diff --git a/abrt.if b/abrt.if
index e380368..058d908 100644
--- a/abrt.if
+++ b/abrt.if
@@ -173,12 +173,30 @@ interface(`abrt_run_helper',`
##
#
interface(`abrt_cache_manage',`
+ refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
+ abrt_manage_cache($1)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## abrt cache content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_manage_cache',`
gen_require(`
type abrt_var_cache_t;
')
files_search_var($1)
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
')
####################################
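Review bot: The deprecated `abrt_cache_manage()` shim forwards to `abrt_manage_cache()`, which grants manage on directories and symlinks under abrt_var_cache_t in addition to the files the old interface granted, so every existing caller of the old name (logrotate_t here, plus any out-of-tree policy) silently gains create/delete rights on cache directories and symlinks without touching its own policy. That is a defensible reading of "manage", but it is a privilege widening hidden behind a compatibility wrapper. Make it visible in the deprecation text, e.g. `refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead (note: it also grants dir and lnk_file manage).')`, or keep the shim at file-only access if the widening is not intended for legacy callers.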
diff --git a/abrt.te b/abrt.te
index 8490e9b..a6f1aec 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.3.1)
+policy_module(abrt, 1.3.2)
########################################
#
diff --git a/logrotate.te b/logrotate.te
index c88af3c..ffb4127 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.14.3)
+policy_module(logrotate, 1.14.4)
########################################
#
@@ -124,7 +124,7 @@ ifdef(`distro_debian',`
')
optional_policy(`
- abrt_cache_manage(logrotate_t)
+ abrt_manage_cache(logrotate_t)
')
optional_policy(`
diff --git a/sosreport.fc b/sosreport.fc
index a40478e..704e2da 100644
--- a/sosreport.fc
+++ b/sosreport.fc
@@ -1 +1,3 @@
/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
+
+/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
diff --git a/sosreport.if b/sosreport.if
index 94c01b5..634c6b4 100644
--- a/sosreport.if
+++ b/sosreport.if
@@ -1,4 +1,4 @@
-## sosreport - Generate debugging information for system
+## Generate debugging information for system.
########################################
##
@@ -15,13 +15,15 @@ interface(`sosreport_domtrans',`
type sosreport_t, sosreport_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, sosreport_exec_t, sosreport_t)
')
########################################
##
-## Execute sosreport in the sosreport domain, and
-## allow the specified role the sosreport domain.
+## Execute sosreport in the sosreport
+## domain, and allow the specified
+## role the sosreport domain.
##
##
##
@@ -36,25 +38,25 @@ interface(`sosreport_domtrans',`
#
interface(`sosreport_run',`
gen_require(`
- type sosreport_t;
+ attribute_role sosreport_roles;
')
sosreport_domtrans($1)
- role $2 types sosreport_t;
+ roleattribute $2 sospreport_roles;
')
########################################
##
-## Role access for sosreport
+## Role access for sosreport.
##
##
##
-## Role allowed access
+## Role allowed access.
##
##
##
##
-## User domain for the role
+## User domain for the role.
##
##
#
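Review bot: `roleattribute $2 sospreport_roles;` names a role attribute that does not exist — the gen_require three lines above requires `sosreport_roles`, and sosreport.te declares `attribute_role sosreport_roles`, so any module that calls sosreport_run() (including sosreport_role(), which this patch rewires to call it) will fail to build on an undeclared identifier. The line should be `roleattribute $2 sosreport_roles;`. A compile of the module with a caller of sosreport_run() would have caught this.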
@@ -63,18 +65,15 @@ interface(`sosreport_role',`
type sosreport_t;
')
- role $1 types sosreport_t;
-
- sosreport_domtrans($2)
+ sosreport_run($2, $1)
+ allow $2 sosreport_t:process { ptrace signal_perms };
ps_process_pattern($2, sosreport_t)
- allow $2 sosreport_t:process signal;
')
########################################
##
-## Allow the specified domain to read
-## sosreport tmp files.
+## Read sosreport temporary files.
##
##
##
@@ -93,7 +92,7 @@ interface(`sosreport_read_tmp_files',`
########################################
##
-## Append sosreport tmp files.
+## Append sosreport temporary files.
##
##
##
@@ -106,12 +105,13 @@ interface(`sosreport_append_tmp_files',`
type sosreport_tmp_t;
')
+ files_search_tmp($1)
append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
')
########################################
##
-## Delete sosreport tmp files.
+## Delete sosreport temporary files.
##
##
##
diff --git a/sosreport.te b/sosreport.te
index c6079a5..e832424 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -1,14 +1,17 @@
-policy_module(sosreport, 1.2.0)
+policy_module(sosreport, 1.2.1)
########################################
#
# Declarations
#
+attribute_role sosreport_roles;
+roleattribute system_r sosreport_roles;
+
type sosreport_t;
type sosreport_exec_t;
application_domain(sosreport_t, sosreport_exec_t)
-role system_r types sosreport_t;
+role sosreport_roles types sosreport_t;
type sosreport_tmp_t;
files_tmp_file(sosreport_tmp_t)
@@ -18,21 +21,19 @@ files_tmpfs_file(sosreport_tmpfs_t)
########################################
#
-# sosreport local policy
+# Local policy
#
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
allow sosreport_t self:process { setsched signull };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
-allow sosreport_t self:tcp_socket create_stream_socket_perms;
-allow sosreport_t self:udp_socket create_socket_perms;
-allow sosreport_t self:unix_dgram_socket create_socket_perms;
-allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
-allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
+allow sosreport_t self:tcp_socket { accept listen };
+allow sosreport_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
@@ -64,23 +65,22 @@ files_getattr_all_sockets(sosreport_t)
files_exec_etc_files(sosreport_t)
files_list_all(sosreport_t)
files_read_config_files(sosreport_t)
-files_read_etc_files(sosreport_t)
files_read_generic_tmp_files(sosreport_t)
+files_read_non_auth_files(sosreport_t)
files_read_usr_files(sosreport_t)
files_read_var_lib_files(sosreport_t)
files_read_var_symlinks(sosreport_t)
files_read_kernel_modules(sosreport_t)
files_read_all_symlinks(sosreport_t)
-# for blkid.tab
files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
fs_getattr_all_fs(sosreport_t)
fs_list_inotifyfs(sosreport_t)
-# some config files do not have configfile attribute
-# sosreport needs to read various files on system
-files_read_non_auth_files(sosreport_t)
+storage_dontaudit_read_fixed_disk(sosreport_t)
+storage_dontaudit_read_removable_device(sosreport_t)
+
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
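Review bot: The `# for blkid.tab` comment above `files_manage_etc_runtime_files(sosreport_t)` and the two-line rationale for `files_read_non_auth_files(sosreport_t)` are deleted while the rules they explain are kept; both are broad grants (write under etc_runtime_t, read every non-auth file type) whose justification is exactly what a later reviewer needs to decide whether they can be tightened. Restore them as `# for blkid.tab` above the etc_runtime rule and `# some config files lack the configfile attribute` above files_read_non_auth_files. The removal of `files_read_etc_files(sosreport_t)` presumably relies on etc_t being covered by files_read_non_auth_files — worth confirming against the targeted refpolicy version rather than assuming.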
@@ -92,13 +92,11 @@ logging_send_syslog_msg(sosreport_t)
miscfiles_read_localization(sosreport_t)
-# needed by modinfo
modutils_read_module_deps(sosreport_t)
-sysnet_read_config(sosreport_t)
-
optional_policy(`
abrt_manage_pid_files(sosreport_t)
+ abrt_manage_cache(sosreport_t)
')
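Review bot: `sysnet_read_config(sosreport_t)` is dropped with no replacement in this hunk, and the `# needed by modinfo` note for `modutils_read_module_deps(sosreport_t)` goes with it. If net_conf_t is now expected to be reachable through files_read_non_auth_files, that is an implicit dependency that should be stated so nobody re-adds or removes the wrong rule later; if it is not covered, sosreport loses access to resolver/network config it collects. Keep `# needed by modinfo` above the modutils rule and add `# net_conf_t is read via files_read_non_auth_files` (or re-add sysnet_read_config) once that is confirmed.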
optional_policy(`
@@ -142,7 +140,3 @@ optional_policy(`
optional_policy(`
xserver_stream_connect(sosreport_t)
')
-
-optional_policy(`
- unconfined_domain(sosreport_t)
-')