diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 53b2a80..a06763e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9321,7 +9321,7 @@ index cf04cb5..32d58ca 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..d8cdd96 100644 +index b876c48..b2aed45 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9357,7 +9357,7 @@ index b876c48..d8cdd96 100644 /etc/.* gen_context(system_u:object_r:etc_t,s0) /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -52,13 +53,17 @@ ifdef(`distro_suse',` +@@ -52,13 +53,20 @@ ifdef(`distro_suse',` /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -9377,10 +9377,13 @@ index b876c48..d8cdd96 100644 +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) ++/etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) ++ ++/ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0) /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) -@@ -70,7 +75,10 @@ ifdef(`distro_suse',` +@@ -70,7 +78,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) 
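Review bot: `++/ostree/repo(/.*)?` gives the entire OSTree object store the same type as firewall and yum configuration, so any domain granted write on system_conf_t (the changelog names subscription-manager, but the type is shared) can now also write arbitrary objects and refs into the repository that backs the deployed root filesystem on ostree-based hosts. A dedicated type for the repo tree, with write granted only to the domains that actually edit remotes, would keep that surface separate from ordinary configuration. Separately, `++/etc/ostree/remotes.d(/.*)?` leaves the dot unescaped while the neighbouring `/etc/yum\.repos\.d(/.*)?` escapes it; it should read `/etc/ostree/remotes\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)`.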
@@ -9392,7 +9395,7 @@ index b876c48..d8cdd96 100644 ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', ` +@@ -78,10 +89,6 @@ ifdef(`distro_gentoo', ` /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -9403,7 +9406,7 @@ index b876c48..d8cdd96 100644 ifdef(`distro_suse',` /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.* <> +@@ -104,7 +111,7 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) # @@ -9412,7 +9415,7 @@ index b876c48..d8cdd96 100644 # /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) -@@ -125,10 +129,12 @@ ifdef(`distro_debian',` +@@ -125,10 +132,12 @@ ifdef(`distro_debian',` # # Mount points; do not relabel subdirectories, since # we don't want to change any removable media by default. @@ -9426,7 +9429,7 @@ index b876c48..d8cdd96 100644 # # /misc -@@ -138,7 +144,7 @@ ifdef(`distro_debian',` +@@ -138,7 +147,7 @@ ifdef(`distro_debian',` # # /mnt # @@ -9435,7 +9438,7 @@ index b876c48..d8cdd96 100644 /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /mnt/[^/]*/.* <> -@@ -150,10 +156,10 @@ ifdef(`distro_debian',` +@@ -150,10 +159,10 @@ ifdef(`distro_debian',` # # /opt # @@ -9448,7 +9451,7 @@ index b876c48..d8cdd96 100644 # # /proc -@@ -161,6 +167,12 @@ ifdef(`distro_debian',` +@@ -161,6 +170,12 @@ ifdef(`distro_debian',` /proc -d <> /proc/.* <> @@ -9461,7 +9464,7 @@ index b876c48..d8cdd96 100644 # # /run # -@@ -169,6 +181,7 @@ ifdef(`distro_debian',` +@@ -169,6 +184,7 @@ ifdef(`distro_debian',` /run/.*\.*pid <> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) @@ -9469,7 +9472,7 @@ index b876c48..d8cdd96 100644 # # /selinux # -@@ -178,13 +191,14 @@ ifdef(`distro_debian',` +@@ -178,13 +194,14 @@ ifdef(`distro_debian',` # # /srv # 
@@ -9486,7 +9489,7 @@ index b876c48..d8cdd96 100644 /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +208,11 @@ ifdef(`distro_debian',` +@@ -194,9 +211,11 @@ ifdef(`distro_debian',` # # /usr # @@ -9499,7 +9502,7 @@ index b876c48..d8cdd96 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +220,9 @@ ifdef(`distro_debian',` +@@ -204,15 +223,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9516,7 +9519,7 @@ index b876c48..d8cdd96 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +230,6 @@ ifdef(`distro_debian',` +@@ -220,8 +233,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9525,7 +9528,7 @@ index b876c48..d8cdd96 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +237,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +240,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9534,7 +9537,7 @@ index b876c48..d8cdd96 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +245,25 @@ ifndef(`distro_redhat',` +@@ -237,11 +248,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9561,7 +9564,7 @@ index b876c48..d8cdd96 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +278,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +281,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> 
@@ -9576,14 +9579,14 @@ index b876c48..d8cdd96 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +295,5 @@ ifdef(`distro_debian',` +@@ -271,3 +298,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..d12f46e 100644 +index f962f76..47dc71f 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -11073,7 +11076,7 @@ index f962f76..d12f46e 100644 ') ######################################## -@@ -4217,192 +4975,215 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,192 +4975,218 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11161,7 +11164,7 @@ index f962f76..d12f46e 100644 - ') +interface(`files_filetrans_system_conf_named_files',` + gen_require(` -+ type etc_t, system_conf_t; ++ type etc_t, system_conf_t, usr_t; + ') - dontaudit $1 tmp_t:dir getattr; @@ -11182,6 +11185,9 @@ index f962f76..d12f46e 100644 + filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") ++ filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d") ++ filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d") ++ filetrans_pattern($1, usr_t, system_conf_t, dir, "repo") ') -######################################## 
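Review bot: `++ filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")` is a named transition keyed on the generic usr_t, so any caller of files_filetrans_system_conf_named_files that creates a directory called `repo` under any usr_t directory (all of /usr, not only the ostree tree) ends up with a system_conf_t directory it can then write into; the `remotes.d` transition from etc_t has the same reach under /etc. The transition should key off the actual parent type of /ostree, or a dedicated type for that tree, rather than usr_t, and the interface's doc comment should say it now covers ostree repo directories as well as yum and firewall config. The interface's declaration and gen_require are in the preceding hunk.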
@@ -11385,7 +11391,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4410,53 +5191,56 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4410,53 +5194,56 @@ interface(`files_manage_generic_tmp_dirs',` ## ## # @@ -11454,7 +11460,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4464,77 +5248,93 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4464,77 +5251,93 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -11572,7 +11578,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4542,110 +5342,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4542,110 +5345,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -11711,7 +11717,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4653,22 +5441,17 @@ interface(`files_tmp_filetrans',` +@@ -4653,22 +5444,17 @@ interface(`files_tmp_filetrans',` ## ## # @@ -11738,7 +11744,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4676,17 +5459,17 @@ interface(`files_purge_tmp',` +@@ -4676,17 +5462,17 @@ interface(`files_purge_tmp',` ## ## # @@ -11760,7 +11766,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4694,18 +5477,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4694,18 +5480,17 @@ interface(`files_setattr_usr_dirs',` ## ## # @@ -11783,7 +11789,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4713,35 +5495,35 @@ interface(`files_search_usr',` +@@ -4713,35 +5498,35 @@ interface(`files_search_usr',` ## ## # @@ -11828,7 +11834,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4749,36 +5531,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4749,36 +5534,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # @@ -11874,7 +11880,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4786,17 +5567,17 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4786,17 +5570,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # @@ -11896,7 +11902,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4804,73 +5585,59 @@ interface(`files_delete_usr_dirs',` +@@ -4804,73 +5588,59 @@ interface(`files_delete_usr_dirs',` ## ## # 
@@ -11989,7 +11995,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4878,55 +5645,58 @@ interface(`files_read_usr_files',` +@@ -4878,55 +5648,58 @@ interface(`files_read_usr_files',` ## ## # @@ -12064,7 +12070,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -4934,67 +5704,70 @@ interface(`files_manage_usr_files',` +@@ -4934,67 +5707,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -12153,7 +12159,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5003,35 +5776,50 @@ interface(`files_read_usr_symlinks',` +@@ -5003,35 +5779,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -12213,7 +12219,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5039,20 +5827,17 @@ interface(`files_dontaudit_search_src',` +@@ -5039,20 +5830,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -12238,7 +12244,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5060,20 +5845,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5060,20 +5848,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -12263,7 +12269,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5081,38 +5864,35 @@ interface(`files_read_usr_src_files',` +@@ -5081,38 +5867,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -12311,7 +12317,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5120,37 +5900,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5120,37 +5903,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -12359,7 +12365,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5158,35 +5937,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5158,35 +5940,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -12404,7 +12410,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5194,36 +5973,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5194,36 +5976,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # 
@@ -12470,7 +12476,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5231,36 +6029,37 @@ interface(`files_dontaudit_search_var',` +@@ -5231,36 +6032,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -12518,7 +12524,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5268,17 +6067,17 @@ interface(`files_manage_var_dirs',` +@@ -5268,17 +6070,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -12540,7 +12546,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5286,17 +6085,17 @@ interface(`files_read_var_files',` +@@ -5286,17 +6088,17 @@ interface(`files_read_var_files',` ## ## # @@ -12562,7 +12568,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5304,73 +6103,86 @@ interface(`files_append_var_files',` +@@ -5304,73 +6106,86 @@ interface(`files_append_var_files',` ## ## # @@ -12669,7 +12675,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5378,50 +6190,41 @@ interface(`files_read_var_symlinks',` +@@ -5378,50 +6193,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -12734,7 +12740,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5429,69 +6232,56 @@ interface(`files_var_filetrans',` +@@ -5429,69 +6235,56 @@ interface(`files_var_filetrans',` ## ## # @@ -12819,7 +12825,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5499,17 +6289,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5499,17 +6292,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -12843,7 +12849,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5517,70 +6308,54 @@ interface(`files_list_var_lib',` +@@ -5517,70 +6311,54 @@ interface(`files_list_var_lib',` ## ## # @@ -12927,7 +12933,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5588,41 +6363,36 @@ interface(`files_read_var_lib_files',` +@@ -5588,41 +6366,36 @@ interface(`files_read_var_lib_files',` ## ## # @@ -12979,7 +12985,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5630,36 +6400,36 @@ interface(`files_manage_urandom_seed',` +@@ -5630,36 +6403,36 @@ interface(`files_manage_urandom_seed',` ## ## # 
@@ -13026,7 +13032,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5667,38 +6437,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5667,38 +6440,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -13074,7 +13080,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5706,19 +6473,17 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,19 +6476,17 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -13098,7 +13104,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5726,60 +6491,54 @@ interface(`files_list_locks',` +@@ -5726,60 +6494,54 @@ interface(`files_list_locks',` ## ## # @@ -13174,7 +13180,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5787,20 +6546,18 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,20 +6549,18 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -13200,7 +13206,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5808,165 +6565,156 @@ interface(`files_getattr_generic_locks',` +@@ -5808,165 +6568,156 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -13428,7 +13434,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -5974,59 +6722,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5974,59 +6725,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # @@ -13519,7 +13525,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6034,18 +6794,18 @@ interface(`files_dontaudit_search_pids',` +@@ -6034,18 +6797,18 @@ interface(`files_dontaudit_search_pids',` ## ## # @@ -13543,7 +13549,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6053,19 +6813,21 @@ interface(`files_list_pids',` +@@ -6053,19 +6816,21 @@ interface(`files_list_pids',` ## ## # @@ -13571,7 +13577,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6073,58 +6835,1243 @@ interface(`files_read_generic_pids',` +@@ -6073,58 +6838,1243 @@ interface(`files_read_generic_pids',` ## ## # 
@@ -14850,7 +14856,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6132,44 +8079,165 @@ interface(`files_write_generic_pid_pipes',` +@@ -6132,44 +8082,165 @@ interface(`files_write_generic_pid_pipes',` ## The name of the object being created. ## ## @@ -15035,7 +15041,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6177,20 +8245,18 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6177,20 +8248,18 @@ interface(`files_pid_filetrans_lock_dir',` ## ## # @@ -15061,7 +15067,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6198,19 +8264,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8267,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -15085,7 +15091,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6218,18 +8282,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8285,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -15108,7 +15114,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6237,41 +8300,43 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,41 +8303,43 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -15166,7 +15172,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6280,67 +8345,55 @@ interface(`files_read_all_pids',` +@@ -6280,67 +8348,55 @@ interface(`files_read_all_pids',` ## ## # @@ -15251,7 +15257,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6348,37 +8401,37 @@ interface(`files_manage_all_pids',` +@@ -6348,37 +8404,37 @@ interface(`files_manage_all_pids',` ## ## # @@ -15300,7 +15306,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6386,132 +8439,207 @@ interface(`files_search_spool',` +@@ -6386,132 +8442,207 @@ interface(`files_search_spool',` ## ## # @@ -15559,7 +15565,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6519,53 +8647,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8650,17 @@ interface(`files_spool_filetrans',` ## ## # 
@@ -15617,7 +15623,7 @@ index f962f76..d12f46e 100644 ## ## ## -@@ -6573,10 +8665,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8668,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -34272,10 +34278,10 @@ index 312cd04..3c62b4c 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..738e9ff 100644 +index 73a1c4e..ef41ebe 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,33 @@ +@@ -1,22 +1,35 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -34289,6 +34295,7 @@ index 73a1c4e..738e9ff 100644 + +/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) + ++/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -34309,6 +34316,7 @@ index 73a1c4e..738e9ff 100644 +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b67a506..13a5f51 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1,8 +1,8 @@ 
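Review bot: `++/sbin/arptables` and `++/usr/sbin/arptables` are anchored file-context regexes, so they will not match `arptables-restore` or `arptables-save`; this same hunk needs separate entries for `ebtables-restore`, and if the arptables package ships those helpers they will stay generic bin_t and miss whatever domain transition is tied to iptables_exec_t. If they exist, `/usr/sbin/arptables(-restore|-save)? -- gen_context(system_u:object_r:iptables_exec_t,s0)` (and the same under /sbin) covers all three in one line.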
diff --git a/abrt.fc b/abrt.fc -index 1a93dc5..dc1d24c 100644 +index 1a93dc5..f2b26f5 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,31 +1,44 @@ +@@ -1,31 +1,46 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) @@ -42,6 +42,8 @@ index 1a93dc5..dc1d24c 100644 + +/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) + ++/var/lib/abrt(/.*)? gen_context(system_u:object_r:abrt_var_lib_t,s0) ++ +/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -536,7 +538,7 @@ index 058d908..2f6c3a9 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..cfd3aa9 100644 +index eb50f07..0a78b7e 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -555,7 +557,7 @@ index eb50f07..cfd3aa9 100644 ## gen_tunable(abrt_anon_write, false) -@@ -37,13 +36,15 @@ attribute abrt_domain; +@@ -37,87 +36,98 @@ attribute abrt_domain; attribute_role abrt_helper_roles; roleattribute system_r abrt_helper_roles; @@ -573,7 +575,14 @@ index eb50f07..cfd3aa9 100644 type abrt_etc_t; files_config_file(abrt_etc_t) -@@ -55,69 +56,75 @@ files_tmp_file(abrt_tmp_t) + type abrt_var_log_t; + logging_log_file(abrt_var_log_t) + ++type abrt_var_lib_t; ++files_type(abrt_var_lib_t) ++ + type abrt_tmp_t; + files_tmp_file(abrt_tmp_t) type abrt_var_cache_t; files_type(abrt_var_cache_t) 
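Review bot: `++type abrt_var_lib_t;` / `++files_type(abrt_var_lib_t)` introduce a new type, but abrt.if's index line (`058d908..2f6c3a9`) is unchanged in this diff, so the abrt admin interface presumably gets no `admin_pattern` on it, and none of the visible hunks give abrt_t itself any access to /var/lib/abrt; unless the daemon never touches that tree, both should be added together with the type. A comment above the declaration naming who writes there would help, e.g. `# /var/lib/abrt: state written by abrt_dump_oops_t (abrt-dump-journal-oops) - confirm other writers`.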
@@ -677,7 +686,7 @@ index eb50f07..cfd3aa9 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -125,41 +132,47 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -125,41 +135,47 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -731,7 +740,7 @@ index eb50f07..cfd3aa9 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -176,29 +189,42 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +192,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -771,13 +780,14 @@ index eb50f07..cfd3aa9 100644 +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) +miscfiles_dontaudit_access_check_cert(abrt_t) ++miscfiles_dontaudit_write_generic_cert_files(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +232,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +236,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -794,7 +804,7 @@ index eb50f07..cfd3aa9 100644 ') optional_policy(` -@@ -222,6 +244,20 @@ optional_policy(` +@@ -222,6 +248,20 @@ optional_policy(` ') optional_policy(` @@ -815,7 +825,7 @@ index eb50f07..cfd3aa9 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +270,11 @@ optional_policy(` +@@ -234,6 +274,11 @@ optional_policy(` ') optional_policy(` 
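Review bot: `++miscfiles_dontaudit_write_generic_cert_files(abrt_t)` silences write denials from a root daemon on the system certificate store, which is exactly the event an auditor would want logged if abrt were ever coerced into touching trust anchors; the changelog says the trigger is only an access(2) probe, and the line above already carries `miscfiles_dontaudit_access_check_cert(abrt_t)`. If the access-check dontaudit does not cover the denial on its own, keep this rule but record why, e.g. `# abrt only probes cert files with access(2); the write denial is noise, never a real write`, so it is not later widened into an allow.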
@@ -827,7 +837,7 @@ index eb50f07..cfd3aa9 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +284,7 @@ optional_policy(` +@@ -243,6 +288,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -835,7 +845,7 @@ index eb50f07..cfd3aa9 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +295,17 @@ optional_policy(` +@@ -253,9 +299,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -854,7 +864,7 @@ index eb50f07..cfd3aa9 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +316,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +320,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -869,7 +879,7 @@ index eb50f07..cfd3aa9 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +335,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +339,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -877,7 +887,7 @@ index eb50f07..cfd3aa9 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +344,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +348,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -898,7 +908,7 @@ index eb50f07..cfd3aa9 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +365,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +369,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -925,7 +935,7 @@ index eb50f07..cfd3aa9 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +401,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +405,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -939,7 +949,7 @@ index eb50f07..cfd3aa9 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +419,11 @@ optional_policy(` +@@ -343,10 +423,11 @@ optional_policy(` ####################################### # @@ -953,7 +963,7 @@ index eb50f07..cfd3aa9 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +442,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +446,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -985,6 +995,9 @@ index eb50f07..cfd3aa9 100644 manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) +files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt") ++ ++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t) ++manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t) read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) 
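Review bot: `++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)` and the matching files rule are added without a file transition, so if abrt-dump-journal-oops ever creates /var/lib/abrt itself rather than inheriting a package-created, restorecon'd directory, the new directory lands as var_lib_t and every later write is denied. The neighbouring cache rules pair their manage rules with `files_var_filetrans(...)`; the same shape here would be `files_var_lib_filetrans(abrt_dump_oops_t, abrt_var_lib_t, dir, "abrt")`. Whether the helper creates the directory at runtime is not visible in this hunk.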
@@ -995,17 +1008,22 @@ index eb50f07..cfd3aa9 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) ++dev_read_urand(abrt_dump_oops_t) ++dev_read_rand(abrt_dump_oops_t) ++ domain_use_interactive_fds(abrt_dump_oops_t) ++fs_getattr_all_fs(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) +fs_list_pstorefs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) ++logging_read_syslog_pid(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t) ####################################### # -@@ -404,7 +491,7 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,7 +503,7 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1014,7 +1032,7 @@ index eb50f07..cfd3aa9 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -413,16 +500,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -413,16 +512,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1058,7 +1076,7 @@ index eb50f07..cfd3aa9 100644 ') ####################################### -@@ -430,10 +543,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +555,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -11769,7 +11787,7 @@ index 0000000..aa308eb +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..c8338dc +index 0000000..f50b201 --- /dev/null +++ b/chrome.te @@ -0,0 +1,249 @@ 
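Review bot: `++dev_read_rand(abrt_dump_oops_t)` is added next to `++dev_read_urand(abrt_dump_oops_t)`; an oops scanner has no evident need for the blocking /dev/random, and reading it can stall the helper when the entropy pool is low, so unless a denial was actually observed only the urand rule should stay. `++fs_getattr_all_fs(abrt_dump_oops_t)` and `++logging_read_syslog_pid(abrt_dump_oops_t)` are broad for a single-purpose helper; a one-line comment naming the path or library that triggers each (the changelog only says the binary is now abrt-dump-journal-oops) would keep them from being mistaken for dead rules later.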
@@ -11981,7 +11999,7 @@ index 0000000..c8338dc + +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; -+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share }; ++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share }; + +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) +fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file) @@ -21809,7 +21827,7 @@ index a7326da..c87b5b7 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te -index 583a527..bb77017 100644 +index 583a527..1053281 100644 --- a/denyhosts.te +++ b/denyhosts.te @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) @@ -21830,8 +21848,14 @@ index 583a527..bb77017 100644 corenet_all_recvfrom_netlabel(denyhosts_t) corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) -@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t) +@@ -57,13 +59,17 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t) + corenet_tcp_connect_smtp_port(denyhosts_t) + corenet_tcp_sendrecv_smtp_port(denyhosts_t) ++corenet_sendrecv_sype_transport_client_packets(denyhosts_t) ++corenet_tcp_connect_sype_transport_port(denyhosts_t) ++corenet_tcp_sendrecv_sype_transport_port(denyhosts_t) ++ dev_read_urand(denyhosts_t) +auth_use_nsswitch(denyhosts_t) @@ -21844,7 +21868,7 @@ index 583a527..bb77017 100644 sysnet_dns_name_resolve(denyhosts_t) sysnet_manage_config(denyhosts_t) sysnet_etc_filetrans_config(denyhosts_t) -@@ -71,3 +73,7 @@ sysnet_etc_filetrans_config(denyhosts_t) +@@ -71,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` cron_system_entry(denyhosts_t, denyhosts_exec_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 9c345ba..19922e8 100644 --- a/selinux-policy.spec 
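Review bot: `++corenet_tcp_connect_sype_transport_port(denyhosts_t)` and its two siblings grant the outbound connection unconditionally, yet the changelog describes this as enabling an optional synchronization feature that ships the host's blocked-IP list to a remote server; wrapping the three rules in a `tunable_policy` boolean that is off by default would leave the default denyhosts profile with no outbound path to that port. The rules also depend on a sype_transport port type, presumably mapped to tcp/9911, being defined in corenetwork, which is not part of this diff. Since `sype_transport` says nothing about denyhosts, a comment above the block, `# denyhosts sync server, tcp/9911`, is worth adding.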
+++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 69%{?dist} +Release: 70%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Aug 4 2014 Miroslav Grepl 3.13.1-70 +- Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t. +- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port. +- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t. +- Dontaudit write access on generic cert files. We don't audit also access check. +- Add support for arptables. +- Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager. + * Mon Aug 4 2014 Tom Callaway 3.13.1-69 - fix license handling