diff --git a/policy-F15.patch b/policy-F15.patch index b84e047..c00c6be 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1973,7 +1973,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 975af1a..30a7f38 100644 +index 975af1a..bae65ee 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -2023,7 +2023,7 @@ index 975af1a..30a7f38 100644 userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) -+ userdom_signal_unpriv_users($1_sudo_t) ++ userdom_signal_all_users($1_sudo_t) # for some PAM modules and for cwd - userdom_dontaudit_search_user_home_content($1_sudo_t) + userdom_search_user_home_content($1_sudo_t) @@ -2962,10 +2962,10 @@ index 00a19e3..1354800 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..bb2528e 100644 +index f5afe78..61398d8 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,43 +1,507 @@ +@@ -1,43 +1,511 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -3031,6 +3031,7 @@ index f5afe78..bb2528e 100644 + attribute gnome_domain; + type gnome_home_t; + type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t; ++ class dbus send_msg; + ') + + type gkeyringd_$1_t, gnome_domain, gkeyringd_domain; 
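Review bot: The switch from `userdom_signal_unpriv_users($1_sudo_t)` to `userdom_signal_all_users($1_sudo_t)` in the sudo.if hunk at @@ -2023 widens the sudo domain's signal permission from unprivileged user domains to, by its name, every user domain including the administrative ones, and nothing in the hunk records what needed the wider grant. A later reader of sudo_role_template cannot tell whether signalling privileged user domains is intended or was just the quickest way to silence a denial. Suggest a one-line comment above the call, `# sudo must signal processes of all user roles, admin roles included — see <bug/AVC placeholder>`, so the broader rule stays reviewable. sudo_role_template itself starts and ends outside the hunk.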
@@ -3054,15 +3055,18 @@ index f5afe78..bb2528e 100644 + + dontaudit $3 gkeyringd_exec_t:file entrypoint; + ++ allow gkeyringd_$1_t $3:dbus send_msg; ++ allow $3 gkeyringd_$1_t:dbus send_msg; ++ + optional_policy(` -+ dbus_session_domain(gkeyringd_$1_t, gkeyringd_exec_t) -+ dbus_session_bus_client(gkeyringd_$1_t) -+ gnome_home_dir_filetrans(gkeyringd_$1_t) -+ gnome_manage_generic_home_dirs(gkeyringd_$1_t) ++ dbus_session_domain(gkeyringd_$1_t, gkeyringd_exec_t) ++ dbus_session_bus_client(gkeyringd_$1_t) ++ gnome_home_dir_filetrans(gkeyringd_$1_t) ++ gnome_manage_generic_home_dirs(gkeyringd_$1_t) + -+ optional_policy(` ++ optional_policy(` + telepathy_mission_control_read_state(gkeyringd_$1_t) -+ ') ++ ') + ') +') + @@ -3490,7 +3494,7 @@ index f5afe78..bb2528e 100644 ## in the caller domain. ## ## -@@ -56,27 +520,26 @@ interface(`gnome_exec_gconf',` +@@ -56,27 +524,26 @@ interface(`gnome_exec_gconf',` ######################################## ## @@ -3526,7 +3530,7 @@ index f5afe78..bb2528e 100644 ## ## ## -@@ -84,37 +547,41 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +551,41 @@ template(`gnome_read_gconf_config',` ## ## # @@ -3579,7 +3583,7 @@ index f5afe78..bb2528e 100644 ## ## ## -@@ -122,12 +589,13 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,12 +593,13 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -3596,7 +3600,7 @@ index f5afe78..bb2528e 100644 ') ######################################## -@@ -151,40 +619,258 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +623,258 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -3866,7 +3870,7 @@ index f5afe78..bb2528e 100644 userdom_search_user_home_dirs($1) ') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..78e50a6 100644 +index 2505654..fd62ccc 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0) 
@@ -3937,7 +3941,7 @@ index 2505654..78e50a6 100644 ############################## # # Local Policy -@@ -75,3 +106,147 @@ optional_policy(` +@@ -75,3 +106,149 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -4066,6 +4070,8 @@ index 2505654..78e50a6 100644 + +selinux_getattr_fs(gkeyringd_domain) + ++auth_use_nsswitch(gkeyringd_domain) ++ +logging_send_syslog_msg(gkeyringd_domain) + +miscfiles_read_localization(gkeyringd_domain) @@ -6937,10 +6943,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 -index 0000000..5f09eb9 +index 0000000..0fedd57 --- /dev/null +++ b/policy/modules/apps/sandbox.if -@@ -0,0 +1,335 @@ +@@ -0,0 +1,305 @@ + +## policy for sandbox + @@ -6963,9 +6969,9 @@ index 0000000..5f09eb9 +interface(`sandbox_transition',` + gen_require(` + type sandbox_xserver_t; ++ type sandbox_file_t; + attribute sandbox_domain; + attribute sandbox_x_domain; -+ attribute sandbox_file_type; + attribute sandbox_tmpfs_type; + ') + 
@@ -6997,17 +7003,18 @@ index 0000000..5f09eb9 + allow $1 sandbox_tmpfs_type:file manage_file_perms; + dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; + -+ can_exec($1, sandbox_file_type) -+ manage_files_pattern($1, sandbox_file_type, sandbox_file_type); -+ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); -+ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type); -+ manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type); -+ manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type); -+ relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type) -+ relabel_files_pattern($1, sandbox_file_type, sandbox_file_type) -+ relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type) -+ relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type) -+ relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) ++ can_exec($1, sandbox_file_t) ++ allow $1 sandbox_file_t:filesystem getattr; ++ manage_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t); ++ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) ++ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) +') + +######################################## @@ -7025,7 +7032,7 @@ index 0000000..5f09eb9 + + gen_require(` + attribute sandbox_domain; -+ attribute sandbox_file_type; ++ type sandbox_file_t; + attribute sandbox_type; + ') + type $1_t, sandbox_domain, sandbox_type; 
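Review bot: `allow $1 sandbox_file_t:filesystem getattr;` is a new grant in sandbox_transition with no explanation; the filesystem class is checked against a superblock's label, so the rule only matters if some filesystem is mounted with sandbox_file_t as its context (presumably a `context=` mount set up by the sandbox tooling — confirm), and a reader of this interface cannot see that. The identical line is added for sandbox_domain in the sandbox.te hunk at @@ -7402. Suggest a comment on both occurrences, e.g. `# statfs on filesystems mounted with a sandbox_file_t context`, and checking whether the transitioning caller `$1` needs it at all or only the sandbox domains do. sandbox_transition begins outside the hunk.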
@@ -7034,16 +7041,6 @@ index 0000000..5f09eb9 + + mls_rangetrans_target($1_t) + mcs_untrusted_proc($1_t) -+ -+ type $1_file_t, sandbox_file_type; -+ files_type($1_file_t) -+ -+ can_exec($1_t, $1_file_t) -+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t) -+ manage_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) +') + +######################################## @@ -7063,7 +7060,7 @@ index 0000000..5f09eb9 + type sandbox_xserver_t; + type sandbox_exec_t; + attribute sandbox_domain, sandbox_x_domain; -+ attribute sandbox_file_type, sandbox_tmpfs_type; ++ attribute sandbox_tmpfs_type; + attribute sandbox_type; + ') + @@ -7071,16 +7068,6 @@ index 0000000..5f09eb9 + application_type($1_t) + mcs_untrusted_proc($1_t) + -+ type $1_file_t, sandbox_file_type; -+ files_type($1_file_t) -+ -+ can_exec($1_t, $1_file_t) -+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t) -+ manage_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) -+ + # window manager + miscfiles_setattr_fonts_cache_dirs($1_t) + allow $1_t self:capability setuid; 
@@ -7110,23 +7097,12 @@ index 0000000..5f09eb9 + # Random tmpfs_t that gets created when you run X. + fs_rw_tmpfs_files($1_t) + -+ manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) -+ manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) -+ manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) -+ allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms; + ps_process_pattern(sandbox_xserver_t, $1_client_t) + ps_process_pattern(sandbox_xserver_t, $1_t) + allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; + allow sandbox_xserver_t $1_t:shm rw_shm_perms; + allow $1_client_t $1_t:unix_stream_socket connectto; + allow $1_t $1_client_t:unix_stream_socket connectto; -+ -+ can_exec($1_client_t, $1_file_t) -+ manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) -+ manage_files_pattern($1_client_t, $1_file_t, $1_file_t) -+ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) -+ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) -+ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) +') + +######################################## @@ -7198,10 +7174,10 @@ index 0000000..5f09eb9 +# +interface(`sandbox_delete_files',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ delete_files_pattern($1, sandbox_file_type, sandbox_file_type) ++ delete_files_pattern($1, sandbox_file_t, sandbox_file_t) +') + +######################################## @@ -7216,10 +7192,10 @@ index 0000000..5f09eb9 +# +interface(`sandbox_delete_sock_files',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) ++ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t) +') + +######################################## 
@@ -7235,10 +7211,10 @@ index 0000000..5f09eb9 +# +interface(`sandbox_setattr_dirs',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ allow $1 sandbox_file_type:dir setattr; ++ allow $1 sandbox_file_t:dir setattr; +') + +######################################## @@ -7253,10 +7229,10 @@ index 0000000..5f09eb9 +# +interface(`sandbox_delete_dirs',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) ++ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t) +') + +######################################## @@ -7271,29 +7247,33 @@ index 0000000..5f09eb9 +# +interface(`sandbox_list',` + gen_require(` -+ attribute sandbox_file_type; ++ type sandbox_file_t; + ') + -+ allow $1 sandbox_file_type:dir list_dir_perms; ++ allow $1 sandbox_file_t:dir list_dir_perms; +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..fc8db7d +index 0000000..e6e9f42 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,449 @@ +@@ -0,0 +1,465 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; +attribute sandbox_x_domain; -+attribute sandbox_file_type; +attribute sandbox_web_type; ++attribute sandbox_file_type; +attribute sandbox_tmpfs_type; +attribute sandbox_type; + +type sandbox_exec_t; +files_type(sandbox_exec_t) + ++type sandbox_file_t, sandbox_file_type; ++files_type(sandbox_file_t) ++typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t }; ++ +######################################## +# +# Declarations 
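Review bot: `typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };` in the sandbox.te hunk at @@ -7271 folds the formerly separate per-sandbox file types into one type, so from this change on the type system no longer separates the files of an X, web, net and minimal sandbox from one another; together with the blanket `can_exec`/`manage_*_pattern(sandbox_domain, sandbox_file_t, ...)` rules added at @@ -7402, separation between sandbox instances rests on the MCS categories assigned through `mcs_untrusted_proc` alone. That is a defensible design choice, but nothing in the file states it, and the aliases read like compatibility shims rather than intent. Suggest a comment above `type sandbox_file_t, sandbox_file_type;` such as `# One shared file type for every sandbox kind; per-instance separation is by MCS category only. The aliases keep existing file contexts valid.`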
@@ -7325,6 +7305,11 @@ index 0000000..fc8db7d +allow sandbox_xserver_t self:shm create_shm_perms; +allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; + ++manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) ++manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) ++manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t) ++allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms; ++ +manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) @@ -7402,6 +7387,14 @@ index 0000000..fc8db7d +dev_rw_all_inherited_chr_files(sandbox_domain) +dev_rw_all_inherited_blk_files(sandbox_domain) + ++can_exec(sandbox_domain, sandbox_file_t) ++allow sandbox_domain sandbox_file_t:filesystem getattr; ++manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++ +gen_require(` + type usr_t, lib_t, locale_t; + type var_t, var_run_t, rpm_log_t, locale_t; @@ -7730,7 +7723,6 @@ index 0000000..fc8db7d + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') -+ diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc index 1f2cde4..7227631 100644 --- a/policy/modules/apps/screen.fc @@ -10121,7 +10113,7 @@ index 3517db2..f798a69 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ed203b2..45fe4f9 100644 +index ed203b2..03346fd 100644 
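Review bot: The five `manage_*_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);` lines added in the hunk at @@ -7402 end in a trailing semicolon while the `manage_*_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)` lines added at @@ -7325 in the same file do not; the patterns are m4 macros that already expand to complete statements, so the extra `;` is redundant and makes the two blocks look like different constructs. Drop the semicolons so the new rules match the rest of sandbox.te, e.g. `manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t)`. The same trailing semicolons are carried over into sandbox_transition in sandbox.if, where they predate this change.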
--- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -10223,7 +10215,32 @@ index ed203b2..45fe4f9 100644 ## List the contents of the root directory. ## ## -@@ -1854,6 +1924,25 @@ interface(`files_relabelfrom_boot_files',` +@@ -1731,6 +1801,24 @@ interface(`files_list_boot',` + allow $1 boot_t:dir list_dir_perms; + ') + ++####################################### ++## ++## Dontaudit List the /boot directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_list_boot',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ dontaudit $1 boot_t:dir list_dir_perms; ++') ++ + ######################################## + ## + ## Create directories in /boot +@@ -1854,6 +1942,25 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10249,7 +10266,7 @@ index ed203b2..45fe4f9 100644 ######################################## ## ## Read and write symbolic links -@@ -2453,6 +2542,24 @@ interface(`files_delete_etc_files',` +@@ -2453,6 +2560,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -10274,7 +10291,7 @@ index ed203b2..45fe4f9 100644 ## Execute generic files in /etc. ## ## -@@ -2583,6 +2690,31 @@ interface(`files_create_boot_flag',` +@@ -2583,6 +2708,31 @@ interface(`files_create_boot_flag',` ######################################## ## @@ -10306,7 +10323,7 @@ index ed203b2..45fe4f9 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2623,6 +2755,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2623,6 +2773,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## 
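Review bot: `files_dontaudit_list_boot` in the hunk at @@ -1731 documents its parameter as `Domain allowed access.` although the interface only suppresses denials (`dontaudit $1 boot_t:dir list_dir_perms;`), which is misleading in the generated interface documentation; the same wording appears on `mock_dontaudit_leaks` in mock.if (@@ -27327) and `init_dontaudit_stream_connect` in init.if (@@ -525). The refpolicy convention for dontaudit interfaces is `Domain to not audit.`, and the summary reads better as `Do not audit attempts to list the /boot directory.` than `Dontaudit List the /boot directory.`. Apply the same two wording changes to the other two new interfaces.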
@@ -10331,7 +10348,7 @@ index ed203b2..45fe4f9 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -3104,6 +3254,7 @@ interface(`files_getattr_home_dir',` +@@ -3104,6 +3272,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; @@ -10339,7 +10356,7 @@ index ed203b2..45fe4f9 100644 ') ######################################## -@@ -3124,6 +3275,7 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3124,6 +3293,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -10347,7 +10364,7 @@ index ed203b2..45fe4f9 100644 ') ######################################## -@@ -3287,6 +3439,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` +@@ -3287,6 +3457,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` dontaudit $1 lost_found_t:dir getattr; ') @@ -10372,7 +10389,7 @@ index ed203b2..45fe4f9 100644 ######################################## ## ## Create, read, write, and delete objects in -@@ -3365,6 +3535,24 @@ interface(`files_list_mnt',` +@@ -3365,6 +3553,24 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') @@ -10397,7 +10414,7 @@ index ed203b2..45fe4f9 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3438,6 +3626,24 @@ interface(`files_read_mnt_files',` +@@ -3438,6 +3644,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -10422,7 +10439,7 @@ index ed203b2..45fe4f9 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3729,6 +3935,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3729,6 +3953,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
@@ -10522,7 +10539,7 @@ index ed203b2..45fe4f9 100644 ######################################## ## ## Allow the specified type to associate -@@ -3914,6 +4213,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,6 +4231,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -10555,7 +10572,7 @@ index ed203b2..45fe4f9 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -3968,7 +4293,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3968,7 +4311,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -10564,7 +10581,7 @@ index ed203b2..45fe4f9 100644 ## ## ## -@@ -3976,17 +4301,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3976,17 +4319,17 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -10586,7 +10603,7 @@ index ed203b2..45fe4f9 100644 ## ## ## -@@ -3994,74 +4319,77 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -3994,74 +4337,77 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # @@ -10682,34 +10699,29 @@ index ed203b2..45fe4f9 100644 ## ## ## -@@ -4069,25 +4397,100 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` +@@ -4069,7 +4415,82 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` ## ## # -interface(`files_read_all_tmp_files',` +interface(`files_list_all_tmp',` - gen_require(` - attribute tmpfile; - ') - -- read_files_pattern($1, tmpfile, tmpfile) ++ gen_require(` ++ attribute tmpfile; ++ ') ++ + allow $1 tmpfile:dir list_dir_perms; - ') - - ######################################## - ## --## Create an object in the tmp directories, with a private --## type using a type transition. ++') ++ ++######################################## ++## +## Do not audit attempts to get the attributes +## of all tmp files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain not to audit. - ## - ## --## ++## ++## +# +interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` 
@@ -10768,28 +10780,10 @@ index ed203b2..45fe4f9 100644 +## +# +interface(`files_read_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ read_files_pattern($1, tmpfile, tmpfile) -+') -+ -+######################################## -+## -+## Create an object in the tmp directories, with a private -+## type using a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## - ## - ## The type of the object to be created. - ## -@@ -4127,6 +4530,13 @@ interface(`files_purge_tmp',` + gen_require(` + attribute tmpfile; + ') +@@ -4127,6 +4548,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -10803,7 +10797,7 @@ index ed203b2..45fe4f9 100644 ') ######################################## -@@ -4736,6 +5146,24 @@ interface(`files_read_var_files',` +@@ -4736,6 +5164,24 @@ interface(`files_read_var_files',` ######################################## ## @@ -10828,7 +10822,7 @@ index ed203b2..45fe4f9 100644 ## Read and write files in the /var directory. ## ## -@@ -5071,6 +5499,24 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5517,24 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -10853,7 +10847,7 @@ index ed203b2..45fe4f9 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5156,12 +5602,12 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5620,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -10870,7 +10864,7 @@ index ed203b2..45fe4f9 100644 ') ######################################## -@@ -5207,6 +5653,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5671,27 @@ interface(`files_delete_all_locks',` ######################################## ## 
@@ -10898,7 +10892,7 @@ index ed203b2..45fe4f9 100644 ## Read all lock files. ## ## -@@ -5335,6 +5802,43 @@ interface(`files_search_pids',` +@@ -5335,6 +5820,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -10942,7 +10936,7 @@ index ed203b2..45fe4f9 100644 ######################################## ## ## Do not audit attempts to search -@@ -5542,6 +6046,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6064,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -11005,7 +10999,7 @@ index ed203b2..45fe4f9 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6119,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6137,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -11050,7 +11044,7 @@ index ed203b2..45fe4f9 100644 ') ######################################## -@@ -5844,3 +6442,284 @@ interface(`files_unconfined',` +@@ -5844,3 +6460,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -15440,10 +15434,10 @@ index 0000000..aeb1888 +/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0) diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if new file mode 100644 -index 0000000..8e6e2c3 +index 0000000..0f3fc36 --- /dev/null +++ b/policy/modules/services/ajaxterm.if -@@ -0,0 +1,68 @@ +@@ -0,0 +1,86 @@ +## policy for ajaxterm + +######################################## 
@@ -15482,6 +15476,24 @@ index 0000000..8e6e2c3 + init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t) +') + ++####################################### ++## ++## Read and write the ajaxterm pty type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ajaxterm_rw_ptys',` ++ gen_require(` ++ type ajaxterm_devpts_t; ++ ') ++ ++ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms; ++') ++ +######################################## +## +## All of the rules required to administrate @@ -15514,10 +15526,10 @@ index 0000000..8e6e2c3 +') diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te new file mode 100644 -index 0000000..ffdcad1 +index 0000000..3d0fd88 --- /dev/null +++ b/policy/modules/services/ajaxterm.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,64 @@ +policy_module(ajaxterm, 1.0.0) + +######################################## @@ -15573,8 +15585,13 @@ index 0000000..ffdcad1 + +sysnet_dns_name_resolve(ajaxterm_t) + ++####################################### ++# ++# SSH component local policy ++# ++ +optional_policy(` -+ ssh_domtrans(ajaxterm_t) ++ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r) +') + diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if @@ -15591,9 +15608,18 @@ index ceb2142..e31d92a 100644 ') diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index c3a1903..a65e930 100644 +index c3a1903..0140399 100644 --- a/policy/modules/services/amavis.te 
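Review bot: `ajaxterm_rw_ptys` is summarised as `Read and write the ajaxterm pty type.` but the only rule it adds is `allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;`, which by its name covers file descriptors inherited from ajaxterm and not opening the pty, so the summary promises more than the interface grants. Assuming rw_inherited_term_perms excludes open as its name indicates, suggest `Read and write inherited ajaxterm pty file descriptors (no open).` as the summary so a caller does not add this interface expecting to open the pty itself.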
+++ b/policy/modules/services/amavis.te +@@ -47,7 +47,7 @@ files_type(amavis_spool_t) + + allow amavis_t self:capability { kill chown dac_override setgid setuid }; + dontaudit amavis_t self:capability sys_tty_config; +-allow amavis_t self:process { signal sigchld signull }; ++allow amavis_t self:process { signal sigchld sigkill signull }; + allow amavis_t self:fifo_file rw_fifo_file_perms; + allow amavis_t self:unix_stream_socket create_stream_socket_perms; + allow amavis_t self:unix_dgram_socket create_socket_perms; @@ -76,7 +76,7 @@ files_search_spool(amavis_t) # tmp files @@ -27170,10 +27196,10 @@ index 0000000..68ad33f +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 -index 0000000..6395ec8 +index 0000000..f60483e --- /dev/null +++ b/policy/modules/services/mock.if -@@ -0,0 +1,254 @@ +@@ -0,0 +1,272 @@ +## policy for mock + +######################################## @@ -27327,6 +27353,24 @@ index 0000000..6395ec8 + manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + ++####################################### ++## ++## Dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mock_dontaudit_leaks',` ++ gen_require(` ++ type mock_tmp_t; ++ ') ++ ++ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms; ++') ++ +######################################## +## +## Execute mock in the mock domain, and @@ -27430,12 +27474,19 @@ index 0000000..6395ec8 +') diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te new file mode 100644 -index 0000000..5576314 +index 0000000..b7d8f2f --- /dev/null +++ b/policy/modules/services/mock.te -@@ -0,0 +1,102 @@ +@@ -0,0 +1,123 @@ +policy_module(mock,1.0.0) + ++## ++##
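Review bot: The summary of `mock_dontaudit_leaks` in the mock.if hunk at @@ -27327 reads `Dontaudit read and write an leaked file descriptors`, which is ungrammatical and does not say what is leaked, while the rule it carries (`dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;`) is specific to mock temporary files. Suggest `Do not audit attempts to read and write leaked mock temporary file descriptors.` so the generated documentation names the object type the interface actually covers.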

++## Allow mock to read files in home directories. ++##

++##
++gen_tunable(mock_enable_homedirs, false) ++ +######################################## +# +# Declarations @@ -27486,10 +27537,14 @@ index 0000000..5576314 +manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) ++manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file }) +can_exec(mock_t, mock_var_lib_t) +allow mock_t mock_var_lib_t:dir mounton; ++allow mock_t mock_var_lib_t:dir relabel_dir_perms; ++allow mock_t mock_var_lib_t:file relabel_file_perms; ++ + +kernel_list_proc(mock_t) +kernel_read_irq_sysctls(mock_t) @@ -27503,20 +27558,24 @@ index 0000000..5576314 +corenet_tcp_connect_http_port(mock_t) + +dev_read_urand(mock_t) ++dev_read_sysfs(mock_t) + +domain_read_all_domains_state(mock_t) +domain_use_interactive_fds(mock_t) + +files_read_etc_files(mock_t) +files_read_usr_files(mock_t) ++files_dontaudit_list_boot(mock_t) + +fs_getattr_all_fs(mock_t) ++fs_manage_cgroup_dirs(mock_t) + +selinux_get_enforce_mode(mock_t) + +auth_use_nsswitch(mock_t) + +init_exec(mock_t) ++init_dontaudit_stream_connect(mock_t) + +libs_domtrans_ldconfig(mock_t) + @@ -27527,6 +27586,12 @@ index 0000000..5576314 + +mount_domtrans(mock_t) + ++userdom_use_user_ptys(mock_t) ++ ++tunable_policy(`mock_enable_homedirs',` ++ userdom_read_user_home_content_files(mock_t) ++') ++ +optional_policy(` + rpm_exec(mock_t) + rpm_manage_db(mock_t) @@ -28355,7 +28420,7 @@ index 343cee3..2f948ad 100644 + ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..8974c28 100644 +index 64268e4..0d7da33 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) 
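Review bot: `manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)` in the mock.te hunk at @@ -27486 lets mock create and write block device nodes under its var_lib type, which together with the existing `manage_chr_files_pattern` and `allow mock_t mock_var_lib_t:dir mounton;` means the build root may hold device nodes referring to host block devices, and the hunk does not say why (presumably to populate /dev inside the chroot — confirm). A comment above the two device-node patterns, such as `# mock creates device nodes in the build chroot's /dev`, would keep the grant from being read as an oversight. Separately, the hunk adds a blank line after `allow mock_t mock_var_lib_t:file relabel_file_perms;` directly before an existing blank line, leaving two consecutive empty lines ahead of `kernel_list_proc(mock_t)`.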
@@ -28519,7 +28584,18 @@ index 64268e4..8974c28 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -249,11 +250,16 @@ optional_policy(` +@@ -242,6 +243,10 @@ optional_policy(` + ') + + optional_policy(` ++ logwatch_search_cache_dir(mailserver_delivery) ++') ++ ++optional_policy(` + # so MTA can access /var/lib/mailman/mail/wrapper + files_search_var_lib(mailserver_delivery) + +@@ -249,11 +254,16 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -28536,7 +28612,7 @@ index 64268e4..8974c28 100644 domain_use_interactive_fds(user_mail_t) userdom_use_user_terminals(user_mail_t) -@@ -292,3 +298,44 @@ optional_policy(` +@@ -292,3 +302,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -33452,7 +33528,7 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..1a07760 100644 +index 64c5f95..dbac1d4 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) @@ -33528,8 +33604,11 @@ index 64c5f95..1a07760 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -214,13 +226,32 @@ domain_read_all_domains_state(puppetmaster_t) +@@ -212,15 +224,35 @@ dev_read_urand(puppetmaster_t) + domain_read_all_domains_state(puppetmaster_t) + files_read_etc_files(puppetmaster_t) ++files_read_usr_files(puppetmaster_t) files_search_var_lib(puppetmaster_t) +selinux_validate_context(puppetmaster_t) @@ -33561,7 +33640,7 @@ index 64c5f95..1a07760 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +262,8 @@ optional_policy(` +@@ -231,3 +263,8 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -36503,7 +36582,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') 
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..395fafb 100644 +index e30bb63..00a9125 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -36681,7 +36760,7 @@ index e30bb63..395fafb 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,14 +809,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +809,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -36699,9 +36778,11 @@ index e30bb63..395fafb 100644 -files_pid_filetrans(winbind_t, winbind_var_run_t, file) +files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir }) ++kernel_read_network_state(winbind_t) kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +836,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) + +@@ -833,6 +837,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -36709,7 +36790,7 @@ index e30bb63..395fafb 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -922,6 +926,18 @@ optional_policy(` +@@ -922,6 +927,18 @@ optional_policy(` # optional_policy(` @@ -36728,7 +36809,7 @@ index e30bb63..395fafb 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +948,12 @@ optional_policy(` +@@ -932,9 +949,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -38868,7 +38949,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) 
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..12d37a2 100644 +index 8ffa257..44cbef4 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) @@ -38894,15 +38975,20 @@ index 8ffa257..12d37a2 100644 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,6 +50,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,8 +50,12 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) ++corenet_udp_bind_generic_port(sssd_t) ++corenet_dontaudit_udp_bind_all_ports(sssd_t) ++ corecmd_exec_bin(sssd_t) -@@ -60,6 +63,7 @@ domain_obj_id_change_exemption(sssd_t) + + dev_read_urand(sssd_t) +@@ -60,6 +66,7 @@ domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) @@ -38910,17 +38996,16 @@ index 8ffa257..12d37a2 100644 fs_list_inotifyfs(sssd_t) -@@ -69,7 +73,8 @@ seutil_read_file_contexts(sssd_t) +@@ -69,7 +76,7 @@ seutil_read_file_contexts(sssd_t) mls_file_read_to_clearance(sssd_t) -auth_use_nsswitch(sssd_t) -+ +# auth_use_nsswitch(sssd_t) auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) -@@ -79,6 +84,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +86,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -38933,7 +39018,7 @@ index 8ffa257..12d37a2 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -88,3 +99,11 @@ optional_policy(` +@@ -88,3 +101,11 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) ') @@ -44702,7 +44787,7 @@ index 6fed22c..06e5395 100644 # # /var 
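Review bot: `corenet_udp_bind_generic_port(sssd_t)` in the sssd.te hunk at @@ -48 lets sssd bind any unlabeled UDP port, and the `corenet_dontaudit_udp_bind_all_ports(sssd_t)` that follows silences every other bind denial, so after this hunk a genuinely needed labeled port would fail without a trace in the audit log; neither line says which sssd component needs the bind. Suggest a comment above the pair naming the reason, e.g. `# <component placeholder> binds an unlabeled UDP source port`, and confirming that the dontaudit is intended rather than masking a specific port type that should be granted. If sssd_t does not already receive `corenet_udp_bind_generic_node` elsewhere in the file, the bind will still be refused on the node check.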
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..341c578 100644 +index cc83689..2657c0b 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,40 @@ interface(`init_script_domain',` @@ -44907,7 +44992,32 @@ index cc83689..341c578 100644 mls_rangetrans_target($1) ') ') -@@ -688,19 +796,24 @@ interface(`init_telinit',` +@@ -525,6 +633,24 @@ interface(`init_stream_connect',` + allow $1 init_t:unix_stream_socket connectto; + ') + ++####################################### ++## ++## Dontaudit Connect to init with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_dontaudit_stream_connect',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ dontaudit $1 init_t:unix_stream_socket connectto; ++') ++ + ######################################## + ## + ## Inherit and use file descriptors from init. +@@ -688,19 +814,24 @@ interface(`init_telinit',` type initctl_t; ') @@ -44933,7 +45043,7 @@ index cc83689..341c578 100644 ') ') -@@ -773,18 +886,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +904,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -44957,7 +45067,7 @@ index cc83689..341c578 100644 ') ') -@@ -800,19 +914,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +932,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -45003,7 +45113,7 @@ index cc83689..341c578 100644 ') ######################################## -@@ -868,9 +1004,14 @@ interface(`init_script_file_domtrans',` +@@ -868,9 +1022,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; 
@@ -45018,7 +45128,7 @@ index cc83689..341c578 100644 files_search_etc($1) ') -@@ -1079,6 +1220,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1238,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -45043,7 +45153,7 @@ index cc83689..341c578 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1289,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1307,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -45057,7 +45167,7 @@ index cc83689..341c578 100644 ') ######################################## -@@ -1375,6 +1529,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1547,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -45085,7 +45195,7 @@ index cc83689..341c578 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1636,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1654,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -45111,7 +45221,7 @@ index cc83689..341c578 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1674,7 +1868,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1886,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -45120,7 +45230,7 @@ index cc83689..341c578 100644 ') ######################################## -@@ -1749,3 +1943,93 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +1961,93 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -45215,7 +45325,7 @@ index cc83689..341c578 100644 + allow $1 init_t:unix_dgram_socket sendto; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 77e8ca8..c50cbb7 100644 +index 77e8ca8..7984537 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
@@ -45393,8 +45503,8 @@ index 77e8ca8..c50cbb7 100644 + dev_manage_generic_dirs(init_t) + dev_manage_generic_files(init_t) + dev_read_generic_chr_files(init_t) -+ dev_relabelfrom_generic_chr_files(init_t) -+ dev_relabel_autofs_dev(init_t) ++ dev_relabel_generic_dev_dirs(init_t) ++ dev_relabel_all_dev_nodes(init_t) + dev_manage_sysfs_dirs(init_t) + + files_mounton_all_mountpoints(init_t) @@ -46971,21 +47081,22 @@ index 2b7e5f3..76b4ce1 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 571599b..b323b73 100644 +index 571599b..7e33883 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc -@@ -17,6 +17,10 @@ +@@ -17,6 +17,11 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -25,6 +29,7 @@ +@@ -25,6 +30,7 @@ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) @@ -46993,7 +47104,7 @@ index 571599b..b323b73 100644 /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) ifdef(`distro_suse', ` -@@ -54,18 +59,24 @@ ifdef(`distro_redhat',` +@@ -54,18 +60,24 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') @@ -47383,7 +47494,7 @@ index 58bc27f..b95f0c0 100644 + allow $1 clvmd_tmpfs_t:file unlink; +') 
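Review bot: `dev_relabel_all_dev_nodes(init_t)` grants init_t relabel to and from every device node type, a far wider privilege than the `dev_relabelfrom_generic_chr_files` / `dev_relabel_autofs_dev` pair it replaces, and nothing in the hunk records why the narrower set was insufficient. Since init_t is the most privileged long-lived domain, a why-comment is warranted, e.g. `# systemd relabels /dev during early boot and needs relabel on all device node types`, and it is worth confirming that the dropped `dev_relabel_autofs_dev` is subsumed by the new rule rather than lost. The enclosing block (the indented `+ dev_…` lines suggest a conditional or optional_policy block) starts and ends outside the hunk.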
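Review bot: `/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)` labels the agent's whole `system` subtree as var_log_t, so every domain with write access to generic log files, not only syslogd, gains write access to whatever else the agent keeps there. If the requirement is just the named pipe syslogd writes to, a `-p` entry for that single path (e.g. `/opt/Symantec/scspagent/IDS/system/<PIPE_NAME> -p gen_context(system_u:object_r:var_log_t,s0)`, with the real pipe name substituted) leaves the rest of the tree at its default label. A short comment naming the product and the pipe it expects would also help the next maintainer decide whether the entry can be narrowed later.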
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..402f69e 100644 +index a0a0ebf..1440818 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -47524,6 +47635,17 @@ index a0a0ebf..402f69e 100644 modutils_domtrans_insmod(lvm_t) ') +@@ -339,6 +367,10 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_passwd_agent_dev_template(lvm) ++') ++ ++optional_policy(` + udev_read_db(lvm_t) + ') + diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index 172287e..2683ce9 100644 --- a/policy/modules/system/miscfiles.fc @@ -49791,10 +49913,10 @@ index 0000000..64fc1a5 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..5f0352b +index 0000000..344c2e8 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,92 @@ +@@ -0,0 +1,121 @@ +## SELinux policy for systemd components + +####################################### @@ -49887,12 +50009,41 @@ index 0000000..5f0352b + allow $2 systemd_passwd_agent_t:process signal; +') + ++ ++###################################### ++## ++## Template for temporary sockets and files in /dev/.systemd/ask-password ++## which are used by systemd-passwd-agent ++## ++## ++## ++## The prefix of the domain (e.g., user ++## is the prefix for user_t). ++## ++## ++# ++interface(`systemd_passwd_agent_dev_template',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ ') ++ ++ type systemd_$1_device_t; ++ files_type(systemd_$1_device_t) ++ dev_associate(systemd_$1_device_t) ++ ++ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file }) ++ allow $1_t systemd_$1_device_t:file manage_file_perms; ++ allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms; ++ ++ allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto; ++ allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms; ++') 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..4d7a07a +index 0000000..d09b523 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,107 @@ +@@ -0,0 +1,108 @@ + +policy_module(systemd, 1.0.0) + @@ -49930,6 +50081,7 @@ index 0000000..4d7a07a +# +allow systemd_passwd_agent_t self:capability chown; +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal }; ++allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + +allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms; +dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file) @@ -49954,11 +50106,11 @@ index 0000000..4d7a07a + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; + -+files_read_etc_files(systemd_tmpfiles_t) ++kernel_read_network_state(systemd_tmpfiles_t) + ++files_read_etc_files(systemd_tmpfiles_t) +files_getattr_all_dirs(systemd_tmpfiles_t) +files_getattr_all_files(systemd_tmpfiles_t) -+ +files_relabel_all_lock_dirs(systemd_tmpfiles_t) +files_relabel_all_pid_dirs(systemd_tmpfiles_t) +files_relabel_all_pid_files(systemd_tmpfiles_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 40e7cbd..475734b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.15 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
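Review bot: `systemd_passwd_agent_dev_template` declares the parameter-derived type `systemd_$1_device_t` but is defined with `interface(`; refpolicy convention, and this patch's own `sudo_role_template`, use `template(` for blocks that create types from their argument, so the header should use `template(` instead. The unnamed `dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })` makes every file or sock_file that `$1_t` creates under /dev receive the new type; if `$1_t` already has an unnamed file or sock_file transition into the device directory type, the two type_transition rules conflict at policy build time, which applies to the `systemd_passwd_agent_dev_template(lvm)` call added in the earlier lvm.te hunk. A one-line comment on the template stating that only the ask-password files and sockets are expected to be created there by `$1_t` would make that assumption explicit.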
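Review bot: `kernel_read_network_state(systemd_tmpfiles_t)` gives a tmpfiles tool read access to the kernel's network state under /proc with no comment on why; rules like this are usually transcribed from a single AVC denial, and the next maintainer cannot tell whether it is a genuine need or a dontaudit candidate. Suggest recording the trigger, e.g. `# systemd-tmpfiles reads network state: <REASON OR DENIAL SEEN, fill in>`, or replacing the allow with the matching dontaudit if the access turns out to be incidental. The blank-line move below it is cosmetic.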
@@ -472,6 +472,22 @@ exit 0 %endif %changelog +* Fri Feb 25 2011 Miroslav Grepl 3.9.15-3 +- gnome-keyring-daemon needs nsswitch getpw calls +- Symantic places a pipe in the /opt directory tree that it expects syslogd to be able to write to +- keyringd daemon sends/recieves dbus messages from user types +- sudo domains need to be able to signal all users "sysadm_t" +- allow systemd-ask-passwd to create unix dgram socket +- allow puppet master to read usr files +- fixes for mock policy +- Add mock_enable_homedirs boolean +- Allow systemd to relabel /dev +- Moving to only one file type sandbox_file_t +- mta search /var/lib/logcheck +- sssd needs to bind to random UDP ports +- Allow amavis sigkill +- Add systemd_passwd_agent_dev_template interface and use it for lvm + * Mon Feb 21 2011 Miroslav Grepl 3.9.15-2 - Allow usbhid-ups to read hardware state information - systemd-tmpfiles has moved