diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 2dee3f2..7f547f8 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -58436,6 +58436,20 @@ index f477c7f..d80599b 100644 + (( h1 dom h2 ) or ( t1 == mcsnetwrite )); + ') dnl end enable_mcs +diff --git a/policy/mls b/policy/mls +index d218387..c406594 100644 +--- a/policy/mls ++++ b/policy/mls +@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s + (( l1 eq l2 ) or + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or +- ( t1 == mlsnetwrite )); ++ ( t1 == mlsnetwrite ) or ++ ( t2 == mlstrustedobject )); + + # used by netlabel to restrict normal domains to same level connections + mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index 7a6f06f..48fc840 100644 --- a/policy/modules/admin/bootloader.fc @@ -58906,10 +58920,18 @@ index c6ca761..46e0767 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index e0791b9..9f49d01 100644 +index e0791b9..98d188e 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te -@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) +@@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms; + allow netutils_t self:udp_socket create_socket_perms; + allow netutils_t self:tcp_socket create_stream_socket_perms; + allow netutils_t self:socket create_socket_perms; ++allow netutils_t self:netlink_socket create_socket_perms; + + manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) + manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) +@@ -48,6 +49,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) kernel_read_all_sysctls(netutils_t) 
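Review bot: The new `( t2 == mlstrustedobject )` disjunct in the policy/mls mlsconstrain exempts every socket class listed in that constraint from the level check whenever the peer object carries the mlstrustedobject attribute, and nothing in the hunk records why. As far as I recall refpolicy uses mlstrustedobject for file-like objects (ttys, shared tmp), so widening it to network sockets deserves an inline comment, e.g. `# mlstrustedobject sockets accept writes from any level; currently only sshd_t (see ssh.te)`. The exemption only becomes live through the ssh.te hunk at @@ -72872 that adds `mls_trusted_object(sshd_t)`, so the two changes should be described together.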
@@ -58918,7 +58940,7 @@ index e0791b9..9f49d01 100644 corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_netlabel(netutils_t) -@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t) +@@ -64,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) dev_read_sysfs(netutils_t) @@ -58928,7 +58950,7 @@ index e0791b9..9f49d01 100644 fs_getattr_xattr_fs(netutils_t) -@@ -83,7 +88,7 @@ logging_send_syslog_msg(netutils_t) +@@ -83,7 +89,7 @@ logging_send_syslog_msg(netutils_t) miscfiles_read_localization(netutils_t) term_dontaudit_use_console(netutils_t) @@ -58937,7 +58959,7 @@ index e0791b9..9f49d01 100644 userdom_use_all_users_fds(netutils_t) optional_policy(` -@@ -104,6 +109,8 @@ optional_policy(` +@@ -104,6 +110,8 @@ optional_policy(` # allow ping_t self:capability { setuid net_raw }; @@ -58946,7 +58968,7 @@ index e0791b9..9f49d01 100644 dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; -@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t) +@@ -134,8 +142,6 @@ logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) @@ -58955,7 +58977,7 @@ index e0791b9..9f49d01 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',` +@@ -145,11 +151,25 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -58981,7 +59003,7 @@ index e0791b9..9f49d01 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -157,6 +176,10 @@ optional_policy(` +@@ -157,6 +177,10 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -58992,7 +59014,7 @@ index e0791b9..9f49d01 100644 ######################################## # # Traceroute local policy -@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -194,6 +218,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) 
@@ -59000,7 +59022,7 @@ index e0791b9..9f49d01 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t) +@@ -204,9 +229,16 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) @@ -59359,6 +59381,18 @@ index 1bd7d84..4f57935 100644 +optional_policy(` + fprintd_dbus_chat(sudodomain) +') +diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc +index f82f0ce..204bdc8 100644 +--- a/policy/modules/admin/usermanage.fc ++++ b/policy/modules/admin/usermanage.fc +@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',` + /usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0) + /usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/usr/sbin/newusers -- gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 98b8b2d..da75471 100644 --- a/policy/modules/admin/usermanage.if @@ -60162,7 +60196,7 @@ index 7590165..59539e8 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index db981df..b77f19f 100644 +index db981df..b0ff71c 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -60240,7 +60274,7 @@ index db981df..b77f19f 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -174,53 +183,76 @@ ifdef(`distro_gentoo',` +@@ -174,53 +183,77 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -60261,7 +60295,8 @@ index db981df..b77f19f 100644 -/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/pingus -- gen_context(system_u:object_r:bin_t,s0) +/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -60334,7 +60369,7 @@ index db981df..b77f19f 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -235,10 +267,15 @@ ifdef(`distro_gentoo',` +@@ -235,10 +268,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -60350,7 +60385,7 @@ index db981df..b77f19f 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -251,11 +288,18 @@ ifdef(`distro_gentoo',` +@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -60370,7 +60405,7 @@ index db981df..b77f19f 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',` +@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -60381,7 +60416,7 @@ index db981df..b77f19f 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',` +@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -60402,7 +60437,7 @@ index db981df..b77f19f 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,8 +366,12 @@ ifdef(`distro_redhat', ` +@@ -314,8 +367,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) 
@@ -60415,7 +60450,7 @@ index db981df..b77f19f 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,9 +381,11 @@ ifdef(`distro_redhat', ` +@@ -325,9 +382,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -60427,7 +60462,7 @@ index db981df..b77f19f 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -376,11 +434,14 @@ ifdef(`distro_suse', ` +@@ -376,11 +435,14 @@ ifdef(`distro_suse', ` # # /var # @@ -60443,7 +60478,7 @@ index db981df..b77f19f 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -390,3 +451,12 @@ ifdef(`distro_suse', ` +@@ -390,3 +452,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -72824,10 +72859,10 @@ index fe0c682..93ec53f 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index b17e27a..d193a52 100644 +index b17e27a..9dbbafe 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,26 +6,37 @@ policy_module(ssh, 2.3.0) +@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0) # ## 
@@ -72872,13 +72907,14 @@ index b17e27a..d193a52 100644 type sshd_exec_t; corecmd_executable_file(sshd_exec_t) -@@ -33,17 +44,12 @@ corecmd_executable_file(sshd_exec_t) + ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) - ++mls_trusted_object(sshd_t) ++ +type sshd_initrc_exec_t; +init_script_file(sshd_initrc_exec_t) -+ + type sshd_key_t; files_type(sshd_key_t) @@ -72893,7 +72929,7 @@ index b17e27a..d193a52 100644 type ssh_t; type ssh_exec_t; typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; -@@ -73,6 +79,11 @@ type ssh_home_t; +@@ -73,6 +80,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) @@ -72905,7 +72941,7 @@ index b17e27a..d193a52 100644 ############################## # -@@ -83,6 +94,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -72913,7 +72949,7 @@ index b17e27a..d193a52 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -90,15 +102,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; 
@@ -72930,7 +72966,7 @@ index b17e27a..d193a52 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -108,20 +116,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -108,20 +117,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -72960,7 +72996,7 @@ index b17e27a..d193a52 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -133,7 +147,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t) +@@ -133,7 +148,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -72972,7 +73008,7 @@ index b17e27a..d193a52 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -157,37 +175,36 @@ logging_read_generic_logs(ssh_t) +@@ -157,37 +176,36 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -73027,7 +73063,7 @@ index b17e27a..d193a52 100644 ') optional_policy(` -@@ -195,28 +212,24 @@ optional_policy(` +@@ -195,28 +213,24 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -73060,7 +73096,7 @@ index b17e27a..d193a52 100644 ################################# # # sshd local policy -@@ -227,33 +240,46 @@ optional_policy(` +@@ -227,33 +241,46 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -73116,7 +73152,7 @@ index b17e27a..d193a52 100644 ') optional_policy(` -@@ -261,11 +287,24 @@ optional_policy(` +@@ -261,11 +288,24 @@ optional_policy(` ') optional_policy(` 
@@ -73142,7 +73178,7 @@ index b17e27a..d193a52 100644 ') optional_policy(` -@@ -283,6 +322,15 @@ optional_policy(` +@@ -283,6 +323,15 @@ optional_policy(` ') optional_policy(` @@ -73158,7 +73194,7 @@ index b17e27a..d193a52 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -290,6 +338,29 @@ optional_policy(` +@@ -290,6 +339,29 @@ optional_policy(` xserver_domtrans_xauth(sshd_t) ') @@ -73188,7 +73224,7 @@ index b17e27a..d193a52 100644 ######################################## # # ssh_keygen local policy -@@ -298,19 +369,26 @@ optional_policy(` +@@ -298,19 +370,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -73216,7 +73252,7 @@ index b17e27a..d193a52 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -327,9 +405,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -327,9 +406,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -73230,7 +73266,7 @@ index b17e27a..d193a52 100644 ') optional_policy(` -@@ -339,3 +419,83 @@ optional_policy(` +@@ -339,3 +420,83 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -73315,7 +73351,7 @@ index b17e27a..d193a52 100644 + ssh_rw_dgram_sockets(chroot_user_t) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..f393f76 100644 +index fc86b7c..3347d48 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ 
@@ -73421,11 +73457,12 @@ index fc86b7c..f393f76 100644 -/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +-/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) ++/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) ++/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) @@ -77506,7 +77543,7 @@ index d2e40b8..3ba2e4c 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index d26fe81..3ff8fef 100644 +index d26fe81..3f3a57f 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` @@ -77748,7 +77785,7 @@ index d26fe81..3ff8fef 100644 # interface(`init_exec',` gen_require(` -@@ -451,6 +522,29 @@ interface(`init_exec',` +@@ -451,6 +522,48 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) 
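Review bot: `/var/log/lightdm(/.*)?` keeps xserver_log_t while every other display-manager log in this hunk ([mkwx]dm, lxdm, [mg]dm, slim) moves to xdm_log_t, which looks like an oversight; if lightdm is meant to be treated like the other display managers the line should read `/var/log/lightdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)`. The xdm_log_t type is not declared in this file, so presumably it is declared in xserver.te elsewhere in the patch; worth confirming, since a file context referencing an undeclared type fails at policy build.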
@@ -77760,6 +77797,25 @@ index d26fe81..3ff8fef 100644 + +####################################### +## ++## Check access to the init/systemd executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_access_check',` ++ gen_require(` ++ type init_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 init_exec_t:file { getattr_file_perms execute }; ++') ++ ++####################################### ++## +## Dontaudit getattr on the init program. +## +## @@ -77778,7 +77834,7 @@ index d26fe81..3ff8fef 100644 ') ######################################## -@@ -539,6 +633,24 @@ interface(`init_sigchld',` +@@ -539,6 +652,24 @@ interface(`init_sigchld',` ######################################## ## @@ -77803,7 +77859,7 @@ index d26fe81..3ff8fef 100644 ## Connect to init with a unix socket. ## ## -@@ -549,10 +661,66 @@ interface(`init_sigchld',` +@@ -549,10 +680,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -77872,7 +77928,7 @@ index d26fe81..3ff8fef 100644 ') ######################################## -@@ -718,19 +886,25 @@ interface(`init_telinit',` +@@ -718,19 +905,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -77899,7 +77955,7 @@ index d26fe81..3ff8fef 100644 ') ') -@@ -760,7 +934,7 @@ interface(`init_rw_initctl',` +@@ -760,7 +953,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -77908,7 +77964,7 @@ index d26fe81..3ff8fef 100644 ## ## # -@@ -803,11 +977,12 @@ interface(`init_script_file_entry_type',` +@@ -803,11 +996,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -77923,7 +77979,7 @@ index d26fe81..3ff8fef 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -818,11 +993,11 @@ interface(`init_spec_domtrans_script',` +@@ -818,11 +1012,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` 
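Review bot: The summary of the new init_access_check interface says "Check access", but the rule grants `execute` on init_exec_t as well as getattr_file_perms; because neither execute_no_trans nor a domain transition is granted the binary still cannot be run in the caller's domain, yet that is not obvious from the header. Suggest making the description say so, e.g. `## Check access to the init/systemd executable (getattr and execute only; no execute_no_trans, so the caller can stat/access() it but not run it in its own domain).` A short why-comment above the allow line, `# execute is needed for access(X_OK) checks, not for running init`, would keep a later maintainer from "fixing" it into can_exec.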
@@ -77937,7 +77993,7 @@ index d26fe81..3ff8fef 100644 ') ') -@@ -838,19 +1013,41 @@ interface(`init_spec_domtrans_script',` +@@ -838,19 +1032,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -77983,7 +78039,7 @@ index d26fe81..3ff8fef 100644 ') ######################################## -@@ -906,9 +1103,14 @@ interface(`init_script_file_domtrans',` +@@ -906,9 +1122,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -77998,7 +78054,7 @@ index d26fe81..3ff8fef 100644 files_search_etc($1) ') -@@ -999,7 +1201,9 @@ interface(`init_ptrace',` +@@ -999,7 +1220,9 @@ interface(`init_ptrace',` type init_t; ') @@ -78009,7 +78065,7 @@ index d26fe81..3ff8fef 100644 ') ######################################## -@@ -1117,6 +1321,24 @@ interface(`init_read_all_script_files',` +@@ -1117,6 +1340,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -78034,7 +78090,7 @@ index d26fe81..3ff8fef 100644 ## Dontaudit read all init script files. ## ## -@@ -1168,12 +1390,7 @@ interface(`init_read_script_state',` +@@ -1168,12 +1409,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -78048,7 +78104,7 @@ index d26fe81..3ff8fef 100644 ') ######################################## -@@ -1413,6 +1630,27 @@ interface(`init_dbus_send_script',` +@@ -1413,6 +1649,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -78076,7 +78132,7 @@ index d26fe81..3ff8fef 100644 ## init scripts over dbus. ## ## -@@ -1499,6 +1737,25 @@ interface(`init_getattr_script_status_files',` +@@ -1499,6 +1756,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## 
@@ -78102,7 +78158,7 @@ index d26fe81..3ff8fef 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1557,6 +1814,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1557,6 +1833,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -78127,7 +78183,7 @@ index d26fe81..3ff8fef 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1629,6 +1904,43 @@ interface(`init_read_utmp',` +@@ -1629,6 +1923,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -78171,7 +78227,7 @@ index d26fe81..3ff8fef 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1717,7 +2029,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1717,7 +2048,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -78180,7 +78236,7 @@ index d26fe81..3ff8fef 100644 ') ######################################## -@@ -1758,6 +2070,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1758,6 +2089,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -78309,7 +78365,7 @@ index d26fe81..3ff8fef 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1792,3 +2226,284 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1792,3 +2245,284 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -81014,7 +81070,7 @@ index 02f4c97..54c74fe 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 321bb13..4d8e1a9 100644 +index 321bb13..e9c2da9 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` 
@@ -81099,10 +81155,17 @@ index 321bb13..4d8e1a9 100644 ######################################## ## ## Send system log messages. -@@ -550,6 +607,45 @@ interface(`logging_send_syslog_msg',` - - ######################################## - ## +@@ -546,6 +603,48 @@ interface(`logging_send_syslog_msg',` + # will write to the console. + term_write_console($1) + term_dontaudit_read_console($1) ++ ifdef(`hide_broken_symptoms',` ++ kernel_dgram_send($1) ++ ') ++') ++ ++######################################## ++## +## Connect to the syslog control unix stream socket. +## +## @@ -81138,14 +81201,10 @@ index 321bb13..4d8e1a9 100644 + + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) -+') -+ -+######################################## -+## - ## Read the auditd configuration files. - ## - ## -@@ -739,7 +835,25 @@ interface(`logging_append_all_logs',` + ') + + ######################################## +@@ -739,7 +838,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -81172,7 +81231,7 @@ index 321bb13..4d8e1a9 100644 ') ######################################## -@@ -822,7 +936,7 @@ interface(`logging_manage_all_logs',` +@@ -822,7 +939,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -81181,7 +81240,7 @@ index 321bb13..4d8e1a9 100644 ') ######################################## -@@ -848,6 +962,44 @@ interface(`logging_read_generic_logs',` +@@ -848,6 +965,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -81226,7 +81285,7 @@ index 321bb13..4d8e1a9 100644 ## Write generic log files. ## ## -@@ -947,11 +1099,16 @@ interface(`logging_admin_audit',` +@@ -947,11 +1102,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; 
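Review bot: The `kernel_dgram_send($1)` added inside `ifdef(`hide_broken_symptoms',` at the end of logging_send_syslog_msg is an allow rule, not a dontaudit, so under that build option every caller of this interface (close to every domain in the policy) gains sendto on kernel_t's unix dgram socket, as I read that interface. hide_broken_symptoms is conventionally used to silence denials; if the intent is only to hide noise this should be a dontaudit rule, and if the permission is genuinely needed it should be unconditional with a comment explaining the case. Either way a one-line comment naming the broken symptom it covers belongs next to it, e.g. `# hide_broken_symptoms: syslog() falls back to the kernel socket when syslogd is not running`, adjusted to the actual cause.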
@@ -81244,7 +81303,7 @@ index 321bb13..4d8e1a9 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -967,6 +1124,33 @@ interface(`logging_admin_audit',` +@@ -967,6 +1127,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -81278,7 +81337,7 @@ index 321bb13..4d8e1a9 100644 ') ######################################## -@@ -995,10 +1179,15 @@ interface(`logging_admin_syslog',` +@@ -995,10 +1182,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -81296,7 +81355,7 @@ index 321bb13..4d8e1a9 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1020,6 +1209,8 @@ interface(`logging_admin_syslog',` +@@ -1020,6 +1212,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -81305,7 +81364,7 @@ index 321bb13..4d8e1a9 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1048,3 +1239,25 @@ interface(`logging_admin',` +@@ -1048,3 +1242,25 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 374402d..9b32038 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -316,7 +316,7 @@ index 0b827c5..ac79ca6 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/abrt.te b/abrt.te -index 30861ec..979a48d 100644 +index 30861ec..9522c1a 100644 --- a/abrt.te +++ b/abrt.te @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0) @@ -481,7 +481,7 @@ index 30861ec..979a48d 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +203,30 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +203,31 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) 
@@ -494,6 +494,7 @@ index 30861ec..979a48d 100644 miscfiles_read_generic_certs(abrt_t) -miscfiles_read_localization(abrt_t) ++miscfiles_read_public_files(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) @@ -517,7 +518,7 @@ index 30861ec..979a48d 100644 ') optional_policy(` -@@ -167,6 +247,7 @@ optional_policy(` +@@ -167,6 +248,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -525,7 +526,7 @@ index 30861ec..979a48d 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,9 +259,32 @@ optional_policy(` +@@ -178,9 +260,32 @@ optional_policy(` ') optional_policy(` @@ -558,7 +559,7 @@ index 30861ec..979a48d 100644 ######################################## # # abrt--helper local policy -@@ -200,23 +304,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +305,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -587,7 +588,7 @@ index 30861ec..979a48d 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +327,146 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +328,146 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1319,14 +1320,14 @@ index d362d9c..230a2f6 100644 + +/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0) diff --git a/alsa.if b/alsa.if -index 1392679..25e02df 100644 +index 1392679..64e685f 100644 --- a/alsa.if +++ b/alsa.if 
@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',` userdom_search_user_home_dirs($1) allow $1 alsa_home_t:file manage_file_perms; -+ alsa_filetrans_home_content(unpriv_userdomain) ++ alsa_filetrans_home_content($1) ') ######################################## @@ -1472,10 +1473,18 @@ index bec220e..1d26add 100644 + fstools_signal(amanda_t) +') diff --git a/amavis.if b/amavis.if -index e31d92a..e515cb8 100644 +index e31d92a..1aa0718 100644 --- a/amavis.if +++ b/amavis.if -@@ -231,9 +231,13 @@ interface(`amavis_admin',` +@@ -202,6 +202,7 @@ interface(`amavis_create_pid_files',` + type amavis_var_run_t; + ') + ++ allow $1 amavis_var_run_t:dir rw_dir_perms; + allow $1 amavis_var_run_t:file create_file_perms; + files_search_pids($1) + ') +@@ -231,9 +232,13 @@ interface(`amavis_admin',` type amavis_initrc_exec_t; ') @@ -1491,7 +1500,7 @@ index e31d92a..e515cb8 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 5a9b451..f94bd50 100644 +index 5a9b451..c4b2eec 100644 --- a/amavis.te +++ b/amavis.te @@ -38,7 +38,7 @@ type amavis_quarantine_t; 
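Review bot: The new `allow $1 amavis_var_run_t:dir rw_dir_perms;` in amavis_create_pid_files grants more than the interface name promises: rw_dir_perms includes remove_name, so callers can also unlink existing entries in the pid directory. refpolicy's create-only interfaces normally use `create_files_pattern($1, amavis_var_run_t, amavis_var_run_t)`, which pairs add_entry_dir_perms on the directory with create_file_perms on the file; replacing the two allow lines with that single call keeps the interface within its documented scope. The interface's header and gen_require open outside the hunk.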
@@ -1503,7 +1512,29 @@ index 5a9b451..f94bd50 100644 ######################################## # -@@ -128,15 +128,16 @@ corenet_tcp_connect_razor_port(amavis_t) +@@ -49,7 +49,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid }; + dontaudit amavis_t self:capability sys_tty_config; + allow amavis_t self:process { signal sigchld sigkill signull }; + allow amavis_t self:fifo_file rw_fifo_file_perms; +-allow amavis_t self:unix_stream_socket create_stream_socket_perms; ++allow amavis_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow amavis_t self:unix_dgram_socket create_socket_perms; + allow amavis_t self:tcp_socket { listen accept }; + allow amavis_t self:netlink_route_socket r_netlink_socket_perms; +@@ -75,9 +75,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) + files_search_spool(amavis_t) + + # tmp files ++manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) + manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) ++manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) + allow amavis_t amavis_tmp_t:dir setattr_dir_perms; +-files_tmp_filetrans(amavis_t, amavis_tmp_t, file) ++files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir } ) + + # var/lib files for amavis + manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) +@@ -128,17 +130,19 @@ corenet_tcp_connect_razor_port(amavis_t) dev_read_rand(amavis_t) dev_read_urand(amavis_t) @@ -1520,8 +1551,11 @@ index 5a9b451..f94bd50 100644 +auth_use_nsswitch(amavis_t) auth_dontaudit_read_shadow(amavis_t) ++init_read_state(amavis_t) # uses uptime which reads utmp - redhat bug 561383 -@@ -148,29 +149,32 @@ logging_send_syslog_msg(amavis_t) + init_read_utmp(amavis_t) + init_stream_connect_script(amavis_t) +@@ -148,29 +152,32 @@ logging_send_syslog_msg(amavis_t) miscfiles_read_generic_certs(amavis_t) miscfiles_read_localization(amavis_t) @@ -1597,7 +1631,7 @@ index e81bdbd..63ab279 100644 optional_policy(` 
diff --git a/apache.fc b/apache.fc -index fd9fa07..95f6a90 100644 +index fd9fa07..b289cef 100644 --- a/apache.fc +++ b/apache.fc @@ -1,39 +1,54 @@ @@ -1688,7 +1722,7 @@ index fd9fa07..95f6a90 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,31 +92,44 @@ ifdef(`distro_suse', ` +@@ -73,31 +92,43 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -1715,7 +1749,6 @@ index fd9fa07..95f6a90 100644 +/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/suphp\.log -- gen_context(system_u:object_r:httpd_log_t,s0) @@ -1737,7 +1770,7 @@ index fd9fa07..95f6a90 100644 /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -@@ -109,3 +141,25 @@ ifdef(`distro_debian', ` +@@ -109,3 +140,25 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -5673,10 +5706,10 @@ index 0000000..e59e51b +/var/log/boinc\.log -- gen_context(system_u:object_r:boinc_log_t,s0) diff --git a/boinc.if b/boinc.if new file mode 100644 -index 0000000..6d7e034 +index 0000000..9d891b7 --- /dev/null +++ b/boinc.if -@@ -0,0 +1,189 @@ +@@ -0,0 +1,188 @@ +## policy for boinc + +######################################## 
@@ -5811,7 +5844,6 @@ index 0000000..6d7e034 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) + allow $1 boinc_unit_file_t:file read_file_perms; + allow $1 boinc_unit_file_t:service manage_service_perms; + @@ -7528,7 +7560,7 @@ index b6bb46c..645d203 100644 /var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/cgroup.if b/cgroup.if -index 33facaf..1d39797 100644 +index 33facaf..c624aaa 100644 --- a/cgroup.if +++ b/cgroup.if @@ -171,15 +171,27 @@ interface(`cgroup_admin',` @@ -7541,7 +7573,7 @@ index 33facaf..1d39797 100644 - allow $1 cgconfig_t:process { ptrace signal_perms }; + tunable_policy(`deny_ptrace',`',` -+ allow $1 cglear_t:process ptrace; ++ allow $1 cglcear_t:process ptrace; + ') + + allow $1 cgconfig_t:process signal_perms; @@ -8395,7 +8427,7 @@ index bbac14a..87840b4 100644 + ') diff --git a/clamav.te b/clamav.te -index 5b7a1d7..d5c0e45 100644 +index 5b7a1d7..0bcee92 100644 --- a/clamav.te +++ b/clamav.te @@ -1,9 +1,23 @@ @@ -8546,15 +8578,16 @@ index 5b7a1d7..d5c0e45 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +227,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +227,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) +corenet_tcp_connect_clamd_port(freshclam_t) ++corenet_tcp_connect_squid_port(freshclam_t) corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -196,7 +235,6 @@ dev_read_urand(freshclam_t) +@@ -196,7 +236,6 @@ dev_read_urand(freshclam_t) domain_use_interactive_fds(freshclam_t) 
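Review bot: The cgroup_admin ptrace rule is changed from `cglear_t` to `cglcear_t`, and neither spelling matches a type visible on the page; if the cgclear domain is meant, the name is still misspelled, and a misspelled type in an allow rule fails the policy build. The removed line was `allow $1 cgconfig_t:process { ptrace signal_perms };`, so the deny_ptrace block presumably also needs `allow $1 cgconfig_t:process ptrace;` or admins silently lose ptrace on cgconfig_t. The gen_require block that would settle the name is outside the hunk.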
@@ -8562,7 +8595,7 @@ index 5b7a1d7..d5c0e45 100644 files_read_etc_runtime_files(freshclam_t) auth_use_nsswitch(freshclam_t) -@@ -207,16 +245,22 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +246,22 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -8589,7 +8622,7 @@ index 5b7a1d7..d5c0e45 100644 ######################################## # # clamscam local policy -@@ -242,17 +286,34 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,17 +287,36 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; @@ -8616,6 +8649,8 @@ index 5b7a1d7..d5c0e45 100644 + +tunable_policy(`clamscan_can_scan_system',` + files_read_non_security_files(clamscan_t) ++ files_getattr_all_pipes(clamscan_t) ++ files_getattr_all_sockets(clamscan_t) +') + kernel_read_kernel_sysctls(clamscan_t) @@ -8625,7 +8660,7 @@ index 5b7a1d7..d5c0e45 100644 files_read_etc_runtime_files(clamscan_t) files_search_var_lib(clamscan_t) -@@ -264,10 +325,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +328,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -8658,10 +8693,10 @@ index b40f3f7..3676ecc 100644 # diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..7182054 +index 0000000..e59cc85 --- /dev/null +++ b/cloudform.fc -@@ -0,0 +1,19 @@ +@@ -0,0 +1,20 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + 
@@ -8677,6 +8712,7 @@ index 0000000..7182054 +/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) +/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0) +/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) ++/var/log/aeolus-conductor/dbomatic\.log -- gen_context(system_u:object_r:mongod_log_t,s0) + +/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) @@ -8729,10 +8765,10 @@ index 0000000..7f55959 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..da2404c +index 0000000..ebf11b1 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,195 @@ +@@ -0,0 +1,198 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -8838,6 +8874,8 @@ index 0000000..da2404c +corenet_tcp_bind_generic_node(deltacloudd_t) +corenet_tcp_bind_generic_port(deltacloudd_t) + ++auth_use_nsswitch(deltacloudd_t) ++ +files_read_usr_files(deltacloudd_t) + +logging_send_syslog_msg(deltacloudd_t) @@ -8891,6 +8929,7 @@ index 0000000..da2404c + +manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) +manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) ++logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log") + +manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) +manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) @@ -10329,10 +10368,10 @@ index 0000000..168f664 +') diff --git a/condor.te b/condor.te new file mode 100644 -index 0000000..1bba4b7 +index 0000000..40f65d5 --- /dev/null +++ b/condor.te -@@ -0,0 +1,232 @@ +@@ -0,0 +1,239 @@ +policy_module(condor, 1.0.0) + +######################################## 
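Review bot: `/var/log/aeolus-conductor/dbomatic\.log` is labeled mongod_log_t and cloudform.te adds `logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")`, so dbomatic, an aeolus-conductor component judging by the path, is treated as running in mongod_t and its log shares the database server's log type, just as its pid file already shares mongod_var_run_t. If dbomatic is its own process, a separate domain and log type would keep mongod's log write access from extending to conductor logs; at minimum a comment in cloudform.te stating that dbomatic runs as mongod_t would record the decision. The filetrans only fires for files created directly in a var_log_t directory, so it presumably relies on /var/log/aeolus-conductor keeping the generic log label.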
@@ -10560,6 +10599,13 @@ index 0000000..1bba4b7 +optional_policy(` + ssh_basic_client_template(condor_startd, condor_startd_t, system_r) + ssh_domtrans(condor_startd_t) ++ ++ manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t) ++ manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t) ++ ++ optional_policy(` ++ kerberos_use(condor_startd_ssh_t) ++ ') +') + +optional_policy(` @@ -13029,7 +13075,7 @@ index 0000000..284fbae + sysnet_domtrans_ifconfig(ctdbd_t) +') diff --git a/cups.fc b/cups.fc -index 848bb92..25c56f7 100644 +index 848bb92..7d949a9 100644 --- a/cups.fc +++ b/cups.fc @@ -19,7 +19,10 @@ @@ -13051,7 +13097,7 @@ index 848bb92..25c56f7 100644 /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) -@@ -60,10 +64,16 @@ +@@ -60,10 +64,18 @@ /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) @@ -13069,6 +13115,8 @@ index 848bb92..25c56f7 100644 +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ ++/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if index 305ddf4..11d010a 100644 --- a/cups.if @@ -14164,7 +14212,7 @@ index fb4bf82..115133d 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 8e7ba54..9201358 100644 +index 8e7ba54..ffc5025 100644 --- a/dbus.te +++ b/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -14238,7 +14286,7 @@ index 8e7ba54..9201358 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -135,11 +143,27 @@ seutil_sigchld_newrole(system_dbusd_t) +@@ -135,11 +143,31 @@ seutil_sigchld_newrole(system_dbusd_t) userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) 
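Review bot: The new cups.fc entry `/opt/brother/Printers(.*/)?inf(/.*)?` lacks the `/` that the sibling `/usr/local/Printer/(.*/)?inf(/.*)?` entry has after the directory name, so it also matches paths such as /opt/brother/Printersinf or /opt/brother/Printersfoo/inf. If the Brother layout is /opt/brother/Printers/<model>/inf, `/opt/brother/Printers/(.*/)?inf(/.*)?` is the tighter pattern. This is an over-match, and the type it assigns, cupsd_rw_etc_t, is one cupsd can write, so the extra paths matter.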
@@ -14249,6 +14297,10 @@ index 8e7ba54..9201358 100644 ') optional_policy(` ++ bluetooth_stream_connect(system_dbusd_t) ++') ++ ++optional_policy(` + gnome_exec_gconf(system_dbusd_t) + gnome_read_inherited_home_icc_data_files(system_dbusd_t) +') @@ -14266,7 +14318,7 @@ index 8e7ba54..9201358 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -150,12 +174,160 @@ optional_policy(` +@@ -150,12 +178,160 @@ optional_policy(` ') optional_policy(` @@ -20942,7 +20994,7 @@ index 00a19e3..17006fc 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..8da3abc 100644 +index f5afe78..7861fc8 100644 --- a/gnome.if +++ b/gnome.if @@ -1,44 +1,937 @@ @@ -20989,6 +21041,11 @@ index f5afe78..8da3abc 100644 +## +## The role template for the gnome-keyring-daemon. +## ++## ++## ++## The user domain associated with the role. ++## ++## +## +## +## The user prefix. @@ -20999,11 +21056,6 @@ index f5afe78..8da3abc 100644 +## The user role. +## +## -+## -+## -+## The user domain associated with the role. -+## -+## +# +interface(`gnome_role_gkeyringd',` + gen_require(` @@ -25394,10 +25446,10 @@ index 0000000..868c7d0 +') diff --git a/jockey.te b/jockey.te new file mode 100644 -index 0000000..efa139b +index 0000000..56b4856 --- /dev/null +++ b/jockey.te -@@ -0,0 +1,42 @@ +@@ -0,0 +1,43 @@ +policy_module(jockey, 1.0.0) + +######################################## @@ -25438,6 +25490,7 @@ index 0000000..efa139b +domain_use_interactive_fds(jockey_t) + +files_read_etc_files(jockey_t) ++files_read_usr_files(jockey_t) + +miscfiles_read_localization(jockey_t) diff --git a/kde.fc b/kde.fc @@ -26882,7 +26935,7 @@ index 0000000..6b27066 +/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) 
diff --git a/l2tpd.if b/l2tpd.if new file mode 100644 -index 0000000..8bc2c6d +index 0000000..562d25b --- /dev/null +++ b/l2tpd.if @@ -0,0 +1,178 @@ @@ -27039,7 +27092,7 @@ index 0000000..8bc2c6d +# +interface(`l2tpd_admin',` + gen_require(` -+ type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t; ++ type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; + type l2tp_etc_t, l2tpd_tmp_t; + ') + @@ -28362,7 +28415,7 @@ index a4f32f5..628b63c 100644 ## in the caller domain. ## diff --git a/lpd.te b/lpd.te -index a03b63a..9b3ca81 100644 +index a03b63a..bee4750 100644 --- a/lpd.te +++ b/lpd.te @@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t) @@ -28436,7 +28489,7 @@ index a03b63a..9b3ca81 100644 # for test print files_read_usr_files(lpr_t) #Added to cover read_content macro -@@ -275,19 +273,20 @@ miscfiles_read_localization(lpr_t) +@@ -275,19 +273,21 @@ miscfiles_read_localization(lpr_t) userdom_read_user_tmp_symlinks(lpr_t) # Write to the user domain tty. @@ -28445,6 +28498,7 @@ index a03b63a..9b3ca81 100644 userdom_read_user_home_content_files(lpr_t) userdom_read_user_tmp_files(lpr_t) +userdom_write_user_tmp_sockets(lpr_t) ++userdom_stream_connect(lpr_t) tunable_policy(`use_lpd_server',` # lpr can run in lightweight mode, without a local print spooler. @@ -28462,7 +28516,7 @@ index a03b63a..9b3ca81 100644 # Send SIGHUP to lpd. allow lpr_t lpd_t:process signal; -@@ -305,17 +304,7 @@ tunable_policy(`use_lpd_server',` +@@ -305,17 +305,7 @@ tunable_policy(`use_lpd_server',` read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) ') @@ -28481,7 +28535,7 @@ index a03b63a..9b3ca81 100644 optional_policy(` cups_read_config(lpr_t) -@@ -324,5 +313,13 @@ optional_policy(` +@@ -324,5 +314,13 @@ optional_policy(` ') optional_policy(` @@ -30473,7 +30527,7 @@ index b3ace16..83392b6 100644 optional_policy(` udev_read_db(modemmanager_t) diff --git a/mojomojo.if b/mojomojo.if -index 657a9fc..6be094b 100644 +index 657a9fc..7022903 100644 --- a/mojomojo.if +++ b/mojomojo.if 
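Review bot: `userdom_stream_connect(lpr_t)` is unconditional and covers every user domain's stream sockets, while the changelog motivates it with a single target, the user keyring's pkcs11 socket. A connect interface specific to that daemon's socket, if the policy provides one, or at least a comment above the line naming the socket it is for (`# connectto the user keyring pkcs11 socket under /run/user/$USER`) would keep the grant reviewable later. The surrounding tunable_policy blocks show this file already gates optional lpr behaviour behind booleans, which is another way to scope it.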
@@ -10,27 +10,26 @@ @@ -30495,7 +30549,7 @@ index 657a9fc..6be094b 100644 - type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; + type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; + type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t; -+ type httpd_mojomojo_script_exec_t; ++ type httpd_mojomojo_script_exec_t, httpd_mojomo_script_t; ') - allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; @@ -35409,7 +35463,7 @@ index 0000000..415b098 +') + diff --git a/nscd.if b/nscd.if -index 85188dc..783accb 100644 +index 85188dc..2b37836 100644 --- a/nscd.if +++ b/nscd.if @@ -116,7 +116,26 @@ interface(`nscd_socket_use',` @@ -35527,8 +35581,8 @@ index 85188dc..783accb 100644 admin_pattern($1, nscd_var_run_t) + + nscd_systemctl($1) -+ admin_pattern($1, ncsd_unit_file_t) -+ allow $1 ncsd_unit_file_t:service all_service_perms; ++ admin_pattern($1, nscd_unit_file_t) ++ allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te index 7936e09..d1861d5 100644 
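Review bot: The new gen_require line `type httpd_mojomojo_script_exec_t, httpd_mojomo_script_t;` requires `httpd_mojomo_script_t`, which is not declared anywhere on the page and looks like a misspelling of `httpd_mojomojo_script_t`, already required two lines above in the same block. If so, the addition is redundant and the line should stay `type httpd_mojomojo_script_exec_t;`; if a distinct type was intended, it must be declared in mojomojo.te or the interface fails to build.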
@@ -38525,6 +38579,253 @@ index 3185114..6fc91e8 100644 + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') +diff --git a/phpfpm.fc b/phpfpm.fc +new file mode 100644 +index 0000000..4c64b13 +--- /dev/null ++++ b/phpfpm.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/php-fpm.service -- gen_context(system_u:object_r:phpfpm_unit_file_t,s0) ++ ++/usr/sbin/php-fpm -- gen_context(system_u:object_r:phpfpm_exec_t,s0) ++ ++/var/log/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_log_t,s0) ++ ++/var/run/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_var_run_t,s0) +diff --git a/phpfpm.if b/phpfpm.if +new file mode 100644 +index 0000000..9dcdaa8 +--- /dev/null ++++ b/phpfpm.if +@@ -0,0 +1,168 @@ ++ ++## PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. ++ ++######################################## ++## ++## Execute php-fpm in the phpfpm domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`phpfpm_domtrans',` ++ gen_require(` ++ type phpfpm_t, phpfpm_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, phpfpm_exec_t, phpfpm_t) ++') ++ ++######################################## ++## ++## Read phpfpm's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`phpfpm_read_log',` ++ gen_require(` ++ type phpfpm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, phpfpm_log_t, phpfpm_log_t) ++') ++ ++######################################## ++## ++## Append to phpfpm log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`phpfpm_append_log',` ++ gen_require(` ++ type phpfpm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, phpfpm_log_t, phpfpm_log_t) ++') ++ ++######################################## ++## ++## Manage phpfpm log files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`phpfpm_manage_log',` ++ gen_require(` ++ type phpfpm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, phpfpm_log_t, phpfpm_log_t) ++ manage_files_pattern($1, phpfpm_log_t, phpfpm_log_t) ++ manage_lnk_files_pattern($1, phpfpm_log_t, phpfpm_log_t) ++') ++ ++######################################## ++## ++## Read phpfpm PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`phpfpm_read_pid_files',` ++ gen_require(` ++ type phpfpm_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 phpfpm_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Execute phpfpm server in the phpfpm domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`phpfpm_systemctl',` ++ gen_require(` ++ type phpfpm_t; ++ type phpfpm_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 phpfpm_unit_file_t:file read_file_perms; ++ allow $1 phpfpm_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, phpfpm_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an phpfpm environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`phpfpm_admin',` ++ gen_require(` ++ type phpfpm_t; ++ type phpfpm_log_t; ++ type phpfpm_var_run_t; ++ type phpfpm_unit_file_t; ++ ') ++ ++ allow $1 phpfpm_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, phpfpm_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, phpfpm_log_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, phpfpm_var_run_t) ++ ++ phpfpm_systemctl($1) ++ admin_pattern($1, phpfpm_unit_file_t) ++ allow $1 phpfpm_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/phpfpm.te b/phpfpm.te +new file mode 100644 +index 0000000..ae5bdb2 +--- /dev/null ++++ b/phpfpm.te +@@ -0,0 +1,54 @@ ++policy_module(phpfpm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type phpfpm_t; ++type phpfpm_exec_t; ++init_daemon_domain(phpfpm_t, phpfpm_exec_t) ++ ++type phpfpm_log_t; ++logging_log_file(phpfpm_log_t) ++ ++type phpfpm_var_run_t; ++files_pid_file(phpfpm_var_run_t) ++ ++type phpfpm_unit_file_t; ++systemd_unit_file(phpfpm_unit_file_t) ++ ++######################################## ++# ++# phpfpm local policy ++# ++ ++allow phpfpm_t self:capability { chown kill setgid setuid sys_chroot sys_nice }; ++allow phpfpm_t self:process { setsched setrlimit signal sigkill }; ++ ++allow phpfpm_t self:fifo_file rw_fifo_file_perms; ++allow phpfpm_t self:tcp_socket { accept listen }; ++allow phpfpm_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t) ++manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t) ++ ++manage_dirs_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) ++manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) ++files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, dir ) ++ ++kernel_read_kernel_sysctls(phpfpm_t) ++ ++corenet_tcp_bind_generic_port(phpfpm_t) ++ ++domain_use_interactive_fds(phpfpm_t) ++ 
++files_read_etc_files(phpfpm_t) ++ ++auth_use_nsswitch(phpfpm_t) ++ ++logging_send_syslog_msg(phpfpm_t) ++ ++miscfiles_read_localization(phpfpm_t) ++ ++sysnet_dns_name_resolve(phpfpm_t) diff --git a/pingd.if b/pingd.if index 8688aae..cf34fc1 100644 --- a/pingd.if @@ -49496,7 +49797,7 @@ index 69a6074..c9dbc93 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/samba.if b/samba.if -index 82cb169..9642fe3 100644 +index 82cb169..987239e 100644 --- a/samba.if +++ b/samba.if @@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',` @@ -49786,7 +50087,17 @@ index 82cb169..9642fe3 100644 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) -@@ -727,4 +886,9 @@ interface(`samba_admin',` +@@ -709,9 +868,6 @@ interface(`samba_admin',` + admin_pattern($1, samba_var_t) + files_list_var($1) + +- admin_pattern($1, smbd_spool_t) +- files_list_spool($1) +- + admin_pattern($1, smbd_var_run_t) + files_list_pids($1) + +@@ -727,4 +883,9 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -50367,10 +50678,10 @@ index fc22785..98b89c4 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index 1898dbd..1651a2f 100644 +index 1898dbd..fc38344 100644 --- a/sambagui.te +++ b/sambagui.te -@@ -27,16 +27,19 @@ corecmd_exec_bin(sambagui_t) +@@ -27,16 +27,21 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) @@ -50381,6 +50692,8 @@ index 1898dbd..1651a2f 100644 auth_use_nsswitch(sambagui_t) +auth_dontaudit_read_shadow(sambagui_t) ++ ++init_access_check(sambagui_t) logging_send_syslog_msg(sambagui_t) @@ -50391,7 +50704,7 @@ index 1898dbd..1651a2f 100644 optional_policy(` consoletype_exec(sambagui_t) ') -@@ -56,6 +59,7 @@ optional_policy(` +@@ -56,6 +61,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) 
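Review bot: `phpfpm_admin` grants `allow $1 phpfpm_t:process { ptrace signal_perms };` unconditionally, whereas the admin interfaces touched elsewhere in this commit (cgroup_admin, tftp_admin, virt_admin) keep signal_perms unconditional and put ptrace under `tunable_policy(`deny_ptrace',`',` ... ')`; the new module should follow the same shape. The `phpfpm_systemctl` summary, `Execute phpfpm server in the phpfpm domain.`, is a copy of the domtrans description and should describe what the interface does, e.g. `Allow the caller to manage the php-fpm service via systemctl.`. In phpfpm.te, `corenet_tcp_bind_generic_port(phpfpm_t)` lets the daemon bind any generic port; if the FastCGI listener uses a fixed port, a port-specific bind interface would be tighter, and otherwise a comment explaining the generic grant would help. The hunk is the whole new module, so these points span phpfpm.if and phpfpm.te.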
@@ -54783,10 +55096,10 @@ index 0000000..5ab0840 +/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) diff --git a/svnserve.if b/svnserve.if new file mode 100644 -index 0000000..19d13a7 +index 0000000..dd2ac36 --- /dev/null +++ b/svnserve.if -@@ -0,0 +1,119 @@ +@@ -0,0 +1,118 @@ + +## policy for svnserve + @@ -54846,7 +55159,6 @@ index 0000000..19d13a7 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) + allow $1 svnserve_unit_file_t:file read_file_perms; + allow $1 svnserve_unit_file_t:service manage_service_perms; + @@ -55656,7 +55968,7 @@ index 25eee43..621f343 100644 /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) diff --git a/tftp.if b/tftp.if -index 38bb312..cab8c77 100644 +index 38bb312..0a40bc5 100644 --- a/tftp.if +++ b/tftp.if @@ -13,9 +13,33 @@ @@ -55793,7 +56105,7 @@ index 38bb312..cab8c77 100644 + allow $1 tftpd_t:process signal_perms; ps_process_pattern($1, tftpd_t) + tunable_policy(`deny_ptrace',`',` -+ allow $1 tftp_t:process ptrace; ++ allow $1 tftpd_t:process ptrace; + ') + + files_list_var_lib($1) @@ -55925,12 +56237,13 @@ index 80fe75c..cdeafc5 100644 +') diff --git a/thin.fc b/thin.fc new file mode 100644 -index 0000000..62d2c77 +index 0000000..8954083 --- /dev/null +++ b/thin.fc -@@ -0,0 +1,10 @@ +@@ -0,0 +1,11 @@ +/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) -+/usr/bin/thinStarter -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0) ++ ++/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0) + +/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0) + @@ -55989,10 +56302,10 @@ index 0000000..6de86e5 +') diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..d1903e6 +index 0000000..1ed278e --- /dev/null 
+++ b/thin.te -@@ -0,0 +1,105 @@ +@@ -0,0 +1,106 @@ +policy_module(thin, 1.0) + +######################################## @@ -56036,6 +56349,7 @@ index 0000000..d1903e6 +kernel_read_system_state(thin_domain) + +corecmd_exec_bin(thin_domain) ++corecmd_exec_shell(thin_domain) + +dev_read_rand(thin_domain) +dev_read_urand(thin_domain) @@ -56505,10 +56819,10 @@ index 0000000..a8385bc +/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0) diff --git a/tomcat.if b/tomcat.if new file mode 100644 -index 0000000..23251b7 +index 0000000..56f9936 --- /dev/null +++ b/tomcat.if -@@ -0,0 +1,353 @@ +@@ -0,0 +1,352 @@ + +## policy for tomcat + @@ -56804,7 +57118,6 @@ index 0000000..23251b7 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) + allow $1 tomcat_unit_file_t:file read_file_perms; + allow $1 tomcat_unit_file_t:service manage_service_perms; + @@ -56990,10 +57303,10 @@ index e2e06b2..6752bc3 100644 /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) diff --git a/tor.if b/tor.if -index 904f13e..26f16dd 100644 +index 904f13e..5801347 100644 --- a/tor.if +++ b/tor.if -@@ -18,6 +18,30 @@ interface(`tor_domtrans',` +@@ -18,6 +18,29 @@ interface(`tor_domtrans',` domtrans_pattern($1, tor_exec_t, tor_t) ') @@ -57014,7 +57327,6 @@ index 904f13e..26f16dd 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) + allow $1 tor_unit_file_t:file read_file_perms; + allow $1 tor_unit_file_t:service manage_service_perms; + @@ -57024,7 +57336,7 @@ index 904f13e..26f16dd 100644 ######################################## ## ## All of the rules required to administrate -@@ -40,10 +64,14 @@ interface(`tor_admin',` +@@ -40,10 +63,14 @@ interface(`tor_admin',` type tor_t, tor_var_log_t, tor_etc_t; type tor_var_lib_t, tor_var_run_t; type tor_initrc_exec_t; 
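Review bot: `corecmd_exec_shell(thin_domain)` is granted on the attribute, so every domain carrying thin_domain (thin.fc shows at least thin itself and the aeolus-configserver wrapper as entrypoints) may execute a shell, which widens what a compromised thin worker can run. If only the wrapper needs it — thin.fc now labels `/usr/bin/aeolus-configserver-thinwrapper` as its entrypoint — granting the rule to that domain alone, with a comment naming the script that requires a shell, would be tighter. The thin_domain attribute declaration and the per-domain sections are outside the hunk.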
@@ -57040,7 +57352,7 @@ index 904f13e..26f16dd 100644 init_labeled_script_domtrans($1, tor_initrc_exec_t) domain_system_change_exemption($1) -@@ -61,4 +89,13 @@ interface(`tor_admin',` +@@ -61,4 +88,13 @@ interface(`tor_admin',` files_list_pids($1) admin_pattern($1, tor_var_run_t) @@ -57195,7 +57507,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/tuned.te b/tuned.te -index db9d2a5..28c4b84 100644 +index db9d2a5..288ada9 100644 --- a/tuned.te +++ b/tuned.te @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) @@ -57211,13 +57523,14 @@ index db9d2a5..28c4b84 100644 type tuned_log_t; logging_log_file(tuned_log_t) -@@ -23,30 +29,49 @@ files_pid_file(tuned_var_run_t) +@@ -22,31 +28,49 @@ files_pid_file(tuned_var_run_t) + # # tuned local policy # - -+allow tuned_t self:process signal; -+ +- ++allow tuned_t self:capability { sys_admin sys_nice }; dontaudit tuned_t self:capability { dac_override sys_tty_config }; ++allow tuned_t self:process signal; +allow tuned_t self:fifo_file rw_fifo_file_perms; +allow tuned_t self:udp_socket create_socket_perms; + @@ -57266,7 +57579,7 @@ index db9d2a5..28c4b84 100644 logging_send_syslog_msg(tuned_t) miscfiles_read_localization(tuned_t) -@@ -58,6 +83,14 @@ optional_policy(` +@@ -58,6 +82,14 @@ optional_policy(` fstools_domtrans(tuned_t) ') @@ -57945,10 +58258,15 @@ index 5d43bd5..879a5cb 100644 uuidd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/varnishd.if b/varnishd.if -index 93975d6..7a665ff 100644 +index 93975d6..bd248ce 100644 --- a/varnishd.if +++ b/varnishd.if -@@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',` +@@ -151,12 +151,16 @@ interface(`varnishd_manage_log',` + # + interface(`varnishd_admin_varnishlog',` + gen_require(` ++ type varnishd_t; + type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; type varnishlog_var_run_t; ') 
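Review bot: `allow tuned_t self:capability { sys_admin sys_nice };` adds CAP_SYS_ADMIN, which covers a large set of privileged kernel operations and is close to root-equivalent, and the hunk gives no reason for it. A comment on the line naming the operation tuned actually performs (`# sys_admin: <operation from the denial>`) would document the grant, and if the need is a single sysctl or ioctl, the narrower rule plus a dontaudit for the capability check may suffice. The changelog entry only states that the capability is used, not for what.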
@@ -57961,7 +58279,7 @@ index 93975d6..7a665ff 100644 init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) domain_system_change_exemption($1) -@@ -194,8 +197,11 @@ interface(`varnishd_admin',` +@@ -194,8 +198,11 @@ interface(`varnishd_admin',` type varnishd_initrc_exec_t; ') @@ -58334,7 +58652,7 @@ index 2124b6a..5072bd7 100644 +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/virt.if b/virt.if -index 7c5d8d8..85b7d8b 100644 +index 7c5d8d8..9883b66 100644 --- a/virt.if +++ b/virt.if @@ -13,39 +13,45 @@ @@ -58759,8 +59077,8 @@ index 7c5d8d8..85b7d8b 100644 + allow $1 virtd_t:process signal_perms; ps_process_pattern($1, virtd_t) + tunable_policy(`deny_ptrace',`',` -+ allow $1 virtd_t:process ptrace_perms_perms; -+ allow $1 virt_lxc_t:process ptrace_perms_perms; ++ allow $1 virtd_t:process ptrace_perms; ++ allow $1 virt_lxc_t:process ptrace_perms; + ') + + allow $1 virt_lxc_t:process signal_perms; @@ -60916,7 +61234,7 @@ index 77d41b6..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index d995c70..1282d4c 100644 +index d995c70..17e2d43 100644 --- a/xen.te +++ b/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.11.1) 
@@ -60975,7 +61293,22 @@ index d995c70..1282d4c 100644 # internal communication is often done using fifo and unix sockets. allow xend_t self:fifo_file rw_fifo_file_perms; allow xend_t self:unix_stream_socket create_stream_socket_perms; -@@ -299,7 +303,6 @@ dev_rw_sysfs(xend_t) +@@ -219,6 +223,7 @@ allow xend_t self:unix_dgram_socket create_socket_perms; + allow xend_t self:netlink_route_socket r_netlink_socket_perms; + allow xend_t self:tcp_socket create_stream_socket_perms; + allow xend_t self:packet_socket create_socket_perms; ++allow xend_t self:tun_socket create_socket_perms; + + allow xend_t xen_image_t:dir list_dir_perms; + manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) +@@ -294,12 +299,13 @@ corenet_sendrecv_soundd_server_packets(xend_t) + corenet_rw_tun_tap_dev(xend_t) + + dev_read_urand(xend_t) ++# run lsscsi ++dev_getattr_all_chr_files(xend_t) + dev_filetrans_xen(xend_t) + dev_rw_sysfs(xend_t) dev_rw_xen(xend_t) domain_dontaudit_read_all_domains_state(xend_t) @@ -60983,7 +61316,7 @@ index d995c70..1282d4c 100644 files_read_etc_files(xend_t) files_read_kernel_symbol_table(xend_t) -@@ -320,13 +323,9 @@ locallogin_dontaudit_use_fds(xend_t) +@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) @@ -60997,7 +61330,7 @@ index d995c70..1282d4c 100644 sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) sysnet_domtrans_ifconfig(xend_t) -@@ -339,8 +338,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) +@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) @@ -61006,7 +61339,7 @@ index d995c70..1282d4c 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +346,23 @@ optional_policy(` +@@ -349,6 +349,23 @@ optional_policy(` consoletype_exec(xend_t) ') 
@@ -61030,7 +61363,7 @@ index d995c70..1282d4c 100644 ######################################## # # Xen console local policy -@@ -374,8 +388,6 @@ dev_rw_xen(xenconsoled_t) +@@ -374,8 +391,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) @@ -61039,7 +61372,7 @@ index d995c70..1282d4c 100644 files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) -@@ -413,9 +425,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -61051,7 +61384,7 @@ index d995c70..1282d4c 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,9 +455,11 @@ files_read_etc_files(xenstored_t) +@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -61063,7 +61396,7 @@ index d995c70..1282d4c 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -457,96 +472,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +475,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -61160,7 +61493,7 @@ index d995c70..1282d4c 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +487,4 @@ optional_policy(` +@@ -559,8 +490,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index dbdbe76..1544972 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -491,6 +491,37 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jul 11 2012 Miroslav Grepl 3.11.0-9 +- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t +- Add init_access_check() interface +- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t +- Allow tcpdump to create a netlink_socket +- Label newusers like useradd +- Change xdm log files to be labeled xdm_log_t +- Allow sshd_t with privsep to work in MLS +- Allow freshclam to update databases thru HTTP proxy +- Allow s-m-config to access check on systemd +- Allow abrt to read public files by default +- Fix amavis_create_pid_files() interface +- Add labeling and filename transition for dbomatic.log +- Allow system_dbusd_t to stream connect to bluetooth, and use its socket +- Allow amavisd to execute fsav +- Allow tuned to use sys_admin and sys_nice capabilities +- Add php-fpm policy from Bryan +- Add labeling for aeolus-configserver-thinwrapper +- Allow thin domains to execute shell +- Fix gnome_role_gkeyringd() interface description +- Lot of interface fixes +- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files +- Allow OpenMPI job to use kerberos +- Make deltacloudd_t as nsswitch_domain +- Allow xend_t to run lsscsi +- Allow qemu-dm running as xend_t to create tun_socket +- Add labeling for /opt/brother/Printers(.*/)?inf +- Allow jockey-backend to read pyconfig-64.h labeled as usr_t +- Fix clamscan_can_scan_system boolean +- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11 + * Tue Jul 3 2012 Miroslav Grepl 3.11.0-8 - initrc is calling exportfs which is not confined so it attempts to read nfsd_files - Fixes for passenger running within openshift.
