diff --git a/policy-f23-base.patch b/policy-f23-base.patch index dcb6d6c..566dec2 100644 --- a/policy-f23-base.patch +++ b/policy-f23-base.patch @@ -15375,7 +15375,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..f1378d6 100644 +index 8416beb..b66e93a 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15823,7 +15823,7 @@ index 8416beb..f1378d6 100644 ## ## ## -@@ -1878,135 +2085,151 @@ interface(`fs_search_fusefs',` +@@ -1878,117 +2085,190 @@ interface(`fs_search_fusefs',` ## ## # 
@@ -15993,93 +15993,83 @@ index 8416beb..f1378d6 100644 -## read, write, and delete files -## on a FUSEFS filesystem. +## Unmount a FUSE filesystem. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_manage_fusefs_files',` ++## ++## ++# +interface(`fs_unmount_fusefs',` - gen_require(` - type fusefs_t; - ') - -- dontaudit $1 fusefs_t:file manage_file_perms; ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:filesystem unmount; - ') - - ######################################## - ## --## Read symbolic links on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Mounton a FUSEFS filesystem. - ## - ## - ## -@@ -2014,145 +2237,194 @@ interface(`fs_dontaudit_manage_fusefs_files',` - ## - ## - # --interface(`fs_read_fusefs_symlinks',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mounton_fusefs',` - gen_require(` - type fusefs_t; - ') - -- allow $1 fusefs_t:dir list_dir_perms; -- read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:dir mounton; - ') - - ######################################## - ## --## Get the attributes of an hugetlbfs --## filesystem. ++') ++ ++######################################## ++## +## Search directories +## on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`fs_getattr_hugetlbfs',` -+interface(`fs_search_fusefs',` - gen_require(` -- type hugetlbfs_t; -+ type fusefs_t; - ') - -- allow $1 hugetlbfs_t:filesystem getattr; -+ allow $1 fusefs_t:dir search_dir_perms; - ') - - ######################################## - ## --## List hugetlbfs. -+## Do not audit attempts to list the contents -+## of directories on a FUSEFS filesystem. +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## ++## +# -+interface(`fs_dontaudit_list_fusefs',` ++interface(`fs_search_fusefs',` + gen_require(` + type fusefs_t; + ') + -+ dontaudit $1 fusefs_t:dir list_dir_perms; ++ allow $1 fusefs_t:dir search_dir_perms; +') + +######################################## +## ++## Do not audit attempts to list the contents ++## of directories on a FUSEFS filesystem. + ## + ## + ## +@@ -1996,91 +2276,173 @@ interface(`fs_manage_fusefs_files',` + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`fs_dontaudit_list_fusefs',` + gen_require(` + type fusefs_t; + ') + +- dontaudit $1 fusefs_t:file manage_file_perms; ++ dontaudit $1 fusefs_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Read symbolic links on a FUSEFS filesystem. +## Create, read, write, and delete directories +## on a FUSEFS filesystem. ## @@ -16090,20 +16080,21 @@ index 8416beb..f1378d6 100644 ## +## # --interface(`fs_list_hugetlbfs',` +-interface(`fs_read_fusefs_symlinks',` +interface(`fs_manage_fusefs_dirs',` gen_require(` -- type hugetlbfs_t; -+ type fusefs_t; + type fusefs_t; ') -- allow $1 hugetlbfs_t:dir list_dir_perms; +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 fusefs_t:dir manage_dir_perms; ') ######################################## ## --## Manage hugetlbfs dirs. +-## Get the attributes of an hugetlbfs +-## filesystem. +## Do not audit attempts to create, read, +## write, and delete directories +## on a FUSEFS filesystem. 
@@ -16133,20 +16124,20 @@ index 8416beb..f1378d6 100644 ## +## # --interface(`fs_manage_hugetlbfs_dirs',` +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_read_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:filesystem getattr; + read_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## --## Read and write hugetlbfs files. +-## List hugetlbfs. +## Execute files on a FUSEFS filesystem. ## ## 
@@ -16156,69 +16147,58 @@ index 8416beb..f1378d6 100644 ## +## # --interface(`fs_rw_hugetlbfs_files',` +-interface(`fs_list_hugetlbfs',` +interface(`fs_exec_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:dir list_dir_perms; + exec_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## --## Allow the type to associate to hugetlbfs filesystems. +-## Manage hugetlbfs dirs. +## Make general progams in FUSEFS an entrypoint for +## the specified domain. - ## --## ++## +## - ## --## The type of the object to be associated. ++## +## The domain for which fusefs_t is an entrypoint. - ## - ## - # --interface(`fs_associate_hugetlbfs',` ++## ++## ++# +interface(`fs_fusefs_entry_type',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $1 hugetlbfs_t:filesystem associate; ++ ') ++ + domain_entry_file($1, fusefs_t) - ') - - ######################################## - ## --## Search inotifyfs filesystem. ++') ++ ++######################################## ++## +## Make general progams in FUSEFS an entrypoint for +## the specified domain. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## The domain for which fusefs_t is an entrypoint. - ## - ## - # --interface(`fs_search_inotifyfs',` ++## ++## ++# +interface(`fs_fusefs_entrypoint',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $1 inotifyfs_t:dir search_dir_perms; ++ ') ++ + allow $1 fusefs_t:file entrypoint; - ') - - ######################################## - ## --## List inotifyfs filesystem. ++') ++ ++######################################## ++## +## Create, read, write, and delete files +## on a FUSEFS filesystem. ## 
@@ -16229,85 +16209,87 @@ index 8416beb..f1378d6 100644 ## +## # --interface(`fs_list_inotifyfs',` +-interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_manage_fusefs_files',` gen_require(` -- type inotifyfs_t; +- type hugetlbfs_t; + type fusefs_t; ') -- allow $1 inotifyfs_t:dir list_dir_perms; +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + manage_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## --## Dontaudit List inotifyfs filesystem. +-## Read and write hugetlbfs files. +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_manage_fusefs_files',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Read symbolic links on a FUSEFS filesystem. ## ## ## -@@ -2160,53 +2432,626 @@ interface(`fs_list_inotifyfs',` +@@ -2088,53 +2450,100 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # --interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_dontaudit_manage_fusefs_files',` +-interface(`fs_rw_hugetlbfs_files',` ++interface(`fs_read_fusefs_symlinks',` gen_require(` -- type inotifyfs_t; +- type hugetlbfs_t; + type fusefs_t; ') -- dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ dontaudit $1 fusefs_t:file manage_file_perms; +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## --## Create an object in a hugetlbfs filesystem, with a private --## type using a type transition. -+## Read symbolic links on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## -+# -+interface(`fs_read_fusefs_symlinks',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## +-## Allow the type to associate to hugetlbfs filesystems. +## Manage symbolic links on a FUSEFS filesystem. -+## + ## +-## +## ## --## The type of the object to be created. +-## The type of the object to be associated. +## Domain allowed access. ## ## --## -+# + # +-interface(`fs_associate_hugetlbfs',` +interface(`fs_manage_fusefs_symlinks',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem associate; + manage_lnk_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search inotifyfs filesystem. +## Execute a file on a FUSE filesystem +## in the specified domain. +## @@ -16331,15 +16313,12 @@ index 8416beb..f1378d6 100644 +##

+## +## - ## --## The object class of the object being created. ++## +## Domain allowed to transition. - ## - ## --## ++## ++## +## - ## --## The name of the object being created. ++## +## The type of the new process. +## +## 
@@ -16356,61 +16335,75 @@ index 8416beb..f1378d6 100644 +######################################## +## +## Get the attributes of a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_search_inotifyfs',` +interface(`fs_getattr_fusefs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir search_dir_perms; + allow $1 fusefs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List inotifyfs filesystem. +## Get the attributes of an hugetlbfs +## filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2142,71 +2551,527 @@ interface(`fs_search_inotifyfs',` + ## + ## + # +-interface(`fs_list_inotifyfs',` +interface(`fs_getattr_hugetlbfs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type hugetlbfs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; + allow $1 hugetlbfs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. +## List hugetlbfs. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_list_inotifyfs',` +interface(`fs_list_hugetlbfs',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type hugetlbfs_t; -+ ') -+ + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; + allow $1 hugetlbfs_t:dir list_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. +## Manage hugetlbfs dirs. +## +## 
@@ -16868,19 +16861,55 @@ index 8416beb..f1378d6 100644 +## +## +## Domain allowed access. ++## ++## ++# ++interface(`fs_delete_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## ++## Manage kdbusfs directories. + ## + ## + ## + ## Domain allowed access. ## ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_delete_kdbus_dirs', ` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; - ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -16889,24 +16918,25 @@ index 8416beb..f1378d6 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Manage kdbusfs directories. ++## Read kdbusfs files. ## ## ## -@@ -2214,19 +3059,19 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3079,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_read_kdbus_files',` gen_require(` - type iso9660_t; -- ') -+ type kdbusfs_t; ++ type cgroup_t; ++ + ') - allow $1 iso9660_t:filesystem mount; -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
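Review bot: In `fs_read_kdbus_files` the `gen_require` block declares `type cgroup_t;`, but the body only references `kdbusfs_t` (the `read_files_pattern($1, kdbusfs_t, kdbusfs_t)` and `read_lnk_files_pattern` lines). The interface therefore depends on a type it never uses and does not declare the one it does. The neighbouring `fs_delete_kdbus_dirs` and `fs_manage_kdbus_dirs` in the preceding hunk both require `kdbusfs_t`, so the line should read `type kdbusfs_t;`, and the empty line inside the require block can go. A caller built as a separate module would presumably either fail on the undeclared type or pick up an unneeded dependency on cgroup_t.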
@@ -16916,25 +16946,23 @@ index 8416beb..f1378d6 100644 -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Read kdbusfs files. ++## Write kdbusfs files. ## ## ## -@@ -2234,18 +3079,21 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3101,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type iso9660_t; -+ type cgroup_t; -+ ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -16943,23 +16971,25 @@ index 8416beb..f1378d6 100644 ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Write kdbusfs files. ++## Read and write kdbusfs files. ## ## ## -@@ -2253,38 +3101,61 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3121,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # -interface(`fs_unmount_iso9660_fs',` -+interface(`fs_write_kdbus_files', ` ++interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem unmount; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
@@ -16968,54 +16998,33 @@ index 8416beb..f1378d6 100644 ## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -+## Read and write kdbusfs files. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`fs_getattr_iso9660_fs',` -+interface(`fs_rw_kdbus_files',` ++interface(`fs_dontaudit_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; -+ ') - allow $1 iso9660_t:filesystem getattr; -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Do not audit attempts to open, -+## get attributes, read and write -+## cgroup files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_rw_kdbus_files',` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ dontaudit $1 kdbusfs_t:file rw_file_perms; -+') -+ -+######################################## -+## +## Manage kdbusfs files. ## ## @@ -17417,79 +17426,47 @@ index 8416beb..f1378d6 100644 ##
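Review bot: The summary added for `fs_dontaudit_rw_kdbus_files` still says "cgroup files", while the rule it documents is `dontaudit $1 kdbusfs_t:file rw_file_perms;`. The last summary line should read `## kdbusfs files.` so the generated interface documentation matches the type being silenced. A dontaudit rule hides denials from the audit log, so an accurate description matters when someone later looks for why kdbusfs access failures are not showing up.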
## ## -@@ -3743,25 +4807,61 @@ interface(`fs_getattr_rpc_pipefs',` - - ######################################### - ## --## Read and write RPC pipe filesystem named pipes. -+## Read and write RPC pipe filesystem named pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_rw_rpc_named_pipes',` +@@ -3769,17 +4833,53 @@ interface(`fs_rw_rpc_named_pipes',` + ## + ## + # +-interface(`fs_mount_tmpfs',` ++interface(`fs_mount_tmpfs',` + gen_require(` -+ type rpc_pipefs_t; ++ type tmpfs_t; + ') + -+ allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; ++ allow $1 tmpfs_t:filesystem mount; +') + +######################################## +## -+## Mount a tmpfs filesystem. ++## Dontaudit remount a tmpfs filesystem. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`fs_mount_tmpfs',` ++interface(`fs_dontaudit_remount_tmpfs',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:filesystem mount; ++ dontaudit $1 tmpfs_t:filesystem remount; +') + +######################################## +## -+## Dontaudit remount a tmpfs filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`fs_rw_rpc_named_pipes',` -+interface(`fs_dontaudit_remount_tmpfs',` - gen_require(` -- type rpc_pipefs_t; -+ type tmpfs_t; - ') - -- allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; -+ dontaudit $1 tmpfs_t:filesystem remount; - ') - - ######################################## - ## --## Mount a tmpfs filesystem. +## Remount a tmpfs filesystem. - ## - ## - ## -@@ -3769,17 +4869,17 @@ interface(`fs_rw_rpc_named_pipes',` - ## - ## - # --interface(`fs_mount_tmpfs',` ++##
++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_remount_tmpfs',` gen_require(` type tmpfs_t; @@ -17935,7 +17912,7 @@ index 8416beb..f1378d6 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6218,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +6218,63 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -17979,6 +17956,26 @@ index 8416beb..f1378d6 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu") + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') ++ ++####################################### ++## ++## Read files in efivarfs ++## - contains Linux Kernel configuration options for UEFI systems ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_read_efivarfs_files',` ++ gen_require(` ++ type efivarfs_t; ++ ') ++ ++ read_files_pattern($1, efivarfs_t, efivarfs_t) ++') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index e7d1738..3e3ed4e 100644 --- a/policy/modules/kernel/filesystem.te @@ -18152,7 +18149,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..d2fc766 100644 +index e100d88..65a3b6d 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -18783,7 +18780,7 @@ index e100d88..d2fc766 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3284,628 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3284,630 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; 
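Review bot: `fs_read_efivarfs_files` grants read on every file of type `efivarfs_t` through `read_files_pattern($1, efivarfs_t, efivarfs_t)`, yet its summary calls the filesystem "Linux Kernel configuration options for UEFI systems". That undersells what is exposed, since efivarfs presents the UEFI firmware variables. If all variables carry the single `efivarfs_t` label, as the interface implies, a caller such as `systemd_logind_t` (the `fs_read_efivarfs_files(systemd_logind_t)` line in the systemd.te hunk) can read all of them rather than only the ones it needs. I would reword the summary to `## Read UEFI firmware variables exposed through efivarfs.` and add a comment at the call site naming the variable logind needs.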
@@ -19146,12 +19143,14 @@ index e100d88..d2fc766 100644 +interface(`kernel_read_security_state',` + gen_require(` + type proc_t, proc_security_t; ++ attribute sysctl_type; + ') + + read_files_pattern($1, { proc_t proc_security_t }, proc_security_t) + read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) + + list_dirs_pattern($1, proc_t, proc_security_t) ++ allow $1 sysctl_type:dir search_dir_perms; +') + +######################################## @@ -44709,10 +44708,10 @@ index 0000000..cde0261 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..8209291 +index 0000000..92de375 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,725 @@ +@@ -0,0 +1,728 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -44821,6 +44820,9 @@ index 0000000..8209291 +fs_mount_tmpfs(systemd_logind_t) +fs_unmount_tmpfs(systemd_logind_t) +fs_list_tmpfs(systemd_logind_t) ++ ++fs_read_efivarfs_files(systemd_logind_t) ++ +fs_manage_fusefs_dirs(systemd_logind_t) +fs_manage_fusefs_files(systemd_logind_t) + diff --git a/policy-f23-contrib.patch b/policy-f23-contrib.patch index 38a8f9b..7ffc5ed 100644 --- a/policy-f23-contrib.patch +++ b/policy-f23-contrib.patch @@ -6,10 +6,10 @@ index 0000000..bea5755 @@ -0,0 +1 @@ +TAGS diff --git a/abrt.fc b/abrt.fc -index 1a93dc5..f2b26f5 100644 +index 1a93dc5..e948aef 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,31 +1,46 @@ +@@ -1,31 +1,47 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) 
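Review bot: The added `allow $1 sysctl_type:dir search_dir_perms;` in `kernel_read_security_state` lets every caller search directories of all sysctl types, which is wider than the interface name suggests. It is search only, so the exposure is small, but the reason is not recorded; presumably it lets callers traverse /proc/sys to reach `proc_security_t` entries. A comment such as `# traverse sysctl directories to reach proc_security_t files` above the rule would make that explicit, as would a mention in the interface summary, which lies outside this hunk. If only a few directory types are on that path, listing them instead of the attribute would be tighter.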
@@ -38,10 +38,8 @@ index 1a93dc5..f2b26f5 100644 -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) -/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - --/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) --/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) --/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0) ++/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) ++ +/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) @@ -55,7 +53,10 @@ index 1a93dc5..f2b26f5 100644 +/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) -+ + +-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) +-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) +-/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0) +/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) @@ -9516,7 +9517,7 @@ index 531a8f2..0b86f2f 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..cce7112 100644 +index 1241123..5336071 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; 
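Review bot: The new entry for `/usr/libexec/abrt-hook-ccpp` reuses `abrt_dump_oops_exec_t` rather than a type of its own, so the hook will presumably enter the same domain as the oops scanner and inherit whatever that domain is allowed. The helper entries the patch removes in the same hunk used `abrt_helper_exec_t`, so the choice looks deliberate but is not explained. A comment line above the entry, for example `# abrt-hook-ccpp shares the abrt_dump_oops_t domain`, together with the reason, would let the next reviewer judge whether what appears from its name to be a crash-handling hook needs everything that domain grants.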
@@ -9572,7 +9573,12 @@ index 1241123..cce7112 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -144,6 +146,7 @@ corenet_tcp_sendrecv_all_ports(named_t) +@@ -141,9 +143,12 @@ corenet_sendrecv_all_client_packets(named_t) + corenet_tcp_connect_all_ports(named_t) + corenet_tcp_sendrecv_all_ports(named_t) + ++corenet_tcp_bind_all_ephemeral_ports(named_t) ++ dev_read_sysfs(named_t) dev_read_rand(named_t) dev_read_urand(named_t) @@ -9580,7 +9586,7 @@ index 1241123..cce7112 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +178,19 @@ tunable_policy(`named_write_master_zones',` +@@ -175,6 +180,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -9600,7 +9606,7 @@ index 1241123..cce7112 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +203,13 @@ optional_policy(` +@@ -187,7 +205,13 @@ optional_policy(` ') optional_policy(` @@ -9614,7 +9620,7 @@ index 1241123..cce7112 100644 kerberos_use(named_t) ') -@@ -215,7 +237,8 @@ optional_policy(` +@@ -215,7 +239,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -9624,7 +9630,7 @@ index 1241123..cce7112 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +252,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +254,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9636,7 +9642,7 @@ index 1241123..cce7112 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +264,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +266,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) 
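Review bot: `corenet_tcp_bind_all_ephemeral_ports(named_t)` is added unconditionally in the named_t network block, so named may bind any ephemeral TCP port on every system that loads this policy. Nothing in the hunk says which feature needs it. If it serves only one configuration, wrapping it in a `tunable_policy` block like the `named_write_master_zones` one referenced by the next hunk header would keep the default tighter. At minimum a comment such as `# named binds ephemeral TCP ports for <feature, placeholder>` should record the denial this answers.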
@@ -9646,7 +9652,7 @@ index 1241123..cce7112 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +282,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +284,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -20430,7 +20436,7 @@ index 3023be7..0317731 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..84c4ee4 100644 +index c91813c..999581c 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -20530,7 +20536,7 @@ index c91813c..84c4ee4 100644 type ptal_t; type ptal_exec_t; -@@ -97,21 +99,49 @@ ifdef(`enable_mls',` +@@ -97,21 +99,50 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) ') @@ -20578,13 +20584,14 @@ index c91813c..84c4ee4 100644 +allow cupsd_t self:process { getpgid setpgid setsched }; allow cupsd_t self:unix_stream_socket { accept connectto listen }; allow cupsd_t self:netlink_selinux_socket create_socket_perms; ++allow cupsd_t self:socket connect; allow cupsd_t self:shm create_shm_perms; allow cupsd_t self:sem create_sem_perms; -allow cupsd_t self:tcp_socket { accept listen }; allow cupsd_t self:appletalk_socket create_socket_perms; allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -120,11 +151,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) @@ -20599,7 +20606,7 @@ index c91813c..84c4ee4 100644 allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; -@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +@@ -136,22 +170,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) 
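Review bot: `allow cupsd_t self:socket connect;` uses the generic `socket` class, so the rule does not say which protocol cupsd is being allowed to use. As far as I know, that class is what the kernel falls back to for address families with no dedicated SELinux class. The neighbouring rules name their classes (`unix_stream_socket`, `netlink_selinux_socket`, `appletalk_socket`). Please add a comment with the address family and the denial that prompted it, e.g. `# <address family, placeholder>: connect denied on the generic socket class`. Also check that `connect` alone is enough, since no `create` on `self:socket` is visible in this hunk and a socket normally has to be created before it can connect, unless that is granted elsewhere in the file.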
@@ -20627,7 +20634,7 @@ index c91813c..84c4ee4 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -159,11 +194,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) @@ -20639,7 +20646,7 @@ index c91813c..84c4ee4 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -186,12 +219,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -20664,7 +20671,7 @@ index c91813c..84c4ee4 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -203,7 +244,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -20672,7 +20679,7 @@ index c91813c..84c4ee4 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t) +@@ -212,17 +252,19 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -20694,7 +20701,7 @@ index c91813c..84c4ee4 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) -@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -232,6 +274,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) 
@@ -20703,7 +20710,7 @@ index c91813c..84c4ee4 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,22 +288,27 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -20736,7 +20743,7 @@ index c91813c..84c4ee4 100644 optional_policy(` apm_domtrans_client(cupsd_t) -@@ -272,6 +320,8 @@ optional_policy(` +@@ -272,6 +321,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -20745,7 +20752,7 @@ index c91813c..84c4ee4 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -279,11 +329,17 @@ optional_policy(` +@@ -279,11 +330,17 @@ optional_policy(` ') optional_policy(` @@ -20763,7 +20770,7 @@ index c91813c..84c4ee4 100644 ') ') -@@ -296,8 +352,8 @@ optional_policy(` +@@ -296,8 +353,8 @@ optional_policy(` ') optional_policy(` @@ -20773,7 +20780,7 @@ index c91813c..84c4ee4 100644 ') optional_policy(` -@@ -306,7 +362,6 @@ optional_policy(` +@@ -306,7 +363,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -20781,7 +20788,7 @@ index c91813c..84c4ee4 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -316,6 +371,10 @@ optional_policy(` +@@ -316,6 +372,10 @@ optional_policy(` ') optional_policy(` @@ -20792,7 +20799,7 @@ index c91813c..84c4ee4 100644 samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) -@@ -334,7 +393,11 @@ optional_policy(` +@@ -334,7 +394,11 @@ optional_policy(` ') optional_policy(` @@ -20805,7 +20812,7 @@ index c91813c..84c4ee4 100644 ') ######################################## -@@ -342,12 +405,11 @@ optional_policy(` +@@ -342,12 +406,11 @@ optional_policy(` # Configuration daemon local policy # 
@@ -20821,7 +20828,7 @@ index c91813c..84c4ee4 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -372,18 +434,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -372,18 +435,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -20842,7 +20849,7 @@ index c91813c..84c4ee4 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +452,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +453,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -20863,7 +20870,7 @@ index c91813c..84c4ee4 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +469,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +470,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -20875,7 +20882,7 @@ index c91813c..84c4ee4 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +496,12 @@ optional_policy(` +@@ -449,9 +497,12 @@ optional_policy(` ') optional_policy(` @@ -20889,7 +20896,7 @@ index c91813c..84c4ee4 100644 ') optional_policy(` -@@ -467,6 +517,10 @@ optional_policy(` +@@ -467,6 +518,10 @@ optional_policy(` ') optional_policy(` @@ -20900,7 +20907,7 @@ index c91813c..84c4ee4 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +541,6 @@ optional_policy(` +@@ -487,10 +542,6 @@ optional_policy(` # Lpd local policy # 
@@ -20911,7 +20918,7 @@ index c91813c..84c4ee4 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +558,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +559,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -20929,7 +20936,7 @@ index c91813c..84c4ee4 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +587,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +588,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -20939,7 +20946,7 @@ index c91813c..84c4ee4 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +597,6 @@ optional_policy(` +@@ -550,7 +598,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -20947,7 +20954,7 @@ index c91813c..84c4ee4 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +612,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +613,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21099,7 +21106,7 @@ index c91813c..84c4ee4 100644 ######################################## # -@@ -735,7 +656,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +657,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) 
@@ -21107,7 +21114,7 @@ index c91813c..84c4ee4 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +665,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +666,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -21121,7 +21128,7 @@ index c91813c..84c4ee4 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +677,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +678,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -21130,7 +21137,7 @@ index c91813c..84c4ee4 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +689,4 @@ optional_policy(` +@@ -773,3 +690,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -38125,7 +38132,7 @@ index 1a35420..8101022 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020fa..989eba9 100644 +index ca020fa..d546e07 100644 --- a/iscsi.te +++ b/iscsi.te @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) @@ -38146,7 +38153,7 @@ index ca020fa..989eba9 100644 type iscsi_lock_t; files_lock_file(iscsi_lock_t) -@@ -32,8 +35,7 @@ files_pid_file(iscsi_var_run_t) +@@ -32,13 +35,13 @@ files_pid_file(iscsi_var_run_t) # Local policy # 
@@ -38156,7 +38163,13 @@ index ca020fa..989eba9 100644 allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { accept connectto listen }; -@@ -55,20 +57,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) + allow iscsid_t self:sem create_sem_perms; + allow iscsid_t self:shm create_shm_perms; ++allow iscsid_t self:netlink_iscsi_socket create_socket_perms; + allow iscsid_t self:netlink_socket create_socket_perms; + allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; + allow iscsid_t self:netlink_route_socket nlmsg_write; +@@ -55,20 +58,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file }) @@ -38184,7 +38197,7 @@ index ca020fa..989eba9 100644 corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,22 +89,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,22 +90,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -66361,10 +66374,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..5b5747f +index 0000000..b7242be --- /dev/null +++ b/pcp.te -@@ -0,0 +1,264 @@ +@@ -0,0 +1,266 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -66625,6 +66638,8 @@ index 0000000..5b5747f + +allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto; + ++kernel_read_system_state(pcp_pmlogger_t) ++ +corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t) +corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t) +corenet_tcp_bind_generic_node(pcp_pmlogger_t) @@ -93313,7 +93328,7 @@ index 0000000..3e89d71 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..7a8e744 +index 0000000..c9449b4 
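Review bot: The added `allow iscsid_t self:netlink_iscsi_socket create_socket_perms;` in the iscsi.te hunk sits next to the existing generic `allow iscsid_t self:netlink_socket create_socket_perms;`, and nothing says why both are needed. Presumably the dedicated class serves kernels that label the iSCSI netlink protocol separately, while the generic rule stays for older kernels. If so, a comment such as `# dedicated class on newer kernels; generic netlink_socket kept for older ones` would stop a later cleanup from dropping the wrong rule. If iscsid no longer uses the generic class once the dedicated one exists, removing it in a follow-up would narrow the domain. The iscsid_t local policy block continues beyond this hunk.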
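Review bot: The new `kernel_read_system_state(pcp_pmlogger_t)` in the pcp.te hunk is added without a comment. The lines right after it show pcp_pmlogger_t binding TCP ports, so a domain that listens on the network gains read access to the /proc state that interface covers. A short why-comment tied to the bug, e.g. `# pmlogger reads /proc system state, BZ(1258699)`, would let a later reviewer judge whether the grant is still needed. The pcp_pmlogger_t section begins and ends outside this hunk.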
--- /dev/null +++ b/sandboxX.te @@ -0,0 +1,505 @@ @@ -93611,8 +93626,8 @@ index 0000000..7a8e744 +userdom_use_user_ptys(sandbox_x_t) + +#1103622 -+corenet_tcp_connect_xserver_port(sandbox_x_t) -+xserver_stream_connect(sandbox_x_t) ++corenet_tcp_connect_xserver_port(sandbox_x_domain) ++xserver_stream_connect(sandbox_x_domain) + +######################################## +# diff --git a/selinux-policy.spec b/selinux-policy.spec index d770b8a..50506b8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 149%{?dist} +Release: 150%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -656,6 +656,18 @@ exit 0 %endif %changelog +* Thu Oct 08 2015 Lukas Vrabec 3.13.1-150 +- Allow pcp_pmlogger to read system state. BZ(1258699) +- Allow cupsd to connect on socket. BZ(1258089) +- Allow named to bind on ephemeral ports. BZ(#1259766) +- Allow iscsid create netlink iscsid sockets. +- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes. +- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs. +- Allow search dirs in sysfs types in kernel_read_security_state. +- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs. +- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution) +- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) + * Fri Oct 02 2015 Lukas Vrabec 3.13.1-149 - Allow acpid to attempt to connect to the Linux kernel via generic netlink socket. - We need to require sandbox_web_type attribute in sandbox_x_domain_template().
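Review bot: The two rewritten lines under `#1103622` in sandboxX.te now grant X server access to the `sandbox_x_domain` attribute instead of the single type `sandbox_x_t`, and the only explanation left in the policy is a bare bug number. Every type carrying the attribute inherits both `corenet_tcp_connect_xserver_port` and `xserver_stream_connect`, so the reason belongs next to the rules, for example `# one type serves all sandbox processes, so X server access is granted on the attribute (#1103622)`. It is also worth confirming that the TCP rule is needed for the whole attribute, because the hunk does not show whether sandbox clients reach their X server over anything but the local stream socket. X11 gives connected clients little isolation from each other, so the narrower grant is preferable if it works. The surrounding section of sandboxX.te starts and ends outside this hunk.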