diff --git a/policy-rawhide.patch b/policy-rawhide.patch index d5b5832..99a9d9d 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -100967,7 +100967,7 @@ index db981df..0b6597c 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..c4dc1b6 100644 +index 9e9263a..2a7d3c1 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -122,6 +122,7 @@ interface(`corecmd_search_bin',` @@ -101048,10 +101048,10 @@ index 9e9263a..c4dc1b6 100644 read_lnk_files_pattern($1, bin_t, bin_t) list_dirs_pattern($1, bin_t, bin_t) can_exec($1, bin_t) -+ #ifdef(`enable_mls',`',` -+ # files_exec_usr_files($1) -+ # libs_exec_lib_files($1) -+ #') ++ ++ ifdef(`enable_mls',`',` ++ files_exec_all_base_ro_files($1) ++ ') ') ######################################## @@ -101105,18 +101105,27 @@ index 9e9263a..c4dc1b6 100644 manage_lnk_files_pattern($1, bin_t, bin_t) ') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te -index 1dd0427..a4ba874 100644 +index 1dd0427..6d6f456 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te -@@ -13,7 +13,7 @@ attribute exec_type; +@@ -13,7 +13,8 @@ attribute exec_type; # # bin_t is the type of files in the system bin/sbin directories. # -type bin_t alias { ls_exec_t sbin_t }; +type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t }; ++files_ro_base_file(bin_t) corecmd_executable_file(bin_t) dev_associate(bin_t) #For /dev/MAKEDEV +@@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV + # shell_exec_t is the type of user shells such as /bin/bash. + # + type shell_exec_t; ++files_ro_base_file(shell_exec_t) + corecmd_executable_file(shell_exec_t) + + type chroot_exec_t; 
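Review bot: The new `ifdef(`enable_mls',`',` files_exec_all_base_ro_files($1) ')` inside `corecmd_exec_bin` keys on `base_ro_file_type`, and files.te in this same patch attaches that attribute to etc_t, boot_t, usr_t and src_t as well as bin_t and shell_exec_t, so every non-MLS caller that may execute bin_t would also be allowed to execute files under /etc, /boot and /usr/src — wider than the `files_exec_usr_files`/`libs_exec_lib_files` pair the removed comment stood for. As written in files.if the new interface only grants read, so the widening is latent until that interface actually grants execute, but the scope should be decided now; if it is intended, say so above the ifdef, e.g. `# non-MLS: callers may execute any base read-only file type (see files_ro_base_file users in files.te)`, otherwise call the narrower usr/lib exec interfaces instead. `corecmd_exec_bin` begins outside this hunk.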
diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc index f9b25c1..9af1f7a 100644 --- a/policy/modules/kernel/corenetwork.fc @@ -104653,10 +104662,16 @@ index d820975..21a21e4 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 06eda45..7fa1559 100644 +index 06eda45..0018592 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te -@@ -20,6 +20,7 @@ files_mountpoint(device_t) +@@ -15,11 +15,12 @@ attribute devices_unconfined_type; + # + type device_t; + fs_associate_tmpfs(device_t) +-files_type(device_t) ++files_base_file(device_t) + files_mountpoint(device_t) files_associate_tmp(device_t) fs_type(device_t) fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); @@ -104862,7 +104877,7 @@ index 6a1e4d1..eee8419 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..1e017ad 100644 +index cf04cb5..26c940c 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.11.0) @@ -104887,7 +104902,7 @@ index cf04cb5..1e017ad 100644 ## ##

-@@ -86,23 +101,41 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +101,42 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -104920,6 +104935,7 @@ index cf04cb5..1e017ad 100644 +files_search_default(domain) +files_read_inherited_tmp_files(domain) +files_append_inherited_tmp_files(domain) ++files_read_all_base_ro_files(domain) + +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) @@ -104930,7 +104946,7 @@ index cf04cb5..1e017ad 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +154,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +155,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -104949,7 +104965,7 @@ index cf04cb5..1e017ad 100644 ') optional_policy(` -@@ -133,6 +176,8 @@ optional_policy(` +@@ -133,6 +177,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -104958,7 +104974,7 @@ index cf04cb5..1e017ad 100644 ') ######################################## -@@ -147,12 +192,18 @@ optional_policy(` +@@ -147,12 +193,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -104978,7 +104994,7 @@ index cf04cb5..1e017ad 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +217,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +218,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -105452,7 +105468,7 @@ index 8796ca3..10f0231 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
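Review bot: `files_read_all_base_ro_files(domain)` is a baseline grant to every domain, and the attribute it expands is applied in files.te of this patch to boot_t and src_t in addition to etc_t, usr_t, bin_t and shell_exec_t, so every confined domain gains read on kernel and initramfs images in /boot and on /usr/src, which the per-type interfaces (`files_read_etc_files`, `files_read_usr_files`) previously forced each module to request individually. That is a least-privilege widening that the hunk does not explain. If the goal is only to quiet AVCs on the common /etc and /usr paths, keeping boot_t and src_t out of `files_ro_base_file` would preserve that, and either way a comment next to the call, e.g. `# every domain may read base read-only types; the list is the files_ro_base_file users in files.te`, records the reasoning for the next reader. The `allow domain` block this sits in continues outside the hunk.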
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..13c475a 100644 +index e1e814d..8e5d231 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -106937,7 +106953,7 @@ index e1e814d..13c475a 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6467,3 +7384,346 @@ interface(`files_unconfined',` +@@ -6467,3 +7384,439 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -107284,11 +107300,111 @@ index e1e814d..13c475a 100644 + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") +') ++ ++######################################## ++##

++## Make the specified type a ++## base file. ++## ++## ++##

++## Identify file type as base file type. Tools will use this attribute, ++## to help users diagnose problems. ++##

++##
++## ++## ++## Type to be used as a base files. ++## ++## ++## ++# ++interface(`files_base_file',` ++ gen_require(` ++ attribute base_file_type; ++ ') ++ files_type($1) ++ typeattribute $1 base_file_type; ++') ++ ++######################################## ++## ++## Make the specified type a ++## base read only file. ++## ++## ++##

++## Make the specified type readable for all domains. ++##

++##
++## ++## ++## Type to be used as a base read only files. ++## ++## ++## ++# ++interface(`files_ro_base_file',` ++ gen_require(` ++ attribute base_ro_file_type; ++ ') ++ files_base_file($1) ++ typeattribute $1 base_ro_file_type; ++') ++ ++######################################## ++## ++## Read all ro base files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_read_all_base_ro_files',` ++ gen_require(` ++ attribute base_ro_file_type; ++ ') ++ ++ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) ++ read_files_pattern($1, base_ro_file_type, base_ro_file_type) ++ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) ++') ++ ++######################################## ++## ++## Execute all base ro files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_exec_all_base_ro_files',` ++ gen_require(` ++ attribute base_ro_file_type; ++ ') ++ ++ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) ++ read_files_pattern($1, base_ro_file_type, base_ro_file_type) ++ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) ++') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 52ef84e..59b37a3 100644 +index 52ef84e..45cb0bc 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te -@@ -10,7 +10,9 @@ attribute files_unconfined_type; +@@ -5,12 +5,16 @@ policy_module(files, 1.17.0) + # Declarations + # + ++attribute base_file_type; ++attribute base_ro_file_type; + attribute file_type; + attribute files_unconfined_type; attribute lockfile; attribute mountpoint; attribute pidfile; 
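Review bot: `files_exec_all_base_ro_files` is a copy of `files_read_all_base_ro_files` — the same list, read and read_lnk patterns — and never grants `file execute`, so the call added to `corecmd_exec_bin` in corecommands.if by this patch has no exec effect. Add the exec grant after the existing read pattern, `can_exec($1, base_ro_file_type)` (or use `exec_files_pattern($1, base_ro_file_type, base_ro_file_type)` in place of the read pattern), so the body matches the name. The summary line could also state the scope, e.g. `## Read and execute all files of base read-only file types.`, since the attribute covers etc_t, usr_t, boot_t and src_t, not only executables.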
@@ -107298,7 +107414,27 @@ index 52ef84e..59b37a3 100644 # For labeling types that are to be polyinstantiated attribute polydir; -@@ -64,12 +66,21 @@ files_type(etc_t) +@@ -48,28 +52,40 @@ attribute usercanread; + # + type boot_t; + files_mountpoint(boot_t) ++files_ro_base_file(boot_t) + + # default_t is the default type for files that do not + # match any specification in the file_contexts configuration + # other than the generic /.* specification. + type default_t; + files_mountpoint(default_t) ++files_base_file(default_t) + + # + # etc_t is the type of the system etc directories. + # + type etc_t, configfile; +-files_type(etc_t) ++files_ro_base_file(etc_t) ++ + # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; 
@@ -107321,7 +107457,53 @@ index 52ef84e..59b37a3 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -@@ -139,6 +150,7 @@ files_mountpoint(src_t) +@@ -81,6 +97,7 @@ typealias etc_runtime_t alias firstboot_rw_t; + # + type file_t; + files_mountpoint(file_t) ++files_base_file(file_t) + kernel_rootfs_mountpoint(file_t) + sid file gen_context(system_u:object_r:file_t,s0) + +@@ -89,6 +106,7 @@ sid file gen_context(system_u:object_r:file_t,s0) + # are created + # + type home_root_t; ++files_base_file(home_root_t) + files_mountpoint(home_root_t) + files_poly_parent(home_root_t) + +@@ -96,12 +114,13 @@ files_poly_parent(home_root_t) + # lost_found_t is the type for the lost+found directories. + # + type lost_found_t; +-files_type(lost_found_t) ++files_base_file(lost_found_t) + + # + # mnt_t is the type for mount points such as /mnt/cdrom + # + type mnt_t; ++files_base_file(mnt_t) + files_mountpoint(mnt_t) + + # +@@ -123,6 +142,7 @@ files_type(readable_t) + # root_t is the type for rootfs and the root directory. + # + type root_t; ++files_base_file(root_t) + files_mountpoint(root_t) + files_poly_parent(root_t) + kernel_rootfs_mountpoint(root_t) +@@ -133,52 +153,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) + # + type src_t; + files_mountpoint(src_t) ++files_ro_base_file(src_t) + + # + # system_map_t is for the system.map files in /boot # type system_map_t; files_type(system_map_t) @@ -107329,7 +107511,11 @@ index 52ef84e..59b37a3 100644 genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) # -@@ -149,6 +161,7 @@ files_tmp_file(tmp_t) + # tmp_t is the type of the temporary directories + # + type tmp_t; ++files_base_file(tmp_t) + files_tmp_file(tmp_t) files_mountpoint(tmp_t) files_poly(tmp_t) files_poly_parent(tmp_t) 
@@ -107337,9 +107523,23 @@ index 52ef84e..59b37a3 100644 # # usr_t is the type for /usr. -@@ -167,12 +180,14 @@ files_mountpoint(var_t) + # + type usr_t; ++files_ro_base_file(usr_t) + files_mountpoint(usr_t) + + # + # var_t is the type of /var + # + type var_t; ++files_base_file(var_t) + files_mountpoint(var_t) + + # + # var_lib_t is the type of /var/lib # type var_lib_t; ++files_base_file(var_lib_t) files_mountpoint(var_lib_t) +files_poly(var_lib_t) @@ -107347,20 +107547,30 @@ index 52ef84e..59b37a3 100644 # var_lock_t is tye type of /var/lock # type var_lock_t; ++files_base_file(var_lock_t) files_lock_file(var_lock_t) +files_mountpoint(var_lock_t) # # var_run_t is the type of /var/run, usually -@@ -187,6 +202,7 @@ files_mountpoint(var_run_t) + # used for pid and other runtime files. + # + type var_run_t; ++files_base_file(var_run_t) + files_pid_file(var_run_t) + files_mountpoint(var_run_t) + +@@ -186,7 +217,9 @@ files_mountpoint(var_run_t) + # var_spool_t is the type of /var/spool # type var_spool_t; ++files_base_file(var_spool_t) files_tmp_file(var_spool_t) +files_spool_file(var_spool_t) ######################################## # -@@ -225,10 +241,11 @@ fs_associate_tmpfs(tmpfsfile) +@@ -225,10 +258,11 @@ fs_associate_tmpfs(tmpfsfile) # Create/access any file in a labeled filesystem; allow files_unconfined_type file_type:{ file chr_file } ~execmod; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; @@ -119256,65 +119466,23 @@ index d2e40b8..084ee57 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index d26fe81..c932f74 100644 +index d26fe81..29f6683 100644 --- a/policy/modules/system/init.if 
+++ b/policy/modules/system/init.if -@@ -79,6 +79,38 @@ interface(`init_script_domain',` - domtrans_pattern(init_run_all_scripts_domain, $2, $1) - ') - -+ -+####################################### -+## -+## Create a domain which can be started by init. -+## -+## -+## -+## Type to be used as a domain. -+## -+## -+## -+## -+## Type of the program to be used as an entry point to this domain. -+## -+## -+# -+interface(`init_systemd_domain',` -+ gen_require(` -+ type init_t; -+ role system_r; -+ ') -+ -+ domain_type($1) -+ domain_entry_file($1,$2) -+ -+ role system_r types $1; -+ -+ tunable_policy(`init_systemd',` -+ domtrans_pattern(init_t,$2,$1) -+ ') -+') -+ - ######################################## - ## - ## Create a domain which can be started by init. -@@ -105,7 +137,11 @@ interface(`init_domain',` - +@@ -106,6 +106,8 @@ interface(`init_domain',` role system_r types $1; -- domtrans_pattern(init_t, $2, $1) -+ tunable_policy(`init_systemd',`', ` -+ domtrans_pattern(init_t, $2, $1) -+ allow init_t $1:unix_stream_socket create_stream_socket_perms; -+ allow $1 init_t:unix_dgram_socket sendto; -+ ') + domtrans_pattern(init_t, $2, $1) ++ allow init_t $1:unix_stream_socket create_stream_socket_perms; ++ allow $1 init_t:unix_dgram_socket sendto; ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -193,8 +229,11 @@ interface(`init_daemon_domain',` +@@ -192,50 +194,43 @@ interface(`init_ranged_domain',` + interface(`init_daemon_domain',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; - type initrc_t; +- type initrc_t; + type init_t; role system_r; attribute daemon; @@ -119323,7 +119491,8 @@ index d26fe81..c932f74 100644 ') typeattribute $1 daemon; -@@ -202,40 +241,38 @@ interface(`init_daemon_domain',` ++ typeattribute $2 direct_init_entry; + domain_type($1) domain_entry_file($1, $2) 
@@ -119339,18 +119508,19 @@ index d26fe81..c932f74 100644 - # init script ptys are the stdin/out/err - # when using run_init - init_use_script_ptys($1) -+ domtrans_pattern(initrc_t,$2,$1) -+ domtrans_pattern(initrc_domain, $2,$1) ++ type_transition initrc_domain $2:process $1; ifdef(`direct_sysadm_daemon',` - domtrans_pattern(direct_run_init, $2, $1) +- domtrans_pattern(direct_run_init, $2, $1) - allow direct_run_init $1:process { noatsecure siginh rlimitinh }; - +- ++ type_transition direct_run_init $2:process $1; typeattribute $1 direct_init; - typeattribute $2 direct_init_entry; +- typeattribute $2 direct_init_entry; - - userdom_dontaudit_use_user_terminals($1) ') ++') - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray @@ -119358,14 +119528,6 @@ index d26fe81..c932f74 100644 - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') -+ tunable_policy(`init_upstart || init_systemd',` -+ # Handle upstart direct transition to a executable -+ domtrans_pattern(init_t,$2,$1) - ') -+') - -- optional_policy(` -- nscd_socket_use($1) - ') +####################################### +## @@ -119381,12 +119543,15 @@ index d26fe81..c932f74 100644 + gen_require(` + attribute initrc_domain; + ') -+ + +- optional_policy(` +- nscd_socket_use($1) +- ') + typeattribute $1 initrc_domain; ') ######################################## -@@ -283,17 +320,20 @@ interface(`init_daemon_domain',` +@@ -283,17 +278,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; 
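Review bot: `init_daemon_domain` now emits a bare `type_transition initrc_domain $2:process $1;` where the previous revision used `domtrans_pattern(initrc_t, $2, $1)`; `type_transition` only selects the target type and allows nothing, so unless an attribute-level rule outside this diff (presumably in init.te, keyed on `initrc_domain`, `direct_init_entry` and `daemon`) grants the `process transition`, `file entrypoint` and execute side, daemon starts will fail with AVCs. The same replacement is made for `direct_run_init` in this hunk and for `systemprocess`/`systemprocess_entry` in `init_system_domain` in the hunk that follows. If those allow rules do exist, a comment next to each `type_transition`, e.g. `# allow side of this transition is granted on the initrc_domain/daemon attributes in init.te`, would save the next reader the search. `init_daemon_domain` begins in the preceding hunk.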
@@ -119408,40 +119573,38 @@ index d26fe81..c932f74 100644 ') ') -@@ -336,22 +376,25 @@ interface(`init_ranged_daemon_domain',` +@@ -336,23 +334,19 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` +- type initrc_t; + type init_t; - type initrc_t; role system_r; + attribute initrc_transition_domain; -+ attribute systemprocess; ++ attribute systemprocess, systemprocess_entry; + attribute initrc_domain; ') + typeattribute $1 systemprocess; application_domain($1, $2) - +- role system_r types $1; ++ typeattribute $2 systemprocess_entry; - domtrans_pattern(initrc_t, $2, $1) -+ domtrans_pattern(initrc_t,$2,$1) -+ domtrans_pattern(initrc_domain, $2,$1) - +- - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') -+ tunable_policy(`init_systemd',` -+ # Handle upstart/systemd direct transition to a executable -+ domtrans_pattern(init_t,$2,$1) - ') +- ') ++ type_transition initrc_domain $2:process $1; ') -@@ -401,20 +444,41 @@ interface(`init_system_domain',` + ######################################## +@@ -401,20 +395,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -119483,7 +119646,7 @@ index d26fe81..c932f74 100644 ######################################## ## ## Execute init (/sbin/init) with a domain transition. -@@ -442,7 +506,6 @@ interface(`init_domtrans',` +@@ -442,7 +457,6 @@ interface(`init_domtrans',` ## Domain allowed access. ## ## @@ -119491,12 +119654,12 @@ index d26fe81..c932f74 100644 # interface(`init_exec',` gen_require(` -@@ -451,6 +514,48 @@ interface(`init_exec',` +@@ -451,6 +465,48 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) + -+ tunable_policy(`init_systemd',` ++ optional_policy(` + systemd_exec_systemctl($1) + ') +') 
@@ -119540,7 +119703,7 @@ index d26fe81..c932f74 100644 ') ######################################## -@@ -539,6 +644,24 @@ interface(`init_sigchld',` +@@ -539,6 +595,24 @@ interface(`init_sigchld',` ######################################## ## @@ -119565,7 +119728,7 @@ index d26fe81..c932f74 100644 ## Connect to init with a unix socket. ## ## -@@ -549,10 +672,66 @@ interface(`init_sigchld',` +@@ -549,10 +623,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -119634,8 +119797,11 @@ index d26fe81..c932f74 100644 ') ######################################## -@@ -718,19 +897,25 @@ interface(`init_telinit',` +@@ -716,22 +846,23 @@ interface(`init_write_initctl',` + interface(`init_telinit',` + gen_require(` type initctl_t; ++ type init_t; ') + corecmd_exec_bin($1) @@ -119646,22 +119812,25 @@ index d26fe81..c932f74 100644 init_exec($1) - tunable_policy(`init_upstart',` -+ tunable_policy(`init_upstart || init_systemd',` - gen_require(` - type init_t; - ') - -+ ps_process_pattern($1, init_t) -+ allow $1 init_t:process signal; - # upstart uses a datagram socket instead of initctl pipe - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; -+ #576913 -+ allow $1 init_t:unix_stream_socket connectto; - ') +- gen_require(` +- type init_t; +- ') +- +- # upstart uses a datagram socket instead of initctl pipe +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 init_t:unix_dgram_socket sendto; +- ') ++ ps_process_pattern($1, init_t) ++ allow $1 init_t:process signal; ++ # upstart uses a datagram socket instead of initctl pipe ++ allow $1 self:unix_dgram_socket create_socket_perms; ++ allow $1 init_t:unix_dgram_socket sendto; ++ #576913 ++ allow $1 init_t:unix_stream_socket connectto; ') -@@ -760,7 +945,7 @@ interface(`init_rw_initctl',` + ######################################## +@@ -760,7 +891,7 @@ interface(`init_rw_initctl',` ## ## ## 
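Review bot: The rules made unconditional in `init_telinit` — `ps_process_pattern($1, init_t)`, `allow $1 init_t:process signal;` and `allow $1 init_t:unix_stream_socket connectto;` — carry only the bare `#576913` as justification, and the reader cannot tell which of the three that number covers. Expand it to name the tracker and the need, e.g. `# bug 576913: <reason telinit needs connectto on init_t's stream socket>` filled in from the ticket. The surviving comment `# upstart uses a datagram socket instead of initctl pipe` now applies outside any upstart tunable, so it should presumably say which init programs (upstart/systemd) rely on the dgram path.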
@@ -119670,7 +119839,7 @@ index d26fe81..c932f74 100644 ## ## # -@@ -803,11 +988,12 @@ interface(`init_script_file_entry_type',` +@@ -803,11 +934,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -119685,7 +119854,7 @@ index d26fe81..c932f74 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -818,11 +1004,11 @@ interface(`init_spec_domtrans_script',` +@@ -818,11 +950,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -119699,7 +119868,7 @@ index d26fe81..c932f74 100644 ') ') -@@ -838,19 +1024,41 @@ interface(`init_spec_domtrans_script',` +@@ -838,19 +970,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -119745,7 +119914,7 @@ index d26fe81..c932f74 100644 ') ######################################## -@@ -906,9 +1114,14 @@ interface(`init_script_file_domtrans',` +@@ -906,9 +1060,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -119760,7 +119929,7 @@ index d26fe81..c932f74 100644 files_search_etc($1) ') -@@ -999,7 +1212,9 @@ interface(`init_ptrace',` +@@ -999,7 +1158,9 @@ interface(`init_ptrace',` type init_t; ') @@ -119771,7 +119940,7 @@ index d26fe81..c932f74 100644 ') ######################################## -@@ -1098,6 +1313,25 @@ interface(`init_getattr_all_script_files',` +@@ -1098,6 +1259,25 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -119797,7 +119966,7 @@ index d26fe81..c932f74 100644 ## Read all init script files. ## ## -@@ -1117,6 +1351,24 @@ interface(`init_read_all_script_files',` +@@ -1117,6 +1297,24 @@ interface(`init_read_all_script_files',` ####################################### ## 
@@ -119822,7 +119991,7 @@ index d26fe81..c932f74 100644 ## Dontaudit read all init script files. ## ## -@@ -1168,12 +1420,7 @@ interface(`init_read_script_state',` +@@ -1168,12 +1366,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -119836,7 +120005,7 @@ index d26fe81..c932f74 100644 ') ######################################## -@@ -1413,6 +1660,27 @@ interface(`init_dbus_send_script',` +@@ -1413,6 +1606,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -119864,7 +120033,7 @@ index d26fe81..c932f74 100644 ## init scripts over dbus. ## ## -@@ -1499,6 +1767,25 @@ interface(`init_getattr_script_status_files',` +@@ -1499,6 +1713,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -119890,7 +120059,7 @@ index d26fe81..c932f74 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1557,6 +1844,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1557,6 +1790,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -119915,7 +120084,7 @@ index d26fe81..c932f74 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1629,6 +1934,43 @@ interface(`init_read_utmp',` +@@ -1629,6 +1880,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -119959,7 +120128,7 @@ index d26fe81..c932f74 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1717,7 +2059,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1717,7 +2005,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') 
@@ -119968,10 +120137,11 @@ index d26fe81..c932f74 100644 ') ######################################## -@@ -1758,6 +2100,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1758,7 +2046,129 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') +-######################################## +###################################### +## +## Allow search directory in the /run/systemd directory. @@ -120094,10 +120264,11 @@ index d26fe81..c932f74 100644 + filetrans_pattern($1, init_var_run_t, $2, $3, $4) +') + - ######################################## ++######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1792,3 +2256,286 @@ interface(`init_udp_recvfrom_all_daemons',` + ## +@@ -1792,3 +2202,286 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -120385,25 +120556,18 @@ index d26fe81..c932f74 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 4a88fa1..b6196d7 100644 +index 4a88fa1..7d77221 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -16,6 +16,34 @@ gen_require(` - ## - gen_tunable(init_upstart, false) +@@ -11,10 +11,24 @@ gen_require(` -+## -+##

-+## Enable support for systemd as the init program. -+##

-+##
-+gen_tunable(init_systemd, false) -+ -+## -+##

+ ## + ##

+-## Enable support for upstart as the init program. +## Allow all daemons to use tcp wrappers. -+##

-+##
+ ##

+ ## +-gen_tunable(init_upstart, false) +gen_tunable(daemons_use_tcp_wrapper, false) + +## @@ -120419,11 +120583,10 @@ index 4a88fa1..b6196d7 100644 +##

+##
+gen_tunable(daemons_dump_core, false) -+ + # used for direct running of init scripts # by admin domains - attribute direct_run_init; -@@ -25,14 +53,21 @@ attribute direct_init_entry; +@@ -25,19 +39,28 @@ attribute direct_init_entry; attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; @@ -120434,6 +120597,7 @@ index 4a88fa1..b6196d7 100644 # Mark process types as daemons attribute daemon; +attribute systemprocess; ++attribute systemprocess_entry; + +# Mark process types as initrc domain +attribute initrc_domain; @@ -120446,7 +120610,13 @@ index 4a88fa1..b6196d7 100644 type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) -@@ -46,6 +81,15 @@ type init_var_run_t; + kernel_domtrans_to(init_t, init_exec_t) + role system_r types init_t; ++init_initrc_domain(init_t) + + # + # init_var_run_t is the type for /var/run/shutdown.pid. +@@ -46,6 +69,15 @@ type init_var_run_t; files_pid_file(init_var_run_t) # @@ -120462,7 +120632,16 @@ index 4a88fa1..b6196d7 100644 # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. -@@ -63,6 +107,8 @@ role system_r types initrc_t; +@@ -54,7 +86,7 @@ type initctl_t; + files_type(initctl_t) + mls_trusted_object(initctl_t) + +-type initrc_t, init_script_domain_type, init_run_all_scripts_domain; ++type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain; + type initrc_exec_t, init_script_file_type; + domain_type(initrc_t) + domain_entry_file(initrc_t, initrc_exec_t) +@@ -63,6 +95,8 @@ role system_r types initrc_t; # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) @@ -120471,7 +120650,7 @@ index 4a88fa1..b6196d7 100644 type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -95,7 +141,8 @@ ifdef(`enable_mls',` +@@ -95,7 +129,8 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: 
@@ -120481,7 +120660,7 @@ index 4a88fa1..b6196d7 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -107,12 +154,32 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -107,12 +142,32 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -120520,7 +120699,7 @@ index 4a88fa1..b6196d7 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -122,28 +189,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -122,28 +177,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -120560,7 +120739,7 @@ index 4a88fa1..b6196d7 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -152,6 +229,8 @@ fs_list_inotifyfs(init_t) +@@ -152,6 +217,8 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -120569,7 +120748,7 @@ index 4a88fa1..b6196d7 100644 mcs_process_set_categories(init_t) mcs_killall(init_t) -@@ -159,22 +238,40 @@ mls_file_read_all_levels(init_t) +@@ -159,22 +226,40 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -120601,18 +120780,18 @@ index 4a88fa1..b6196d7 100644 seutil_read_config(init_t) +seutil_read_module_store(init_t) - --miscfiles_read_localization(init_t) ++ +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) -+ + +-miscfiles_read_localization(init_t) +userdom_use_user_ttys(init_t) + +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -183,12 +280,19 @@ ifdef(`distro_gentoo',` +@@ -183,29 +268,174 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -120629,14 +120808,13 @@ index 4a88fa1..b6196d7 100644 ') -tunable_policy(`init_upstart',` -+tunable_policy(`init_upstart || init_systemd',` - corecmd_shell_domtrans(init_t, initrc_t) - ',` - # Run the shell in the sysadm role for single-user mode. -@@ -196,16 +300,166 @@ tunable_policy(`init_upstart',` - sysadm_shell_domtrans(init_t) - ') - +- corecmd_shell_domtrans(init_t, initrc_t) +-',` +- # Run the shell in the sysadm role for single-user mode. +- # causes problems with upstart +- sysadm_shell_domtrans(init_t) ++corecmd_shell_domtrans(init_t, initrc_t) ++ +storage_raw_rw_fixed_disk(init_t) + +optional_policy(` 
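Review bot: Dropping the tunable makes `corecmd_shell_domtrans(init_t, initrc_t)` unconditional and removes the `sysadm_shell_domtrans(init_t)` branch, so a single-user or rescue shell spawned by init now runs in initrc_t rather than the sysadm role, and the only comment explaining that choice (`# Run the shell in the sysadm role for single-user mode.`) is removed with it. Since initrc_t is a broad domain, the new behaviour should be stated next to the call, e.g. `# init always runs its shell (including single-user mode) as initrc_t; the sysadm path is gone with the upstart tunable`, so the change is not mistaken for an accidental drop of the single-user branch.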
@@ -120654,128 +120832,122 @@ index 4a88fa1..b6196d7 100644 + mta_read_aliases(init_t) +') + -+tunable_policy(`init_systemd',` -+ allow init_t self:system all_system_perms; -+ allow init_t self:unix_dgram_socket { create_socket_perms sendto }; -+ allow init_t self:process { setsockcreate setfscreate setrlimit }; -+ allow init_t self:process { getcap setcap }; -+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms; -+ allow init_t self:netlink_selinux_socket create_socket_perms; -+ # Until systemd is fixed -+ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; -+ allow init_t self:udp_socket create_socket_perms; -+ allow init_t self:netlink_route_socket create_netlink_socket_perms; -+ -+ allow init_t initrc_t:unix_dgram_socket create_socket_perms; -+ -+ kernel_list_unlabeled(init_t) -+ kernel_read_network_state(init_t) -+ kernel_rw_kernel_sysctl(init_t) -+ kernel_rw_net_sysctls(init_t) -+ kernel_read_all_sysctls(init_t) -+ kernel_read_software_raid_state(init_t) -+ kernel_unmount_debugfs(init_t) -+ kernel_setsched(init_t) -+ -+ dev_write_kmsg(init_t) -+ dev_write_urand(init_t) -+ dev_rw_lvm_control(init_t) -+ dev_rw_autofs(init_t) -+ dev_manage_generic_symlinks(init_t) -+ dev_manage_generic_dirs(init_t) -+ dev_manage_generic_files(init_t) -+ dev_read_generic_chr_files(init_t) -+ dev_relabel_generic_dev_dirs(init_t) -+ dev_relabel_all_dev_nodes(init_t) -+ dev_relabel_all_dev_files(init_t) -+ dev_manage_sysfs_dirs(init_t) -+ dev_relabel_sysfs_dirs(init_t) -+ -+ files_search_all(init_t) -+ files_mounton_all_mountpoints(init_t) -+ files_unmount_all_file_type_fs(init_t) -+ files_manage_all_pid_dirs(init_t) -+ files_manage_etc_dirs(init_t) -+ files_manage_generic_tmp_dirs(init_t) -+ files_relabel_all_pid_dirs(init_t) -+ files_relabel_all_pid_files(init_t) -+ files_create_all_pid_sockets(init_t) -+ files_delete_all_pids(init_t) -+ 
files_exec_generic_pid_files(init_t) -+ files_create_all_pid_pipes(init_t) -+ files_create_all_spool_sockets(init_t) -+ files_delete_all_spool_sockets(init_t) -+ files_manage_urandom_seed(init_t) -+ files_list_locks(init_t) -+ files_list_spool(init_t) -+ files_list_var(init_t) -+ files_list_boot(init_t) -+ files_list_home(init_t) -+ files_create_lock_dirs(init_t) -+ files_relabel_all_lock_dirs(init_t) -+ files_read_kernel_modules(init_t) -+ -+ fs_getattr_all_fs(init_t) -+ fs_manage_cgroup_dirs(init_t) -+ fs_manage_cgroup_files(init_t) -+ fs_manage_hugetlbfs_dirs(init_t) -+ fs_manage_tmpfs_dirs(init_t) -+ fs_relabel_tmpfs_dirs(init_t) -+ fs_relabel_tmpfs_files(init_t) -+ fs_relabel_tmpfs_fifo_files(init_t) -+ fs_mount_all_fs(init_t) -+ fs_unmount_all_fs(init_t) -+ fs_remount_all_fs(init_t) -+ fs_list_auto_mountpoints(init_t) -+ fs_register_binary_executable_type(init_t) -+ fs_relabel_tmpfs_sock_file(init_t) -+ fs_rw_tmpfs_files(init_t) -+ fs_relabel_cgroup_dirs(init_t) -+ fs_search_cgroup_dirs(init_t) -+ -+ -+ selinux_compute_access_vector(init_t) -+ selinux_compute_create_context(init_t) -+ selinux_validate_context(init_t) -+ selinux_unmount_fs(init_t) -+ -+ storage_getattr_removable_dev(init_t) -+ -+ term_relabel_ptys_dirs(init_t) -+ -+ auth_relabel_login_records(init_t) -+ auth_relabel_pam_console_data_dirs(init_t) -+ -+ clock_read_adjtime(init_t) -+ -+ init_read_script_state(init_t) -+ -+ modutils_read_module_config(init_t) -+ -+ seutil_read_file_contexts(init_t) -+ -+ systemd_exec_systemctl(init_t) -+ systemd_manage_unit_dirs(init_t) -+ systemd_manage_all_unit_files(init_t) -+ systemd_logger_stream_connect(init_t) -+ systemd_config_all_services(init_t) -+ systemd_relabelto_fifo_file_passwd_run(init_t) -+ systemd_relabel_unit_dirs(init_t) -+ systemd_relabel_unit_files(init_t) -+ systemd_config_all_services(initrc_t) -+ -+ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) -+ -+') ++allow init_t self:system all_system_perms; ++allow 
init_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow init_t self:process { setsockcreate setfscreate setrlimit }; ++allow init_t self:process { getcap setcap }; ++allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow init_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow init_t self:netlink_selinux_socket create_socket_perms; ++# Until systemd is fixed ++allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; ++allow init_t self:udp_socket create_socket_perms; ++allow init_t self:netlink_route_socket create_netlink_socket_perms; ++ ++allow init_t initrc_t:unix_dgram_socket create_socket_perms; ++ ++kernel_list_unlabeled(init_t) ++kernel_read_network_state(init_t) ++kernel_rw_kernel_sysctl(init_t) ++kernel_rw_net_sysctls(init_t) ++kernel_read_all_sysctls(init_t) ++kernel_read_software_raid_state(init_t) ++kernel_unmount_debugfs(init_t) ++kernel_setsched(init_t) ++ ++dev_write_kmsg(init_t) ++dev_write_urand(init_t) ++dev_rw_lvm_control(init_t) ++dev_rw_autofs(init_t) ++dev_manage_generic_symlinks(init_t) ++dev_manage_generic_dirs(init_t) ++dev_manage_generic_files(init_t) ++dev_read_generic_chr_files(init_t) ++dev_relabel_generic_dev_dirs(init_t) ++dev_relabel_all_dev_nodes(init_t) ++dev_relabel_all_dev_files(init_t) ++dev_manage_sysfs_dirs(init_t) ++dev_relabel_sysfs_dirs(init_t) ++ ++files_search_all(init_t) ++files_mounton_all_mountpoints(init_t) ++files_unmount_all_file_type_fs(init_t) ++files_manage_all_pid_dirs(init_t) ++files_manage_etc_dirs(init_t) ++files_manage_generic_tmp_dirs(init_t) ++files_relabel_all_pid_dirs(init_t) ++files_relabel_all_pid_files(init_t) ++files_create_all_pid_sockets(init_t) ++files_delete_all_pids(init_t) ++files_exec_generic_pid_files(init_t) ++files_create_all_pid_pipes(init_t) ++files_create_all_spool_sockets(init_t) ++files_delete_all_spool_sockets(init_t) ++files_manage_urandom_seed(init_t) ++files_list_locks(init_t) 
++files_list_spool(init_t) ++files_list_var(init_t) ++files_list_boot(init_t) ++files_list_home(init_t) ++files_create_lock_dirs(init_t) ++files_relabel_all_lock_dirs(init_t) ++files_read_kernel_modules(init_t) ++fs_getattr_all_fs(init_t) ++fs_manage_cgroup_dirs(init_t) ++fs_manage_cgroup_files(init_t) ++fs_manage_hugetlbfs_dirs(init_t) ++fs_manage_tmpfs_dirs(init_t) ++fs_relabel_tmpfs_dirs(init_t) ++fs_relabel_tmpfs_files(init_t) ++fs_relabel_tmpfs_fifo_files(init_t) ++fs_mount_all_fs(init_t) ++fs_unmount_all_fs(init_t) ++fs_remount_all_fs(init_t) ++fs_list_auto_mountpoints(init_t) ++fs_register_binary_executable_type(init_t) ++fs_relabel_tmpfs_sock_file(init_t) ++fs_rw_tmpfs_files(init_t) ++fs_relabel_cgroup_dirs(init_t) ++fs_search_cgroup_dirs(init_t) ++selinux_compute_access_vector(init_t) ++selinux_compute_create_context(init_t) ++selinux_validate_context(init_t) ++selinux_unmount_fs(init_t) ++ ++storage_getattr_removable_dev(init_t) ++ ++term_relabel_ptys_dirs(init_t) ++ ++auth_relabel_login_records(init_t) ++auth_relabel_pam_console_data_dirs(init_t) ++ ++clock_read_adjtime(init_t) ++ ++init_read_script_state(init_t) ++ ++modutils_read_module_config(init_t) ++ ++seutil_read_file_contexts(init_t) ++ ++systemd_exec_systemctl(init_t) ++systemd_manage_unit_dirs(init_t) ++systemd_manage_all_unit_files(init_t) ++systemd_logger_stream_connect(init_t) ++systemd_config_all_services(init_t) ++systemd_relabelto_fifo_file_passwd_run(init_t) ++systemd_relabel_unit_dirs(init_t) ++systemd_relabel_unit_files(init_t) ++systemd_config_all_services(initrc_t) ++ ++create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + +auth_use_nsswitch(init_t) +auth_rw_login_records(init_t) + +optional_policy(` + lvm_rw_pipes(init_t) -+') -+ + ') + optional_policy(` - auth_rw_login_records(init_t) + consolekit_manage_log(init_t) 
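Review bot: The rule `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };`, still marked `# Until systemd is fixed`, moves from inside the `init_systemd` tunable to the unconditional body, so every domain carrying the `daemon` attribute can now write to and set options on any socket held by init_t with no boolean to disable it. A workaround this broad should at least name what it works around and how it is meant to be retired, e.g. `# WORKAROUND: daemons inherit init_t sockets (socket activation); drop once systemd relabels them - see <bug ref>`, and ideally be narrowed to the socket classes actually observed rather than `socket_class_set`. The same applies to the other formerly gated grants in this hunk (`files_manage_etc_dirs`, `fs_mount_all_fs`, `dev_relabel_all_dev_nodes`): they are now part of init_t's baseline on every init, which is presumably intended by the boolean removal in the changelog, but the hunk carries no comment recording that. The init_t rule run starts before and ends after this hunk.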
@@ -120785,24 +120957,24 @@ index 4a88fa1..b6196d7 100644 + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) - ') - - optional_policy(` -- nscd_socket_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_socket_use(init_t) + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) ') optional_policy(` -@@ -213,6 +467,22 @@ optional_policy(` +@@ -213,6 +443,22 @@ optional_policy(` ') optional_policy(` @@ -120825,7 +120997,7 @@ index 4a88fa1..b6196d7 100644 unconfined_domain(init_t) ') -@@ -222,8 +492,9 @@ optional_policy(` +@@ -222,8 +468,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -120837,7 +121009,7 @@ index 4a88fa1..b6196d7 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -251,12 +522,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -251,12 +498,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -120853,7 +121025,7 @@ index 4a88fa1..b6196d7 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -272,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -272,23 +522,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -120896,7 +121068,7 @@ index 4a88fa1..b6196d7 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -296,6 +583,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -296,6 +559,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -120904,7 +121076,7 @@ index 4a88fa1..b6196d7 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -306,8 +594,10 @@ dev_write_framebuffer(initrc_t) +@@ -306,8 +570,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -120915,7 +121087,7 @@ index 4a88fa1..b6196d7 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -315,17 +605,16 @@ dev_manage_generic_files(initrc_t) +@@ -315,17 +581,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -120935,7 +121107,7 @@ index 4a88fa1..b6196d7 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -333,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -333,6 +598,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -120943,7 +121115,7 @@ index 4a88fa1..b6196d7 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -340,8 +630,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -340,8 +606,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -120955,7 +121127,7 @@ index 4a88fa1..b6196d7 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -357,8 +649,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -357,8 +625,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -120969,7 +121141,7 @@ index 4a88fa1..b6196d7 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -368,9 +664,12 @@ fs_mount_all_fs(initrc_t) +@@ -368,9 +640,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -120983,7 +121155,7 @@ index 4a88fa1..b6196d7 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -380,6 +679,7 @@ mls_process_read_up(initrc_t) +@@ -380,6 +655,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -120991,7 +121163,7 @@ index 4a88fa1..b6196d7 100644 selinux_get_enforce_mode(initrc_t) -@@ -391,6 +691,7 @@ term_use_all_terms(initrc_t) +@@ -391,6 +667,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -120999,7 +121171,7 @@ index 4a88fa1..b6196d7 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -409,20 +710,18 @@ logging_read_all_logs(initrc_t) +@@ -409,20 +686,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -121023,7 +121195,7 @@ index 4a88fa1..b6196d7 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -476,6 +775,10 @@ ifdef(`distro_gentoo',` +@@ -476,6 +751,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -121034,7 +121206,7 @@ index 4a88fa1..b6196d7 100644 alsa_read_lib(initrc_t) ') -@@ -496,7 +799,7 @@ ifdef(`distro_redhat',` +@@ -496,7 +775,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -121043,7 +121215,7 @@ index 4a88fa1..b6196d7 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -511,6 +814,7 @@ ifdef(`distro_redhat',` +@@ -511,6 +790,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -121051,7 +121223,7 @@ index 4a88fa1..b6196d7 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -531,6 +835,7 @@ ifdef(`distro_redhat',` +@@ -531,6 +811,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -121059,7 +121231,7 @@ index 4a88fa1..b6196d7 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -540,8 +845,39 @@ ifdef(`distro_redhat',` +@@ -540,8 +821,39 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -121099,7 +121271,7 @@ index 4a88fa1..b6196d7 100644 ') optional_policy(` -@@ -549,14 +885,31 @@ ifdef(`distro_redhat',` +@@ -549,14 +861,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -121131,7 +121303,7 @@ index 4a88fa1..b6196d7 100644 ') ') -@@ -567,6 +920,39 @@ ifdef(`distro_suse',` +@@ -567,6 +896,39 @@ ifdef(`distro_suse',` ') ') @@ -121171,7 +121343,7 @@ index 4a88fa1..b6196d7 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -579,6 +965,8 @@ optional_policy(` +@@ -579,6 +941,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -121180,7 +121352,7 @@ index 4a88fa1..b6196d7 100644 ') optional_policy(` -@@ -600,6 +988,7 @@ optional_policy(` +@@ -600,6 +964,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -121188,7 +121360,7 @@ index 4a88fa1..b6196d7 100644 ') optional_policy(` -@@ -612,6 +1001,17 @@ optional_policy(` +@@ -612,6 +977,17 @@ optional_policy(` ') optional_policy(` @@ -121206,7 +121378,7 @@ index 4a88fa1..b6196d7 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -628,9 +1028,13 @@ optional_policy(` +@@ -628,9 +1004,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -121220,7 +121392,7 @@ index 4a88fa1..b6196d7 100644 ') optional_policy(` -@@ -655,6 +1059,10 @@ optional_policy(` +@@ -655,6 +1035,10 @@ optional_policy(` ') optional_policy(` @@ -121231,7 +121403,7 @@ index 4a88fa1..b6196d7 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -672,6 +1080,15 @@ optional_policy(` +@@ -672,6 +1056,15 @@ optional_policy(` ') optional_policy(` @@ -121247,7 +121419,7 @@ index 4a88fa1..b6196d7 100644 inn_exec_config(initrc_t) ') -@@ -712,6 +1129,7 @@ optional_policy(` +@@ -712,6 +1105,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -121255,7 +121427,7 @@ index 4a88fa1..b6196d7 100644 ') optional_policy(` -@@ -729,7 +1147,14 @@ optional_policy(` +@@ -729,7 +1123,14 @@ optional_policy(` ') optional_policy(` @@ -121270,7 +121442,7 @@ index 4a88fa1..b6196d7 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -752,6 +1177,10 @@ optional_policy(` +@@ -752,6 +1153,10 @@ optional_policy(` ') optional_policy(` @@ -121281,7 +121453,7 @@ index 4a88fa1..b6196d7 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -761,10 +1190,20 @@ optional_policy(` +@@ -761,10 +1166,20 @@ optional_policy(` ') optional_policy(` 
@@ -121302,7 +121474,7 @@ index 4a88fa1..b6196d7 100644 quota_manage_flags(initrc_t) ') -@@ -773,6 +1212,10 @@ optional_policy(` +@@ -773,6 +1188,10 @@ optional_policy(` ') optional_policy(` @@ -121313,7 +121485,7 @@ index 4a88fa1..b6196d7 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -794,8 +1237,6 @@ optional_policy(` +@@ -794,8 +1213,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -121322,7 +121494,7 @@ index 4a88fa1..b6196d7 100644 ') optional_policy(` -@@ -804,6 +1245,10 @@ optional_policy(` +@@ -804,6 +1221,10 @@ optional_policy(` ') optional_policy(` @@ -121333,7 +121505,7 @@ index 4a88fa1..b6196d7 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -813,10 +1258,12 @@ optional_policy(` +@@ -813,10 +1234,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -121346,7 +121518,7 @@ index 4a88fa1..b6196d7 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -828,8 +1275,6 @@ optional_policy(` +@@ -828,8 +1251,6 @@ optional_policy(` ') optional_policy(` @@ -121355,7 +121527,7 @@ index 4a88fa1..b6196d7 100644 udev_manage_pid_files(initrc_t) udev_manage_pid_dirs(initrc_t) udev_manage_rules_files(initrc_t) -@@ -840,12 +1285,30 @@ optional_policy(` +@@ -840,12 +1261,30 @@ optional_policy(` ') optional_policy(` @@ -121388,7 +121560,7 @@ index 4a88fa1..b6196d7 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -855,6 +1318,18 @@ optional_policy(` +@@ -855,6 +1294,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -121407,7 +121579,7 @@ index 4a88fa1..b6196d7 100644 ') optional_policy(` -@@ -870,6 +1345,10 @@ optional_policy(` +@@ -870,6 +1321,10 @@ optional_policy(` ') optional_policy(` 
@@ -121418,7 +121590,7 @@ index 4a88fa1..b6196d7 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -880,3 +1359,173 @@ optional_policy(` +@@ -880,3 +1335,177 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -121469,16 +121641,14 @@ index 4a88fa1..b6196d7 100644 +allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; +allow daemon initrc_transition_domain:fd use; + -+tunable_policy(`init_systemd',` -+ allow init_t daemon:unix_stream_socket create_stream_socket_perms; -+ allow init_t daemon:unix_dgram_socket create_socket_perms; -+ allow init_t daemon:tcp_socket create_stream_socket_perms; -+ allow init_t daemon:udp_socket create_socket_perms; -+ allow daemon init_t:unix_dgram_socket sendto; -+ # need write to /var/run/systemd/notify -+ init_write_pid_socket(daemon) -+ allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; -+') ++allow init_t daemon:unix_stream_socket create_stream_socket_perms; ++allow init_t daemon:unix_dgram_socket create_socket_perms; ++allow init_t daemon:tcp_socket create_stream_socket_perms; ++allow init_t daemon:udp_socket create_socket_perms; ++allow daemon init_t:unix_dgram_socket sendto; ++# need write to /var/run/systemd/notify ++init_write_pid_socket(daemon) ++allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; + +# daemons started from init will +# inherit fds from init for the console 
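Review bot: With the `init_systemd` tunable removed, `allow init_t daemon:tcp_socket create_stream_socket_perms;` and `allow init_t daemon:udp_socket create_socket_perms;` now let init_t create, bind and listen on sockets labelled with every daemon's type unconditionally, and `allow daemon init_t:unix_stream_socket { append write read getattr ioctl };` gives every daemon read/write on init_t's stream sockets on every init system. These are the socket-activation grants and are reasonable for pid 1, but nothing in the hunk says so once the boolean is gone; a one-line comment such as `# socket activation: init creates listening sockets in the daemon's own type and hands them over` above the tcp/udp rules would record the intent. The existing `# need write to /var/run/systemd/notify` comment only covers `init_write_pid_socket(daemon)`, not the stream-socket write. The daemon rule block continues outside this hunk.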
@@ -121516,32 +121686,19 @@ index 4a88fa1..b6196d7 100644 + +dontaudit systemprocess init_t:unix_stream_socket getattr; + ++allow init_t daemon:unix_stream_socket create_stream_socket_perms; ++allow init_t daemon:unix_dgram_socket create_socket_perms; ++allow daemon init_t:unix_stream_socket ioctl; ++allow daemon init_t:unix_dgram_socket sendto; ++# need write to /var/run/systemd/notify ++init_write_pid_socket(daemon) + -+tunable_policy(`init_systemd',` -+ allow init_t daemon:unix_stream_socket create_stream_socket_perms; -+ allow init_t daemon:unix_dgram_socket create_socket_perms; -+ allow daemon init_t:unix_stream_socket ioctl; -+ allow daemon init_t:unix_dgram_socket sendto; -+ # need write to /var/run/systemd/notify -+ init_write_pid_socket(daemon) -+') -+ -+tunable_policy(`init_systemd',` -+ # Handle upstart/systemd direct transition to a executable -+ allow init_t systemprocess:process { dyntransition siginh }; -+ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; -+ allow init_t systemprocess:unix_dgram_socket create_socket_perms; -+ allow systemprocess init_t:unix_dgram_socket sendto; -+ allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; -+') -+ -+ifdef(`hide_broken_symptoms',` -+ # RHEL4 systems seem to have a stray -+ # fds open from the initrd -+ ifdef(`distro_rhel4',` -+ kernel_dontaudit_use_fds(systemprocess) -+ ') -+') ++# Handle upstart/systemd direct transition to a executable ++allow init_t systemprocess:process { dyntransition siginh }; ++allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; ++allow init_t systemprocess:unix_dgram_socket create_socket_perms; ++allow systemprocess init_t:unix_dgram_socket sendto; ++allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; + +userdom_dontaudit_search_user_home_dirs(systemprocess) +userdom_dontaudit_rw_stream(systemprocess) 
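Review bot: `allow init_t systemprocess:process { dyntransition siginh };` becomes unconditional here; dyntransition lets init setcon() into any systemprocess domain without an exec and therefore without an entrypoint check, which was previously only reachable when `init_systemd` was enabled. The rule deserves a comment stating that it is required for systemd's direct exec-less transitions and that the target set is bounded by the `systemprocess` attribute, since the removed `# Handle upstart/systemd direct transition` line is the only explanation left and it does not mention the entrypoint bypass. Separately, `allow init_t daemon:unix_stream_socket create_stream_socket_perms;`, `allow init_t daemon:unix_dgram_socket create_socket_perms;`, `allow daemon init_t:unix_dgram_socket sendto;` and `init_write_pid_socket(daemon)` appear to repeat rules added to init.te earlier in this same patch; duplicates are harmless to the compiler but one copy should go, with the surviving one commented. The hunk also drops the `hide_broken_symptoms`/`distro_rhel4` dontaudit block, which is fine but unmentioned in the changelog.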
@@ -121592,6 +121749,25 @@ index 4a88fa1..b6196d7 100644 +#ifdef(`enable_mls',` +# mls_rangetrans_target(systemprocess) +#') ++ ++allow initrc_domain daemon:process transition; ++allow daemon initrc_domain:fd use; ++allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms; ++allow daemon initrc_domain:process sigchld; ++allow initrc_domain direct_init_entry:file { getattr open read execute }; ++ ++allow systemprocess initrc_domain:fd use; ++allow systemprocess initrc_domain:fifo_file rw_inherited_fifo_file_perms; ++allow systemprocess initrc_domain:process sigchld; ++allow initrc_domain systemprocess_entry:file { getattr open read execute }; ++allow initrc_domain systemprocess:process transition; ++ ++ifdef(`direct_sysadm_daemon',` ++ allow daemon direct_run_init:fd use; ++ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms; ++ allow daemon direct_run_init:process sigchld; ++ allow direct_run_init direct_init_entry:file { getattr open read execute }; ++') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index ec85acb..662e79b 100644 --- a/policy/modules/system/ipsec.fc @@ -122521,9 +122697,26 @@ index 808ba93..f94b80a 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index ad01883..8cc29a5 100644 +index ad01883..a003fa8 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te +@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) + # lib_t is the type of files in the system lib directories. + # + type lib_t alias shlib_t; +-files_type(lib_t) ++files_ro_base_file(lib_t) + + # + # textrel_shlib_t is the type of shared objects in the system lib + # directories, which require text relocation. + # + type textrel_shlib_t alias texrel_shlib_t; +-files_type(textrel_shlib_t) ++files_ro_base_file(textrel_shlib_t) + + ifdef(`distro_gentoo',` + # openrc unfortunately mounts a tmpfs 
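Review bot: The `ifdef(`direct_sysadm_daemon',` block grants `direct_run_init` fd use, fifo rw, sigchld and exec of `direct_init_entry` files, but unlike the `initrc_domain` block directly above it there is no `allow direct_run_init daemon:process transition;`, so unless that permission is granted elsewhere (for example inside the interface that replaced the per-domain domtrans) the direct-run path has the entry execute rule without the transition it needs. If it is granted elsewhere, a comment saying where would stop the asymmetry looking like a bug; otherwise add the missing line next to the exec rule. The new `allow initrc_domain daemon:process transition;` and `allow initrc_domain systemprocess:process transition;` also widen the source from initrc_t to every `initrc_domain` member, which matches the changelog's move to attributes but should be called out above the block, e.g. `# any initrc_domain may start any daemon/systemprocess; entry files are restricted by direct_init_entry/systemprocess_entry`.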
@@ -59,9 +59,11 @@ optional_policy(` allow ldconfig_t self:capability { dac_override sys_chroot }; @@ -124661,10 +124854,10 @@ index 72c746e..f035d9f 100644 +/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..5b041ee 100644 +index 4584457..0b81a4b 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if -@@ -16,6 +16,12 @@ interface(`mount_domtrans',` +@@ -16,6 +16,13 @@ interface(`mount_domtrans',` ') domtrans_pattern($1, mount_exec_t, mount_t) @@ -124673,11 +124866,12 @@ index 4584457..5b041ee 100644 + allow $1 mount_t:fd use; + ps_process_pattern(mount_t, $1) + ++ allow mount_t $1:key write; + allow mount_t $1:unix_stream_socket { read write }; ') ######################################## -@@ -38,11 +44,84 @@ interface(`mount_domtrans',` +@@ -38,11 +45,84 @@ interface(`mount_domtrans',` # interface(`mount_run',` gen_require(` @@ -124764,7 +124958,7 @@ index 4584457..5b041ee 100644 ') ######################################## -@@ -91,7 +170,7 @@ interface(`mount_signal',` +@@ -91,7 +171,7 @@ interface(`mount_signal',` ##
## ## @@ -124773,7 +124967,7 @@ index 4584457..5b041ee 100644 ## ## # -@@ -131,45 +210,138 @@ interface(`mount_send_nfs_client_request',` +@@ -131,45 +211,138 @@ interface(`mount_send_nfs_client_request',` ######################################## ## @@ -128399,10 +128593,10 @@ index 0000000..693ded2 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..b7022eb +index 0000000..05da975 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,445 @@ +@@ -0,0 +1,444 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -128416,11 +128610,11 @@ index 0000000..b7022eb + +type systemd_logger_t; +type systemd_logger_exec_t; -+init_systemd_domain(systemd_logger_t, systemd_logger_exec_t) ++init_daemon_domain(systemd_logger_t, systemd_logger_exec_t) + +type systemd_logind_t; +type systemd_logind_exec_t; -+init_systemd_domain(systemd_logind_t, systemd_logind_exec_t) ++init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) + +# /run/systemd/sessions +type systemd_logind_sessions_t; @@ -128446,11 +128640,11 @@ index 0000000..b7022eb +# domain for systemd-tmpfiles component +type systemd_tmpfiles_t; +type systemd_tmpfiles_exec_t; -+init_systemd_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t) ++init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t) + +type systemd_notify_t; +type systemd_notify_exec_t; -+init_systemd_domain(systemd_notify_t, systemd_notify_exec_t) ++init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) + +# type for systemd unit files +type systemd_unit_file_t; @@ -128847,7 +129041,6 @@ index 0000000..b7022eb +init_read_state(systemctl_domain) +init_list_pid_dirs(systemctl_domain) +init_use_fds(systemctl_domain) -+ diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 2575393..49fd32e 100644 --- a/policy/modules/system/udev.fc 
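Review bot: The new `allow mount_t $1:key write;` in `mount_domtrans` lets mount_t write into the keyring of every domain that transitions to it, which means mount_t can add or replace keys the caller later trusts; the fc context in this hunk (`mount_ecryptfs_exec_t` for `umount.ecryptfs*`) suggests this is for the ecryptfs helper pushing the file-encryption key into the caller's session keyring, but nothing in the interface says so. If only the ecryptfs path needs it, move the rule into that interface; otherwise keep it here with `# ecryptfs mount helper stores the FEK in the caller's session keyring` so the grant is not silently generalised. In the systemd.te hunk on this same line, switching systemd_logger/logind/tmpfiles/notify from `init_systemd_domain` to `init_daemon_domain` puts those helpers under the `daemon` attribute and therefore under every `allow daemon init_t:...` rule added elsewhere in this patch; that seems intended by the boolean removal, but the new `policy_module` header should note that these are daemon-attribute domains now. Both `mount_domtrans` and the systemd.te type declarations continue outside their hunks.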
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index a687e60..170c14a 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -42140,10 +42140,10 @@ index 0000000..9dcdaa8 +') diff --git a/phpfpm.te b/phpfpm.te new file mode 100644 -index 0000000..a27f1e3 +index 0000000..4e2336b --- /dev/null +++ b/phpfpm.te -@@ -0,0 +1,52 @@ +@@ -0,0 +1,60 @@ +policy_module(phpfpm, 1.0.0) + +######################################## @@ -42193,9 +42193,17 @@ index 0000000..a27f1e3 + +auth_use_nsswitch(phpfpm_t) + ++dev_read_rand(phpfpm_t) ++dev_read_urand(phpfpm_t) ++ +logging_send_syslog_msg(phpfpm_t) + +sysnet_dns_name_resolve(phpfpm_t) ++ ++optional_policy(` ++ mysql_stream_connect(phpfpm_t) ++ mysql_tcp_connect(phpfpm_t) ++') diff --git a/pingd.if b/pingd.if index 8688aae..cf34fc1 100644 --- a/pingd.if diff --git a/selinux-policy.spec b/selinux-policy.spec index f8ca994..4768ecb 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 26%{?dist} +Release: 27%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -521,6 +521,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Sep 27 2012 Miroslav Grepl 3.11.1-27 +- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes +- Add attribute to all base os types. Allow all domains to read all ro base OS types + * Wed Sep 26 2012 Miroslav Grepl 3.11.1-26 - Additional unit files to be defined as power unit files - Fix more boolean names
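Review bot: `mysql_tcp_connect(phpfpm_t)` is added unconditionally inside the optional block, so a php-fpm worker can open TCP connections to MySQL ports on any host whenever the mysql module is present; comparable web-facing domains in this policy usually gate network database access behind a tunable so administrators can keep a compromised worker off the network, and the same treatment seems warranted here unless php-fpm is meant to be an exception. If a suitable boolean exists for this module, wrap the call as `tunable_policy(`<db_network_boolean>',` / `mysql_tcp_connect(phpfpm_t)` / `')` and leave `mysql_stream_connect(phpfpm_t)` unconditional for the local socket case. The added `dev_read_rand`/`dev_read_urand` grants are unremarkable. The spec changelog hunk on this line is a version bump and needs no review.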