diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 2d9fea1..dbb46b8 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 0b207de..1a409ea 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -17855,7 +17855,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..99002ca 100644 +index 8416beb..531dfef 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18007,7 +18007,33 @@ index 8416beb..99002ca 100644 dev_search_sysfs($1) ') -@@ -920,6 +990,24 @@ interface(`fs_getattr_cifs',` +@@ -826,6 +896,25 @@ interface(`fs_mounton_cgroup', ` + + ######################################## + ## ++## Read and write ceph files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_cephfs_files',` ++ gen_require(` ++ type cephfs_t; ++ ++ ') ++ ++ rw_files_pattern($1, cephfs_t, cephfs_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to read + ## dirs on a CIFS or SMB filesystem. + ## +@@ -920,6 +1009,24 @@ interface(`fs_getattr_cifs',` ######################################## ## @@ -18032,7 +18058,7 @@ index 8416beb..99002ca 100644 ## Search directories on a CIFS or SMB filesystem. ## ## -@@ -1107,6 +1195,24 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1107,6 +1214,24 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## @@ -18057,7 +18083,7 @@ index 8416beb..99002ca 100644 ## Do not audit attempts to read all ## noxattrfs files. ## -@@ -1245,7 +1351,7 @@ interface(`fs_append_cifs_files',` +@@ -1245,7 +1370,7 @@ interface(`fs_append_cifs_files',` ######################################## ## 
@@ -18066,7 +18092,7 @@ index 8416beb..99002ca 100644 ## on a CIFS filesystem. ## ## -@@ -1265,6 +1371,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1265,6 +1390,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -18109,7 +18135,7 @@ index 8416beb..99002ca 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1279,7 +1421,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1279,7 +1440,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -18118,7 +18144,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -1542,6 +1684,63 @@ interface(`fs_cifs_domtrans',` +@@ -1542,6 +1703,63 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -18182,7 +18208,7 @@ index 8416beb..99002ca 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1582,6 +1781,24 @@ interface(`fs_manage_configfs_files',` +@@ -1582,6 +1800,24 @@ interface(`fs_manage_configfs_files',` ######################################## ## @@ -18207,7 +18233,7 @@ index 8416beb..99002ca 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -1793,63 +2010,70 @@ interface(`fs_read_eventpollfs',` +@@ -1793,63 +2029,70 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -18303,7 +18329,7 @@ index 8416beb..99002ca 100644 ## on a FUSEFS filesystem. ## ## -@@ -1859,18 +2083,19 @@ interface(`fs_mounton_fusefs',` +@@ -1859,18 +2102,19 @@ interface(`fs_mounton_fusefs',` ## ## # @@ -18328,7 +18354,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -1878,135 +2103,740 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2122,740 @@ interface(`fs_search_fusefs',` ## ## # 
@@ -18425,6 +18451,15 @@ index 8416beb..99002ca 100644 +## Execute a file on a FUSE filesystem +## in the specified domain. ## +-## +-## +-## Domain allowed access. +-## +-## +-## +-# +-interface(`fs_exec_fusefs_files',` +- gen_require(` +## +##

+## Execute a file on a FUSE filesystem @@ -18444,17 +18479,11 @@ index 8416beb..99002ca 100644 +## in particular used by the ssh-agent policy. +##

+##
- ## - ## --## Domain allowed access. ++## ++## +## Domain allowed to transition. - ## - ## --## --# --interface(`fs_exec_fusefs_files',` -- gen_require(` -- type fusefs_t; ++## ++## +## +## +## The type of the new process. @@ -18813,9 +18842,10 @@ index 8416beb..99002ca 100644 +# +interface(`fs_getattr_fusefs',` + gen_require(` -+ type fusefs_t; -+ ') -+ + type fusefs_t; + ') + +- exec_files_pattern($1, fusefs_t, fusefs_t) + allow $1 fusefs_t:filesystem getattr; +') + @@ -19049,9 +19079,8 @@ index 8416beb..99002ca 100644 +interface(`fs_hugetlbfs_filetrans',` + gen_require(` + type hugetlbfs_t; - ') - -- exec_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ') @@ -19116,7 +19145,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2014,37 +2844,38 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,37 +2863,38 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # @@ -19165,7 +19194,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2052,17 +2883,19 @@ interface(`fs_getattr_hugetlbfs',` +@@ -2052,17 +2902,19 @@ interface(`fs_getattr_hugetlbfs',` ## ## # @@ -19189,7 +19218,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2070,17 +2903,20 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +2922,20 @@ interface(`fs_list_hugetlbfs',` ## ## # @@ -19214,7 +19243,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2088,35 +2924,35 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,35 +2943,35 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # @@ -19260,7 +19289,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2124,17 +2960,17 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,17 +2979,17 @@ interface(`fs_associate_hugetlbfs',` ## ## # @@ -19282,7 +19311,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2142,71 +2978,136 @@ interface(`fs_search_inotifyfs',` +@@ -2142,71 +2997,136 @@ interface(`fs_search_inotifyfs',` ## ## # 
@@ -19442,7 +19471,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2214,19 +3115,21 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3134,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # @@ -19470,7 +19499,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2234,18 +3137,19 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3156,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # @@ -19495,7 +19524,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2253,38 +3157,41 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3176,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # @@ -19549,7 +19578,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2292,19 +3199,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3218,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -19577,7 +19606,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2312,16 +3221,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3240,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -19598,7 +19627,7 @@ index 8416beb..99002ca 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2356,44 +3264,62 @@ interface(`fs_remount_nfs',` +@@ -2356,44 +3283,62 @@ interface(`fs_remount_nfs',` type nfs_t; ') @@ -19669,7 +19698,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -2485,6 +3411,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -19677,7 +19706,7 @@ index 8416beb..99002ca 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3450,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -19685,7 +19714,7 @@ index 8416beb..99002ca 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3477,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## 
@@ -19730,7 +19759,7 @@ index 8416beb..99002ca 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3535,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -19739,7 +19768,7 @@ index 8416beb..99002ca 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3555,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -19782,7 +19811,7 @@ index 8416beb..99002ca 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3605,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -19791,7 +19820,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -2627,7 +3629,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3648,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -19800,7 +19829,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2719,6 +3721,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3740,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -19866,7 +19895,7 @@ index 8416beb..99002ca 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3802,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3821,7 @@ interface(`fs_search_removable',` ## ## ## @@ -19875,7 +19904,7 @@ index 8416beb..99002ca 100644 ## ## # -@@ -2777,7 +3838,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3857,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -19884,7 +19913,7 @@ index 8416beb..99002ca 100644 ## ## # -@@ -2970,6 +4031,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4050,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') 
@@ -19892,7 +19921,7 @@ index 8416beb..99002ca 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4072,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4091,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -19900,7 +19929,7 @@ index 8416beb..99002ca 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4113,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4132,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -19908,7 +19937,7 @@ index 8416beb..99002ca 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4201,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4220,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -19933,7 +19962,7 @@ index 8416beb..99002ca 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,7 +4345,25 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,7 +4364,25 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -19960,7 +19989,7 @@ index 8416beb..99002ca 100644 ## ## Read and write NFS server files. ## -@@ -3283,6 +4383,59 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +4402,59 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -20020,7 +20049,7 @@ index 8416beb..99002ca 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +4545,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4564,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20029,7 +20058,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3429,7 +4582,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4601,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20038,7 +20067,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3447,7 +4600,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4619,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## 
@@ -20047,7 +20076,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3779,6 +4932,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +4951,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20072,7 +20101,7 @@ index 8416beb..99002ca 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +4986,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5005,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20097,7 +20126,7 @@ index 8416beb..99002ca 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3839,39 +5028,76 @@ interface(`fs_getattr_tmpfs',` +@@ -3839,39 +5047,76 @@ interface(`fs_getattr_tmpfs',` ## ## ## @@ -20183,7 +20212,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3879,36 +5105,35 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3879,36 +5124,35 @@ interface(`fs_relabelfrom_tmpfs',` ## ## # @@ -20227,7 +20256,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3916,35 +5141,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,35 +5160,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20271,7 +20300,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3952,17 +5178,17 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5197,17 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20292,7 +20321,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3970,31 +5196,30 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5215,30 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20330,7 +20359,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -4105,7 +5330,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +5349,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -20339,7 +20368,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -4165,6 +5390,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +5409,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## 
@@ -20364,7 +20393,7 @@ index 8416beb..99002ca 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5445,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5464,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -20373,7 +20402,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -4221,6 +5464,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5483,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -20434,7 +20463,7 @@ index 8416beb..99002ca 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5575,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5594,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -20479,7 +20508,7 @@ index 8416beb..99002ca 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5632,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5651,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -20505,7 +20534,7 @@ index 8416beb..99002ca 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4407,6 +5761,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5780,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20531,7 +20560,7 @@ index 8416beb..99002ca 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5876,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5895,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -20540,7 +20569,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -4549,7 +5924,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5943,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -20549,7 +20578,7 @@ index 8416beb..99002ca 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5971,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5990,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -20576,7 +20605,7 @@ index 8416beb..99002ca 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6066,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6085,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -20602,7 +20631,7 @@ index 8416beb..99002ca 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6326,63 @@ interface(`fs_unconfined',` +@@ -4912,3 +6345,63 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -20667,7 +20696,7 @@ index 8416beb..99002ca 100644 + read_files_pattern($1, efivarfs_t, efivarfs_t) +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..7e37941 100644 +index e7d1738..fc52817 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -20698,7 +20727,7 @@ index e7d1738..7e37941 100644 type bdev_t; fs_type(bdev_t) -@@ -63,16 +69,23 @@ fs_type(binfmt_misc_fs_t) +@@ -63,16 +69,28 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) @@ -20714,6 +20743,11 @@ index e7d1738..7e37941 100644 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) -type cgroup_t; ++type cephfs_t; ++fs_type(cephfs_t) ++files_mountpoint(cephfs_t) ++genfscon ceph / gen_context(system_u:object_r:cephfs_t,s0) ++ +type cgroup_t alias cgroupfs_t; fs_type(cgroup_t) files_mountpoint(cgroup_t) 
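Review bot: `cephfs_t` is declared with `fs_type` only, whereas the other filesystems labelled through `genfscon` in this file (ecryptfs_t, mvfs_t, vxfs_t, removable_t) also carry `fs_noxattr_type`, which places them in the noxattrfs attribute that domains are granted blanket access to; unless CephFS mounts are expected to carry persistent SELinux xattr labels, `fs_noxattr_type(cephfs_t)` is the consistent declaration — confirm against the kernel ceph client's xattr support before deciding. Because `genfscon ceph /` labels every inode on the mount cephfs_t, the new `fs_rw_cephfs_files` interface added earlier in this patch hands a caller write access to the whole share, which is expected for a genfscon filesystem but worth stating in that interface's summary. The type declaration block is complete within this hunk; the interface it pairs with is in a separate hunk of the same patch.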
@@ -20723,7 +20757,7 @@ index e7d1738..7e37941 100644 type configfs_t; fs_type(configfs_t) -@@ -88,6 +101,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -88,6 +106,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -20735,7 +20769,7 @@ index e7d1738..7e37941 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -96,6 +114,7 @@ type hugetlbfs_t; +@@ -96,6 +119,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -20743,7 +20777,7 @@ index e7d1738..7e37941 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -111,6 +130,12 @@ type inotifyfs_t; +@@ -111,6 +135,12 @@ type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) @@ -20756,7 +20790,7 @@ index e7d1738..7e37941 100644 type mvfs_t; fs_noxattr_type(mvfs_t) allow mvfs_t self:filesystem associate; -@@ -118,13 +143,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -118,13 +148,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -20776,7 +20810,7 @@ index e7d1738..7e37941 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,17 +180,16 @@ fs_type(spufs_t) +@@ -150,17 +185,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -20798,7 +20832,7 @@ index e7d1738..7e37941 100644 type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -172,6 +201,8 @@ type vxfs_t; +@@ -172,6 +206,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) 
@@ -20807,7 +20841,7 @@ index e7d1738..7e37941 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +213,8 @@ fs_type(tmpfs_t) +@@ -182,6 +218,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -20816,7 +20850,7 @@ index e7d1738..7e37941 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +294,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +299,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -20825,7 +20859,7 @@ index e7d1738..7e37941 100644 files_mountpoint(removable_t) # -@@ -280,6 +315,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +320,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -20833,7 +20867,7 @@ index e7d1738..7e37941 100644 ######################################## # -@@ -301,9 +337,10 @@ fs_associate_noxattr(noxattrfs) +@@ -301,9 +342,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # @@ -36631,7 +36665,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..b7bc1a9 100644 +index 17eda24..61dae33 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -36916,17 +36950,17 @@ index 17eda24..b7bc1a9 100644 +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_transition_login_userdomain(init_t) +userdom_noatsecure_login_userdomain(init_t) +userdom_sigchld_login_userdomain(init_t) -+ + +-miscfiles_read_localization(init_t) +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +323,252 @@ ifdef(`distro_gentoo',` +@@ -186,29 +323,256 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -36980,17 +37014,20 @@ index 17eda24..b7bc1a9 100644 +') + +optional_policy(` ++ ipa_delete_tmp(init_t) ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) + iscsi_manage_lock(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_config(init_t) @@ -37147,13 +37184,14 @@ index 17eda24..b7bc1a9 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + consolekit_manage_log(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) 
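Review bot: The new `ipa_delete_tmp(init_t)` block grants the init domain itself the right to remove IPA's temporary files without a comment saying which unit or cleanup step provokes it, so a later reader cannot tell whether the grant is still needed; the dovecot block further down this file (`# /var/run/dovecot/login/ssl-parameters.dat is a hard link ...`) shows the style expected for such service-specific carve-outs. A one-line comment above the call naming the trigger, e.g. `# <unit name, placeholder> removes IPA tmp files at stop`, would keep it reviewable. The rest of this hunk appears to re-mark existing optional_policy blocks as added lines because the inner patch was regenerated, so the substantive change is only this block.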
@@ -37161,18 +37199,18 @@ index 17eda24..b7bc1a9 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) +') @@ -37188,7 +37226,7 @@ index 17eda24..b7bc1a9 100644 ') optional_policy(` -@@ -216,7 +576,30 @@ optional_policy(` +@@ -216,7 +580,30 @@ optional_policy(` ') optional_policy(` @@ -37220,7 +37258,7 @@ index 17eda24..b7bc1a9 100644 ') ######################################## -@@ -225,9 +608,9 @@ optional_policy(` +@@ -225,9 +612,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37232,7 +37270,7 @@ index 17eda24..b7bc1a9 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +641,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +645,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37249,7 +37287,7 @@ index 17eda24..b7bc1a9 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +666,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +670,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -37292,7 +37330,7 @@ index 17eda24..b7bc1a9 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +703,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +707,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37304,7 +37342,7 @@ index 17eda24..b7bc1a9 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +715,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +719,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37315,7 +37353,7 @@ index 17eda24..b7bc1a9 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +726,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +730,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37325,7 +37363,7 @@ index 17eda24..b7bc1a9 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +735,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +739,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37333,7 +37371,7 @@ index 17eda24..b7bc1a9 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +742,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +746,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -37341,7 +37379,7 @@ index 17eda24..b7bc1a9 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +750,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +754,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37359,7 +37397,7 @@ index 17eda24..b7bc1a9 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +768,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +772,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37373,7 +37411,7 @@ index 17eda24..b7bc1a9 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +783,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +787,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37387,7 +37425,7 @@ index 17eda24..b7bc1a9 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +796,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +800,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37398,7 +37436,7 @@ index 17eda24..b7bc1a9 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +809,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +813,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -37406,7 +37444,7 @@ index 17eda24..b7bc1a9 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +828,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +832,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37430,7 +37468,7 @@ index 17eda24..b7bc1a9 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +861,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +865,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37438,7 +37476,7 @@ index 17eda24..b7bc1a9 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +895,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +899,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37449,7 +37487,7 @@ index 17eda24..b7bc1a9 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +919,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +923,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37458,7 +37496,7 @@ index 17eda24..b7bc1a9 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +934,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +938,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37466,7 +37504,7 @@ index 17eda24..b7bc1a9 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +955,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +959,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -37474,7 +37512,7 @@ index 17eda24..b7bc1a9 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +965,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +969,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37519,7 +37557,7 @@ index 17eda24..b7bc1a9 100644 ') optional_policy(` -@@ -559,14 +1010,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1014,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37551,7 +37589,7 @@ index 17eda24..b7bc1a9 100644 ') ') -@@ -577,6 +1045,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1049,39 @@ ifdef(`distro_suse',` ') ') @@ -37591,7 +37629,7 @@ index 17eda24..b7bc1a9 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1090,8 @@ optional_policy(` +@@ -589,6 +1094,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37600,7 +37638,7 @@ index 17eda24..b7bc1a9 100644 ') optional_policy(` -@@ -610,6 +1113,7 @@ optional_policy(` +@@ -610,6 +1117,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37608,7 +37646,7 @@ index 17eda24..b7bc1a9 100644 ') optional_policy(` -@@ -626,6 +1130,17 @@ optional_policy(` +@@ -626,6 +1134,17 @@ optional_policy(` ') optional_policy(` @@ -37626,7 +37664,7 @@ index 17eda24..b7bc1a9 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1157,13 @@ optional_policy(` +@@ -642,9 +1161,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37640,7 +37678,7 @@ index 17eda24..b7bc1a9 100644 ') optional_policy(` -@@ -657,15 +1176,11 @@ optional_policy(` +@@ -657,15 +1180,11 @@ optional_policy(` ') optional_policy(` @@ -37658,7 +37696,7 @@ index 17eda24..b7bc1a9 100644 ') optional_policy(` -@@ -686,6 +1201,15 @@ optional_policy(` +@@ -686,6 +1205,15 @@ optional_policy(` ') optional_policy(` 
@@ -37674,7 +37712,7 @@ index 17eda24..b7bc1a9 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1250,7 @@ optional_policy(` +@@ -726,6 +1254,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37682,7 +37720,7 @@ index 17eda24..b7bc1a9 100644 ') optional_policy(` -@@ -743,7 +1268,13 @@ optional_policy(` +@@ -743,7 +1272,13 @@ optional_policy(` ') optional_policy(` @@ -37697,7 +37735,7 @@ index 17eda24..b7bc1a9 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1297,10 @@ optional_policy(` +@@ -766,6 +1301,10 @@ optional_policy(` ') optional_policy(` @@ -37708,7 +37746,7 @@ index 17eda24..b7bc1a9 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1310,20 @@ optional_policy(` +@@ -775,10 +1314,20 @@ optional_policy(` ') optional_policy(` @@ -37729,7 +37767,7 @@ index 17eda24..b7bc1a9 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1332,10 @@ optional_policy(` +@@ -787,6 +1336,10 @@ optional_policy(` ') optional_policy(` @@ -37740,7 +37778,7 @@ index 17eda24..b7bc1a9 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1357,6 @@ optional_policy(` +@@ -808,8 +1361,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37749,7 +37787,7 @@ index 17eda24..b7bc1a9 100644 ') optional_policy(` -@@ -818,6 +1365,10 @@ optional_policy(` +@@ -818,6 +1369,10 @@ optional_policy(` ') optional_policy(` @@ -37760,7 +37798,7 @@ index 17eda24..b7bc1a9 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1378,12 @@ optional_policy(` +@@ -827,10 +1382,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37773,7 +37811,7 @@ index 17eda24..b7bc1a9 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1410,60 @@ optional_policy(` +@@ -857,21 +1414,60 @@ optional_policy(` ') optional_policy(` 
@@ -37835,7 +37873,7 @@ index 17eda24..b7bc1a9 100644 ') optional_policy(` -@@ -887,6 +1479,10 @@ optional_policy(` +@@ -887,6 +1483,10 @@ optional_policy(` ') optional_policy(` @@ -37846,7 +37884,7 @@ index 17eda24..b7bc1a9 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1493,218 @@ optional_policy(` +@@ -897,3 +1497,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48095,10 +48133,10 @@ index 0000000..ebd6cc8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f799c5b +index 0000000..0be65c0 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,929 @@ +@@ -0,0 +1,930 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48771,6 +48809,7 @@ index 0000000..f799c5b + +kernel_dgram_send(systemd_hostnamed_t) +kernel_read_xen_state(systemd_hostnamed_t) ++kernel_read_sysctl(systemd_hostnamed_t) + +dev_write_kmsg(systemd_hostnamed_t) +dev_read_sysfs(systemd_hostnamed_t) diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index 37ccaec..ea4e912 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -12236,7 +12236,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..943af3b 100644 +index 550b287..ea704c2 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -12273,7 +12273,7 @@ index 550b287..943af3b 100644 corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t) -@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) +@@ -49,17 +55,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) 
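Review bot: The new `kernel_read_sysctl(systemd_hostnamed_t)` rule carries no comment, so the reason it sits beside `kernel_read_xen_state` is only recoverable from the %changelog entry; add `# hostnamed reads /proc/sysinfo, which is labeled sysctl_t` above it so the next reader does not widen or drop it blindly. The systemd_hostnamed_t block continues outside the hunk.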
@@ -12297,10 +12297,11 @@ index 550b287..943af3b 100644 -files_read_usr_files(certmonger_t) files_list_tmp(certmonger_t) +files_list_home(certmonger_t) ++files_dontaudit_write_etc_runtime_files(certmonger_t) fs_search_cgroup_dirs(certmonger_t) -@@ -68,18 +82,21 @@ auth_rw_cache(certmonger_t) +@@ -68,18 +83,21 @@ auth_rw_cache(certmonger_t) init_getattr_all_script_files(certmonger_t) @@ -12325,7 +12326,7 @@ index 550b287..943af3b 100644 ') optional_policy(` -@@ -92,11 +109,58 @@ optional_policy(` +@@ -92,11 +110,58 @@ optional_policy(` ') optional_policy(` @@ -25086,10 +25087,10 @@ index 0000000..b214253 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..73d1b46 +index 0000000..aa290b1 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,196 @@ +@@ -0,0 +1,200 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25243,6 +25244,10 @@ index 0000000..73d1b46 + uuidd_stream_connect_manager(dirsrv_t) +') + ++optional_policy(` ++ systemd_manage_passwd_run(dirsrv_t) ++') ++ +######################################## +# +# dirsrv-snmp local policy @@ -29623,7 +29628,7 @@ index 4498143..84a4858 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..2812a63 100644 +index 36838c2..0a8b621 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -29669,10 +29674,12 @@ index 36838c2..2812a63 100644 ## ##
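Review bot: `files_dontaudit_write_etc_runtime_files(certmonger_t)` silences a write denial on etc_runtime_t without saying what certmonger is trying to write, and a dontaudit hides that denial from audit permanently. A comment naming the file or operation, e.g. `# certmonger tries to write <etc_runtime file> at <when>; harmless, silence the noise`, would let a later reviewer decide whether this should become an allow or a fix in certmonger instead. The certmonger_t block continues outside the hunk.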
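Review bot: The new `optional_policy` block calling `systemd_manage_passwd_run(dirsrv_t)` appears to grant full manage permissions on systemd's ask-password runtime objects, which looks broader than what a client that only asks for a password needs; if a narrower ask-password client interface exists it would fit better, and if not the breadth deserves a comment. Either way add `# 389-ds-base uses systemd-ask-password to obtain its password at startup` above the call so the grant is tied to the behaviour named in the %changelog. The dirsrv_t block continues outside the hunk.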

    -@@ -66,14 +73,6 @@ gen_tunable(ftpd_connect_all_unreserved, false) +@@ -64,49 +71,6 @@ gen_tunable(ftpd_use_passive_mode, false) + ## + gen_tunable(ftpd_connect_all_unreserved, false) - ## - ##

    +-## +-##

    -## Determine whether ftpd can read and write -## files in user home directories. -##

    @@ -29681,10 +29688,43 @@ index 36838c2..2812a63 100644 - -## -##

    - ## Determine whether sftpd can modify - ## public files used for public file - ## transfer services. Directories/Files must -@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t) +-## Determine whether sftpd can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    +-##
    +-gen_tunable(sftpd_anon_write, false) +- +-## +-##

    +-## Determine whether sftpd-can read and write +-## files in user home directories. +-##

    +-##
    +-gen_tunable(sftpd_enable_homedirs, false) +- +-## +-##

    +-## Determine whether sftpd-can login to +-## local users and read and write all +-## files on the system, governed by DAC. +-##

    +-##
    +-gen_tunable(sftpd_full_access, false) +- +-## +-##

    +-## Determine whether sftpd can read and write +-## files in user ssh home directories. +-##

    +-##
    +-gen_tunable(sftpd_write_ssh_home, false) +- + attribute_role ftpdctl_roles; + + type anon_sftpd_t; +@@ -124,6 +88,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) @@ -29694,7 +29734,7 @@ index 36838c2..2812a63 100644 type ftpd_keytab_t; files_type(ftpd_keytab_t) -@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; +@@ -184,6 +151,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) @@ -29704,7 +29744,7 @@ index 36838c2..2812a63 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) +@@ -198,22 +168,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; @@ -29731,7 +29771,7 @@ index 36838c2..2812a63 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -229,9 +196,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -29745,7 +29785,7 @@ index 36838c2..2812a63 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -250,7 +220,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -29753,7 +29793,7 @@ index 36838c2..2812a63 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -259,32 +263,50 @@ sysnet_use_ldap(ftpd_t) +@@ -259,32 +228,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) 
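Review bot: The new inner hunk `@@ -64,49 +71,6 @@` deletes the `gen_tunable` declarations for `sftpd_anon_write`, `sftpd_enable_homedirs`, `sftpd_full_access` and `sftpd_write_ssh_home`, yet the 3.13.1-190 %changelog entry does not mention it; removing a boolean is a user-visible policy interface change, and existing `setsebool` settings for those names will start failing after the update, so it needs its own changelog line. The companion deletions of the `tunable_policy` blocks sit in the hunks at `@@ -29893,10 +29933,15 @@` (the `sftpd_anon_write` grant for anon_sftpd_t) and `@@ -29905,26 +29950,12 @@` / `@@ -29934,22 +29965,35 @@` (sftpd_t), and the header change starts in `@@ -29669,10 +29674,12 @@`. If the booleans are re-declared elsewhere outside this view, a comment in ftp.te pointing there would avoid the question.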
@@ -29811,7 +29851,7 @@ index 36838c2..2812a63 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -304,44 +326,24 @@ tunable_policy(`ftpd_connect_db',` +@@ -304,44 +291,24 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -29861,7 +29901,7 @@ index 36838c2..2812a63 100644 corecmd_exec_shell(ftpd_t) files_read_usr_files(ftpd_t) -@@ -363,9 +365,8 @@ optional_policy(` +@@ -363,9 +330,8 @@ optional_policy(` optional_policy(` selinux_validate_context(ftpd_t) @@ -29872,7 +29912,7 @@ index 36838c2..2812a63 100644 kerberos_use(ftpd_t) ') -@@ -416,21 +417,20 @@ optional_policy(` +@@ -416,86 +382,39 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -29893,10 +29933,15 @@ index 36838c2..2812a63 100644 # -files_read_etc_files(anon_sftpd_t) - +- miscfiles_read_public_files(anon_sftpd_t) -@@ -443,23 +443,34 @@ tunable_policy(`sftpd_anon_write',` +-tunable_policy(`sftpd_anon_write',` +- miscfiles_manage_public_files(anon_sftpd_t) +-') +- + ######################################## + # # Sftpd local policy # 
@@ -29905,26 +29950,12 @@ index 36838c2..2812a63 100644 userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) -+ -+tunable_policy(`sftpd_full_access',` -+ allow sftpd_t self:capability { dac_override dac_read_search }; -+ fs_read_noxattr_fs_files(sftpd_t) -+ files_manage_non_security_dirs(sftpd_t) -+ files_manage_non_security_files(sftpd_t) -+') -+ -+optional_policy(` -+ tunable_policy(`sftpd_write_ssh_home',` -+ ssh_manage_home_files(sftpd_t) -+ ') -+') -+ + +-tunable_policy(`sftpd_enable_homedirs',` +- allow sftpd_t self:capability { dac_override dac_read_search }; +userdom_filetrans_home_content(sftpd_t) +userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) - tunable_policy(`sftpd_enable_homedirs',` - allow sftpd_t self:capability { dac_override dac_read_search }; - userdom_manage_user_home_content_dirs(sftpd_t) userdom_manage_user_home_content_files(sftpd_t) - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) 
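Review bot: The `tunable_policy` opening for `sftpd_enable_homedirs` and its `allow sftpd_t self:capability { dac_override dac_read_search };` line are now deleted from ftp.te (new inner `-` lines), while `userdom_manage_user_home_content_dirs(sftpd_t)` and `userdom_manage_user_home_content_files(sftpd_t)` appear to remain, and the matching closing `')` is deleted in the hunk at `@@ -29934,22 +29965,35 @@`; if that reading is right, write access to user home content becomes unconditional for sftpd_t instead of opt-in, which widens the default policy. The collapsed markers make this hard to be certain of, so please confirm the intent; if unconditional access is intended, add a comment above those lines such as `# home-directory writes are no longer gated by sftpd_enable_homedirs` and record it in the %changelog. The sftpd_t block continues outside the hunk.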
@@ -29934,22 +29965,35 @@ index 36838c2..2812a63 100644 -',` - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) - userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) - ') +-') +- +-tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` +- fs_manage_nfs_dirs(sftpd_t) +- fs_manage_nfs_files(sftpd_t) +- fs_manage_nfs_symlinks(sftpd_t) +-') - tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -481,21 +492,8 @@ tunable_policy(`sftpd_anon_write',` - tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) -- files_manage_non_auth_files(sftpd_t) -+ files_manage_non_security_files(sftpd_t) - ') +-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` +- fs_manage_cifs_dirs(sftpd_t) +- fs_manage_cifs_files(sftpd_t) +- fs_manage_cifs_symlinks(sftpd_t) +-') ++userdom_home_reader(sftpd_t) +-tunable_policy(`sftpd_anon_write',` +- miscfiles_manage_public_files(sftpd_t) +-') +- +-tunable_policy(`sftpd_full_access',` +- allow sftpd_t self:capability { dac_override dac_read_search }; +- fs_read_noxattr_fs_files(sftpd_t) +- files_manage_non_auth_files(sftpd_t) +-') +- -tunable_policy(`sftpd_write_ssh_home',` - ssh_manage_home_files(sftpd_t) -') -+userdom_home_reader(sftpd_t) - +- -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(sftpd_t) - fs_read_cifs_files(sftpd_t) @@ -36215,10 +36259,10 @@ index 0000000..2277038 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..bbd5979 +index 0000000..dc1385d --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,70 @@ +policy_module(gssproxy, 1.0.0) + +######################################## @@ -36266,6 +36310,8 @@ index 0000000..bbd5979 + +files_read_etc_files(gssproxy_t) + ++fs_getattr_all_fs(gssproxy_t) ++ +auth_use_nsswitch(gssproxy_t) + +dev_read_urand(gssproxy_t) @@ -38026,10 +38072,10 @@ index 0000000..e1ddda0 + 
diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..904782d +index 0000000..ee3a606 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,178 @@ +@@ -0,0 +1,197 @@ +## Policy for IPA services. + +######################################## @@ -38208,12 +38254,31 @@ index 0000000..904782d + + files_pid_filetrans($1, ipa_var_run_t, file, $2) +') ++ ++######################################## ++## ++## Allow domain to manage ipa tmp files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_delete_tmp',` ++ gen_require(` ++ type ipa_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 ipa_tmp_t:file unlink; ++') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..5fad85e +index 0000000..3ca42f7 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,195 @@ +@@ -0,0 +1,199 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38393,6 +38458,10 @@ index 0000000..5fad85e +sysnet_read_config(ipa_dnskey_t) + +optional_policy(` ++ apache_search_config(ipa_dnskey_t) ++') ++ ++optional_policy(` + bind_domtrans_ndc(ipa_dnskey_t) + bind_read_dnssec_keys(ipa_dnskey_t) + bind_manage_zone(ipa_dnskey_t) @@ -63471,10 +63540,10 @@ index 0000000..08d0e79 +/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0) diff --git a/opendnssec.if b/opendnssec.if new file mode 100644 -index 0000000..fb0141d +index 0000000..eac3932 --- /dev/null +++ b/opendnssec.if -@@ -0,0 +1,206 @@ +@@ -0,0 +1,208 @@ + +## policy for opendnssec + @@ -63533,6 +63602,7 @@ index 0000000..fb0141d + ') + + files_search_etc($1) ++ allow $1 opendnssec_conf_t:dir list_dir_perms; + allow $1 opendnssec_conf_t:file read_file_perms; +') + @@ -63553,6 +63623,7 @@ index 0000000..fb0141d + ') + + files_search_etc($1) ++ allow $1 opendnssec_conf_t:dir manage_dir_perms; + allow $1 opendnssec_conf_t:file manage_file_perms; +') + @@ -96494,7 +96565,7 @@ index cd6c213..372c7bb 100644 + ') ') 
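Review bot: The summary of the new `ipa_delete_tmp` interface says "Allow domain to manage ipa tmp files", but the body grants only `allow $1 ipa_tmp_t:file unlink;` plus `files_search_tmp($1)`; change the summary to `## Allow domain to delete ipa tmp files` so callers do not expect manage permissions. The rule also covers only the `file` class, so if the uninstall the %changelog describes must also remove directories labeled ipa_tmp_t, a `dir` permission is missing; the usual refpolicy naming for this shape would be `ipa_delete_tmp_files`.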
diff --git a/sanlock.te b/sanlock.te -index 0045465..7afb413 100644 +index 0045465..5080a66 100644 --- a/sanlock.te +++ b/sanlock.te @@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0) @@ -96581,7 +96652,7 @@ index 0045465..7afb413 100644 logging_log_filetrans(sanlock_t, sanlock_log_t, file) manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) -@@ -65,13 +84,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) +@@ -65,13 +84,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) kernel_read_system_state(sanlock_t) kernel_read_kernel_sysctls(sanlock_t) @@ -96592,6 +96663,8 @@ index 0045465..7afb413 100644 +files_read_mnt_symlinks(sanlock_t) + ++fs_rw_cephfs_files(sanlock_t) ++ storage_raw_rw_fixed_disk(sanlock_t) +dev_read_rand(sanlock_t) @@ -96601,7 +96674,7 @@ index 0045465..7afb413 100644 auth_use_nsswitch(sanlock_t) init_read_utmp(sanlock_t) -@@ -79,20 +101,29 @@ init_dontaudit_write_utmp(sanlock_t) +@@ -79,20 +103,29 @@ init_dontaudit_write_utmp(sanlock_t) logging_send_syslog_msg(sanlock_t) @@ -96640,7 +96713,7 @@ index 0045465..7afb413 100644 ') optional_policy(` -@@ -100,7 +131,34 @@ optional_policy(` +@@ -100,7 +133,34 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index f9984ec..3eac2b6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 189%{?dist} +Release: 190%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
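Review bot: `fs_rw_cephfs_files(sanlock_t)` is an unconditional read/write grant to a whole filesystem type and is missing from the 3.13.1-190 %changelog, as is the new `fs_rw_cephfs_files` interface this same commit adds to policy-f24-base.patch; both deserve an entry, since the contrib patch now only builds against a base patch that carries the interface. A one-line comment above the rule, `# sanlock accesses files on cephfs — <which files, e.g. lease storage> — confirm`, would also record why a lock manager needs this, which the page does not say.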
@@ -645,6 +645,17 @@ exit 0 %endif %changelog +* Mon May 30 2016 Lukas Vrabec 3.13.1-190 +- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te +- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs +- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778) +- Allow ipa_dnskey_t search httpd config files. +- Dontaudit certmonger to write to etc_runtime_t +- Add interface ipa_delete_tmp() +- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs. +- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t. +- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106) + * Wed May 25 2016 Lukas Vrabec 3.13.1-189 - Add SELinux policy for opendnssec service. BZ(1333106) - Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)