diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9edad61..26a665e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2373,7 +2373,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..4065a9a 100644 +index d555767..ce0c1b4 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2413,7 +2413,7 @@ index d555767..4065a9a 100644 type crack_t; type crack_exec_t; -@@ -42,18 +43,21 @@ type groupadd_t; +@@ -42,18 +43,22 @@ type groupadd_t; type groupadd_exec_t; domain_obj_id_change_exemption(groupadd_t) init_system_domain(groupadd_t, groupadd_exec_t) @@ -2424,6 +2424,7 @@ index d555767..4065a9a 100644 type passwd_t; type passwd_exec_t; domain_obj_id_change_exemption(passwd_t) ++domain_system_change_exemption(passwd_t) application_domain(passwd_t, passwd_exec_t) -role passwd_roles types passwd_t; +#role passwd_roles types passwd_t; @@ -2438,7 +2439,7 @@ index d555767..4065a9a 100644 type sysadm_passwd_tmp_t; files_tmp_file(sysadm_passwd_tmp_t) -@@ -61,8 +65,13 @@ files_tmp_file(sysadm_passwd_tmp_t) +@@ -61,8 +66,13 @@ files_tmp_file(sysadm_passwd_tmp_t) type useradd_t; type useradd_exec_t; domain_obj_id_change_exemption(useradd_t) @@ -2453,7 +2454,7 @@ index d555767..4065a9a 100644 ######################################## # -@@ -86,6 +95,7 @@ allow chfn_t self:unix_stream_socket connectto; +@@ -86,6 +96,7 @@ allow chfn_t self:unix_stream_socket connectto; kernel_read_system_state(chfn_t) kernel_read_kernel_sysctls(chfn_t) 
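Review bot: `++domain_system_change_exemption(passwd_t)` in the usermanage.te declarations hunk widens an identity constraint for passwd_t without recording why: that interface puts the domain in the exemption attribute which, as far as the refpolicy constraints go, lets it transition processes to the system_u identity. Nothing in the hunk shows which helper passwd_t would need to exec as system_u, so a later maintainer cannot tell whether the exemption is still required or can be dropped. A why-comment above the call would fix that, e.g. `# passwd must run a helper as system_u (TODO: name it) -- needs the system identity-change exemption`. Only the declaration section of usermanage.te is in this hunk; the rules that would exercise the exemption live elsewhere in the file.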
@@ -2461,7 +2462,7 @@ index d555767..4065a9a 100644 selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) -@@ -94,25 +104,29 @@ selinux_compute_create_context(chfn_t) +@@ -94,25 +105,29 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -2497,7 +2498,7 @@ index d555767..4065a9a 100644 files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) files_dontaudit_search_home(chfn_t) -@@ -120,19 +134,29 @@ files_dontaudit_search_home(chfn_t) +@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(chfn_t) @@ -2530,7 +2531,7 @@ index d555767..4065a9a 100644 ######################################## # # Crack local policy -@@ -209,8 +233,8 @@ selinux_compute_create_context(groupadd_t) +@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -2541,7 +2542,7 @@ index d555767..4065a9a 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -218,8 +242,8 @@ init_dontaudit_write_utmp(groupadd_t) +@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t) domain_use_interactive_fds(groupadd_t) @@ -2551,7 +2552,7 @@ index d555767..4065a9a 100644 files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) -@@ -229,14 +253,15 @@ corecmd_exec_bin(groupadd_t) +@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t) logging_send_audit_msgs(groupadd_t) logging_send_syslog_msg(groupadd_t) @@ -2570,7 +2571,7 @@ index d555767..4065a9a 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -253,7 +278,8 @@ optional_policy(` +@@ -253,7 +279,8 @@ optional_policy(` ') optional_policy(` 
@@ -2580,7 +2581,7 @@ index d555767..4065a9a 100644 ') optional_policy(` -@@ -285,6 +311,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; @@ -2588,7 +2589,7 @@ index d555767..4065a9a 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -293,6 +320,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -2596,7 +2597,7 @@ index d555767..4065a9a 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -307,26 +335,38 @@ selinux_compute_create_context(passwd_t) +@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -2640,7 +2641,7 @@ index d555767..4065a9a 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -335,12 +375,11 @@ init_use_fds(passwd_t) +@@ -335,12 +376,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -2654,7 +2655,7 @@ index d555767..4065a9a 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -349,9 +388,15 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +389,15 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) 
@@ -2671,7 +2672,7 @@ index d555767..4065a9a 100644 ') ######################################## -@@ -398,9 +443,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -398,9 +444,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -2684,7 +2685,7 @@ index d555767..4065a9a 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +459,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -2692,7 +2693,7 @@ index d555767..4065a9a 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -423,19 +468,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -423,19 +469,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -2714,7 +2715,7 @@ index d555767..4065a9a 100644 ') ######################################## -@@ -443,7 +486,8 @@ optional_policy(` +@@ -443,7 +487,8 @@ optional_policy(` # Useradd local policy # @@ -2724,7 +2725,7 @@ index d555767..4065a9a 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -458,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -458,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; 
@@ -2735,7 +2736,7 @@ index d555767..4065a9a 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -465,36 +513,36 @@ corecmd_exec_shell(useradd_t) +@@ -465,36 +514,36 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -2784,7 +2785,7 @@ index d555767..4065a9a 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +553,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +554,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -2835,7 +2836,7 @@ index d555767..4065a9a 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +593,12 @@ optional_policy(` +@@ -542,7 +594,12 @@ optional_policy(` ') optional_policy(` @@ -2849,7 +2850,7 @@ index d555767..4065a9a 100644 ') optional_policy(` -@@ -550,6 +606,11 @@ optional_policy(` +@@ -550,6 +607,11 @@ optional_policy(` ') optional_policy(` @@ -2861,7 +2862,7 @@ index d555767..4065a9a 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +620,12 @@ optional_policy(` +@@ -559,3 +621,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -12254,16 +12255,17 @@ index 148d87a..822f6be 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index cda5588..3035829 100644 +index cda5588..924f856 100644 --- a/policy/modules/kernel/filesystem.fc 
+++ b/policy/modules/kernel/filesystem.fc -@@ -1,9 +1,13 @@ +@@ -1,9 +1,12 @@ +-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +-/cgroup/.* <> +# ecryptfs does not support xattr +HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) +HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) + - /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) - /cgroup/.* <> ++/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) /dev/hugepages(/.*)? <> @@ -12272,10 +12274,13 @@ index cda5588..3035829 100644 /dev/shm/.* <> /lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) -@@ -14,3 +18,10 @@ +@@ -12,5 +15,11 @@ + /lib/udev/devices/shm/.* <> + # for systemd systems: - /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) - /sys/fs/cgroup/.* <> +-/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +-/sys/fs/cgroup/.* <> ++/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) + +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages/.* <> @@ -12284,7 +12289,7 @@ index cda5588..3035829 100644 +/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/[^/]*/gvfs/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..7170125 100644 +index 8416beb..2216778 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
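Review bot: The filesystem.fc hunks replace the `-d` entry plus `<>` no-label line for `/cgroup` and `/sys/fs/cgroup` with a single `(/.*)?` pattern, breaking the convention the rest of the file keeps for pseudo-filesystem mount points (`/dev/hugepages`, `/dev/shm` and the `/usr/lib/udev/devices/...` lines added in the same hunk still use the `-d` + `<>` pair). The `<>` form tells a relabel not to touch entries beneath a mount point that is presumably labelled by genfscon once mounted; labelling the whole tree cgroup_t changes what restorecon does to a stray unmounted `/cgroup` directory tree. If the collapse is intentional, a comment such as `# cgroup mount points: label the whole tree, not only the directory` would record why these two differ from the other pseudo-fs entries.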
@@ -13087,7 +13092,32 @@ index 8416beb..7170125 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3263,6 +3803,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3137,6 +3677,24 @@ interface(`fs_nfs_domtrans',` + + ######################################## + ## ++## Mount on nfsd_fs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mounton_nfsd_fs', ` ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ ++ allow $1 nfsd_fs_t:dir mounton; ++') ++ ++######################################## ++## + ## Mount a NFS server pseudo filesystem. + ## + ## +@@ -3263,6 +3821,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -13112,7 +13142,7 @@ index 8416beb..7170125 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3841,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3859,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -13137,7 +13167,7 @@ index 8416beb..7170125 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +3968,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -13146,7 +13176,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3429,7 +4005,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4023,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -13155,7 +13185,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3447,7 +4023,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4041,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -13164,7 +13194,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3815,6 +4391,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4409,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## 
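Review bot: The new `fs_mounton_nfsd_fs` interface in filesystem.if has a space after the comma in its opening line, `` interface(`fs_mounton_nfsd_fs', ` ``, unlike every neighbouring interface in the hunk such as `` interface(`fs_nfs_domtrans',` ``; the refpolicy m4 convention is no whitespace there and tooling that greps for interface names can trip on the variant. The summary is also terser than its siblings: `## Mount a filesystem on top of nfsd_fs directories.` would match the wording style of `fs_mount_nfsd_fs` just below it.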
@@ -13189,7 +13219,7 @@ index 8416beb..7170125 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +4502,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +4520,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -13198,7 +13228,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3916,17 +4510,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +4528,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -13219,7 +13249,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3934,17 +4528,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +4546,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -13240,7 +13270,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3952,17 +4546,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +4564,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -13280,7 +13310,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3970,31 +4583,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +4601,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -13336,7 +13366,7 @@ index 8416beb..7170125 100644 ') ######################################## -@@ -4105,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +4753,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -13345,7 +13375,7 @@ index 8416beb..7170125 100644 ') ######################################## -@@ -4165,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +4813,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -13370,7 +13400,7 @@ index 8416beb..7170125 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +4868,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## 
@@ -13379,7 +13409,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -4221,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +4887,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -13440,7 +13470,7 @@ index 8416beb..7170125 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +4998,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -13485,7 +13515,7 @@ index 8416beb..7170125 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5055,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -13511,7 +13541,7 @@ index 8416beb..7170125 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4503,6 +5262,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5280,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -13520,7 +13550,7 @@ index 8416beb..7170125 100644 ') ######################################## -@@ -4549,7 +5310,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5328,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -13529,7 +13559,7 @@ index 8416beb..7170125 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5375,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -13556,7 +13586,7 @@ index 8416beb..7170125 100644 ## Get the quotas of all filesystems. ## ## -@@ -4912,3 +5693,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +5711,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -19310,7 +19340,7 @@ index 346d011..3e23acb 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..3063a17 100644 +index 76d9f66..5cb2095 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -1,4 +1,15 @@ @@ -19329,12 +19359,13 @@ index 76d9f66..3063a17 100644 /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) -@@ -8,9 +19,15 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +@@ -8,9 +19,16 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) ++/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) @@ -31145,7 +31176,7 @@ index e8c59a5..5c935e3 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..a70c055 100644 +index 9fe8e01..5985e0f 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',` 
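Review bot: Labelling `/usr/libexec/nm-ssh-service` as ssh_exec_t in the ssh.fc hunk gives a NetworkManager helper the ssh client's entrypoint type, so every domain that already holds `ssh_domtrans` or `ssh_exec` rights can now execute this helper as well, and NetworkManager itself (per the networkmanager.te hunk in the contrib patch, `ssh_exec(NetworkManager_t)`) runs it inside NetworkManager_t rather than in ssh_t. Whether the helper should share a type with the interactive client or get its own exec type deserves a comment either way, e.g. `# NetworkManager VPN helper; shares ssh_exec_t and runs in NetworkManager_t via ssh_exec()`. I am inferring what the helper does from its name, so that comment needs confirming against the binary.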
@@ -31188,8 +31219,12 @@ index 9fe8e01..a70c055 100644 /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -77,7 +76,7 @@ ifdef(`distro_redhat',` +@@ -75,9 +74,11 @@ ifdef(`distro_redhat',` + + /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) ++/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) ++ /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) -/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0) @@ -31197,7 +31232,7 @@ index 9fe8e01..a70c055 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +89,7 @@ ifdef(`distro_debian',` +@@ -90,6 +91,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -38094,7 +38129,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..08ce1e5 100644 +index 3c5dba7..4f43578 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
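Review bot: The `/var/lib/ipa/pki-ca/publish(/.*)?` line in miscfiles.fc is dropped between `/var/lib/texmf` and `/var/cache/fontconfig`, out of the path order the rest of the file keeps; it belongs with the other `/var/lib` entries. cert_t is the generic certificate type readable by any domain granted the miscfiles cert interfaces, so this labelling is only appropriate if the publish directory holds nothing but public certificates and CRLs, which the hunk does not state. Suggest moving the line and adding `# IPA CA publish dir: public certs and CRLs only, hence generic cert_t`, after confirming that assumption.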
@@ -40601,16 +40636,34 @@ index 3c5dba7..08ce1e5 100644 ') ######################################## -@@ -3217,7 +3864,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3864,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') - dontaudit $1 user_devpts_t:chr_file rw_file_perms; + dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to open user ptys. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_open_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ dontaudit $1 user_devpts_t:chr_file open; ') ######################################## -@@ -3272,7 +3919,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3937,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -40676,7 +40729,7 @@ index 3c5dba7..08ce1e5 100644 ') ######################################## -@@ -3290,7 +3994,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4012,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -40685,7 +40738,7 @@ index 3c5dba7..08ce1e5 100644 ') ######################################## -@@ -3309,6 +4013,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4031,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -40693,7 +40746,7 @@ index 3c5dba7..08ce1e5 100644 kernel_search_proc($1) ') -@@ -3385,6 +4090,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4108,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -40736,7 +40789,7 @@ index 3c5dba7..08ce1e5 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4146,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4164,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
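Review bot: The new `userdom_dontaudit_open_user_ptys` interface only silences `open`, which, as the name of `rw_inherited_file_perms` indicates, is exactly the permission the sibling `userdom_dontaudit_use_user_ptys` stopped covering when this hunk changed it from `rw_file_perms`; a caller wanting the previous behaviour now needs both calls and neither summary says so. Suggest the summary read `## Do not audit attempts to open user ptys (complements userdom_dontaudit_use_user_ptys, which now covers only inherited descriptors).`.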
@@ -40761,7 +40814,7 @@ index 3c5dba7..08ce1e5 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4197,1455 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4215,1455 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 7e566d2..7033d16 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2572,10 +2572,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..36cb011 +index 0000000..badbc17 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,252 @@ +@@ -0,0 +1,256 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2669,6 +2669,7 @@ index 0000000..36cb011 +manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t) +manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t) +manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t) ++files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file}) + +can_exec(antivirus_domain, antivirus_exec_t) + @@ -2716,6 +2717,9 @@ index 0000000..36cb011 +corenet_tcp_connect_http_port(antivirus_domain) +corenet_tcp_sendrecv_http_port(antivirus_domain) + ++corenet_sendrecv_snmp_client_packets(antivirus_domain) ++corenet_tcp_connect_snmp_port(antivirus_domain) ++ +corenet_sendrecv_squid_client_packets(antivirus_domain) +corenet_tcp_connect_squid_port(antivirus_domain) +corenet_tcp_sendrecv_squid_port(antivirus_domain) @@ -11974,7 +11978,7 @@ index c223f81..3bcdf6a 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 2a71346..c1eef8d 100644 +index 2a71346..4218733 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) 
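Review bot: `files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})` in antivirus.te writes the class set as `{file}` where the rest of these patches use `{ file }` / `{ file dir }` spacing (e.g. the dirsrv.te `files_tmp_filetrans` line later in this diff); m4 accepts both, but the file should stay consistent. The filetrans also covers plain files only, while the three `manage_*_pattern` lines directly above it let the domain manage dirs, files and sock files in antivirus_var_run_t, so a directory or socket the daemon creates straight under /var/run will land in the generic pid type unless something else labels it. If that is intended a why-comment would help; otherwise use `files_pid_filetrans(antivirus_domain, antivirus_var_run_t, { file dir sock_file })`.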
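Review bot: The SNMP block added to antivirus.te (`corenet_sendrecv_snmp_client_packets` plus `corenet_tcp_connect_snmp_port`) omits the `corenet_tcp_sendrecv_snmp_port` call that the http and squid blocks right next to it include, so it does not follow the file's own pattern; either add `corenet_tcp_sendrecv_snmp_port(antivirus_domain)` or drop the sendrecv lines from the others. antivirus_domain is an attribute shared by several daemons, so this grants the SNMP connect to all of them; a comment naming which product needs it would make that reviewable later.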
@@ -12013,7 +12017,16 @@ index 2a71346..c1eef8d 100644 logging_send_syslog_msg(cobblerd_t) miscfiles_read_localization(cobblerd_t) -@@ -193,12 +194,11 @@ optional_policy(` +@@ -188,17 +189,20 @@ optional_policy(` + ') + + optional_policy(` ++ libs_exec_ldconfig(cobblerd_t) ++') ++ ++optional_policy(` + rpm_exec(cobblerd_t) + ') optional_policy(` rsync_read_config(cobblerd_t) @@ -12987,7 +13000,7 @@ index 3fe3cb8..b8e08c6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..2af6e1e 100644 +index 3f2b672..c0501e0 100644 --- a/condor.te +++ b/condor.te @@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) @@ -13071,7 +13084,16 @@ index 3f2b672..2af6e1e 100644 optional_policy(` mta_send_mail(condor_master_t) -@@ -178,6 +184,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -169,6 +175,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; + + kernel_read_network_state(condor_collector_t) + ++corenet_tcp_bind_http_port(condor_collector_t) ++ + ##################################### + # + # Negotiator local policy +@@ -178,6 +186,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -13080,7 +13102,7 @@ index 3f2b672..2af6e1e 100644 ###################################### # # Procd local policy -@@ -201,6 +209,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -201,6 +211,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; 
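Review bot: `libs_exec_ldconfig(cobblerd_t)` in cobbler.te is wrapped in `optional_policy()` although libs is a base-policy module and, as far as I can tell, that interface only grants exec without a domain transition; the wrapper is harmless but misleading, and nothing records why cobblerd runs ldconfig at all. If it is only a cache query, say so and drop the wrapper to match the other base-module calls in the file: `# cobblerd runs ldconfig (presumably only -p / cache lookup); no transition` followed by the bare `libs_exec_ldconfig(cobblerd_t)`.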
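Review bot: `corenet_tcp_bind_http_port(condor_collector_t)` in condor.te lets the collector listen on every port labelled http_port_t rather than one HTTP-style interface, so a compromised collector could squat on the 80/443-class ports that confined web servers own (the exact set depends on corenetwork definitions not visible here). If the collector's web interface uses a fixed port, a dedicated port type or a boolean would be tighter; at minimum add a why-comment such as `# collector serves its status page over HTTP (port TBD); consider a dedicated port type`. The collector block continues outside this hunk.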
@@ -13089,7 +13111,7 @@ index 3f2b672..2af6e1e 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +219,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +221,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13098,7 +13120,7 @@ index 3f2b672..2af6e1e 100644 ##################################### # # Startd local policy -@@ -233,11 +245,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +247,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13111,7 +13133,7 @@ index 3f2b672..2af6e1e 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +260,7 @@ optional_policy(` +@@ -249,3 +262,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -13120,24 +13142,15 @@ index 3f2b672..2af6e1e 100644 + unconfined_domain(condor_startd_t) +') diff --git a/consolekit.fc b/consolekit.fc -index 23c9558..ee585a7 100644 +index 23c9558..29e5fd3 100644 --- a/consolekit.fc 
+++ b/consolekit.fc -@@ -1,7 +1,9 @@ --/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) -+#/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) - --/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -+#/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - --/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) --/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) --/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -+#/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) + -+#/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) -+#/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -+#/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) + + /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff --git a/consolekit.if b/consolekit.if index 5b830ec..0647a3b 100644 --- a/consolekit.if @@ -20417,10 +20430,10 @@ index 0000000..b214253 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..1a57396 +index 0000000..05c070d --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,193 @@ +@@ -0,0 +1,194 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -20512,6 +20525,7 @@ index 0000000..1a57396 +files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) +allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms; + ++kernel_read_network_state(dirsrv_t) +kernel_read_system_state(dirsrv_t) +kernel_read_kernel_sysctls(dirsrv_t) + 
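Review bot: The consolekit.fc hunk labels `/usr/lib/systemd/system/console-kit.*` as consolekit_unit_file_t, a type that must be declared (with `systemd_unit_file()`) in consolekit.te; that declaration is not part of this diff, so the contrib build fails on an undefined type if it is missing there. This hunk also restores every consolekit entry that the previous version of the patch had commented out; a one-line comment at the top of the file stating that ConsoleKit is shipped and confined again would save the next reader the archaeology.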
@@ -27150,7 +27164,7 @@ index d03fd43..26023f7 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 20f726b..6af4e62 100644 +index 20f726b..8e905be 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ @@ -27378,7 +27392,7 @@ index 20f726b..6af4e62 100644 +') + +optional_policy(` -+ gnome_read_home_config(gnomesystemmm_t) ++ gnome_manage_home_config(gnomesystemmm_t) +') + +optional_policy(` @@ -44418,7 +44432,7 @@ index 0e8508c..0b68b86 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..f3320a3 100644 +index 0b48a30..eac844a 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -44757,7 +44771,7 @@ index 0b48a30..f3320a3 100644 ') optional_policy(` -@@ -320,13 +350,15 @@ optional_policy(` +@@ -320,13 +350,19 @@ optional_policy(` ') optional_policy(` @@ -44772,17 +44786,21 @@ index 0b48a30..f3320a3 100644 optional_policy(` - # unconfined_dgram_send(NetworkManager_t) - unconfined_stream_connect(NetworkManager_t) ++ ssh_exec(NetworkManager_t) ++') ++ ++optional_policy(` + udev_exec(NetworkManager_t) + udev_read_db(NetworkManager_t) ') optional_policy(` -@@ -356,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +392,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) -miscfiles_read_localization(wpa_cli_t) - +- term_dontaudit_use_console(wpa_cli_t) diff --git a/nis.fc b/nis.fc index 8aa1bfa..cd0e015 100644 @@ -53297,10 +53315,10 @@ index 0000000..0c167b7 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..e1d3320 +index 0000000..6329c9c --- /dev/null 
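Review bot: Swapping `gnome_read_home_config` for `gnome_manage_home_config` on gnomesystemmm_t upgrades the domain from reading the user's GNOME config to creating, writing and deleting it, a notable widening for what the type name suggests is a monitoring tool, and the hunk gives no justification. If it only needs to persist its own settings, a narrower rule or at least a comment naming what it writes would be better, e.g. `# gnome-system-monitor writes its own settings under the user's config dir`. I am inferring the program from the type name; confirm against the .fc entry.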
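Review bot: `ssh_exec(NetworkManager_t)` in networkmanager.te runs the ssh client (and, given the ssh.fc hunk that labels /usr/libexec/nm-ssh-service as ssh_exec_t, the VPN helper too) inside NetworkManager_t with no domain transition, so an ssh process driven by VPN connection settings inherits NetworkManager's full permission set. If a transition to a dedicated domain is not practical for a system daemon, the decision should at least be recorded: `# nm-ssh-service and ssh run in NetworkManager_t (no transition); they keep NM's permissions`. The surrounding optional_policy blocks are only partly visible in this hunk.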
+++ b/pki.if -@@ -0,0 +1,272 @@ +@@ -0,0 +1,273 @@ + +## policy for pki +######################################## @@ -53572,6 +53590,7 @@ index 0000000..e1d3320 + ') + + read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) ++ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) +') diff --git a/pki.te b/pki.te new file mode 100644 @@ -64656,7 +64675,7 @@ index 951db7f..6d6ec1d 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..e67ea1b 100644 +index 2c1730b..0e15502 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t; @@ -64702,8 +64721,11 @@ index 2c1730b..e67ea1b 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -51,17 +59,20 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t) +@@ -49,19 +57,23 @@ corecmd_exec_shell(mdadm_t) + dev_rw_sysfs(mdadm_t) + dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) ++dev_read_crash(mdadm_t) dev_read_realtime_clock(mdadm_t) dev_read_raw_memory(mdadm_t) +dev_read_nvram(mdadm_t) @@ -64725,7 +64747,7 @@ index 2c1730b..e67ea1b 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,16 +81,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,16 +82,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -69574,7 +69596,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..74f3e1b 100644 +index e5212e6..df782bf 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -69785,7 +69807,7 @@ index e5212e6..74f3e1b 100644 ') ######################################## -@@ -195,41 +141,55 @@ optional_policy(` +@@ -195,41 +141,56 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; 
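Review bot: `dev_read_crash(mdadm_t)` in raid.te grants read on the crash device type, which like the `dev_read_raw_memory` already in the same block exposes kernel memory; mdadm is already that privileged, but the hunk gives no reason a RAID tool needs /dev/crash, and a denial-driven addition can just as easily stem from a mislabelled device node. A why-comment would keep this auditable, e.g. `# seen in AVCs during device enumeration -- TODO confirm /dev/crash is really needed and not a mislabel`.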
@@ -69826,6 +69848,7 @@ index e5212e6..74f3e1b 100644 files_manage_mounttab(nfsd_t) +files_read_etc_runtime_files(nfsd_t) ++fs_mounton_nfsd_fs(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) fs_getattr_all_dirs(nfsd_t) @@ -69848,7 +69871,7 @@ index e5212e6..74f3e1b 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -69856,7 +69879,7 @@ index e5212e6..74f3e1b 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -69871,7 +69894,7 @@ index e5212e6..74f3e1b 100644 ') ######################################## -@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -69879,7 +69902,7 @@ index e5212e6..74f3e1b 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -279,25 +239,29 @@ kernel_signal(gssd_t) +@@ -279,25 +240,29 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -69912,7 +69935,7 @@ index e5212e6..74f3e1b 100644 ') optional_policy(` -@@ -306,8 +270,11 @@ optional_policy(` +@@ -306,8 +271,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -74773,10 +74796,10 @@ index 0000000..5da5bff +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..cb720ee +index 0000000..5021551 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,465 @@ +@@ -0,0 +1,467 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() 
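Review bot: `fs_mounton_nfsd_fs(nfsd_t)` in rpc.te calls an interface that exists only once this commit's base-patch hunk adding `fs_mounton_nfsd_fs` to filesystem.if is applied, so the contrib patch now has an ordering dependency on the base patch; building contrib against an older base fails with an undefined interface. That is worth a sentence in the commit message, and a comment beside the call (`# needs fs_mounton_nfsd_fs from the base patch`) would keep the two patches honest if they are ever split. The nfsd_t block continues outside this hunk.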
@@ -75146,6 +75169,7 @@ index 0000000..cb720ee +corenet_sendrecv_ftp_client_packets(sandbox_web_type) +corenet_sendrecv_ipp_client_packets(sandbox_web_type) +corenet_sendrecv_generic_client_packets(sandbox_web_type) ++corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type) + +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) @@ -75242,6 +75266,7 @@ index 0000000..cb720ee + mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') ++userdom_dontaudit_open_user_ptys(sandbox_x_domain) diff --git a/sanlock.fc b/sanlock.fc index 3df2a0f..9059165 100644 --- a/sanlock.fc 
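Review bot: `corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type)` is dropped into the run of `corenet_sendrecv_*` allow rules, while the dontaudit rules for the same type are grouped two lines down starting at `corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)`; move it into that group. A one-line comment such as `# firefox probes the X server port from the sandbox; silence rather than allow` would record why this is a dontaudit and not an allow, since everything around it grants access. The enclosing sandbox_web_type block starts and ends outside the hunk.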
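Review bot: `userdom_dontaudit_open_user_ptys(sandbox_x_domain)` is appended directly after the closing `')` of the mozilla `optional_policy` block with no blank line, at the very end of the file, so an unconditional rule now trails the optional sections and reads as part of the mozilla block. The other unconditional `sandbox_x_domain` rules are presumably earlier in the file (outside this hunk); place it with them, or at least separate it with a blank line.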
@@ -78661,6 +78686,100 @@ index cbfe369..085ac13 100644 ######################################## ## ## All of the rules required to +diff --git a/snapper.fc b/snapper.fc +new file mode 100644 +index 0000000..3f412d5 +--- /dev/null ++++ b/snapper.fc +@@ -0,0 +1 @@ ++/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) +diff --git a/snapper.if b/snapper.if +new file mode 100644 +index 0000000..94105ee +--- /dev/null ++++ b/snapper.if +@@ -0,0 +1,42 @@ ++ ++## policy for snapperd ++ ++######################################## ++## ++## Execute TEMPLATE in the snapperd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`snapper_domtrans',` ++ gen_require(` ++ type snapperd_t, snapperd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, snapperd_exec_t, snapperd_t) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## snapperd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snapper_dbus_chat',` ++ gen_require(` ++ type snapperd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 snapperd_t:dbus send_msg; ++ allow snapperd_t $1:dbus send_msg; ++') +diff --git a/snapper.te b/snapper.te +new file mode 100644 +index 0000000..ad232be +--- /dev/null ++++ b/snapper.te +@@ -0,0 +1,33 @@ ++policy_module(snapper, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type snapperd_t; ++type snapperd_exec_t; ++init_daemon_domain(snapperd_t, snapperd_exec_t) ++ ++######################################## ++# ++# snapperd local policy ++# ++ ++allow snapperd_t self:fifo_file rw_fifo_file_perms; ++allow snapperd_t self:unix_stream_socket create_stream_socket_perms; ++ ++storage_raw_read_fixed_disk(snapperd_t) ++ ++auth_use_nsswitch(snapperd_t) ++ ++miscfiles_read_localization(snapperd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(snapperd_t) ++ dbus_connect_system_bus(snapperd_t) ++') ++ ++optional_policy(` ++ 
mount_domtrans(snapperd_t) ++') diff --git a/snmp.fc b/snmp.fc index c73fa24..408ff61 100644 --- a/snmp.fc @@ -86781,10 +86900,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..f3e9b6d 100644 +index c30da4c..e97572f 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,85 @@ +@@ -1,52 +1,86 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -86834,6 +86953,7 @@ index c30da4c..f3e9b6d 100644 -/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0) /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 116a81e..18c4861 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 54%{?dist} +Release: 55%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
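Review bot: The summary of `snapper_domtrans` in snapper.if still carries the template placeholder and a typo, `Execute TEMPLATE in the snapperd domin.`; it should read `Execute snapperd in the snapperd domain.`. In snapper.te, `storage_raw_read_fixed_disk(snapperd_t)` and the `mount_domtrans(snapperd_t)` optional block are the two privileged grants of the new module and neither says which snapper operation needs them; a short comment on each would let the next reviewer judge whether raw disk reads and a transition into the mount domain are really required, or whether narrower interfaces would do. The new module otherwise follows the usual declarations/local-policy layout.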
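Review bot: `/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)` runs the lock daemon in the full libvirtd domain, and the changelog's "for now" wording is the only record that this is a stopgap. Put that intent next to the rule, `# TODO: virtlockd shares virtd_exec_t until it gets its own domain`, so the temporary widening of virtd_t is visible in the fc file and not only in the spec changelog. The surrounding /usr/sbin entries are otherwise unchanged by this revision.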
@@ -535,6 +535,28 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jun 21 2013 Miroslav Grepl 3.12.1-55 +- condor_collector uses tcp/9000 +- Label /usr/sbin/virtlockd as virtd_exec_t for now +- Allow cobbler to execute ldconfig +- Allow NM to execute ssh +- Allow mdadm to read /dev/crash +- Allow antivirus domains to connect to snmp port +- Make amavisd-snmp working correctly +- Allow nfsd_t to mounton nfsd_fs_t +- Add initial snapper policy +- We still need to have consolekit policy +- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t +- Dontaudit sandbox apps attempting to open user_devpts_t +- Allow dirsrv to read network state +- Fix pki_read_tomcat_lib_files +- Add labeling for /usr/libexec/nm-ssh-service +- Add label cert_t for /var/lib/ipa/pki-ca/publish +- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant +- Allow nfsd_t to mounton nfsd_fs_t +- Dontaudit sandbox apps attempting to open user_devpts_t +- Allow passwd_t to change role to system_r from unconfined_r + * Wed Jun 19 2013 Miroslav Grepl 3.12.1-54 - Don't audit access checks by sandbox xserver on xdb var_lib - Allow ntop to read usbmon devices