diff --git a/policy-f24-base.patch b/policy-f24-base.patch index f8ba6d1..1b54bc8 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -2741,10 +2741,10 @@ index 0960199..2e75ec7 100644 + manage_files_pattern($1, sudo_db_t, sudo_db_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..5c4a213 100644 +index d9fce57..8a18a54 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,110 @@ attribute sudodomain; +@@ -7,3 +7,111 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -2849,6 +2849,7 @@ index d9fce57..5c4a213 100644 + + optional_policy(` + systemd_dbus_chat_logind(sudodomain) ++ init_getpgid(sudodomain) + ') +') + @@ -10177,7 +10178,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..8dd0c6b 100644 +index cf04cb5..a9bf132 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10333,7 +10334,7 @@ index cf04cb5..8dd0c6b 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +243,374 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +243,376 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -10543,7 +10544,9 @@ index cf04cb5..8dd0c6b 100644 + +optional_policy(` + sysnet_filetrans_named_content(named_filetrans_domain) -+ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain) ++ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain) ++ sysnet_filetrans_named_content(unconfined_domain_type) ++ sysnet_filetrans_named_content_ifconfig(unconfined_domain_type) +') + +optional_policy(` 
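Review bot: `init_getpgid(sudodomain)` is added inside the `optional_policy` block that wraps `systemd_dbus_chat_logind(sudodomain)`, but it is an interface of the init module, not of systemd. By refpolicy convention an `optional_policy` block holds the calls of one optional module, so as written the getpgid grant would be dropped whenever the systemd module is not loaded, which is presumably not intended. Moving it out as an unconditional line `init_getpgid(sudodomain)` next to the other init_ calls of sudo.te keeps the dependency explicit. The enclosing policy block of sudo.te starts and ends outside the hunk.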
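Review bot: In the domain.te hunk the `sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)` line is removed and re-added with no visible textual difference, which in this collapsed rendering looks like an indentation-only change riding along with the two real additions for `unconfined_domain_type`. If it is whitespace churn, drop that `-`/`+` pair so the hunk records only the new named transitions `sysnet_filetrans_named_content(unconfined_domain_type)` and `sysnet_filetrans_named_content_ifconfig(unconfined_domain_type)`. The `optional_policy` block they sit in closes inside the hunk.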
@@ -17922,7 +17925,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..474c726 100644 +index 8416beb..9b4d364 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18421,7 +18424,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -1878,95 +2122,169 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',` ## ## # @@ -18527,6 +18530,7 @@ index 8416beb..474c726 100644 -# -interface(`fs_exec_fusefs_files',` - gen_require(` +- type fusefs_t; +## +##

+## Execute a file on a FUSE filesystem @@ -18560,86 +18564,34 @@ index 8416beb..474c726 100644 +interface(`fs_ecryptfs_domtrans',` + gen_require(` + type ecryptfs_t; -+ ') -+ -+ allow $1 ecryptfs_t:dir search_dir_perms; -+ domain_auto_transition_pattern($1, ecryptfs_t, $2) -+') -+ -+######################################## -+##

-+## Mount a FUSE filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mount_fusefs',` -+ gen_require(` - type fusefs_t; ') - exec_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:filesystem mount; ++ allow $1 ecryptfs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, ecryptfs_t, $2) ') ######################################## ## -## Create, read, write, and delete files -+## Unmount a FUSE filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_unmount_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:filesystem unmount; -+') -+ -+######################################## -+## -+## Mounton a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mounton_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir mounton; -+') -+ -+######################################## -+## -+## Search directories - ## on a FUSEFS filesystem. +-## on a FUSEFS filesystem. ++## Mount a FUSE filesystem. ## ## -@@ -1976,19 +2294,18 @@ interface(`fs_exec_fusefs_files',` + ## + ## Domain allowed access. + ## ## - ## +-## # -interface(`fs_manage_fusefs_files',` -+interface(`fs_search_fusefs',` ++interface(`fs_mount_fusefs',` gen_require(` type fusefs_t; ') - manage_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:dir search_dir_perms; ++ allow $1 fusefs_t:filesystem mount; ') ######################################## 
@@ -18647,79 +18599,96 @@ index 8416beb..474c726 100644 -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -+## Do not audit attempts to list the contents -+## of directories on a FUSEFS filesystem. ++## Unmount a FUSE filesystem. ## ## ## -@@ -1996,217 +2313,274 @@ interface(`fs_manage_fusefs_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_dontaudit_list_fusefs',` ++interface(`fs_unmount_fusefs',` gen_require(` type fusefs_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ dontaudit $1 fusefs_t:dir list_dir_perms; ++ allow $1 fusefs_t:filesystem unmount; ') ######################################## ## -## Read symbolic links on a FUSEFS filesystem. -+## Create, read, write, and delete directories -+## on a FUSEFS filesystem. ++## Mounton a FUSEFS filesystem. ## ## ## - ## Domain allowed access. +@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## -+## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_manage_fusefs_dirs',` ++interface(`fs_mounton_fusefs',` gen_require(` type fusefs_t; ') - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:dir manage_dir_perms; ++ allow $1 fusefs_t:dir mounton; ') ######################################## ## -## Get the attributes of an hugetlbfs -## filesystem. -+## Do not audit attempts to create, read, -+## write, and delete directories ++## Search directories +## on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. 
## ## ++## # -interface(`fs_getattr_hugetlbfs',` -+interface(`fs_dontaudit_manage_fusefs_dirs',` ++interface(`fs_search_fusefs',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:filesystem getattr; -+ dontaudit $1 fusefs_t:dir manage_dir_perms; ++ allow $1 fusefs_t:dir search_dir_perms; ') ######################################## ## -## List hugetlbfs. -+## Read, a FUSEFS filesystem. ++## Do not audit attempts to list the contents ++## of directories on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_list_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete directories ++## on a FUSEFS filesystem. ## ## ## @@ -18729,20 +18698,40 @@ index 8416beb..474c726 100644 +## # -interface(`fs_list_hugetlbfs',` -+interface(`fs_read_fusefs_files',` ++interface(`fs_manage_fusefs_dirs',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:dir list_dir_perms; -+ read_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 fusefs_t:dir manage_dir_perms; ') ######################################## ## -## Manage hugetlbfs dirs. -+## Execute files on a FUSEFS filesystem. ++## Do not audit attempts to create, read, ++## write, and delete directories ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_manage_fusefs_dirs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:dir manage_dir_perms; ++') ++ ++######################################## ++## ++## Read, a FUSEFS filesystem. ## ## ## 
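Review bot: The summary of `fs_read_fusefs_files` reads `## Read, a FUSEFS filesystem.`, which is garbled: a stray comma, and it describes the filesystem rather than the files the interface grants access to. `## Read files on a FUSEFS filesystem.` matches the `read_files_pattern($1, fusefs_t, fusefs_t)` body and the wording of the neighbouring fusefs interfaces. The interface body belonging to this summary continues in the next hunk.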
@@ -18752,38 +18741,37 @@ index 8416beb..474c726 100644 +## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_exec_fusefs_files',` ++interface(`fs_read_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ exec_files_pattern($1, fusefs_t, fusefs_t) ++ read_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Read and write hugetlbfs files. -+## Make general progams in FUSEFS an entrypoint for -+## the specified domain. ++## Execute files on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## The domain for which fusefs_t is an entrypoint. + ## Domain allowed access. ## ## ++## # -interface(`fs_rw_hugetlbfs_files',` -+interface(`fs_fusefs_entry_type',` ++interface(`fs_exec_fusefs_files',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ domain_entry_file($1, fusefs_t) ++ exec_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## 
@@ -18801,94 +18789,93 @@ index 8416beb..474c726 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_fusefs_entrypoint',` ++interface(`fs_fusefs_entry_type',` gen_require(` - type hugetlbfs_t; + type fusefs_t; ') - allow $1 hugetlbfs_t:filesystem associate; -+ allow $1 fusefs_t:file entrypoint; ++ domain_entry_file($1, fusefs_t) ') ######################################## ## -## Search inotifyfs filesystem. -+## Create, read, write, and delete files -+## on a FUSEFS filesystem. ++## Make general progams in FUSEFS an entrypoint for ++## the specified domain. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## The domain for which fusefs_t is an entrypoint. ## ## -+## # -interface(`fs_search_inotifyfs',` -+interface(`fs_manage_fusefs_files',` ++interface(`fs_fusefs_entrypoint',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ manage_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 fusefs_t:file entrypoint; ') ######################################## ## -## List inotifyfs filesystem. -+## Do not audit attempts to create, -+## read, write, and delete files ++## Create, read, write, and delete files +## on a FUSEFS filesystem. ## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## ++## # -interface(`fs_list_inotifyfs',` -+interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`fs_manage_fusefs_files',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ dontaudit $1 fusefs_t:file manage_file_perms; ++ manage_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## -## Dontaudit List inotifyfs filesystem. -+## Read symbolic links on a FUSEFS filesystem. ++## Do not audit attempts to create, ++## read, write, and delete files ++## on a FUSEFS filesystem. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
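Review bot: The summary of `fs_fusefs_entry_type` carries a typo, `## Make general progams in FUSEFS an entrypoint for`; it should read `## Make general programs in FUSEFS an entrypoint for`. Separately, `fs_fusefs_entry_type` (`domain_entry_file($1, fusefs_t)`) and `fs_fusefs_entrypoint` (`allow $1 fusefs_t:file entrypoint;`) appear to overlap, since domain_entry_file in refpolicy already includes the entrypoint permission on the file type; a one-line comment on `fs_fusefs_entrypoint` stating when the narrower form is preferred would stop callers from using both. The `fs_fusefs_entrypoint` body here is a moved block, so the overlap predates this commit.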
+@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',` ## ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_read_fusefs_symlinks',` ++interface(`fs_dontaudit_manage_fusefs_files',` gen_require(` - type inotifyfs_t; + type fusefs_t; ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ dontaudit $1 fusefs_t:file manage_file_perms; ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Manage symbolic links on a FUSEFS filesystem. ++## Read symbolic links on a FUSEFS filesystem. ## ## ## @@ -18897,6 +18884,27 @@ index 8416beb..474c726 100644 ## -## +# ++interface(`fs_read_fusefs_symlinks',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++') ++ ++######################################## ++## ++## Manage symbolic links on a FUSEFS filesystem. ++## ++## + ## +-## The type of the object to be created. ++## Domain allowed access. + ## + ## +-## ++# +interface(`fs_manage_fusefs_symlinks',` + gen_require(` + type fusefs_t; 
@@ -18931,78 +18939,84 @@ index 8416beb..474c726 100644 +## +## ## --## The type of the object to be created. +-## The object class of the object being created. +## Domain allowed to transition. ## ## --## +-## +## ## --## The object class of the object being created. +-## The name of the object being created. +## The type of the new process. ## ## --## -+# + # +-interface(`fs_hugetlbfs_filetrans',` +interface(`fs_fusefs_domtrans',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $2 hugetlbfs_t:filesystem associate; +- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) + allow $1 fusefs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, fusefs_t, $2) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount an iso9660 filesystem, which +-## is usually used on CDs. +## Get the attributes of a FUSEFS filesystem. -+## -+## + ## + ## ## --## The name of the object being created. -+## Domain allowed access. + ## Domain allowed access. ## ## +## # --interface(`fs_hugetlbfs_filetrans',` +-interface(`fs_mount_iso9660_fs',` +interface(`fs_getattr_fusefs',` gen_require(` -- type hugetlbfs_t; +- type iso9660_t; + type fusefs_t; ') -- allow $2 hugetlbfs_t:filesystem associate; -- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) +- allow $1 iso9660_t:filesystem mount; + allow $1 fusefs_t:filesystem getattr; ') ######################################## ## --## Mount an iso9660 filesystem, which --## is usually used on CDs. +-## Remount an iso9660 filesystem, which +-## is usually used on CDs. This allows +-## some mount options to be changed. +## Get the attributes of an hugetlbfs +## filesystem. 
## ## ## -@@ -2214,19 +2588,681 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2234,18 +2588,701 @@ interface(`fs_mount_iso9660_fs',` ## ## # --interface(`fs_mount_iso9660_fs',` +-interface(`fs_remount_iso9660_fs',` +interface(`fs_getattr_hugetlbfs',` gen_require(` - type iso9660_t; + type hugetlbfs_t; ') -- allow $1 iso9660_t:filesystem mount; +- allow $1 iso9660_t:filesystem remount; + allow $1 hugetlbfs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unmount an iso9660 filesystem, which +-## is usually used on CDs. +## List hugetlbfs. +## +## @@ -19663,38 +19677,30 @@ index 8416beb..474c726 100644 + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Remount an iso9660 filesystem, which --## is usually used on CDs. This allows --## some mount options to be changed. ++') ++ ++######################################## ++## +## Write kdbusfs files. - ## - ## - ## -@@ -2234,18 +3270,19 @@ interface(`fs_mount_iso9660_fs',` - ## - ## - # --interface(`fs_remount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_write_kdbus_files', ` - gen_require(` -- type iso9660_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 iso9660_t:filesystem remount; ++ ') ++ + write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Unmount an iso9660 filesystem, which --## is usually used on CDs. ++') ++ ++######################################## ++## +## Read and write kdbusfs files. ## ## 
@@ -20091,22 +20097,11 @@ index 8416beb..474c726 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3190,28 +4405,100 @@ interface(`fs_unmount_nfsd_fs',` - allow $1 nfsd_fs_t:filesystem unmount; - ') - --######################################## -+######################################## -+## -+## Get the attributes of a NFS server -+## pseudo filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# +@@ -3201,17 +4416,107 @@ interface(`fs_unmount_nfsd_fs',` + ## + ## + # +-interface(`fs_getattr_nfsd_fs',` +interface(`fs_getattr_nfsd_fs',` + gen_require(` + type nfsd_fs_t; 
@@ -20170,81 +20165,68 @@ index 8416beb..474c726 100644 +') + +####################################### - ## --## Get the attributes of a NFS server --## pseudo filesystem. ++## +## read files on an nfsd filesystem - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`fs_getattr_nfsd_fs',` -- gen_require(` -- type nfsd_fs_t; -- ') ++## ++# +interface(`fs_read_nfsd_files',` + gen_require(` + type nfsd_fs_t; + ') - -- allow $1 nfsd_fs_t:filesystem getattr; ++ + read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - ') - --######################################## ++') ++ +####################################### - ## --## Search NFS server directories. ++## +## Read and write NFS server files. - ## - ## - ## -@@ -3219,17 +4506,17 @@ interface(`fs_getattr_nfsd_fs',` - ## - ## - # --interface(`fs_search_nfsd_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_rw_nfsd_fs',` gen_require(` type nfsd_fs_t; ') -- allow $1 nfsd_fs_t:dir search_dir_perms; +- allow $1 nfsd_fs_t:filesystem getattr; + rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') ######################################## ## --## List NFS server directories. +-## Search NFS server directories. +## Getattr files on an nsfs filesystem ## ## ## -@@ -3237,35 +4524,34 @@ interface(`fs_search_nfsd_fs',` +@@ -3219,35 +4524,34 @@ interface(`fs_getattr_nfsd_fs',` ## ## # --interface(`fs_list_nfsd_fs',` +-interface(`fs_search_nfsd_fs',` +interface(`fs_getattr_nsfs_files',` gen_require(` - type nfsd_fs_t; + type nsfs_t; ') -- allow $1 nfsd_fs_t:dir list_dir_perms; +- allow $1 nfsd_fs_t:dir search_dir_perms; + getattr_files_pattern($1, nsfs_t, nsfs_t) ') - -######################################## +####################################### ## --## Getattr files on an nfsd filesystem +-## List NFS server directories. +## Read nsfs inodes (e.g. /proc/pid/ns/uts) ## ## 
@@ -20256,7 +20238,7 @@ index 8416beb..474c726 100644 +## ## # --interface(`fs_getattr_nfsd_files',` +-interface(`fs_list_nfsd_fs',` +interface(`fs_read_nsfs_files',` gen_require(` - type nfsd_fs_t; 
@@ -20264,33 +20246,79 @@ index 8416beb..474c726 100644 + type nsfs_t; + ') -- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +- allow $1 nfsd_fs_t:dir list_dir_perms; + allow $1 nsfs_t:file read_file_perms; ') ######################################## ## --## Read and write NFS server files. +-## Getattr files on an nfsd filesystem +## Manage NFS server files. ## ## ## -@@ -3273,12 +4559,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3255,35 +4559,35 @@ interface(`fs_list_nfsd_fs',` ## ## # --interface(`fs_rw_nfsd_fs',` +-interface(`fs_getattr_nfsd_files',` +interface(`fs_manage_nfsd_fs',` gen_require(` type nfsd_fs_t; ') -- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') ######################################## -@@ -3392,7 +4678,7 @@ interface(`fs_search_ramfs',` + ## +-## Read and write NFS server files. ++## Allow the type to associate to ramfs filesystems. + ## +-## ++## + ## +-## Domain allowed access. ++## The type of the object to be associated. + ## + ## + # +-interface(`fs_rw_nfsd_fs',` ++interface(`fs_associate_ramfs',` + gen_require(` +- type nfsd_fs_t; ++ type ramfs_t; + ') + +- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ allow $1 ramfs_t:filesystem associate; + ') + + ######################################## + ## +-## Allow the type to associate to ramfs filesystems. ++## Allow the type to associate to proc filesystems. + ## + ## + ## +@@ -3291,12 +4595,12 @@ interface(`fs_rw_nfsd_fs',` + ## + ## + # +-interface(`fs_associate_ramfs',` ++interface(`fs_associate_proc',` + gen_require(` +- type ramfs_t; ++ type proc_t; + ') + +- allow $1 ramfs_t:filesystem associate; ++ allow $1 proc_t:filesystem associate; + ') + + ######################################## +@@ -3392,7 +4696,7 @@ interface(`fs_search_ramfs',` ######################################## ## 
@@ -20299,7 +20327,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -3429,7 +4715,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4733,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20308,7 +20336,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -3447,7 +4733,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4751,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20317,7 +20345,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -3779,6 +5065,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5083,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20342,7 +20370,7 @@ index 8416beb..474c726 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5119,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5137,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20367,7 +20395,7 @@ index 8416beb..474c726 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5230,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5248,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20376,7 +20404,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -3916,17 +5238,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5256,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20397,7 +20425,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -3934,17 +5256,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5274,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20418,7 +20446,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -3952,17 +5274,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5292,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20458,7 +20486,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -3970,31 +5311,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5329,48 @@ interface(`fs_search_tmpfs',` ## ## # 
@@ -20514,7 +20542,7 @@ index 8416beb..474c726 100644 ') ######################################## -@@ -4066,33 +5424,161 @@ interface(`fs_tmpfs_filetrans',` +@@ -4066,33 +5442,161 @@ interface(`fs_tmpfs_filetrans',` type tmpfs_t; ') @@ -20685,7 +20713,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -4100,72 +5586,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,72 +5604,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -20775,7 +20803,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -4173,17 +5659,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5677,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -20797,7 +20825,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -4191,37 +5678,37 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5696,37 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -20843,7 +20871,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -4229,18 +5716,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5734,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -20865,7 +20893,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -4248,18 +5735,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5753,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -20889,7 +20917,7 @@ index 8416beb..474c726 100644 ## ## ## -@@ -4267,32 +5755,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5773,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -20928,7 +20956,7 @@ index 8416beb..474c726 100644 ') ######################################## -@@ -4407,6 +5894,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5912,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20954,7 +20982,7 @@ index 8416beb..474c726 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6009,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6027,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; 
@@ -20963,7 +20991,7 @@ index 8416beb..474c726 100644 ') ######################################## -@@ -4549,7 +6057,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6075,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -20972,7 +21000,7 @@ index 8416beb..474c726 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6104,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6122,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -20999,7 +21027,7 @@ index 8416beb..474c726 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6199,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6217,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21025,7 +21053,7 @@ index 8416beb..474c726 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6459,173 @@ interface(`fs_unconfined',` +@@ -4912,3 +6477,173 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -25386,10 +25414,10 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..008545e 100644 +index 0fef1fc..59d8b87 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0) +@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) role staff_r; userdom_unpriv_user_template(staff) @@ -25417,6 +25445,7 @@ index 0fef1fc..008545e 100644 + +fs_read_hugetlbfs_files(staff_t) +files_dontaudit_read_all_symlinks(staff_t) ++fs_read_tmpfs_files(staff_t) + +dev_read_cpuid(staff_t) +dev_read_kmsg(staff_t) @@ -25462,7 +25491,7 @@ index 0fef1fc..008545e 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +83,115 @@ optional_policy(` +@@ -23,11 +84,115 @@ optional_policy(` ') optional_policy(` @@ -25579,7 +25608,7 @@ index 0fef1fc..008545e 100644 ') optional_policy(` -@@ -35,15 +199,31 @@ optional_policy(` +@@ -35,15 +200,31 @@ optional_policy(` ') optional_policy(` @@ -25613,7 +25642,7 @@ index 0fef1fc..008545e 100644 ') optional_policy(` -@@ -52,11 +232,61 @@ optional_policy(` +@@ -52,11 +233,61 @@ optional_policy(` ') optional_policy(` 
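Review bot: `fs_read_tmpfs_files(staff_t)` is added as an unconditional rule in the base staff_t section next to `fs_read_hugetlbfs_files(staff_t)`, and it grants read on every file carrying the generic tmpfs_t label regardless of which service created it. Nothing in the hunk records which workload needs this, unlike the virt-related grants for staff_t later in this file that are scoped under `optional_policy`. A short comment on the line, e.g. `# <reason / bug reference>: staff reads generic tmpfs files`, or moving the call under the tunable or optional block of the component that needs it, would keep the grant auditable. The remaining hunks on this physical line only update hunk-header counts.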
@@ -25676,7 +25705,7 @@ index 0fef1fc..008545e 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +295,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +296,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25687,7 +25716,7 @@ index 0fef1fc..008545e 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +304,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +305,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -25698,7 +25727,7 @@ index 0fef1fc..008545e 100644 ') optional_policy(` -@@ -101,10 +323,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +324,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25709,7 +25738,7 @@ index 0fef1fc..008545e 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +343,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +344,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25720,7 +25749,7 @@ index 0fef1fc..008545e 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +355,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +356,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25731,7 +25760,7 @@ index 0fef1fc..008545e 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +386,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +387,23 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -25751,6 +25780,7 @@ index 0fef1fc..008545e 100644 + dev_rw_kvm(staff_t) + virt_manage_images(staff_t) + virt_stream_connect_svirt(staff_t) ++ virt_rw_stream_sockets_svirt(staff_t) + virt_exec(staff_t) + ') +') @@ -31752,7 +31782,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..97bb1df 100644 +index 8b40377..4deb551 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` 
@@ -32262,7 +32292,7 @@ index 8b40377..97bb1df 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +559,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -32307,6 +32337,7 @@ index 8b40377..97bb1df 100644 dev_setattr_power_mgmt_dev(xdm_t) +dev_getattr_null_dev(xdm_t) +dev_setattr_null_dev(xdm_t) ++dev_read_nvme(xdm_t) domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. @@ -32316,7 +32347,7 @@ index 8b40377..97bb1df 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +612,29 @@ files_list_mnt(xdm_t) +@@ -431,9 +613,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -32340,13 +32371,14 @@ index 8b40377..97bb1df 100644 +fs_dontaudit_read_noxattr_fs_files(xdm_t) +fs_manage_cgroup_dirs(xdm_t) +fs_manage_cgroup_files(xdm_t) ++mount_read_pid_files(xdm_t) + +mls_socket_write_to_clearance(xdm_t) +mls_trusted_object(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +643,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +645,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -32397,7 +32429,7 @@ index 8b40377..97bb1df 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +691,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +693,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
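Review bot: `dev_read_nvme(xdm_t)` gives the display-manager domain read access to NVMe device nodes, a storage-device permission that sits oddly beside the `storage_dontaudit_read_fixed_disk(xdm_t)` and `storage_dontaudit_raw_read_removable_device(xdm_t)` lines visible in the following hunk, where comparable access is silenced rather than granted. If this only quiets a hardware-detection probe, a dontaudit would be the smaller change; if a real read is needed, a comment naming the component, e.g. `# <component / bug reference> reads NVMe device nodes`, should accompany the allow. In the same physical line, `mount_read_pid_files(xdm_t)` is inserted between `fs_manage_cgroup_files(xdm_t)` and `mls_socket_write_to_clearance(xdm_t)`; refpolicy orders calls by module layer (kernel-layer fs_/mls_ before system-layer mount_), so it belongs with the other system-layer calls further down.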
@@ -32567,7 +32599,7 @@ index 8b40377..97bb1df 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +860,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +862,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -32599,7 +32631,7 @@ index 8b40377..97bb1df 100644 ') optional_policy(` -@@ -518,8 +895,36 @@ optional_policy(` +@@ -518,8 +897,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -32637,7 +32669,7 @@ index 8b40377..97bb1df 100644 ') ') -@@ -530,6 +935,20 @@ optional_policy(` +@@ -530,6 +937,20 @@ optional_policy(` ') optional_policy(` @@ -32658,7 +32690,7 @@ index 8b40377..97bb1df 100644 hostname_exec(xdm_t) ') -@@ -547,28 +966,78 @@ optional_policy(` +@@ -547,28 +968,78 @@ optional_policy(` ') optional_policy(` @@ -32746,7 +32778,7 @@ index 8b40377..97bb1df 100644 ') optional_policy(` -@@ -580,6 +1049,14 @@ optional_policy(` +@@ -580,6 +1051,14 @@ optional_policy(` ') optional_policy(` @@ -32761,7 +32793,7 @@ index 8b40377..97bb1df 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1071,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1073,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -32770,7 +32802,7 @@ index 8b40377..97bb1df 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1081,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1083,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -32783,7 +32815,7 @@ index 8b40377..97bb1df 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1098,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1100,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -32799,7 +32831,7 @@ index 8b40377..97bb1df 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1114,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1116,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -32810,7 +32842,7 @@ index 8b40377..97bb1df 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1129,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1131,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -32847,7 +32879,7 @@ index 8b40377..97bb1df 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1175,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1177,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -32879,7 +32911,7 @@ index 8b40377..97bb1df 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1208,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1210,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -32894,7 +32926,7 @@ index 8b40377..97bb1df 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1229,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1231,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -32918,7 +32950,7 @@ index 8b40377..97bb1df 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1248,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1250,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -32927,7 +32959,7 @@ index 8b40377..97bb1df 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1292,54 @@ optional_policy(` +@@ -785,17 +1294,54 @@ optional_policy(` ') optional_policy(` @@ -32984,7 +33016,7 @@ index 8b40377..97bb1df 100644 ') optional_policy(` -@@ -803,6 +1347,10 @@ optional_policy(` +@@ -803,6 +1349,10 @@ optional_policy(` ') optional_policy(` 
@@ -32995,7 +33027,7 @@ index 8b40377..97bb1df 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1366,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1368,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -33020,7 +33052,7 @@ index 8b40377..97bb1df 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1389,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1391,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -33055,7 +33087,7 @@ index 8b40377..97bb1df 100644 ') optional_policy(` -@@ -912,7 +1454,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1456,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -33064,7 +33096,7 @@ index 8b40377..97bb1df 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1508,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1510,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -33096,7 +33128,7 @@ index 8b40377..97bb1df 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1554,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1556,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -37339,7 +37371,7 @@ index 79a45f6..d4f6066 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..d1770c8 100644 +index 17eda24..ead65a8 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37626,12 +37658,12 @@ index 17eda24..d1770c8 100644 +miscfiles_filetrans_named_content(init_t) + +udev_manage_rules_files(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) -+ + +-miscfiles_read_localization(init_t) +userdom_transition_login_userdomain(init_t) +userdom_noatsecure_login_userdomain(init_t) +userdom_sigchld_login_userdomain(init_t) @@ -37640,7 +37672,7 @@ index 17eda24..d1770c8 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +328,265 @@ ifdef(`distro_gentoo',` +@@ -186,29 +328,269 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37718,6 +37750,10 @@ index 17eda24..d1770c8 100644 + mta_manage_aliases(init_t) +') + ++optional_policy(` ++ systemd_allow_mount_dir(init_t) ++') ++ +allow init_t self:system all_system_perms; +allow init_t self:unix_dgram_socket { create_socket_perms sendto }; +allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec }; 
@@ -37868,19 +37904,19 @@ index 17eda24..d1770c8 100644 + sysnet_relabelfrom_dhcpc_state(init_t) + sysnet_setattr_dhcp_state(init_t) + ') ++') ++ ++optional_policy(` ++ lvm_rw_pipes(init_t) ++ lvm_read_config(init_t) ') optional_policy(` - auth_rw_login_records(init_t) -+ lvm_rw_pipes(init_t) -+ lvm_read_config(init_t) ++ consolekit_manage_log(init_t) ') optional_policy(` -+ consolekit_manage_log(init_t) -+') -+ -+optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -37888,10 +37924,9 @@ index 17eda24..d1770c8 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. @@ -37902,9 +37937,10 @@ index 17eda24..d1770c8 100644 +optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) @@ -37915,7 +37951,7 @@ index 17eda24..d1770c8 100644 ') optional_policy(` -@@ -216,7 +594,30 @@ optional_policy(` +@@ -216,7 +598,30 @@ optional_policy(` ') optional_policy(` @@ -37947,7 +37983,7 @@ index 17eda24..d1770c8 100644 ') ######################################## -@@ -225,9 +626,9 @@ optional_policy(` +@@ -225,9 +630,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -37959,7 +37995,7 @@ index 17eda24..d1770c8 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +659,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +663,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37976,7 +38012,7 @@ index 17eda24..d1770c8 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +684,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +688,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38019,7 +38055,7 @@ index 17eda24..d1770c8 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +721,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +725,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38031,7 +38067,7 @@ index 17eda24..d1770c8 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +733,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +737,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38042,7 +38078,7 @@ index 17eda24..d1770c8 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +744,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +748,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -38052,7 +38088,7 @@ index 17eda24..d1770c8 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +753,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +757,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38060,7 +38096,7 @@ index 17eda24..d1770c8 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +760,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +764,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38068,7 +38104,7 @@ index 17eda24..d1770c8 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +768,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +772,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38086,7 +38122,7 @@ index 17eda24..d1770c8 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +786,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +790,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38100,7 +38136,7 @@ index 17eda24..d1770c8 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +801,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +805,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38114,7 +38150,7 @@ index 17eda24..d1770c8 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +814,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +818,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38125,7 +38161,7 @@ index 17eda24..d1770c8 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +827,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +831,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38133,7 +38169,7 @@ index 17eda24..d1770c8 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +846,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +850,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38157,7 +38193,7 @@ index 17eda24..d1770c8 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +879,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +883,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38165,7 +38201,7 @@ index 17eda24..d1770c8 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +913,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +917,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38176,7 +38212,7 @@ index 17eda24..d1770c8 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +937,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +941,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -38185,7 +38221,7 @@ index 17eda24..d1770c8 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +952,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +956,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38193,7 +38229,7 @@ index 17eda24..d1770c8 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +973,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +977,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38201,7 +38237,7 @@ index 17eda24..d1770c8 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +983,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +987,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38246,7 +38282,7 @@ index 17eda24..d1770c8 100644 ') optional_policy(` -@@ -559,14 +1028,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1032,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38278,7 +38314,7 @@ index 17eda24..d1770c8 100644 ') ') -@@ -577,6 +1063,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1067,39 @@ ifdef(`distro_suse',` ') ') @@ -38318,7 +38354,7 @@ index 17eda24..d1770c8 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1108,8 @@ optional_policy(` +@@ -589,6 +1112,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38327,7 +38363,7 @@ index 17eda24..d1770c8 100644 ') optional_policy(` -@@ -610,6 +1131,7 @@ optional_policy(` +@@ -610,6 +1135,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38335,7 +38371,7 @@ index 17eda24..d1770c8 100644 ') optional_policy(` -@@ -626,6 +1148,17 @@ optional_policy(` +@@ -626,6 +1152,17 @@ optional_policy(` ') optional_policy(` 
@@ -38353,7 +38389,7 @@ index 17eda24..d1770c8 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1175,13 @@ optional_policy(` +@@ -642,9 +1179,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38367,7 +38403,7 @@ index 17eda24..d1770c8 100644 ') optional_policy(` -@@ -657,15 +1194,11 @@ optional_policy(` +@@ -657,15 +1198,11 @@ optional_policy(` ') optional_policy(` @@ -38385,7 +38421,7 @@ index 17eda24..d1770c8 100644 ') optional_policy(` -@@ -686,6 +1219,15 @@ optional_policy(` +@@ -686,6 +1223,15 @@ optional_policy(` ') optional_policy(` @@ -38401,7 +38437,7 @@ index 17eda24..d1770c8 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1268,7 @@ optional_policy(` +@@ -726,6 +1272,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38409,7 +38445,7 @@ index 17eda24..d1770c8 100644 ') optional_policy(` -@@ -743,7 +1286,13 @@ optional_policy(` +@@ -743,7 +1290,13 @@ optional_policy(` ') optional_policy(` @@ -38424,7 +38460,7 @@ index 17eda24..d1770c8 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1315,10 @@ optional_policy(` +@@ -766,6 +1319,10 @@ optional_policy(` ') optional_policy(` @@ -38435,7 +38471,7 @@ index 17eda24..d1770c8 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1328,20 @@ optional_policy(` +@@ -775,10 +1332,20 @@ optional_policy(` ') optional_policy(` @@ -38456,7 +38492,7 @@ index 17eda24..d1770c8 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1350,10 @@ optional_policy(` +@@ -787,6 +1354,10 @@ optional_policy(` ') optional_policy(` @@ -38467,7 +38503,7 @@ index 17eda24..d1770c8 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1375,6 @@ optional_policy(` +@@ -808,8 +1379,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -38476,7 +38512,7 @@ index 17eda24..d1770c8 100644 ') optional_policy(` -@@ -818,6 +1383,10 @@ optional_policy(` +@@ -818,6 +1387,10 @@ optional_policy(` ') optional_policy(` @@ -38487,7 +38523,7 @@ index 17eda24..d1770c8 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1396,12 @@ optional_policy(` +@@ -827,10 +1400,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38500,7 +38536,7 @@ index 17eda24..d1770c8 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1428,60 @@ optional_policy(` +@@ -857,21 +1432,60 @@ optional_policy(` ') optional_policy(` @@ -38562,7 +38598,7 @@ index 17eda24..d1770c8 100644 ') optional_policy(` -@@ -887,6 +1497,10 @@ optional_policy(` +@@ -887,6 +1501,10 @@ optional_policy(` ') optional_policy(` @@ -38573,7 +38609,7 @@ index 17eda24..d1770c8 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1511,218 @@ optional_policy(` +@@ -897,3 +1515,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -46124,7 +46160,7 @@ index 40edc18..95f4458 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..b363779 100644 +index 2cea692..c9a9c5e 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -46495,7 +46531,7 @@ index 2cea692..b363779 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -720,8 +970,13 @@ interface(`sysnet_dns_name_resolve',` +@@ -720,14 +970,23 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) 
@@ -46509,7 +46545,17 @@ index 2cea692..b363779 100644 sysnet_read_config($1) optional_policy(` -@@ -750,8 +1005,6 @@ interface(`sysnet_use_ldap',` + avahi_stream_connect($1) + ') + ++ optional_policy(` ++ dbus_stream_connect_system_dbusd($1) ++ ') ++ + optional_policy(` + nscd_use($1) + ') +@@ -750,8 +1009,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -46518,7 +46564,7 @@ index 2cea692..b363779 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -760,9 +1013,14 @@ interface(`sysnet_use_ldap',` +@@ -760,9 +1017,14 @@ interface(`sysnet_use_ldap',` # Support for LDAPS dev_read_rand($1) @@ -46533,7 +46579,7 @@ index 2cea692..b363779 100644 ') ######################################## -@@ -784,7 +1042,6 @@ interface(`sysnet_use_portmap',` +@@ -784,7 +1046,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -46541,7 +46587,7 @@ index 2cea692..b363779 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1053,126 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1057,126 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -47154,10 +47200,10 @@ index 0000000..8b77d7a +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..16cd1ac +index 0000000..86e3d01 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1763 @@ +@@ -0,0 +1,1803 @@ +## SELinux policy for systemd components + +###################################### 
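Review bot: The new `dbus_stream_connect_system_dbusd($1)` block inside sysnet_dns_name_resolve hands connectto on the system bus socket to every domain that resolves names, which is most of the confined policy rather than only the domains that use nss-resolve, and because it sits in optional_policy it is effectively unconditional wherever the dbus module is loaded. A dedicated interface or a tunable would keep the broad grant visible and switchable, and the block should carry a why-comment such as `# nss-resolve talks to systemd-resolved over the system bus -- confirm which callers need this`. Connectto alone does not permit message sending, so callers that really need resolved will presumably still need dbus_system_bus_client-style rules elsewhere; if the goal is only to silence AVC noise, a dontaudit would be the narrower choice. The interface body continues outside the hunk.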
@@ -48921,12 +48967,52 @@ index 0000000..16cd1ac + allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto}; + files_etc_filetrans($1, systemd_hwdb_etc_t, file) +') ++ ++######################################## ++## ++## Allow process to mount directory configured in a ++## systemd unit as ReadWriteDirectory or ReadOnlyDirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`systemd_allow_mount_dir',` ++ gen_require(` ++ attribute systemd_mount_directory; ++ ') ++ ++ allow $1 systemd_mount_directory:dir mounton; ++') ++ ++######################################## ++## ++## Mark the following type as mountable by systemd. ++## ++## ++## ++## Type to be authorized to be mounted ++## ++## ++## ++# ++interface(`systemd_mount_dir',` ++ gen_require(` ++ attribute systemd_mount_directory; ++ ') ++ ++ files_type($1) ++ typeattribute $1 systemd_mount_directory; ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..fda8f23 +index 0000000..8abc799 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,964 @@ +@@ -0,0 +1,965 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48937,6 +49023,7 @@ index 0000000..fda8f23 +attribute systemd_unit_file_type; +attribute systemd_domain; +attribute systemctl_domain; ++attribute systemd_mount_directory; + +systemd_domain_template(systemd_logger) +systemd_domain_template(systemd_logind) @@ -51305,7 +51392,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..af8711d 100644 +index 9dc60c6..adc5f75 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
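Review bot: The summary of systemd_allow_mount_dir refers to unit directives that do not exist (`ReadWriteDirectory`/`ReadOnlyDirectory`); the systemd options are ReadWriteDirectories= and ReadOnlyDirectories= (later ReadWritePaths=/ReadOnlyPaths=), and the comment should also say that the only permission granted is dir mounton on types carrying systemd_mount_directory, nothing on the mount source. Suggested summary: `## Allow the domain to mount on directories whose type was marked by systemd_mount_dir() as a unit ReadWriteDirectories=/ReadOnlyDirectories= target.` systemd_mount_dir additionally turns the type into a files_type via `files_type($1)`, which its description does not mention; callers whose type already carries another attribute should be told they get both. These are documentation points only; the rules themselves look as intended.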
@@ -52474,15 +52561,18 @@ index 9dc60c6..af8711d 100644 ############################## # # Local policy -@@ -907,53 +1195,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1195,142 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # -+ kernel_stream_connect($1_usertype) ++ allow $1_usertype self:cap_userns { sys_admin sys_chroot }; ++ allow $1_usertype self:dir { add_name write }; - auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) -- ++ kernel_stream_connect($1_usertype) ++ fs_associate_proc($1_usertype) + - dev_read_sound($1_t) - dev_write_sound($1_t) + dev_read_sound($1_usertype) @@ -52494,6 +52584,7 @@ index 9dc60c6..af8711d 100644 + dev_read_rand($1_usertype) - logging_send_syslog_msg($1_t) +- logging_dontaudit_send_audit_msgs($1_t) + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) @@ -52501,6 +52592,7 @@ index 9dc60c6..af8711d 100644 + libs_dontaudit_setattr_lib_files($1_usertype) + + init_read_state($1_usertype) ++ init_signal($1_usertype) + + tunable_policy(`selinuxuser_rw_noexattrfile',` + dev_rw_usbfs($1_t) @@ -52515,7 +52607,7 @@ index 9dc60c6..af8711d 100644 + ') + + logging_send_syslog_msg($1_t) - logging_dontaudit_send_audit_msgs($1_t) ++ logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain - logging_send_audit_msgs($1_t) 
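Review bot: `allow $1_usertype self:cap_userns { sys_admin sys_chroot };` at the top of the restricted xwindows user local policy grants every restricted-user domain sys_admin inside user namespaces, a well-known privilege-escalation surface (mounts, namespace setup), which sits oddly in a template meant for locked-down desktop users and is added without a comment saying which application needs it. Unless a concrete consumer is known, it should be gated by a tunable_policy block in the style the template already uses for selinuxuser_rw_noexattrfile (boolean name to be confirmed against the booleans file) so hardened hosts can switch it off, and it should carry a why-comment naming the consumer. The same applies to `init_signal($1_usertype)`, which lets these domains send signals to init_t; DAC presumably still shields PID 1, but the intent (user manager, session scope, or something else) should be stated. The template body continues outside the hunk.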
@@ -52563,25 +52655,25 @@ index 9dc60c6..af8711d 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ ') optional_policy(` - consolekit_dbus_chat($1_t) -+ fprintd_dbus_chat($1_t) ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + realmd_dbus_chat($1_t) ') @@ -52626,7 +52718,7 @@ index 9dc60c6..af8711d 100644 ') ####################################### -@@ -987,27 +1359,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1364,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -52664,7 +52756,7 @@ index 9dc60c6..af8711d 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1396,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1401,63 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -52738,7 +52830,7 @@ index 9dc60c6..af8711d 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1461,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1466,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -52749,7 +52841,7 @@ index 9dc60c6..af8711d 100644 ') ') -@@ -1079,7 +1499,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1504,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -52760,7 +52852,7 @@ index 9dc60c6..af8711d 100644 ') ############################## -@@ -1095,6 +1517,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1522,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -52768,7 +52860,7 @@ index 9dc60c6..af8711d 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1528,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1533,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -52785,7 +52877,7 @@ index 9dc60c6..af8711d 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1545,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1550,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -52794,7 +52886,7 @@ index 9dc60c6..af8711d 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1564,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1569,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -52810,7 +52902,7 @@ index 9dc60c6..af8711d 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1583,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1588,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -52855,7 +52947,7 @@ index 9dc60c6..af8711d 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1626,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1631,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -52864,7 +52956,7 @@ index 9dc60c6..af8711d 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1635,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1640,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -52887,7 +52979,7 @@ index 9dc60c6..af8711d 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1685,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1690,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -52896,7 +52988,7 @@ index 9dc60c6..af8711d 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1695,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1700,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -52905,7 +52997,7 @@ index 9dc60c6..af8711d 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1709,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1714,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -52917,7 +53009,7 @@ index 9dc60c6..af8711d 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1723,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1728,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -52960,7 +53052,7 @@ index 9dc60c6..af8711d 100644 ') optional_policy(` -@@ -1357,14 +1808,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1813,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -52979,7 +53071,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1397,12 +1851,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1856,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -53033,7 +53125,7 @@ index 9dc60c6..af8711d 100644 ## Allow domain to attach to TUN devices created by administrative users. ##
## -@@ -1509,11 +2003,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2008,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -53065,7 +53157,7 @@ index 9dc60c6..af8711d 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2069,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2074,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -53080,7 +53172,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1570,9 +2092,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2097,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -53092,7 +53184,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1613,6 +2137,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2142,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -53117,7 +53209,7 @@ index 9dc60c6..af8711d 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2173,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2178,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -53177,7 +53269,7 @@ index 9dc60c6..af8711d 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2299,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2304,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` 
@@ -53192,7 +53284,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1741,10 +2338,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2343,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -53207,7 +53299,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1769,7 +2368,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2373,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -53216,7 +53308,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1777,19 +2376,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2381,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -53240,7 +53332,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1797,55 +2394,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2399,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -53311,7 +53403,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1853,18 +2450,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2455,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -53339,7 +53431,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1872,18 +2470,71 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,13 +2475,163 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -53353,11 +53445,10 @@ index 9dc60c6..af8711d 100644 +interface(`usedom_dontaudit_user_getattr_tmp_sockets',` + refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') + userdom_getattr_user_tmp_files($1) - ') - - ######################################## - ## --## Do not audit attempts to read user home files. ++') ++ ++######################################## ++## +## Dontaudit getattr on user tmp sockets. +## +## 
@@ -53416,21 +53507,18 @@ index 9dc60c6..af8711d 100644 +## +## Do not audit attempts to set the +## attributes of user home files. - ## - ## - ## -@@ -1891,13 +2542,113 @@ interface(`userdom_read_user_home_content_files',` - ## - ## - # --interface(`userdom_dontaudit_read_user_home_content_files',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`userdom_dontaudit_setattr_user_home_content_files',` - gen_require(` - type user_home_t; - ') - -- dontaudit $1 user_home_t:dir list_dir_perms; -- dontaudit $1 user_home_t:file read_file_perms; ++ gen_require(` ++ type user_home_t; ++ ') ++ + dontaudit $1 user_home_t:file setattr_file_perms; +') + @@ -53511,24 +53599,20 @@ index 9dc60c6..af8711d 100644 + + dontaudit $1 user_home_type:dir getattr; + dontaudit $1 user_home_type:file getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to read user home files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_read_user_home_content_files',` -+ gen_require(` + ') + + ######################################## +@@ -1893,11 +2646,14 @@ interface(`userdom_read_user_home_content_files',` + # + interface(`userdom_dontaudit_read_user_home_content_files',` + gen_require(` +- type user_home_t; + attribute user_home_type; + type user_home_dir_t; -+ ') -+ + ') + +- dontaudit $1 user_home_t:dir list_dir_perms; +- dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; @@ -53536,7 +53620,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -1938,7 +2689,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2694,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## 
@@ -53545,7 +53629,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1946,10 +2697,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2702,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -53558,7 +53642,7 @@ index 9dc60c6..af8711d 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2708,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2713,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -53567,7 +53651,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -1966,12 +2716,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2721,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -53636,7 +53720,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2007,8 +2811,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2816,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -53646,7 +53730,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2024,20 +2827,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2832,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -53671,7 +53755,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## -@@ -2120,7 +2917,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2922,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -53680,7 +53764,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2128,19 +2925,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2930,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # 
@@ -53704,7 +53788,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2148,12 +2943,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2948,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -53720,7 +53804,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2388,18 +3183,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3188,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -53778,7 +53862,7 @@ index 9dc60c6..af8711d 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3245,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3250,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -53787,7 +53871,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2455,6 +3286,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3291,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -53813,7 +53897,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## -@@ -2538,7 +3388,27 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3393,27 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -53842,7 +53926,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2566,6 +3436,27 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,6 +3441,27 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -53870,7 +53954,7 @@ index 9dc60c6..af8711d 100644 interface(`userdom_manage_user_tmp_pipes',` gen_require(` type user_tmp_t; -@@ -2661,6 +3552,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3557,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') 
@@ -53892,7 +53976,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3578,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3583,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -53914,7 +53998,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2692,19 +3593,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3598,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -53937,7 +54021,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2713,13 +3608,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3613,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -53998,7 +54082,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2814,6 +3752,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3757,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -54023,7 +54107,7 @@ index 9dc60c6..af8711d 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3788,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3793,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -54066,7 +54150,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -2856,14 +3824,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3829,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -54104,7 +54188,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2882,8 +3869,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3874,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') 
@@ -54134,7 +54218,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -2955,6 +3961,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3966,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54177,7 +54261,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4020,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4025,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54202,7 +54286,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4038,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4043,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -54214,7 +54298,7 @@ index 9dc60c6..af8711d 100644 ## memory segments. ## ## -@@ -3025,17 +4049,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4054,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -54235,7 +54319,7 @@ index 9dc60c6..af8711d 100644 ## memory segments. ## ## -@@ -3044,12 +4068,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4073,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -54250,7 +54334,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -3094,7 +4118,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4123,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -54259,7 +54343,7 @@ index 9dc60c6..af8711d 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4134,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4139,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -54293,7 +54377,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -3214,7 +4222,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4227,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -54320,7 +54404,7 @@ index 9dc60c6..af8711d 100644 ') ######################################## -@@ -3269,12 +4295,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4300,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -54336,7 +54420,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -3282,54 +4309,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4314,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -54408,7 +54492,7 @@ index 9dc60c6..af8711d 100644 ## ## ## -@@ -3337,17 +4366,91 @@ interface(`userdom_getattr_all_users',` +@@ -3337,18 +4371,92 @@ interface(`userdom_getattr_all_users',` ## ## # @@ -54425,6 +54509,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## -## Do not audit attempts to inherit the file +-## descriptors from any user domains. +## Do not audit attempts to use user ttys. +## +## @@ -54500,10 +54585,11 @@ index 9dc60c6..af8711d 100644 +######################################## +## +## Do not audit attempts to inherit the file - ## descriptors from any user domains. ++## descriptors from any user domains. ## ## -@@ -3382,6 +4485,42 @@ interface(`userdom_signal_all_users',` + ## +@@ -3382,6 +4490,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -54546,7 +54632,7 @@ index 9dc60c6..af8711d 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4541,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4546,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -54607,7 +54693,7 @@ index 9dc60c6..af8711d 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4628,1817 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4633,1817 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index cf53652..f24ab7c 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..5f57515 100644 +index eb50f07..1377e9e 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -1070,7 +1070,7 @@ index eb50f07..5f57515 100644 -allow abrt_dump_oops_t self:capability dac_override; +allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid }; -+allow abrt_dump_oops_t self:cap_userns { kill }; ++allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace }; +allow abrt_dump_oops_t self:process setfscreate; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; @@ -5492,7 +5492,7 @@ index f6eb485..757b864 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..4cb64e5 100644 +index 6649962..248b38c 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) 
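Review bot: The widened `allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };` line lands with no comment saying which operation needs ptrace-class capability inside user namespaces; the domain already holds sys_ptrace in the init namespace via the self:capability line directly above it, so this extends the same power to processes running in user namespaces, presumably to mirror that grant. A one-line comment above the rule naming the triggering denial or ticket, e.g. `# cap_userns sys_ptrace: needed for <denial or bug reference> when abrt-dump-oops runs in a user namespace`, would make the widening auditable later. If only `kill` is actually exercised in the user-namespace case, the narrower original set is preferable; the enclosing abrt_dump_oops_t block continues outside the hunk.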
@@ -6210,7 +6210,7 @@ index 6649962..4cb64e5 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +575,176 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +575,177 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6277,6 +6277,7 @@ index 6649962..4cb64e5 100644 -fs_search_auto_mountpoints(httpd_t) +fs_rw_anon_inodefs_files(httpd_t) +fs_rw_hugetlbfs_files(httpd_t) ++fs_list_inotifyfs(httpd_t) + +auth_use_nsswitch(httpd_t) + @@ -6451,7 +6452,7 @@ index 6649962..4cb64e5 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +756,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6511,7 +6512,7 @@ index 6649962..4cb64e5 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +808,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6614,7 +6615,7 @@ index 6649962..4cb64e5 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +867,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6695,7 +6696,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -749,24 +919,32 @@ optional_policy(` +@@ -749,24 +920,32 @@ optional_policy(` ') optional_policy(` 
@@ -6734,7 +6735,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -775,6 +953,10 @@ optional_policy(` +@@ -775,6 +954,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6745,7 +6746,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -786,35 +968,60 @@ optional_policy(` +@@ -786,35 +969,60 @@ optional_policy(` ') optional_policy(` @@ -6819,7 +6820,7 @@ index 6649962..4cb64e5 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1029,30 @@ optional_policy(` +@@ -822,8 +1030,30 @@ optional_policy(` ') optional_policy(` @@ -6850,7 +6851,7 @@ index 6649962..4cb64e5 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1061,8 @@ optional_policy(` +@@ -832,6 +1062,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6859,7 +6860,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -842,20 +1073,44 @@ optional_policy(` +@@ -842,20 +1074,44 @@ optional_policy(` ') optional_policy(` @@ -6910,7 +6911,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -863,16 +1118,31 @@ optional_policy(` +@@ -863,16 +1119,31 @@ optional_policy(` ') optional_policy(` @@ -6944,7 +6945,7 @@ index 6649962..4cb64e5 100644 ') optional_policy(` -@@ -883,65 +1153,189 @@ optional_policy(` +@@ -883,65 +1154,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7156,7 +7157,7 @@ index 6649962..4cb64e5 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1344,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1345,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7310,7 +7311,7 @@ index 6649962..4cb64e5 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1429,107 @@ optional_policy(` +@@ -1083,172 +1430,107 @@ optional_policy(` ') ') 
@@ -7548,7 +7549,7 @@ index 6649962..4cb64e5 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1537,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1538,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7645,7 +7646,7 @@ index 6649962..4cb64e5 100644 ######################################## # -@@ -1321,8 +1612,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1613,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7662,7 +7663,7 @@ index 6649962..4cb64e5 100644 ') ######################################## -@@ -1330,49 +1628,40 @@ optional_policy(` +@@ -1330,49 +1629,40 @@ optional_policy(` # User content local policy # @@ -7728,7 +7729,7 @@ index 6649962..4cb64e5 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1672,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -14958,7 +14959,7 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 5f306dd..e01156f 100644 +index 5f306dd..578b615 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) @@ -15042,7 +15043,7 @@ index 5f306dd..e01156f 100644 ') optional_policy(` -@@ -192,13 +206,13 @@ optional_policy(` +@@ -192,13 +206,14 @@ optional_policy(` ') optional_policy(` @@ -15057,6 +15058,7 @@ index 5f306dd..e01156f 100644 - tftp_manage_config_files(cobblerd_t) - tftp_etc_filetrans_config(cobblerd_t, file, "tftp") + tftp_manage_config(cobblerd_t) ++ tftp_delete_content_dirs(cobblerd_t) tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) ') diff --git a/cockpit.fc b/cockpit.fc @@ -15273,7 +15275,7 @@ index 0000000..d5920c0 +') 
diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..23ebc59 +index 0000000..e7b8c7e --- /dev/null +++ b/cockpit.te @@ -0,0 +1,115 @@ @@ -15336,8 +15338,8 @@ index 0000000..23ebc59 +manage_sock_files_pattern(cockpit_ws_t, cockpit_var_run_t, cockpit_var_run_t) +files_pid_filetrans(cockpit_ws_t, cockpit_var_run_t, { file dir sock_file }) + -+read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) -+list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) ++manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) ++manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) + +auth_use_nsswitch(cockpit_ws_t) + @@ -22144,7 +22146,7 @@ index dda905b..5587295 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..f9c33f4 100644 +index 62d22cb..d4cf2ea 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -22293,9 +22295,9 @@ index 62d22cb..f9c33f4 100644 - files_search_var_lib($1) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) - -+ dev_read_urand($1) + ++ dev_read_urand($1) + + # For connecting to the bus files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) @@ -22674,7 +22676,7 @@ index 62d22cb..f9c33f4 100644 ## ## ## Type to be used as a domain. -@@ -397,81 +410,67 @@ interface(`dbus_manage_lib_files',` +@@ -397,199 +410,231 @@ interface(`dbus_manage_lib_files',` ## ## ## 
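Review bot: The cockpit_ws_t access to cockpit_var_lib_t jumps from `read_files_pattern`/`list_dirs_pattern` to `manage_files_pattern`/`manage_dirs_pattern` with no comment on why the domain now needs to create and delete under its lib directory. cockpit_ws_t appears to be the web-facing component, so a write grant on state it previously only read is the kind of change a later auditor will want justified; a comment above the two lines such as `# manage needed for <operation or denial reference>` would do. If only one file or subdirectory has to be written, a dedicated type or a narrower rule would keep the rest of cockpit_var_lib_t read-only for this domain. The enclosing cockpit_ws_t rule block continues outside the hunk.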
@@ -22714,10 +22716,25 @@ index 62d22cb..f9c33f4 100644 ## ## -## Type to be used as a domain. --## --## ++## Domain allowed access. + ## + ## -## --## ++# ++interface(`dbus_use_system_bus_fds',` ++ gen_require(` ++ type system_dbusd_t; ++ ') ++ ++ allow $1 system_dbusd_t:fd use; ++') ++ ++######################################## ++## ++## Allow unconfined access to the system DBUS. ++## ++## + ## -## Type of the program to be used as an -## entry point to this domain. +## Domain allowed access. 
@@ -22725,112 +22742,149 @@ index 62d22cb..f9c33f4 100644 ## # -interface(`dbus_all_session_domain',` -+interface(`dbus_use_system_bus_fds',` ++interface(`dbus_unconfined',` gen_require(` - type session_bus_type; -+ type system_dbusd_t; ++ attribute dbusd_unconfined; ') - domtrans_pattern(session_bus_type, $2, $1) - - dbus_all_session_bus_client($1) - dbus_connect_all_session_bus($1) -+ allow $1 system_dbusd_t:fd use; ++ typeattribute $1 dbusd_unconfined; ') ######################################## ## -## Allow a application domain to be -## started by the specified session bus. -+## Allow unconfined access to the system DBUS. ++## Delete all dbus pid files ## -## --## ++## + ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). --## --## ++## Domain allowed access. + ## + ## ++# ++interface(`dbus_delete_pid_files',` ++ gen_require(` ++ type system_dbusd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++') ++ ++######################################## ++## ++## Read all dbus pid files ++## ## ## -## Type to be used as a domain. --## --## ++## Domain allowed access. + ## + ## -## --## ++# ++interface(`dbus_read_pid_files',` ++ gen_require(` ++ type system_dbusd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ++## ++## + ## -## Type of the program to be used as an -## entry point to this domain. -+## Domain allowed access. ++## Domain to not audit. 
## ## # -interface(`dbus_spec_session_domain',` -+interface(`dbus_unconfined',` ++interface(`dbus_dontaudit_stream_connect_session_bus',` gen_require(` - type $1_dbusd_t; -+ attribute dbusd_unconfined; ++ attribute session_bus_type; ') - domtrans_pattern($1_dbusd_t, $2, $3) - - dbus_spec_session_bus_client($1, $2) - dbus_connect_spec_session_bus($1, $2) -+ typeattribute $1 dbusd_unconfined; ++ dontaudit $1 session_bus_type:unix_stream_socket connectto; ') ######################################## ## -## Acquire service on the DBUS system bus. -+## Delete all dbus pid files ++## Allow attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## -@@ -479,18 +478,18 @@ interface(`dbus_spec_session_domain',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`dbus_connect_system_bus',` -+interface(`dbus_delete_pid_files',` ++interface(`dbus_stream_connect_session_bus',` gen_require(` - type system_dbusd_t; - class dbus acquire_svc; -+ type system_dbusd_var_run_t; ++ attribute session_bus_type; ') - allow $1 system_dbusd_t:dbus acquire_svc; -+ files_search_pids($1) -+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++ allow $1 session_bus_type:unix_stream_socket connectto; ') ######################################## ## -## Send messages to the DBUS system bus. -+## Read all dbus pid files ++## Do not audit attempts to send dbus ++## messages to session bus types. ## ## ## -@@ -498,98 +497,122 @@ interface(`dbus_connect_system_bus',` +-## Domain allowed access. ++## Domain to not audit. 
## ## # -interface(`dbus_send_system_bus',` -+interface(`dbus_read_pid_files',` ++interface(`dbus_chat_session_bus',` gen_require(` - type system_dbusd_t; -- class dbus send_msg; -+ type system_dbusd_var_run_t; ++ attribute session_bus_type; + class dbus send_msg; ') - allow $1 system_dbusd_t:dbus send_msg; -+ files_search_pids($1) -+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++ allow $1 session_bus_type:dbus send_msg; ++ allow session_bus_type $1:dbus send_msg; ') ######################################## ## -## Unconfined access to DBUS system bus. -+## Do not audit attempts to connect to -+## session bus types with a unix -+## stream socket. ++## Do not audit attempts to send dbus ++## messages to session bus types. ## ## ## 
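Review bot: The documentation on two of the new interfaces in this hunk contradicts what they grant: `dbus_stream_connect_session_bus` allows `session_bus_type:unix_stream_socket connectto` but describes its parameter as `Domain to not audit.`, and `dbus_chat_session_bus` grants bidirectional `send_msg` yet carries the summary `Do not audit attempts to send dbus messages to session bus types.` with the same parameter text. Both read as copy-paste from the dontaudit variants that follow in the next hunk. For the two allow interfaces the parameter should read `Domain allowed access.` and the chat summary `Send and receive dbus messages to and from session bus types.`. Interface summaries are what policy authors grep when choosing a rule, so a dontaudit summary on an allow interface is how access gets granted by accident.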
@@ -22840,59 +22894,43 @@ index 62d22cb..f9c33f4 100644 ## # -interface(`dbus_system_bus_unconfined',` -+interface(`dbus_dontaudit_stream_connect_session_bus',` ++interface(`dbus_dontaudit_chat_session_bus',` gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; + attribute session_bus_type; ++ class dbus send_msg; ') - allow $1 system_dbusd_t:dbus *; -+ dontaudit $1 session_bus_type:unix_stream_socket connectto; ++ dontaudit $1 session_bus_type:dbus send_msg; ') ######################################## ## -## Create a domain for processes which -## can be started by the DBUS system bus. -+## Allow attempts to connect to -+## session bus types with a unix -+## stream socket. ++## Do not audit attempts to send dbus ++## messages to system bus types. ## ## ## -## Type to be used as a domain. -+## Domain to not audit. - ## - ## +-## +-## -## -+# -+interface(`dbus_stream_connect_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ ') -+ -+ allow $1 session_bus_type:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to session bus types. -+## -+## - ## +-## -## Type of the program to be used as an entry point to this domain. +## Domain to not audit. ## ## # -interface(`dbus_system_domain',` -+interface(`dbus_chat_session_bus',` ++interface(`dbus_dontaudit_chat_system_bus',` gen_require(` - type system_dbusd_t; - role system_r; -+ attribute session_bus_type; ++ attribute system_bus_type; + class dbus send_msg; ') 
@@ -22909,38 +22947,22 @@ index 62d22cb..f9c33f4 100644 - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) -+ allow $1 session_bus_type:dbus send_msg; -+ allow session_bus_type $1:dbus send_msg; -+') - +- - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to session bus types. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_chat_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ class dbus send_msg; - ') -+ -+ dontaudit $1 session_bus_type:dbus send_msg; +- ') ++ dontaudit $1 system_bus_type:dbus send_msg; ++ dontaudit system_bus_type $1:dbus send_msg; ') ++ ######################################## ## -## Use and inherit DBUS system bus -## file descriptors. -+## Do not audit attempts to send dbus -+## messages to system bus types. ++## Allow attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## @@ -22950,18 +22972,16 @@ index 62d22cb..f9c33f4 100644 ## # -interface(`dbus_use_system_bus_fds',` -+interface(`dbus_dontaudit_chat_system_bus',` ++interface(`dbus_stream_connect_system_dbusd',` gen_require(` -- type system_dbusd_t; -+ attribute system_bus_type; -+ class dbus send_msg; + type system_dbusd_t; ') - allow $1 system_dbusd_t:fd use; -+ dontaudit $1 system_bus_type:dbus send_msg; -+ dontaudit system_bus_type $1:dbus send_msg; ++ allow $1 system_dbusd_t:unix_stream_socket connectto; ') ++ ######################################## ## -## Do not audit attempts to read and @@ -22972,7 +22992,7 @@ index 62d22cb..f9c33f4 100644 ## ## ## -@@ -597,28 +620,48 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +642,48 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -23030,7 +23050,7 @@ index 62d22cb..f9c33f4 100644 + files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") ') 
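Review bot: The new `dbus_stream_connect_system_dbusd` interface is introduced under a summary that still reads `Allow attempts to connect to session bus types with a unix stream socket.` although the only rule it contains is `allow $1 system_dbusd_t:unix_stream_socket connectto;` on the system bus daemon; the summary should name the system bus, e.g. `Connect to the system DBUS daemon with a unix stream socket.`. The interface also grants only the connectto permission and nothing on the socket file under system_dbusd_var_run_t, so callers presumably still need dbus_system_bus_client for a working connection — worth a sentence in the description so it is not mistaken for a standalone client grant. The summary lines sit in the preceding hunk and the interface body in this one.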
diff --git a/dbus.te b/dbus.te -index c9998c8..44c6283 100644 +index c9998c8..8b447a3 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -23154,7 +23174,7 @@ index c9998c8..44c6283 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +122,170 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +122,174 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -23203,9 +23223,10 @@ index c9998c8..44c6283 100644 optional_policy(` - policykit_read_lib(system_dbusd_t) + cpufreqselector_dbus_chat(system_dbusd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) + getty_start_services(system_dbusd_t) +') + @@ -23235,10 +23256,9 @@ index c9998c8..44c6283 100644 + +optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(system_dbusd_t) ++') ++ ++optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) @@ -23253,6 +23273,10 @@ index c9998c8..44c6283 100644 ') +optional_policy(` ++ virt_list_sandbox_dirs(system_dbusd_t) ++') ++ ++optional_policy(` + # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc + xserver_read_inherited_xdm_lib_files(system_dbusd_t) +') @@ -23272,7 +23296,7 @@ index c9998c8..44c6283 100644 +allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms; + +fs_search_all(system_bus_type) -+ + +dbus_system_bus_client(system_bus_type) +dbus_connect_system_bus(system_bus_type) + @@ -23302,7 +23326,7 @@ index c9998c8..44c6283 100644 +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') - ++ +######################################## +# +# session_bus_type rules 
@@ -23339,7 +23363,7 @@ index c9998c8..44c6283 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +294,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +298,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -23364,7 +23388,7 @@ index c9998c8..44c6283 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +313,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +317,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -23372,7 +23396,7 @@ index c9998c8..44c6283 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +322,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +326,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -23414,7 +23438,7 @@ index c9998c8..44c6283 100644 ') ######################################## -@@ -244,5 +359,9 @@ optional_policy(` +@@ -244,5 +363,9 @@ optional_policy(` # Unconfined access to this module # @@ -26571,7 +26595,7 @@ index d5badb7..c2431fc 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e..315aa2f 100644 +index 0aabc7e..3d8233b 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -26642,7 +26666,7 @@ index 0aabc7e..315aa2f 100644 corecmd_exec_bin(dovecot_domain) corecmd_exec_shell(dovecot_domain) -@@ -81,26 +79,34 @@ dev_read_sysfs(dovecot_domain) +@@ -81,26 +79,36 @@ dev_read_sysfs(dovecot_domain) dev_read_rand(dovecot_domain) dev_read_urand(dovecot_domain) 
@@ -26671,6 +26695,8 @@ index 0aabc7e..315aa2f 100644 +domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) + +allow dovecot_t dovecot_auth_t:process signal; ++ ++allow dovecot_t dovecot_deliver_t:process signull; allow dovecot_t dovecot_cert_t:dir list_dir_perms; -allow dovecot_t dovecot_cert_t:file read_file_perms; @@ -26687,7 +26713,7 @@ index 0aabc7e..315aa2f 100644 allow dovecot_t dovecot_keytab_t:file read_file_perms; -@@ -108,12 +114,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) +@@ -108,12 +116,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) @@ -26704,19 +26730,19 @@ index 0aabc7e..315aa2f 100644 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -125,45 +132,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +@@ -125,45 +134,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) -- ++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file }) + -can_exec(dovecot_t, dovecot_exec_t) - -allow dovecot_t dovecot_auth_t:process signal; - -domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) -+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file }) - +- -corenet_all_recvfrom_unlabeled(dovecot_t) corenet_all_recvfrom_netlabel(dovecot_t) corenet_tcp_sendrecv_generic_if(dovecot_t) 
@@ -26761,7 +26787,7 @@ index 0aabc7e..315aa2f 100644 init_getattr_utmp(dovecot_t) -@@ -171,45 +168,44 @@ auth_use_nsswitch(dovecot_t) +@@ -171,45 +170,44 @@ auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) @@ -26825,7 +26851,7 @@ index 0aabc7e..315aa2f 100644 sendmail_domtrans(dovecot_t) ') -@@ -227,46 +223,69 @@ optional_policy(` +@@ -227,46 +225,69 @@ optional_policy(` ######################################## # @@ -26904,7 +26930,7 @@ index 0aabc7e..315aa2f 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -277,53 +296,79 @@ optional_policy(` +@@ -277,53 +298,79 @@ optional_policy(` ') optional_policy(` @@ -27003,7 +27029,7 @@ index 0aabc7e..315aa2f 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -332,5 +377,6 @@ optional_policy(` +@@ -332,5 +379,6 @@ optional_policy(` ') optional_policy(` @@ -28964,7 +28990,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..a30b953 100644 +index 98072a3..ee152e2 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -29042,7 +29068,12 @@ index 98072a3..a30b953 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +115,10 @@ optional_policy(` +@@ -91,10 +111,15 @@ optional_policy(` + + optional_policy(` + networkmanager_dbus_chat(firewalld_t) ++ networkmanager_stream_connect(firewalld_t) + ') ') optional_policy(` @@ -31984,31 +32015,30 @@ index 5cd0909..bd3c3d2 100644 + +corenet_tcp_connect_commplex_main_port(glance_scrubber_t) +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) -diff --git a/glusterd.fc b/glusterd.fc -new file mode 100644 -index 0000000..52b4110 ---- /dev/null +diff --git a/glusterfs.fc b/glusterd.fc +similarity index 54% +rename from glusterfs.fc +rename to glusterd.fc +index 4bd6ade..52b4110 100644 +--- a/glusterfs.fc 
+++ b/glusterd.fc -@@ -0,0 +1,22 @@ -+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) -+ -+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) -+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) -+ -+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) -+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -+ +@@ -6,11 +6,17 @@ + /usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + /usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + -+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -+ + /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + +-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) +/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) -+ -+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) + + /var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) +/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) -+ + +/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) -+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) + /var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) 
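Review bot: The two ganesha entries on the new side of the glusterd.fc hunk, `/usr/bin/ganesha.nfsd` and `/var/log/ganesha.log`, leave the dot unescaped, so as file-context regexes they also match names like `ganesha-nfsd` or `ganeshaXlog`, while the rest of the file escapes literal dots (`/etc/rc\.d/init\.d/`). Change them to `/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)` and `/var/log/ganesha\.log -- gen_context(system_u:object_r:glusterd_log_t,s0)`. Tight patterns matter most for the `_exec_t` entry, since an over-broad match would hand an unrelated binary the glusterd domain transition; the `glusterd.*` and `ganesha.*` wildcards under /var/run look intentional and can stay.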
@@ -32588,28 +32618,6 @@ index 0000000..3ba328e +optional_policy(` + ssh_exec(glusterd_t) +') -diff --git a/glusterfs.fc b/glusterfs.fc -deleted file mode 100644 -index 4bd6ade..0000000 ---- a/glusterfs.fc -+++ /dev/null -@@ -1,16 +0,0 @@ --/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) -- --/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) --/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) -- --/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) --/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -- --/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -- --/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) -- --/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) -- --/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) --/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterfs.if b/glusterfs.if deleted file mode 100644 index 05233c8..0000000 @@ -69754,7 +69762,7 @@ index d2fc677..86dce34 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..bc31081 100644 +index 608f454..270648d 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -70097,7 +70105,8 @@ index 608f454..bc31081 100644 +# pegasus local policy # - allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; +-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; ++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service sys_ptrace }; dontaudit pegasus_t self:capability sys_tty_config; -allow pegasus_t self:process signal; +allow pegasus_t self:process { setsched signal }; 
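Review bot: The pegasus.te hunk adds `sys_ptrace` to pegasus_t's self:capability set without a comment on why; CAP_SYS_PTRACE lets the domain attach to and read the memory of other processes, which is a large grant for a CIM broker that already has `dac_override`, `setuid` and `net_admin`. If the motivating denial was only pegasus reading other domains' /proc state, the usual refpolicy answer is `dontaudit pegasus_t self:capability sys_ptrace;` together with the matching process-state interface rather than an allow. If the capability is genuinely exercised, keep the allow but record the reason above the line, e.g. `# sys_ptrace: <reason / AVC that motivated it> — confirm`, so the next reviewer does not have to guess.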
@@ -72804,7 +72813,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index ee91778..5fd133f 100644 +index ee91778..fb9b69a 100644 --- a/policykit.te +++ b/policykit.te @@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0) @@ -72830,7 +72839,7 @@ index ee91778..5fd133f 100644 type policykit_resolve_t, policykit_domain; type policykit_resolve_exec_t; -@@ -42,63 +37,70 @@ files_pid_file(policykit_var_run_t) +@@ -42,96 +37,121 @@ files_pid_file(policykit_var_run_t) ####################################### # @@ -72920,7 +72929,14 @@ index ee91778..5fd133f 100644 optional_policy(` consolekit_dbus_chat(policykit_t) ') -@@ -109,29 +111,43 @@ optional_policy(` + + optional_policy(` ++ devicekit_dbus_chat(policykit_t) ++ ') ++ ++ optional_policy(` + rpm_dbus_chat(policykit_t) + ') ') optional_policy(` @@ -72958,11 +72974,11 @@ index ee91778..5fd133f 100644 -allow policykit_auth_t self:process { getsched setsched signal }; -allow policykit_auth_t self:unix_stream_socket { accept listen }; +allow policykit_auth_t self:process { setsched getsched signal }; -+ -+allow policykit_auth_t self:unix_dgram_socket create_socket_perms; -+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; -ps_process_pattern(policykit_auth_t, policykit_domain) ++allow policykit_auth_t self:unix_dgram_socket create_socket_perms; ++allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; ++ +policykit_dbus_chat(policykit_auth_t) + +kernel_read_system_state(policykit_auth_t) 
@@ -72972,7 +72988,7 @@ index ee91778..5fd133f 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,65 +161,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,65 +165,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -73065,7 +73081,7 @@ index ee91778..5fd133f 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +242,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +246,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -73092,7 +73108,7 @@ index ee91778..5fd133f 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +263,28 @@ optional_policy(` +@@ -235,26 +267,28 @@ optional_policy(` ######################################## # @@ -73127,7 +73143,7 @@ index ee91778..5fd133f 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +296,6 @@ optional_policy(` +@@ -266,6 +300,6 @@ optional_policy(` ') optional_policy(` @@ -90236,6 +90252,16 @@ index 0000000..da94453 + #unconfined_domain(rolekit_t) + domain_named_filetrans(rolekit_t) +') +diff --git a/roundup.fc b/roundup.fc +index 6f05cd0..dc2a9aa 100644 +--- a/roundup.fc ++++ b/roundup.fc +@@ -2,4 +2,4 @@ + + /usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0) + +-/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) ++/var/lib/roundup(/.*)? gen_context(system_u:object_r:roundup_var_lib_t,s0) diff --git a/roundup.if b/roundup.if index 975bb6a..ce4f5ea 100644 --- a/roundup.if 
@@ -90254,10 +90280,14 @@ index 975bb6a..ce4f5ea 100644 init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff --git a/roundup.te b/roundup.te -index ccb5991..189ac01 100644 +index ccb5991..fa10c5a 100644 --- a/roundup.te +++ b/roundup.te -@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t) +@@ -38,10 +38,10 @@ files_pid_filetrans(roundup_t, roundup_var_run_t, file) + kernel_read_kernel_sysctls(roundup_t) + kernel_list_proc(roundup_t) + kernel_read_proc_symlinks(roundup_t) ++kernel_read_system_state(roundup_t) corecmd_exec_bin(roundup_t) @@ -90265,7 +90295,7 @@ index ccb5991..189ac01 100644 corenet_all_recvfrom_netlabel(roundup_t) corenet_tcp_sendrecv_generic_if(roundup_t) corenet_tcp_sendrecv_generic_node(roundup_t) -@@ -60,16 +59,11 @@ dev_read_urand(roundup_t) +@@ -60,19 +60,19 @@ dev_read_urand(roundup_t) domain_use_interactive_fds(roundup_t) @@ -90282,11 +90312,19 @@ index ccb5991..189ac01 100644 sysnet_dns_name_resolve(roundup_t) userdom_dontaudit_use_unpriv_user_fds(roundup_t) ++ ++optional_policy(` ++ apache_search_config(roundup_t) ++') ++ + userdom_dontaudit_search_user_home_dirs(roundup_t) + + optional_policy(` diff --git a/rpc.fc b/rpc.fc -index a6fb30c..38a2f09 100644 +index a6fb30c..3148280 100644 --- a/rpc.fc +++ b/rpc.fc -@@ -1,12 +1,23 @@ +@@ -1,12 +1,25 @@ -/etc/exports -- gen_context(system_u:object_r:exports_t,s0) +# +# /etc 
@@ -90304,19 +90342,21 @@ index a6fb30c..38a2f09 100644 -/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) ++/usr/lib/systemd/system-generators/nfs.* -- gen_context(system_u:object_r:nfsd_exec_t,s0) + +# +# /sbin +# +/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) +/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - ++ +# +# /usr +# /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) -@@ -16,7 +27,12 @@ +@@ -16,7 +29,12 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) @@ -96721,10 +96761,10 @@ index 0000000..3e89d71 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..24cb7ca +index 0000000..8a1e510 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,508 @@ +@@ -0,0 +1,512 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -96946,6 +96986,10 @@ index 0000000..24cb7ca +') + +optional_policy(` ++ colord_dbus_chat(sandbox_x_domain) ++') ++ ++optional_policy(` + consolekit_dbus_chat(sandbox_x_domain) +') + @@ -105155,40 +105199,47 @@ index 0000000..80c6480 + systemd_read_fifo_file_passwd_run($1) + ') +') -diff --git a/stapserver.te b/stapserver.te -new file mode 100644 -index 0000000..e847ea3 ---- /dev/null +diff --git a/systemtap.te b/stapserver.te +similarity index 64% +rename from systemtap.te +rename to stapserver.te +index ffde368..e847ea3 100644 +--- a/systemtap.te 
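Review bot: The sandboxX.te hunk opens D-Bus chat from sandbox_x_domain to colord with no comment recording the need. Because sandbox_x_domain is the attribute shared by every sandboxed X application, each `*_dbus_chat` call on it extends what a sandboxed application can reach on the system bus, so these grants are worth documenting individually. Suggest a comment inside the new block, e.g. `# colord_dbus_chat: needed for <use case / AVC> — confirm`, in the same spirit as the path comment that accompanies the xserver_read_inherited_xdm_lib_files block in the dbus.te hunk of this patch.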
+++ b/stapserver.te -@@ -0,0 +1,114 @@ +@@ -1,4 +1,4 @@ +-policy_module(systemtap, 1.1.0) +policy_module(stapserver, 1.1.1) -+ -+######################################## -+# -+# Declarations -+# -+ -+type stapserver_t; -+type stapserver_exec_t; -+init_daemon_domain(stapserver_t, stapserver_exec_t) -+ -+type stapserver_var_lib_t; -+files_type(stapserver_var_lib_t) -+ -+type stapserver_log_t; -+logging_log_file(stapserver_log_t) -+ -+type stapserver_var_run_t; -+files_pid_file(stapserver_var_run_t) -+ + + ######################################## + # +@@ -9,12 +9,6 @@ type stapserver_t; + type stapserver_exec_t; + init_daemon_domain(stapserver_t, stapserver_exec_t) + +-type stapserver_initrc_exec_t; +-init_script_file(stapserver_initrc_exec_t) +- +-type stapserver_conf_t; +-files_config_file(stapserver_conf_t) +- + type stapserver_var_lib_t; + files_type(stapserver_var_lib_t) + +@@ -24,50 +18,62 @@ logging_log_file(stapserver_log_t) + type stapserver_var_run_t; + files_pid_file(stapserver_var_run_t) + +type stapserver_tmp_t; +files_tmp_file(stapserver_tmp_t) + -+######################################## -+# + ######################################## + # +-# Local policy +# stapserver local policy -+# -+ + # + +-allow stapserver_t self:capability { dac_override kill setuid setgid }; +-allow stapserver_t self:process { setrlimit setsched signal }; +#runuser +allow stapserver_t self:capability { setuid setgid }; +allow stapserver_t self:process setsched; 
@@ -105196,84 +105247,84 @@ index 0000000..e847ea3 +allow stapserver_t self:capability { dac_override kill sys_ptrace}; +allow stapserver_t self:process { setrlimit signal }; + -+allow stapserver_t self:fifo_file rw_fifo_file_perms; -+allow stapserver_t self:key write; + allow stapserver_t self:fifo_file rw_fifo_file_perms; + allow stapserver_t self:key write; +-allow stapserver_t self:unix_stream_socket { accept listen }; +-allow stapserver_t self:tcp_socket create_stream_socket_perms; +- +-allow stapserver_t stapserver_conf_t:file read_file_perms; +allow stapserver_t self:unix_stream_socket create_stream_socket_perms; +allow stapserver_t self:tcp_socket { accept listen }; -+ -+manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) -+manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) -+files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) -+ -+manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) + + manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) + manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) + files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) + + manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -+logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) -+ + logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) + +manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir }) 
+ -+manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) -+manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) -+files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) -+ -+kernel_read_system_state(stapserver_t) + manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) + manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) + files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) + +-kernel_read_kernel_sysctls(stapserver_t) + kernel_read_system_state(stapserver_t) +kernel_read_kernel_sysctls(stapserver_t) -+ -+corecmd_exec_bin(stapserver_t) -+corecmd_exec_shell(stapserver_t) -+ -+domain_read_all_domains_state(stapserver_t) + + corecmd_exec_bin(stapserver_t) + corecmd_exec_shell(stapserver_t) + + domain_read_all_domains_state(stapserver_t) +domain_use_interactive_fds(stapserver_t) -+ -+dev_read_sysfs(stapserver_t) + +-dev_read_rand(stapserver_t) + dev_read_sysfs(stapserver_t) +dev_read_rand(stapserver_t) -+dev_read_urand(stapserver_t) -+ -+files_list_tmp(stapserver_t) -+files_search_kernel_modules(stapserver_t) -+ + dev_read_urand(stapserver_t) + + files_list_tmp(stapserver_t) +-files_read_usr_files(stapserver_t) + files_search_kernel_modules(stapserver_t) + +fs_search_cgroup_dirs(stapserver_t) +fs_getattr_all_fs(stapserver_t) + -+auth_use_nsswitch(stapserver_t) -+ -+init_read_utmp(stapserver_t) -+ -+logging_send_audit_msgs(stapserver_t) -+logging_send_syslog_msg(stapserver_t) -+ + auth_use_nsswitch(stapserver_t) + + init_read_utmp(stapserver_t) +@@ -75,12 +81,18 @@ init_read_utmp(stapserver_t) + logging_send_audit_msgs(stapserver_t) + logging_send_syslog_msg(stapserver_t) + +-miscfiles_read_localization(stapserver_t) +#lspci -+miscfiles_read_hwdata(stapserver_t) -+ + miscfiles_read_hwdata(stapserver_t) + +systemd_dbus_chat_logind(stapserver_t) + -+userdom_use_user_terminals(stapserver_t) -+ -+optional_policy(` + userdom_use_user_terminals(stapserver_t) + 
+ optional_policy(` + avahi_dbus_chat(stapserver_t) +') + +optional_policy(` -+ consoletype_exec(stapserver_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(stapserver_t) -+') -+ -+optional_policy(` -+ hostname_exec(stapserver_t) -+') -+ -+optional_policy(` -+ plymouthd_exec_plymouth(stapserver_t) -+') -+ -+optional_policy(` -+ rpm_exec(stapserver_t) -+') + consoletype_exec(stapserver_t) + ') + +@@ -99,3 +111,4 @@ optional_policy(` + optional_policy(` + rpm_exec(stapserver_t) + ') + diff --git a/stunnel.fc b/stunnel.fc index 49dd63c..ae2e798 100644 
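Review bot: In the stapserver.te hunk that starts on the line with `@@ -105196,84 +105247,84 @@`, the socket permissions appear swapped relative to the removed lines: the old text had `self:tcp_socket create_stream_socket_perms` and `self:unix_stream_socket { accept listen }`, the new text has `self:unix_stream_socket create_stream_socket_perms` and `self:tcp_socket { accept listen }`. With only `{ accept listen }` on tcp_socket the daemon cannot create or bind its TCP listening socket unless some interface outside this file grants that, so either the swap is unintended or it deserves a comment. The same hunk has `{ dac_override kill sys_ptrace}` missing the space before `}`, and `sys_ptrace` should get a why-comment in the style of the file's existing `#runuser` and `#lspci` markers, since it lets stapserver read other processes' memory.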
@@ -106091,113 +106142,6 @@ index c755e2d..0000000 - files_search_pids($1) - admin_pattern($1, stapserver_var_run_t) -') -diff --git a/systemtap.te b/systemtap.te -deleted file mode 100644 -index ffde368..0000000 ---- a/systemtap.te -+++ /dev/null -@@ -1,101 +0,0 @@ --policy_module(systemtap, 1.1.0) -- --######################################## --# --# Declarations --# -- --type stapserver_t; --type stapserver_exec_t; --init_daemon_domain(stapserver_t, stapserver_exec_t) -- --type stapserver_initrc_exec_t; --init_script_file(stapserver_initrc_exec_t) -- --type stapserver_conf_t; --files_config_file(stapserver_conf_t) -- --type stapserver_var_lib_t; --files_type(stapserver_var_lib_t) -- --type stapserver_log_t; --logging_log_file(stapserver_log_t) -- --type stapserver_var_run_t; --files_pid_file(stapserver_var_run_t) -- --######################################## --# --# Local policy --# -- --allow stapserver_t self:capability { dac_override kill setuid setgid }; --allow stapserver_t self:process { setrlimit setsched signal }; --allow stapserver_t self:fifo_file rw_fifo_file_perms; --allow stapserver_t self:key write; --allow stapserver_t self:unix_stream_socket { accept listen }; --allow stapserver_t self:tcp_socket create_stream_socket_perms; -- --allow stapserver_t stapserver_conf_t:file read_file_perms; -- --manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) --manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) --files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) -- --manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) -- --manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) 
--manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) --files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) -- --kernel_read_kernel_sysctls(stapserver_t) --kernel_read_system_state(stapserver_t) -- --corecmd_exec_bin(stapserver_t) --corecmd_exec_shell(stapserver_t) -- --domain_read_all_domains_state(stapserver_t) -- --dev_read_rand(stapserver_t) --dev_read_sysfs(stapserver_t) --dev_read_urand(stapserver_t) -- --files_list_tmp(stapserver_t) --files_read_usr_files(stapserver_t) --files_search_kernel_modules(stapserver_t) -- --auth_use_nsswitch(stapserver_t) -- --init_read_utmp(stapserver_t) -- --logging_send_audit_msgs(stapserver_t) --logging_send_syslog_msg(stapserver_t) -- --miscfiles_read_localization(stapserver_t) --miscfiles_read_hwdata(stapserver_t) -- --userdom_use_user_terminals(stapserver_t) -- --optional_policy(` -- consoletype_exec(stapserver_t) --') -- --optional_policy(` -- dbus_system_bus_client(stapserver_t) --') -- --optional_policy(` -- hostname_exec(stapserver_t) --') -- --optional_policy(` -- plymouthd_exec_plymouth(stapserver_t) --') -- --optional_policy(` -- rpm_exec(stapserver_t) --') diff --git a/targetd.fc b/targetd.fc new file mode 100644 index 0000000..c1ef053 @@ -107646,7 +107590,7 @@ index 3dd87da..0d13384 100644 -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff --git a/tftp.if b/tftp.if -index 9957e30..cd21321 100644 +index 9957e30..51af586 100644 --- a/tftp.if +++ b/tftp.if @@ -1,8 +1,8 @@ 
@@ -107660,17 +107604,13 @@ index 9957e30..cd21321 100644 ## ## ## -@@ -13,18 +13,21 @@ +@@ -13,18 +13,40 @@ interface(`tftp_read_content',` gen_require(` type tftpdir_t; + type tftpdir_rw_t; - ') - -- files_search_var_lib($1) -- allow $1 tftpdir_t:dir list_dir_perms; -- allow $1 tftpdir_t:file read_file_perms; -- allow $1 tftpdir_t:lnk_file read_lnk_file_perms; ++ ') ++ + list_dirs_pattern($1, tftpdir_t, tftpdir_t) + read_files_pattern($1, tftpdir_t, tftpdir_t) + read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) 
@@ -107678,46 +107618,68 @@ index 9957e30..cd21321 100644 + list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++') ++ ++######################################## ++## ++## Search tftp /var/lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tftp_search_rw_content',` ++ gen_require(` ++ type tftpdir_rw_t; + ') + ++ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + files_search_var_lib($1) +- allow $1 tftpdir_t:dir list_dir_perms; +- allow $1 tftpdir_t:file read_file_perms; +- allow $1 tftpdir_t:lnk_file read_lnk_file_perms; ') ######################################## ## -## Create, read, write, and delete -## tftp rw content. -+## Search tftp /var/lib directories. ++## Allow read tftp /var/lib files. ## ## ## -@@ -32,20 +35,18 @@ interface(`tftp_read_content',` +@@ -32,20 +54,18 @@ interface(`tftp_read_content',` ## ## # -interface(`tftp_manage_rw_content',` -+interface(`tftp_search_rw_content',` ++interface(`tftp_read_rw_content',` gen_require(` type tftpdir_rw_t; ') -+ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) files_search_var_lib($1) - allow $1 tftpdir_rw_t:dir manage_dir_perms; - allow $1 tftpdir_rw_t:file manage_file_perms; - allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms; ++ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') ######################################## ## -## Read tftpd configuration files. -+## Allow read tftp /var/lib files. ++## Allow write tftp /var/lib files. ## ## ## -@@ -53,19 +54,18 @@ interface(`tftp_manage_rw_content',` +@@ -53,19 +73,18 @@ interface(`tftp_manage_rw_content',` ## ## # -interface(`tftp_read_config_files',` -+interface(`tftp_read_rw_content',` ++interface(`tftp_write_rw_content',` gen_require(` - type tftpd_conf_t; + type tftpdir_rw_t; 
@@ -107726,23 +107688,23 @@ index 9957e30..cd21321 100644 - files_search_etc($1) - allow $1 tftpd_conf_t:file read_file_perms; + files_search_var_lib($1) -+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') ######################################## ## -## Create, read, write, and delete -## tftpd configuration files. -+## Allow write tftp /var/lib files. ++## Manage tftp /var/lib files. ## ## ## -@@ -73,55 +73,83 @@ interface(`tftp_read_config_files',` +@@ -73,55 +92,83 @@ interface(`tftp_read_config_files',` ## ## # -interface(`tftp_manage_config_files',` -+interface(`tftp_write_rw_content',` ++interface(`tftp_manage_rw_content',` gen_require(` - type tftpd_conf_t; + type tftpdir_rw_t; @@ -107751,7 +107713,8 @@ index 9957e30..cd21321 100644 - files_search_etc($1) - allow $1 tftpd_conf_t:file manage_file_perms; + files_search_var_lib($1) -+ write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') ######################################## @@ -107768,14 +107731,13 @@ index 9957e30..cd21321 100644 ## -## +# -+interface(`tftp_manage_rw_content',` ++interface(`tftp_delete_content_dirs',` + gen_require(` + type tftpdir_rw_t; + ') + + files_search_var_lib($1) -+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ delete_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) +') + +######################################## @@ -107837,7 +107799,7 @@ index 9957e30..cd21321 100644 ## ## Private file type. ## -@@ -131,25 +159,38 @@ interface(`tftp_etc_filetrans_config',` +@@ -131,25 +178,38 @@ interface(`tftp_etc_filetrans_config',` ## Class of the object being created. ## ## 
@@ -107884,7 +107846,7 @@ index 9957e30..cd21321 100644 ## ## ## -@@ -161,18 +202,22 @@ interface(`tftp_filetrans_tftpdir',` +@@ -161,18 +221,22 @@ interface(`tftp_filetrans_tftpdir',` interface(`tftp_admin',` gen_require(` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; @@ -108534,10 +108496,10 @@ index 0000000..9524b50 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..e80cde4 +index 0000000..3f3a239 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,162 @@ +@@ -0,0 +1,165 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -108639,6 +108601,9 @@ index 0000000..e80cde4 + +sysnet_read_config(thumb_t) + ++ ++term_dontaudit_use_unallocated_ttys(thumb_t) ++ +userdom_dontaudit_setattr_user_tmp(thumb_t) +userdom_read_user_tmp_files(thumb_t) +userdom_read_user_home_content_files(thumb_t) @@ -111523,10 +111488,10 @@ index a4f20bc..d8b1fd1 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..12e74f1 100644 +index facdee8..ee9e63e 100644 --- a/virt.if +++ b/virt.if -@@ -1,318 +1,231 @@ +@@ -1,120 +1,104 @@ -## Libvirt virtualization API. +## Libvirt virtualization API @@ -111576,8 +111541,10 @@ index facdee8..12e74f1 100644 - - optional_policy(` - pulseaudio_tmpfs_content($1_tmpfs_t) -- ') -- ++ type virtd_lxc_t; + ') ++') + - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) 
@@ -111612,87 +111579,60 @@ index facdee8..12e74f1 100644 - - optional_policy(` - pulseaudio_run($1_t, virt_domain_roles) -- ') -- -- optional_policy(` -- xserver_rw_shm($1_t) -+ type virtd_lxc_t; - ') - ') - --####################################### +######################################## - ## --## The template to define a virt lxc domain. ++## +## svirt_sandbox_domain attribute stub interface. No access allowed. - ## --## ++## +## - ## --## Domain prefix to be used. ++## +## Domain allowed access. - ## - ## - # --template(`virt_lxc_domain_template',` ++## ++## ++# +interface(`virt_stub_svirt_sandbox_domain',` - gen_require(` -- attribute_role svirt_lxc_domain_roles; -- attribute svirt_lxc_domain; ++ gen_require(` + attribute svirt_sandbox_domain; ') -- -- type $1_t, svirt_lxc_domain; -- domain_type($1_t) -- domain_user_exemption_target($1_t) -- mls_rangetrans_target($1_t) -- mcs_constrained($1_t) -- role svirt_lxc_domain_roles types $1_t; - ') ++') - ######################################## - ## --## Make the specified type virt image type. +- optional_policy(` +- xserver_rw_shm($1_t) ++######################################## ++## +## svirt_sandbox_file_t stub interface. No access allowed. - ## --## ++## +## - ## --## Type to be used as a virtual image. ++## +## Domain allowed access. - ## - ## - # --interface(`virt_image',` ++## ++## ++# +interface(`virt_stub_svirt_sandbox_file',` - gen_require(` -- attribute virt_image_type; ++ gen_require(` + type svirt_sandbox_file_t; ') -- -- typeattribute $1 virt_image_type; -- files_type($1) -- dev_node($1) ') - ######################################## +-####################################### ++######################################## ## --## Execute a domain transition to run virtd. +-## The template to define a virt lxc domain. +## Creates types and rules for a basic +## qemu process domain. ## --## +-## +## ## --## Domain allowed to transition. +-## Domain prefix to be used. +## Prefix for the domain. 
## ## # --interface(`virt_domtrans',` +-template(`virt_lxc_domain_template',` +template(`virt_domain_template',` gen_require(` -- type virtd_t, virtd_exec_t; +- attribute_role svirt_lxc_domain_roles; +- attribute svirt_lxc_domain; + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; + attribute virt_ptynode; @@ -111700,13 +111640,14 @@ index facdee8..12e74f1 100644 + type virtlogd_t; ') -- corecmd_search_bin($1) -- domtrans_pattern($1, virtd_exec_t, virtd_t) +- type $1_t, svirt_lxc_domain; +- domain_type($1_t) + type $1_t, virt_domain; + application_domain($1_t, qemu_exec_t) -+ domain_user_exemption_target($1_t) -+ mls_rangetrans_target($1_t) -+ mcs_constrained($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) +- role svirt_lxc_domain_roles types $1_t; + role system_r types $1_t; + + type $1_devpts_t, virt_ptynode; @@ -111728,38 +111669,29 @@ index facdee8..12e74f1 100644 ######################################## ## --## Execute a domain transition to run virt qmf. +-## Make the specified type virt image type. +## Make the specified type usable as a virt image ## --## -+## + ## ## --## Domain allowed to transition. +-## Type to be used as a virtual image. +## Type to be used as a virtual image ## ## # --interface(`virt_domtrans_qmf',` -+interface(`virt_image',` - gen_require(` -- type virt_qmf_t, virt_qmf_exec_t; -+ attribute virt_image_type; - ') +@@ -125,31 +109,32 @@ interface(`virt_image',` -- corecmd_search_bin($1) -- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) -+ typeattribute $1 virt_image_type; -+ files_type($1) + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices -+ dev_node($1) + dev_node($1) ') -######################################## +####################################### ## --## Execute a domain transition to --## run virt bridgehelper. +-## Execute a domain transition to run virtd. +## Getattr on virt executable. ## ## 
@@ -111771,9 +111703,9 @@ index facdee8..12e74f1 100644 +## ## # --interface(`virt_domtrans_bridgehelper',` +-interface(`virt_domtrans',` - gen_require(` -- type virt_bridgehelper_t, virt_bridgehelper_exec_t; +- type virtd_t, virtd_exec_t; - ') +interface(`virt_getattr_exec',` + gen_require(` 
@@ -111781,134 +111713,183 @@ index facdee8..12e74f1 100644 + ') - corecmd_search_bin($1) -- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) +- domtrans_pattern($1, virtd_exec_t, virtd_t) + allow $1 virtd_exec_t:file getattr; ') ######################################## ## --## Execute bridgehelper in the bridgehelper --## domain, and allow the specified role --## the bridgehelper domain. +-## Execute a domain transition to run virt qmf. +## Execute a domain transition to run virt. ## ## ## - ## Domain allowed to transition. +@@ -157,95 +142,71 @@ interface(`virt_domtrans',` ## ## --## --## --## Role allowed access. --## --## # --interface(`virt_run_bridgehelper',` +-interface(`virt_domtrans_qmf',` +interface(`virt_domtrans',` gen_require(` -- attribute_role virt_bridgehelper_roles; +- type virt_qmf_t, virt_qmf_exec_t; + type virtd_t, virtd_exec_t; ') -- virt_domtrans_bridgehelper($1) -- roleattribute $2 virt_bridgehelper_roles; +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) + domtrans_pattern($1, virtd_exec_t, virtd_t) ') ######################################## ## --## Execute virt domain in the their --## domain, and allow the specified --## role that virt domain. +-## Execute a domain transition to +-## run virt bridgehelper. +## Execute virtd in the caller domain. ## ## ## -## Domain allowed to transition. --## --## --## --## --## Role allowed access. +## Domain allowed access. 
## ## # --interface(`virt_run_virt_domain',` +-interface(`virt_domtrans_bridgehelper',` +interface(`virt_exec',` gen_require(` -- attribute virt_domain; -- attribute_role virt_domain_roles; +- type virt_bridgehelper_t, virt_bridgehelper_exec_t; + type virtd_exec_t; ') -- allow $1 virt_domain:process { signal transition }; -- roleattribute $2 virt_domain_roles; -- -- allow virt_domain $1:fd use; -- allow virt_domain $1:fifo_file rw_fifo_file_perms; -- allow virt_domain $1:process sigchld; +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) + can_exec($1, virtd_exec_t) ') ######################################## ## --## Send generic signals to all virt domains. +-## Execute bridgehelper in the bridgehelper +-## domain, and allow the specified role +-## the bridgehelper domain. +## Transition to virt_qmf. ## ## -## --## Domain allowed access. --## +## -+## Domain allowed to transition. + ## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. +-## +## ## # --interface(`virt_signal_all_virt_domains',` +-interface(`virt_run_bridgehelper',` +interface(`virt_domtrans_qmf',` gen_require(` -- attribute virt_domain; +- attribute_role virt_bridgehelper_roles; + type virt_qmf_t, virt_qmf_exec_t; ') -- allow $1 virt_domain:process signal; +- virt_domtrans_bridgehelper($1) +- roleattribute $2 virt_bridgehelper_roles; + corecmd_search_bin($1) + domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) ') ######################################## ## --## Send kill signals to all virt domains. +-## Execute virt domain in the their +-## domain, and allow the specified +-## role that virt domain. +## Transition to virt_bridgehelper. ## ## -## --## Domain allowed access. +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. -## +## +## Domain allowed to transition. 
+## ## -# --interface(`virt_kill_all_virt_domains',` +-interface(`virt_run_virt_domain',` +interface(`virt_domtrans_bridgehelper',` gen_require(` - attribute virt_domain; +- attribute_role virt_domain_roles; + type virt_bridgehelper_t, virt_bridgehelper_exec_t; ') -- allow $1 virt_domain:process sigkill; +- allow $1 virt_domain:process { signal transition }; +- roleattribute $2 virt_domain_roles; +- +- allow virt_domain $1:fd use; +- allow virt_domain $1:fifo_file rw_fifo_file_perms; +- allow virt_domain $1:process sigchld; + domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) ') -######################################## +####################################### ## +-## Send generic signals to all virt domains. ++## Connect to virt over a unix domain stream socket. + ## + ## + ## +@@ -253,17 +214,18 @@ interface(`virt_run_virt_domain',` + ## + ## + # +-interface(`virt_signal_all_virt_domains',` ++interface(`virt_stream_connect',` + gen_require(` +- attribute virt_domain; ++ type virtd_t, virt_var_run_t; + ') + +- allow $1 virt_domain:process signal; ++ files_search_pids($1) ++ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + ') + +-######################################## ++####################################### + ## +-## Send kill signals to all virt domains. ++## Connect to svirt process over a unix domain stream socket. + ## + ## + ## +@@ -271,48 +233,36 @@ interface(`virt_signal_all_virt_domains',` + ## + ## + # +-interface(`virt_kill_all_virt_domains',` ++interface(`virt_stream_connect_svirt',` + gen_require(` +- attribute virt_domain; ++ type svirt_t; + ') + +- allow $1 virt_domain:process sigkill; ++ allow $1 svirt_t:unix_stream_socket connectto; + ') + + ######################################## + ## -## Execute svirt lxc domains in their -## domain, and allow the specified -## role that svirt lxc domain. -+## Connect to virt over a unix domain stream socket. ++## Read and write to apmd unix ++## stream sockets. ## ## ## 
@@ -111923,11 +111904,11 @@ index facdee8..12e74f1 100644 ## # -interface(`virt_run_svirt_lxc_domain',` -+interface(`virt_stream_connect',` ++interface(`virt_rw_stream_sockets_svirt',` gen_require(` - attribute svirt_lxc_domain; - attribute_role svirt_lxc_domain_roles; -+ type virtd_t, virt_var_run_t; ++ type svirt_t; ') - allow $1 svirt_lxc_domain:process { signal transition }; @@ -111936,30 +111917,31 @@ index facdee8..12e74f1 100644 - allow svirt_lxc_domain $1:fd use; - allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; - allow svirt_lxc_domain $1:process sigchld; -+ files_search_pids($1) -+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ++ allow $1 svirt_t:unix_stream_socket { read write }; ') - ####################################### +-####################################### ++######################################## ## -## Get attributes of virtd executable files. -+## Connect to svirt process over a unix domain stream socket. ++## Allow domain to attach to virt TUN devices ## ## ## -@@ -320,18 +233,17 @@ interface(`virt_run_svirt_lxc_domain',` +@@ -320,18 +270,18 @@ interface(`virt_run_svirt_lxc_domain',` ## ## # -interface(`virt_getattr_virtd_exec_files',` -+interface(`virt_stream_connect_svirt',` ++interface(`virt_attach_tun_iface',` gen_require(` - type virtd_exec_t; -+ type svirt_t; ++ type virtd_t; ') - allow $1 virtd_exec_t:file getattr_file_perms; -+ allow $1 svirt_t:unix_stream_socket connectto; ++ allow $1 virtd_t:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; ') -####################################### 
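Review bot: The summary added at the end of the `@@ -111781,134 +111713,183 @@` hunk, `Read and write to apmd unix stream sockets.`, names the wrong component: the body it heads, added in the following `@@ -111923,11 +111904,11 @@` hunk as `virt_rw_stream_sockets_svirt`, grants `allow $1 svirt_t:unix_stream_socket { read write };`, so the text looks copied from another module's interface. Suggest `Read and write svirt unix stream sockets.` so that the generated interface documentation matches the rule actually granted. The interface header and its body are split across the two hunks, which is why the mismatch is easy to miss in review.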
@@ -111967,112 +111949,116 @@ index facdee8..12e74f1 100644 ## -## Connect to virt with a unix -## domain stream socket. -+## Allow domain to attach to virt TUN devices ++## Allow domain to attach to virt sandbox TUN devices ## ## ## -@@ -339,18 +251,18 @@ interface(`virt_getattr_virtd_exec_files',` +@@ -339,18 +289,18 @@ interface(`virt_getattr_virtd_exec_files',` ## ## # -interface(`virt_stream_connect',` -+interface(`virt_attach_tun_iface',` ++interface(`virt_attach_sandbox_tun_iface',` gen_require(` - type virtd_t, virt_var_run_t; -+ type virtd_t; ++ attribute svirt_sandbox_domain; ') - files_search_pids($1) - stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) -+ allow $1 virtd_t:tun_socket relabelfrom; ++ allow $1 svirt_sandbox_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; ') ######################################## ## -## Attach to virt tun devices. -+## Allow domain to attach to virt sandbox TUN devices ++## Read virt config files. ## ## ## -@@ -358,18 +270,18 @@ interface(`virt_stream_connect',` +@@ -358,18 +308,20 @@ interface(`virt_stream_connect',` ## ## # -interface(`virt_attach_tun_iface',` -+interface(`virt_attach_sandbox_tun_iface',` ++interface(`virt_read_config',` gen_require(` - type virtd_t; -+ attribute svirt_sandbox_domain; ++ type virt_etc_t, virt_etc_rw_t; ') - allow $1 virtd_t:tun_socket relabelfrom; -+ allow $1 svirt_sandbox_domain:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; +- allow $1 self:tun_socket relabelto; ++ files_search_etc($1) ++ read_files_pattern($1, virt_etc_t, virt_etc_t) ++ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ') ######################################## ## -## Read virt configuration content. -+## Read virt config files. ++## manage virt config files. 
## ## ## -@@ -383,7 +295,6 @@ interface(`virt_read_config',` +@@ -377,22 +329,20 @@ interface(`virt_attach_tun_iface',` + ## + ## + # +-interface(`virt_read_config',` ++interface(`virt_manage_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; ') files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms; - read_files_pattern($1, virt_etc_t, virt_etc_t) - read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -391,8 +302,7 @@ interface(`virt_read_config',` +- read_files_pattern($1, virt_etc_t, virt_etc_t) +- read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +- read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ manage_files_pattern($1, virt_etc_t, virt_etc_t) ++ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + ') ######################################## ## -## Create, read, write, and delete -## virt configuration content. -+## manage virt config files. 
++## Allow domain to manage virt image files ## ## ## -@@ -406,7 +316,6 @@ interface(`virt_manage_config',` +@@ -400,22 +350,17 @@ interface(`virt_read_config',` + ## + ## + # +-interface(`virt_manage_config',` ++interface(`virt_getattr_content',` + gen_require(` +- type virt_etc_t, virt_etc_rw_t; ++ type virt_content_t; ') - files_search_etc($1) +- files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms; - manage_files_pattern($1, virt_etc_t, virt_etc_t) - manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -414,8 +323,25 @@ interface(`virt_manage_config',` +- manage_files_pattern($1, virt_etc_t, virt_etc_t) +- manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +- manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ allow $1 virt_content_t:file getattr_file_perms; + ') ######################################## ## -## Create, read, write, and delete -## virt image files. +## Allow domain to manage virt image files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_getattr_content',` -+ gen_require(` -+ type virt_content_t; -+ ') -+ -+ allow $1 virt_content_t:file getattr_file_perms; -+') -+ -+######################################## -+## -+## Allow domain to manage virt image files ## ## ## -@@ -434,6 +360,7 @@ interface(`virt_read_content',` +@@ -434,6 +379,7 @@ interface(`virt_read_content',` read_files_pattern($1, virt_content_t, virt_content_t) read_lnk_files_pattern($1, virt_content_t, virt_content_t) read_blk_files_pattern($1, virt_content_t, virt_content_t) @@ -112080,7 +112066,7 @@ index facdee8..12e74f1 100644 tunable_policy(`virt_use_nfs',` fs_list_nfs($1) -@@ -450,8 +377,7 @@ interface(`virt_read_content',` +@@ -450,8 +396,7 @@ interface(`virt_read_content',` ######################################## ## 
@@ -112090,7 +112076,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -459,35 +385,17 @@ interface(`virt_read_content',` +@@ -459,35 +404,17 @@ interface(`virt_read_content',` ## ## # @@ -112129,7 +112115,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -495,53 +403,38 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +422,38 @@ interface(`virt_manage_virt_content',` ## ## # @@ -112194,7 +112180,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -549,34 +442,21 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,34 +461,21 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -112237,7 +112223,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -584,32 +464,36 @@ interface(`virt_manage_svirt_home_content',` +@@ -584,32 +483,36 @@ interface(`virt_manage_svirt_home_content',` ## ## # @@ -112286,7 +112272,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -618,54 +502,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +521,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -112350,7 +112336,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -673,107 +539,607 @@ interface(`virt_home_filetrans',` +@@ -673,107 +558,625 @@ interface(`virt_home_filetrans',` ## ## # @@ -112731,6 +112717,24 @@ index facdee8..12e74f1 100644 + +####################################### +## ++## List Sandbox Dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_list_sandbox_dirs',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ ++ list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++') ++ ++####################################### ++## +## Read Sandbox Files +## +## @@ -113003,7 +113007,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -781,19 +1147,17 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +1184,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # 
@@ -113027,7 +113031,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -801,18 +1165,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1202,17 @@ interface(`virt_read_pid_files',` ## ## # @@ -113050,7 +113054,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -820,18 +1183,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +1220,17 @@ interface(`virt_manage_pid_files',` ## ## # @@ -113073,7 +113077,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -839,192 +1201,243 @@ interface(`virt_search_lib',` +@@ -839,192 +1238,243 @@ interface(`virt_search_lib',` ## ## # @@ -113397,7 +113401,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -1032,20 +1445,17 @@ interface(`virt_read_images',` +@@ -1032,20 +1482,17 @@ interface(`virt_read_images',` ## ## # @@ -113422,7 +113426,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1500,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -113445,7 +113449,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1518,17 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -113471,7 +113475,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -1091,36 +1499,18 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1536,18 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -113513,7 +113517,7 @@ index facdee8..12e74f1 100644 ## ## ## -@@ -1136,50 +1526,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1563,109 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
@@ -113552,26 +113556,20 @@ index facdee8..12e74f1 100644 - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) -- -- files_search_tmp($1) -- admin_pattern($1, { virt_tmp_type virt_tmp_t }) -- -- files_search_etc($1) -- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) + allow $1 virt_domain:process signal_perms; -- logging_search_logs($1) -- admin_pattern($1, virt_log_t) +- files_search_tmp($1) +- admin_pattern($1, { virt_tmp_type virt_tmp_t }) + admin_pattern($1, virt_file_type) + admin_pattern($1, svirt_file_type) -- files_search_pids($1) -- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) +- files_search_etc($1) +- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) + virt_systemctl($1) + allow $1 virtd_unit_file_t:service all_service_perms; -- files_search_var($1) -- admin_pattern($1, svirt_cache_t) +- logging_search_logs($1) +- admin_pattern($1, virt_log_t) + virt_stream_connect_sandbox($1) + virt_stream_connect_svirt($1) + virt_stream_connect($1) @@ -113591,16 +113589,16 @@ index facdee8..12e74f1 100644 + attribute sandbox_caps_domain; + ') -- files_search_var_lib($1) -- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) +- files_search_pids($1) +- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) + typeattribute $1 sandbox_caps_domain; +') -- files_search_locks($1) -- admin_pattern($1, virt_lock_t) +- files_search_var($1) +- admin_pattern($1, svirt_cache_t) -- dev_list_all_dev_nodes($1) -- allow $1 virt_ptynode:chr_file rw_term_perms; +- files_search_var_lib($1) +- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) +######################################## +## +## Send and receive messages from 
@@ -113621,6 +113619,43 @@ index facdee8..12e74f1 100644 + allow $1 virtd_t:dbus send_msg; + allow virtd_t $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) ++') + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) ++######################################## ++## ++## Execute a file in a sandbox directory ++## in the specified domain. ++## ++## ++##

++## Execute a file in a sandbox directory ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. ++##

++##
++## ## ++## ## ++## Domain allowed to transition. ++## ## ++## ++## ## ++## The type of the new process. ++## ## ++## ++#
++interface(`virt_sandbox_domtrans',`
++ gen_require(`
++ type container_file_t;
++ ')
+
+- dev_list_all_dev_nodes($1)
+- allow $1 virt_ptynode:chr_file rw_term_perms;
++ domtrans_pattern($1,container_file_t, $2)
')
diff --git a/virt.te b/virt.te
index f03dcf5..913e23f 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0bb37fd..75a201e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 191.18%{?dist}
+Release: 191.19%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -672,6 +672,22 @@ exit 0
%endif
%changelog
+* Tue Oct 18 2016 Miroslav Grepl
+- Add transition rules for sandbox domains
+- Fix cobbler module
+- Allow system_dbusd to list sandbox dirs
+- Sandbox printing of pdf wants to talk to colord
+- Add dbus_stream_connect_system_dbusd() interface.
+- Dontaudit leaked file descriptors for thumb. BZ(1383071)
+- Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156)
+- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t
+- Make unconfined domains create resolv.conf with correct label
+- Fix typo in filesystem module
+- Add systemd_mount_dir to deal with service using ReadOnlyDirectory
+- These allow rules are requiered to allow chrome to setup user namespace
+- When running as staff_t sudo getpgid on init
+- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473)
+
* Wed Oct 05 2016 Colin Walters
- Revert addition of systemd service for factory reset, since it is basically worse than what we had before. BZ(1290659)