diff --git a/policy-F16.patch b/policy-F16.patch index 7bcb0ec..da8f6b8 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1312,7 +1312,7 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..b8152bc 100644 +index 7090dae..1c6d379 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t) @@ -1351,7 +1351,15 @@ index 7090dae..b8152bc 100644 selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) -@@ -102,6 +105,7 @@ files_read_var_lib_files(logrotate_t) +@@ -85,6 +88,7 @@ auth_use_nsswitch(logrotate_t) + # Run helper programs. + corecmd_exec_bin(logrotate_t) + corecmd_exec_shell(logrotate_t) ++corecmd_getattr_all_executables(logrotate_t) + + domain_signal_all_domains(logrotate_t) + domain_use_interactive_fds(logrotate_t) +@@ -102,6 +106,7 @@ files_read_var_lib_files(logrotate_t) files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) @@ -1359,7 +1367,7 @@ index 7090dae..b8152bc 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +120,16 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +121,17 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) @@ -1376,6 +1384,7 @@ index 7090dae..b8152bc 100644 - -mta_send_mail(logrotate_t) +userdom_dontaudit_list_admin_dir(logrotate_t) ++userdom_dontaudit_getattr_user_home_content(logrotate_t) ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; @@ -1383,7 +1392,7 @@ index 7090dae..b8152bc 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +141,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +143,7 @@ ifdef(`distro_debian', ` ') optional_policy(` 
@@ -1392,7 +1401,7 @@ index 7090dae..b8152bc 100644 ') optional_policy(` -@@ -154,6 +157,10 @@ optional_policy(` +@@ -154,6 +159,10 @@ optional_policy(` ') optional_policy(` @@ -1403,7 +1412,7 @@ index 7090dae..b8152bc 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +169,20 @@ optional_policy(` +@@ -162,10 +171,20 @@ optional_policy(` ') optional_policy(` @@ -1424,7 +1433,7 @@ index 7090dae..b8152bc 100644 cups_domtrans(logrotate_t) ') -@@ -178,6 +195,10 @@ optional_policy(` +@@ -178,6 +197,10 @@ optional_policy(` ') optional_policy(` @@ -1435,7 +1444,7 @@ index 7090dae..b8152bc 100644 icecast_signal(logrotate_t) ') -@@ -200,9 +221,12 @@ optional_policy(` +@@ -200,9 +223,12 @@ optional_policy(` ') optional_policy(` @@ -1449,7 +1458,7 @@ index 7090dae..b8152bc 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +252,14 @@ optional_policy(` +@@ -228,3 +254,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -10704,11 +10713,12 @@ index 0000000..809784d +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..a53f663 +index 0000000..cab7eab --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,489 @@ +@@ -0,0 +1,492 @@ +policy_module(sandbox,1.0.0) ++ +dbus_stub() +attribute sandbox_domain; +attribute sandbox_x_domain; @@ -10750,7 +10760,9 @@ index 0000000..a53f663 +# +# sandbox xserver policy +# -+allow sandbox_xserver_t self:process { execmem execstack }; ++ ++allow sandbox_xserver_t self:process { execmem execstack signal_perms }; ++ +allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; +allow sandbox_xserver_t self:shm create_shm_perms; +allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; @@ -25053,7 +25065,7 @@ index deca9d3..ae8c579 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..3f8a147 100644 +index 9e39aa5..5a10781 100644 
--- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,21 +1,30 @@ @@ -25088,7 +25100,7 @@ index 9e39aa5..3f8a147 100644 /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -24,16 +33,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u +@@ -24,16 +33,18 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -25109,11 +25121,12 @@ index 9e39aa5..3f8a147 100644 /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -@@ -43,8 +53,9 @@ ifdef(`distro_suse', ` +@@ -43,8 +54,9 @@ ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
@@ -25125,7 +25138,7 @@ index 9e39aa5..3f8a147 100644 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -54,9 +65,11 @@ ifdef(`distro_suse', ` +@@ -54,9 +66,11 @@ ifdef(`distro_suse', ` /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -25137,7 +25150,7 @@ index 9e39aa5..3f8a147 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,20 +86,26 @@ ifdef(`distro_suse', ` +@@ -73,20 +87,26 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -25166,7 +25179,7 @@ index 9e39aa5..3f8a147 100644 ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -105,7 +124,27 @@ ifdef(`distro_debian', ` +@@ -105,7 +125,27 @@ ifdef(`distro_debian', ` /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -30285,10 +30298,10 @@ index 0000000..6451167 +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..54d3487 +index 0000000..e22a32e --- /dev/null +++ b/policy/modules/services/cloudform.te -@@ -0,0 +1,227 @@ +@@ -0,0 +1,228 @@ +policy_module(cloudform, 1.0) +######################################## +# 
@@ -30385,6 +30398,7 @@ index 0000000..54d3487 +manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t) +logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir }) + ++kernel_read_kernel_sysctls(deltacloudd_t) +kernel_read_system_state(deltacloudd_t) + +corecmd_exec_bin(deltacloudd_t) @@ -38465,7 +38479,7 @@ index 9d3201b..7da7267 100644 + ftp_systemctl($1) ') diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..cd27af1 100644 +index 8a74a83..94c1fed 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false) @@ -38566,6 +38580,15 @@ index 8a74a83..cd27af1 100644 # Create and modify /var/log/xferlog. manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) +@@ -177,7 +206,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) + + kernel_read_kernel_sysctls(ftpd_t) + kernel_read_system_state(ftpd_t) +-kernel_search_network_state(ftpd_t) ++kernel_read_network_state(ftpd_t) + + dev_read_sysfs(ftpd_t) + dev_read_urand(ftpd_t) @@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t) corenet_tcp_bind_ftp_port(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -45384,7 +45407,7 @@ index 343cee3..4099451 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..7ede790 100644 +index 64268e4..705498f 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) @@ -45438,7 +45461,7 @@ index 64268e4..7ede790 100644 dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -79,9 +71,16 @@ selinux_getattr_fs(system_mail_t) +@@ -79,9 +71,18 @@ selinux_getattr_fs(system_mail_t) term_dontaudit_use_unallocated_ttys(system_mail_t) init_use_script_ptys(system_mail_t) 
@@ -45453,10 +45476,12 @@ index 64268e4..7ede790 100644 +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) + +logging_append_all_logs(system_mail_t) ++ ++logging_send_syslog_msg(system_mail_t) optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,14 +91,21 @@ optional_policy(` +@@ -92,14 +93,21 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -45481,7 +45506,7 @@ index 64268e4..7ede790 100644 ') optional_policy(` -@@ -108,9 +114,15 @@ optional_policy(` +@@ -108,9 +116,15 @@ optional_policy(` ') optional_policy(` @@ -45497,7 +45522,7 @@ index 64268e4..7ede790 100644 ') optional_policy(` -@@ -124,12 +136,9 @@ optional_policy(` +@@ -124,12 +138,9 @@ optional_policy(` ') optional_policy(` @@ -45512,7 +45537,7 @@ index 64268e4..7ede790 100644 ') optional_policy(` -@@ -146,6 +155,10 @@ optional_policy(` +@@ -146,6 +157,10 @@ optional_policy(` ') optional_policy(` @@ -45523,7 +45548,7 @@ index 64268e4..7ede790 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,22 +171,13 @@ optional_policy(` +@@ -158,22 +173,13 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -45549,7 +45574,7 @@ index 64268e4..7ede790 100644 ') optional_policy(` -@@ -189,6 +193,10 @@ optional_policy(` +@@ -189,6 +195,10 @@ optional_policy(` ') optional_policy(` @@ -45560,7 +45585,7 @@ index 64268e4..7ede790 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,15 +207,16 @@ optional_policy(` +@@ -199,15 +209,16 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) 
@@ -45581,7 +45606,7 @@ index 64268e4..7ede790 100644 ######################################## # # Mailserver delivery local policy -@@ -220,7 +229,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +231,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -45591,7 +45616,7 @@ index 64268e4..7ede790 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -242,6 +252,10 @@ optional_policy(` +@@ -242,6 +254,10 @@ optional_policy(` ') optional_policy(` @@ -45602,7 +45627,7 @@ index 64268e4..7ede790 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,16 +263,25 @@ optional_policy(` +@@ -249,16 +265,25 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -45630,7 +45655,7 @@ index 64268e4..7ede790 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -277,14 +300,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) +@@ -277,14 +302,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) # files in an appropriate place for mta_user_agent userdom_read_user_tmp_files(mta_user_agent) @@ -45647,7 +45672,7 @@ index 64268e4..7ede790 100644 # Read user temporary files. # postfix seems to need write access if the file handle is opened read/write userdom_rw_user_tmp_files(user_mail_t) -@@ -292,3 +315,114 @@ optional_policy(` +@@ -292,3 +317,114 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -51970,7 +51995,7 @@ index 09aeffa..f8a0d88 100644 postgresql_tcp_connect($1) 
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 4a5387a..acf8ed1 100644 +index 4a5387a..b75ab1c 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,16 +19,16 @@ gen_require(` @@ -51996,6 +52021,15 @@ index 4a5387a..acf8ed1 100644 ## gen_tunable(sepgsql_unconfined_dbadm, true) +@@ -205,7 +205,7 @@ allow postgresql_t self:shm create_shm_perms; + allow postgresql_t self:tcp_socket create_stream_socket_perms; + allow postgresql_t self:udp_socket create_stream_socket_perms; + allow postgresql_t self:unix_dgram_socket create_socket_perms; +-allow postgresql_t self:unix_stream_socket create_stream_socket_perms; ++allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow postgresql_t self:netlink_selinux_socket create_socket_perms; + + allow postgresql_t sepgsql_database_type:db_database *; @@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms; read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) @@ -61310,7 +61344,7 @@ index 941380a..ce8c972 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..b231b96 100644 +index 8ffa257..d0c7e39 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t) 
@@ -61327,7 +61361,7 @@ index 8ffa257..b231b96 100644 # -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; + -+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin }; ++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; -allow sssd_t self:fifo_file rw_file_perms; +allow sssd_t self:fifo_file rw_fifo_file_perms; @@ -63424,7 +63458,7 @@ index 7c5d8d8..45bac8e 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..a1bc102 100644 +index 3eca020..2cd5679 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) @@ -63990,7 +64024,7 @@ index 3eca020..a1bc102 100644 miscfiles_read_localization(virt_domain) +tunable_policy(`virt_use_execmem',` -+ allow virtd_t virt_domain:process { execmem execstack }; ++ allow virt_domain virt_domain:process { execmem execstack }; +') + optional_policy(` @@ -67177,7 +67211,7 @@ index c9981d1..d0931f9 100644 corenet_sendrecv_zabbix_agent_client_packets($1) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index 7f88f5f..7d8a06e 100644 +index 7f88f5f..67a111c 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te @@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1) 
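Review bot: The `allow sssd_t self:capability` line gains `sys_resource` with nothing recording which operation was denied without it, and the same set already holds `sys_admin`, `net_admin` and `dac_override`. Each addition to this list widens what a compromised sssd process can do, so a later reader needs the reason in order to judge whether it can be dropped again. I would put a comment directly above the rule, for example `# sys_resource: <operation that triggered the denial> (bug <BUG-ID>)`, with the placeholders filled from the report that prompted the change. The rest of the sssd_t local policy lies outside this hunk, so I cannot tell whether a narrower rule would cover the case.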
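Review bot: Inside `tunable_policy(`virt_use_execmem', ...)` the new rule names the attribute as both source and target, `allow virt_domain virt_domain:process { execmem execstack };`. This expands to every pair of guest domains, although `execmem` and `execstack` are only ever checked by a process against its own context. Writing it as `allow virt_domain self:process { execmem execstack };` grants exactly the permission that is evaluated. It also keeps policy-analysis output from listing cross-domain pairs that mean nothing. The tunable's declaration and description are not in this hunk.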
@@ -67235,7 +67269,7 @@ index 7f88f5f..7d8a06e 100644 # shared memory rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) -@@ -58,25 +75,55 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -58,25 +75,54 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) @@ -67266,8 +67300,7 @@ index 7f88f5f..7d8a06e 100644 zabbix_agent_tcp_connect(zabbix_t) +tunable_policy(`zabbix_can_network',` -+ corenet_tcp_connect_all_unreserved_ports(zabbix_t) -+ corenet_tcp_connect_all_ephemeral_ports(zabbix_t) ++ corenet_tcp_connect_all_ports(zabbix_t) +') + optional_policy(` @@ -67293,7 +67326,7 @@ index 7f88f5f..7d8a06e 100644 ######################################## # # zabbix agent local policy -@@ -134,3 +181,4 @@ sysnet_dns_name_resolve(zabbix_agent_t) +@@ -134,3 +180,4 @@ sysnet_dns_name_resolve(zabbix_agent_t) # Network access to zabbix server zabbix_tcp_connect(zabbix_agent_t) @@ -70695,7 +70728,7 @@ index 0d4c8d3..9d66bf7 100644 ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 55a6cd8..2af2952 100644 +index 55a6cd8..46835a9 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -80,6 +80,8 @@ allow ipsec_t self:udp_socket create_socket_perms; @@ -70707,7 +70740,7 @@ index 55a6cd8..2af2952 100644 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -128,13 +130,13 @@ corecmd_exec_bin(ipsec_t) +@@ -128,19 +130,21 @@ corecmd_exec_bin(ipsec_t) # Pluto needs network access corenet_all_recvfrom_unlabeled(ipsec_t) 
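Review bot: Under `zabbix_can_network` the single call `corenet_tcp_connect_all_ports(zabbix_t)` replaces the `corenet_tcp_connect_all_unreserved_ports` / `corenet_tcp_connect_all_ephemeral_ports` pair. Enabling the boolean now also allows outbound connections to reserved ports and every labelled service port, not only high ports. If that breadth is intended for service checks, the tunable's description (declared outside this hunk) should state that it means any TCP port, so an administrator enabling it knows what is being granted. If only a few well-known services are needed, keeping the narrower pair and adding the specific `corenet_tcp_connect_*_port` interfaces would leave the server less useful as a pivot after a compromise.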
@@ -70727,7 +70760,15 @@ index 55a6cd8..2af2952 100644 corenet_tcp_bind_reserved_port(ipsec_t) corenet_tcp_bind_isakmp_port(ipsec_t) corenet_udp_bind_isakmp_port(ipsec_t) -@@ -156,6 +158,8 @@ files_dontaudit_search_home(ipsec_t) + corenet_udp_bind_ipsecnat_port(ipsec_t) + corenet_sendrecv_generic_server_packets(ipsec_t) + corenet_sendrecv_isakmp_server_packets(ipsec_t) ++corenet_tcp_connect_http_port(ipsec_t) ++corenet_tcp_connect_ldap_port(ipsec_t) + + dev_read_sysfs(ipsec_t) + dev_read_rand(ipsec_t) +@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -70736,7 +70777,7 @@ index 55a6cd8..2af2952 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -169,6 +173,8 @@ logging_send_syslog_msg(ipsec_t) +@@ -169,6 +175,8 @@ logging_send_syslog_msg(ipsec_t) miscfiles_read_localization(ipsec_t) sysnet_domtrans_ifconfig(ipsec_t) @@ -70745,7 +70786,7 @@ index 55a6cd8..2af2952 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -245,6 +251,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -245,6 +253,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -70765,7 +70806,7 @@ index 55a6cd8..2af2952 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -277,9 +296,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -277,9 +298,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -70777,7 +70818,7 @@ index 55a6cd8..2af2952 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -297,7 +317,7 @@ sysnet_manage_config(ipsec_mgmt_t) +@@ -297,7 +319,7 @@ sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) 
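Review bot: The added `corenet_tcp_connect_http_port(ipsec_t)` and `corenet_tcp_connect_ldap_port(ipsec_t)` give the IKE daemon outbound TCP to web and directory servers, but the block's only comment is still `# Pluto needs network access`, which does not explain client connections. This is presumably for certificate or revocation lookups, which should be confirmed against the denial that led to the change. A one-line comment above the pair, such as `# outbound http/ldap: certificate/CRL retrieval (confirm)`, would tell the next reviewer that these are deliberate client connections and not leftover debugging rules. The ipsec_t network block starts and ends outside the lines shown here.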
@@ -70786,7 +70827,7 @@ index 55a6cd8..2af2952 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -324,10 +344,6 @@ optional_policy(` +@@ -324,10 +346,6 @@ optional_policy(` modutils_domtrans_insmod(ipsec_mgmt_t) ') @@ -70797,7 +70838,7 @@ index 55a6cd8..2af2952 100644 ifdef(`TODO',` # ideally it would not need this. It wants to write to /root/.rnd file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) -@@ -377,12 +393,12 @@ corecmd_exec_shell(racoon_t) +@@ -377,12 +395,12 @@ corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) @@ -70816,7 +70857,7 @@ index 55a6cd8..2af2952 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -411,6 +427,8 @@ miscfiles_read_localization(racoon_t) +@@ -411,6 +429,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) @@ -70825,7 +70866,7 @@ index 55a6cd8..2af2952 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -448,5 +466,6 @@ miscfiles_read_localization(setkey_t) +@@ -448,5 +468,6 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) @@ -71013,7 +71054,7 @@ index f3e1b57..d7fd7fb 100644 ') diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc -index 14d9670..56960ca 100644 +index 14d9670..57d9b88 100644 --- a/policy/modules/system/iscsi.fc +++ b/policy/modules/system/iscsi.fc @@ -1,7 +1,12 @@ @@ -71026,7 +71067,7 @@ index 14d9670..56960ca 100644 /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) + /var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) -+/var/log/iscsiuio\.log.* gen_context(system_u:object_r:iscsi_log_t,s0) ++/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te 
@@ -71928,7 +71969,7 @@ index a0b379d..bf90918 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..cd16709 100644 +index 02f4c97..7470a2e 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,13 @@ @@ -71954,7 +71995,16 @@ index 02f4c97..cd16709 100644 /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -@@ -73,4 +80,8 @@ ifdef(`distro_redhat',` +@@ -54,6 +61,8 @@ ifndef(`distro_gentoo',` + ifdef(`distro_redhat',` + /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) + /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ++/var/spool/postfix/dev -d gen_context(system_u:object_r:var_log_t,s0) ++/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0) + ') + + /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +@@ -73,4 +82,8 @@ ifdef(`distro_redhat',` /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -77681,7 +77731,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..e03d9fb 100644 +index 4b2878a..88476fe 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
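Review bot: The new entry `/var/spool/postfix/dev -d ... var_log_t` labels a chroot device directory with the log-directory type, apparently copied from the `/var/named/chroot/var/log -d` line above it, where the path is a real log directory. With this label every domain allowed to write or manage `var_log_t` directories can also create and remove entries next to the chroot's `log` socket. That is probably wider than the socket needs. Please check whether the directory should carry a device-directory label as other chroot `dev` directories do, and keep only the `-s ... devlog_t` line for the socket itself. If `var_log_t` is deliberate, a short comment next to the entry explaining why would help.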
@@ -78515,15 +78565,22 @@ index 4b2878a..e03d9fb 100644 ') ') -@@ -712,13 +875,26 @@ template(`userdom_login_user_template', ` +@@ -708,17 +871,33 @@ template(`userdom_common_user_template',` + template(`userdom_login_user_template', ` + gen_require(` + class context contains; ++ attribute login_userdomain; + ') userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) -+ userdom_manage_home_role($1_r, $1_usertype) ++ typeattribute $1_t login_userdomain; - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_home_role($1_r, $1_usertype) ++ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) + @@ -78547,7 +78604,7 @@ index 4b2878a..e03d9fb 100644 userdom_change_password_template($1) -@@ -736,72 +912,80 @@ template(`userdom_login_user_template', ` +@@ -736,72 +915,80 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -78661,7 +78718,7 @@ index 4b2878a..e03d9fb 100644 ') ') -@@ -833,6 +1017,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1020,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -78671,7 +78728,7 @@ index 4b2878a..e03d9fb 100644 ############################## # # Local policy -@@ -874,45 +1061,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1064,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) 
@@ -78740,37 +78797,36 @@ index 4b2878a..e03d9fb 100644 + dbus_role_template($1, $1_r, $1_usertype) + dbus_system_bus_client($1_usertype) + allow $1_usertype $1_usertype:dbus send_msg; -+ -+ optional_policy(` + + optional_policy(` +- consolekit_dbus_chat($1_t) + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- cups_dbus_chat($1_t) + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) -+ ') + ') + + optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) + ') - - optional_policy(` -- consolekit_dbus_chat($1_t) ++ ++ optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + fprintd_dbus_chat($1_t) - ') - ') - - optional_policy(` -- java_role($1_r, $1_t) ++ ') ++ ') ++ ++ optional_policy(` + openoffice_role_template($1, $1_r, $1_usertype) + ') + @@ -78782,9 +78838,10 @@ index 4b2878a..e03d9fb 100644 + pulseaudio_role($1_r, $1_usertype) + pulseaudio_filetrans_admin_home_content($1_usertype) + pulseaudio_filetrans_home_content($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- java_role($1_r, $1_t) + rtkit_scheduled($1_usertype) ') @@ -78801,7 +78858,7 @@ index 4b2878a..e03d9fb 100644 ') ') -@@ -947,7 +1207,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1210,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -78810,7 +78867,7 @@ index 4b2878a..e03d9fb 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1216,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1219,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here 
@@ -78828,7 +78885,7 @@ index 4b2878a..e03d9fb 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1241,72 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1244,72 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -78879,11 +78936,9 @@ index 4b2878a..e03d9fb 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + execmem_role_template($1, $1_r, $1_t) + ') + @@ -78902,15 +78957,17 @@ index 4b2878a..e03d9fb 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1315,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1318,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -78921,7 +78978,7 @@ index 4b2878a..e03d9fb 100644 ') ') -@@ -1039,7 +1353,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1356,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -78930,7 +78987,7 @@ index 4b2878a..e03d9fb 100644 ') ############################## -@@ -1066,6 +1380,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1383,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; 
@@ -78938,7 +78995,7 @@ index 4b2878a..e03d9fb 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1389,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1392,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -78948,7 +79005,7 @@ index 4b2878a..e03d9fb 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1406,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1409,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -78956,7 +79013,7 @@ index 4b2878a..e03d9fb 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1424,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1427,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -78970,7 +79027,7 @@ index 4b2878a..e03d9fb 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1441,38 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1444,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -79013,7 +79070,7 @@ index 4b2878a..e03d9fb 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1482,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1485,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -79022,7 +79079,7 @@ index 4b2878a..e03d9fb 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1543,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1546,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -79031,7 +79088,7 @@ index 4b2878a..e03d9fb 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1557,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1560,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -79042,7 +79099,7 @@ index 4b2878a..e03d9fb 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1570,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1573,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -79071,7 +79128,7 @@ index 4b2878a..e03d9fb 100644 ') optional_policy(` -@@ -1251,12 +1598,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1601,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -79087,7 +79144,7 @@ index 4b2878a..e03d9fb 100644 ') optional_policy(` -@@ -1279,50 +1626,99 @@ template(`userdom_security_admin_template',` +@@ -1279,49 +1629,98 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -79156,7 +79213,6 @@ index 4b2878a..e03d9fb 100644 ') - allow $1 user_devpts_t:chr_file setattr_chr_file_perms; --') + typeattribute $1 user_tmpfs_type; + + files_tmpfs_file($1) 
@@ -79198,11 +79254,10 @@ index 4b2878a..e03d9fb 100644 + ') + + allow $1 user_devpts_t:chr_file setattr_chr_file_perms; -+') + ') ######################################## - ## -@@ -1395,6 +1791,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1794,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -79210,7 +79265,7 @@ index 4b2878a..e03d9fb 100644 files_search_home($1) ') -@@ -1441,6 +1838,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1841,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -79225,7 +79280,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -1456,9 +1861,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1864,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -79237,7 +79292,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -1515,6 +1922,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1925,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -79280,7 +79335,7 @@ index 4b2878a..e03d9fb 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2032,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2035,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -79289,7 +79344,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -1603,10 +2048,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2051,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -79304,7 +79359,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -1649,6 +2096,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2099,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -79348,7 +79403,7 @@ index 4b2878a..e03d9fb 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2152,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2155,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -79374,7 +79429,7 @@ index 4b2878a..e03d9fb 100644 ## Mmap user home files. ## ## -@@ -1698,14 +2201,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1698,14 +2204,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -79412,7 +79467,7 @@ index 4b2878a..e03d9fb 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2241,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2244,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -79430,7 +79485,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -1779,6 +2307,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2310,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -79491,7 +79546,7 @@ index 4b2878a..e03d9fb 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2392,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2395,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') 
@@ -79501,7 +79556,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -1827,21 +2408,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2411,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -79515,19 +79570,18 @@ index 4b2878a..e03d9fb 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -1941,6 +2516,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2519,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -79552,7 +79606,7 @@ index 4b2878a..e03d9fb 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2601,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2604,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -79561,7 +79615,7 @@ index 4b2878a..e03d9fb 100644 files_search_home($1) ') -@@ -2039,7 +2632,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2635,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') @@ -79570,7 +79624,7 @@ index 4b2878a..e03d9fb 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2158,11 +2751,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2158,11 +2754,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` 
@@ -79585,7 +79639,7 @@ index 4b2878a..e03d9fb 100644 files_search_tmp($1) ') -@@ -2182,7 +2775,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2778,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -79594,7 +79648,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -2390,7 +2983,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2986,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -79603,7 +79657,7 @@ index 4b2878a..e03d9fb 100644 files_search_tmp($1) ') -@@ -2419,6 +3012,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +3015,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') @@ -79629,7 +79683,7 @@ index 4b2878a..e03d9fb 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3047,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3050,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -79645,7 +79699,7 @@ index 4b2878a..e03d9fb 100644 ## ## ## -@@ -2462,7 +3075,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3078,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -79654,7 +79708,7 @@ index 4b2878a..e03d9fb 100644 ## ## ## -@@ -2470,14 +3083,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3086,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -79689,7 +79743,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -2572,7 +3201,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3204,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -79698,7 +79752,7 @@ index 4b2878a..e03d9fb 100644 ## ## ## -@@ -2580,33 +3209,63 @@ interface(`userdom_use_user_ttys',` +@@ -2580,48 +3212,97 @@ interface(`userdom_use_user_ttys',` ## ## # 
@@ -79733,18 +79787,23 @@ index 4b2878a..e03d9fb 100644 -## not be allowed for non-interactive domains. -##

-## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`userdom_use_user_terminals',` +interface(`userdom_use_user_ptys',` -+ gen_require(` + gen_require(` +- type user_tty_device_t, user_devpts_t; + type user_devpts_t; -+ ') -+ -+ allow $1 user_devpts_t:chr_file rw_term_perms; + ') + +- allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; +- term_list_ptys($1) +') + +######################################## @@ -79778,22 +79837,18 @@ index 4b2878a..e03d9fb 100644 +## access. +##

+## - ## - ## - ## Domain allowed access. -@@ -2614,14 +3273,33 @@ interface(`userdom_use_user_ptys',` - ## - ## - # --interface(`userdom_use_user_terminals',` ++## ++## ++## Domain allowed access. ++## ++## ++## ++# +interface(`userdom_use_inherited_user_terminals',` - gen_require(` - type user_tty_device_t, user_devpts_t; - ') - -- allow $1 user_tty_device_t:chr_file rw_term_perms; -- allow $1 user_devpts_t:chr_file rw_term_perms; -- term_list_ptys($1) ++ gen_require(` ++ type user_tty_device_t, user_devpts_t; ++ ') ++ + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') @@ -79819,7 +79874,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -2640,8 +3318,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2640,8 +3321,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -79849,7 +79904,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -2713,6 +3410,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,6 +3413,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -79874,7 +79929,7 @@ index 4b2878a..e03d9fb 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2736,24 +3451,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3454,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -79899,7 +79954,7 @@ index 4b2878a..e03d9fb 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3469,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3472,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') 
@@ -79925,7 +79980,7 @@ index 4b2878a..e03d9fb 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3530,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3533,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -79934,7 +79989,7 @@ index 4b2878a..e03d9fb 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3546,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3549,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -79968,7 +80023,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -2972,7 +3634,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3637,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -79977,7 +80032,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -3027,7 +3689,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3692,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -80024,7 +80079,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -3045,7 +3745,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3748,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -80033,7 +80088,7 @@ index 4b2878a..e03d9fb 100644 ') ######################################## -@@ -3064,6 +3764,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3767,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) 
@@ -80041,7 +80096,7 @@ index 4b2878a..e03d9fb 100644 kernel_search_proc($1) ') -@@ -3142,6 +3843,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3846,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -80066,7 +80121,7 @@ index 4b2878a..e03d9fb 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3160,6 +3879,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3882,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -80091,7 +80146,7 @@ index 4b2878a..e03d9fb 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3931,1165 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3934,1165 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -81258,7 +81313,7 @@ index 4b2878a..e03d9fb 100644 + #') +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 9b4a930..d6c3860 100644 +index 9b4a930..107f262 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2) @@ -81270,7 +81325,7 @@ index 9b4a930..d6c3860 100644 ##

## gen_tunable(allow_user_mysql_connect, false) -@@ -43,6 +43,20 @@ gen_tunable(user_rw_noexattrfile, false) +@@ -43,12 +43,27 @@ gen_tunable(user_rw_noexattrfile, false) ## ##

@@ -81291,7 +81346,14 @@ index 9b4a930..d6c3860 100644 ## Allow w to display everyone ##

##
-@@ -59,6 +73,19 @@ attribute unpriv_userdomain; + gen_tunable(user_ttyfile_stat, false) + + attribute admindomain; ++attribute login_userdomain; + + # all user domains + attribute userdomain; +@@ -59,6 +74,19 @@ attribute unpriv_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; @@ -81311,7 +81373,7 @@ index 9b4a930..d6c3860 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +99,77 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; diff --git a/selinux-policy.spec b/selinux-policy.spec index 2479833..53d8324 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 78%{?dist} +Release: 79%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Mar 7 2012 Miroslav Grepl 3.10.0-79 +- Allow system_mail to send log msgs +- Add login_userdomain attribute +- Dontaudit logrotate to getattr home content +- Label httpd.event as httpd_exec_t, it is an apache daemon +- Iscsi log file context specification fix +- Allow sssd sys_resource capability +- vsftpd reads network state +- Add labeling for /var/spool/postfix/dev/log +- Allow deltacloud to read kernel sysctl +- Fix virt_use_execmem boolean + * Wed Feb 29 2012 Miroslav Grepl 3.10.0-78 - Allow memcache to create sock_file
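Review bot: The new `attribute login_userdomain;` in the userdomain.te hunk, directly after `attribute admindomain;`, is declared without a comment, and nothing visible in this part of the patch assigns it to a type or uses it in a rule. The attribute next to it is annotated (`# all user domains` above `attribute userdomain;`). Membership of an attribute decides which domains pick up every rule later written against it, so the intended membership is worth stating at the declaration. A line such as `# user domains entered through a login program` above the declaration would do, if that is the intent; the wording is inferred from the name and should be adjusted to the real membership. The rest of userdomain.te and any interface that references the attribute lie outside this hunk, so whether it is already wired up cannot be checked from here.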