @@ index 4b2878a..2361c4e 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3558,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3576,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -149614,7 +149845,7 @@ index 4b2878a..2361c4e 100644 ') ######################################## -@@ -2972,7 +3646,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3664,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -149623,7 +149854,7 @@ index 4b2878a..2361c4e 100644 ') ######################################## -@@ -3027,7 +3701,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3719,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -149670,7 +149901,7 @@ index 4b2878a..2361c4e 100644 ') ######################################## -@@ -3045,7 +3757,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3775,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -149679,7 +149910,7 @@ index 4b2878a..2361c4e 100644 ') ######################################## -@@ -3064,6 +3776,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3794,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -149687,7 +149918,7 @@ index 4b2878a..2361c4e 100644 kernel_search_proc($1) ') -@@ -3140,6 +3853,42 @@ interface(`userdom_signal_all_users',` +@@ -3140,6 +3871,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -149730,7 +149961,7 @@ index 4b2878a..2361c4e 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3160,6 +3909,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3927,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -149755,7 +149986,7 @@ index 4b2878a..2361c4e 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3961,1291 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3979,1291 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 67c134f..3b704d0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 116%{?dist} +Release: 117%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -490,6 +490,23 @@ SELinux Reference policy mls base module. %endif %changelog +* Sun Apr 22 2012 Miroslav Grepl 3.10.0-117 +- Add policy for abrt-watch-log +- Add definitions for jboss_messaging ports +- Allow systemd_tmpfiles to manage printer devices +- Allow oddjob to use nsswitch +- Fix labeling of log files for postgresql +- Allow mozilla_plugin_t to execmem and execstack by default +- Allow firewalld to execute shell +- Fix /etc/wicd content files to get created with the correct label +- Allow mcelog to exec shell +- Add ~/.orc as a gstreamer_home_t +- /var/spool/postfix/lib64 should be labeled lib_t +- mpreaper should be able to list all file system labeled directories +- Add support for apache to use openstack +- Add labeling for /etc/zipl.conf and zipl binary +- Turn on allow_execstack and turn off telepathy transition for final release + * Mon Apr 15 2012 Miroslav Grepl 3.10.0-116 - More access required for virt_qmf_t - Additional assess required for systemd-logind to support multi-seat