diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 1b54bc8..907824f 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -5938,7 +5938,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..25a5cfe 100644 +index b191055..9729941 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6126,7 +6126,8 @@ index b191055..25a5cfe 100644 +network_port(ircd, tcp,6667,s0, tcp,6697,s0) network_port(isakmp, udp,500,s0) network_port(iscsi, tcp,3260,s0) - network_port(isns, tcp,3205,s0, udp,3205,s0) +-network_port(isns, tcp,3205,s0, udp,3205,s0) ++network_port(isns, tcp,3205,s0, udp,3205,s0, tcp,51954,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) -network_port(jabber_interserver, tcp,5269,s0) -network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0) @@ -49009,10 +49010,10 @@ index 0000000..86e3d01 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..8abc799 +index 0000000..e18f8c8 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,965 @@ +@@ -0,0 +1,966 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49733,6 +49734,7 @@ index 0000000..8abc799 + +dev_read_sysfs(systemd_rfkill_t) +dev_rw_wireless(systemd_rfkill_t) ++dev_write_kmsg(systemd_rfkill_t) + +init_search_var_lib_dirs(systemd_rfkill_t) + diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index f24ab7c..b133d1f 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..1377e9e 100644 +index eb50f07..f3cc31a 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) 
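Review bot: In the `@@ -6126` hunk tcp 51954 is appended to `network_port(isns, ...)` with no comment in the hunk and no bug reference in the commit record, while later in the same change isnsd_t also gains `corenet_tcp_connect_isns_port(isnsd_t)`, so every existing bind/connect rule on isns_port_t silently widens to this high port as well. A one-line comment above the `network_port` call would keep the origin auditable, e.g. `# tcp 51954: <constructed placeholder: component and bz reference>`. If the port is only ever used by isnsd_t for outbound connects, it may be worth confirming that the bind rules on the type are still wanted for it.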
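Review bot: The `@@ -49733` hunk adds `dev_write_kmsg(systemd_rfkill_t)`, but the changelog entry for bz(1388669) describes the need as writing to /proc/kmsg; the `dev_write_kmsg` interface, as far as I know, covers the /dev/kmsg character device type rather than the procfs node, so one of the two may be describing the wrong object. A short comment on the new line naming the path the daemon actually opens, `# writes /dev/kmsg — bz(1388669)`, would settle it for the next reader. This is worth confirming against the AVC in the bug before the release ships.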
@@ -1069,7 +1069,7 @@ index eb50f07..1377e9e 100644 # -allow abrt_dump_oops_t self:capability dac_override; -+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid }; ++allow abrt_dump_oops_t self:capability { setcap kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid }; +allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace }; +allow abrt_dump_oops_t self:process setfscreate; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; @@ -9774,7 +9774,7 @@ index 531a8f2..3fcf187 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..ab9ec30 100644 +index 1241123..f726b13 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9801,7 +9801,7 @@ index 1241123..ab9ec30 100644 # -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; -+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource }; ++allow named_t self:capability { chown dac_override fowner net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; +allow named_t self:capability2 block_suspend; allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; @@ -31360,10 +31360,10 @@ index 0000000..cf9f7bf +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..efd838f +index 0000000..fb8be0d --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,71 @@ +@@ -0,0 +1,72 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -31397,6 +31397,7 @@ index 0000000..efd838f +manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t) +files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file }) + ++kernel_read_system_state(geoclue_t) +kernel_read_network_state(geoclue_t) + +auth_read_passwd(geoclue_t) 
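Review bot: In the `@@ -9801` hunk `net_raw` is added to named_t's capability set with nothing in the hunk explaining what BIND operation triggered bz(1389240); the capability covers raw and packet socket creation for the whole domain, which is a broader grant than the other entries in that set. A comment on the rule naming the triggering operation, e.g. `# net_raw: <constructed placeholder: operation from bz(1389240)>`, would make the widening reviewable later. If the denial was a capability check that the daemon can tolerate failing, a `dontaudit` would be the narrower fix; the rest of bind.te, including any matching socket-class rules, is outside this hunk.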
@@ -32015,30 +32016,31 @@ index 5cd0909..bd3c3d2 100644 + +corenet_tcp_connect_commplex_main_port(glance_scrubber_t) +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) -diff --git a/glusterfs.fc b/glusterd.fc -similarity index 54% -rename from glusterfs.fc -rename to glusterd.fc -index 4bd6ade..52b4110 100644 ---- a/glusterfs.fc +diff --git a/glusterd.fc b/glusterd.fc +new file mode 100644 +index 0000000..52b4110 +--- /dev/null 
+++ b/glusterd.fc -@@ -6,11 +6,17 @@ - /usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) - /usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) - +@@ -0,0 +1,22 @@ ++/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) ++ ++/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) ++/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) ++ ++/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) ++/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + - /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) - --/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) ++/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ +/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) - - /var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) ++ ++/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) +/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) - ++ +/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) - /var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) --/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) ++/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) 
@@ -32618,6 +32620,28 @@ index 0000000..3ba328e +optional_policy(` + ssh_exec(glusterd_t) +') +diff --git a/glusterfs.fc b/glusterfs.fc +deleted file mode 100644 +index 4bd6ade..0000000 +--- a/glusterfs.fc ++++ /dev/null +@@ -1,16 +0,0 @@ +-/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +- +-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) +-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) +- +-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) +- +-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) +- +-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) +- +-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) +- +-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterfs.if b/glusterfs.if deleted file mode 100644 index 05233c8..0000000 @@ -39824,7 +39848,7 @@ index ca020fa..d546e07 100644 + kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t) +') diff --git a/isns.te b/isns.te -index bc11034..183c526 100644 +index bc11034..20a7f39 100644 --- a/isns.te +++ b/isns.te @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) @@ -39845,9 +39869,11 @@ index bc11034..183c526 100644 corenet_all_recvfrom_unlabeled(isnsd_t) corenet_all_recvfrom_netlabel(isnsd_t) corenet_tcp_sendrecv_generic_if(isnsd_t) -@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t) +@@ -45,11 +49,8 @@ corenet_tcp_sendrecv_isns_port(isnsd_t) + corenet_tcp_bind_generic_node(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t) ++corenet_tcp_connect_isns_port(isnsd_t) -files_read_etc_files(isnsd_t) +auth_use_nsswitch(isnsd_t) @@ -64713,10 +64739,10 @@ index 0000000..7581b52 +') 
diff --git a/openfortivpn.te b/openfortivpn.te new file mode 100644 -index 0000000..0d22f83 +index 0000000..3142896 --- /dev/null +++ b/openfortivpn.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,67 @@ +policy_module(openfortivpn, 1.0.0) + +######################################## @@ -64725,11 +64751,9 @@ index 0000000..0d22f83 +# + +type openfortivpn_t; -+domain_type(openfortivpn_t); +role system_r types openfortivpn_t; -+ +type openfortivpn_exec_t; -+domain_entry_file(openfortivpn_t, openfortivpn_exec_t) ++init_daemon_domain(openfortivpn_t, openfortivpn_exec_t) + +type openfortivpn_var_lib_t; +files_type(openfortivpn_var_lib_t) @@ -69348,14 +69372,15 @@ index 43d50f9..6b1544f 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 1fb1964..5212cd2 100644 +index 1fb1964..a8026bd 100644 --- a/pcscd.te +++ b/pcscd.te -@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") +@@ -22,10 +22,12 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") # allow pcscd_t self:capability { dac_override dac_read_search fsetid }; -allow pcscd_t self:process signal; ++allow pcscd_t self:capability2 { wake_alarm }; +allow pcscd_t self:process { signal signull }; allow pcscd_t self:fifo_file rw_fifo_file_perms; -allow pcscd_t self:unix_stream_socket { accept listen }; @@ -69366,7 +69391,7 @@ index 1fb1964..5212cd2 100644 allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) +@@ -36,7 +38,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) kernel_read_system_state(pcscd_t) 
@@ -69374,7 +69399,7 @@ index 1fb1964..5212cd2 100644 corenet_all_recvfrom_netlabel(pcscd_t) corenet_tcp_sendrecv_generic_if(pcscd_t) corenet_tcp_sendrecv_generic_node(pcscd_t) -@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) +@@ -45,12 +46,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) corenet_tcp_connect_http_port(pcscd_t) corenet_tcp_sendrecv_http_port(pcscd_t) @@ -69389,7 +69414,7 @@ index 1fb1964..5212cd2 100644 files_read_etc_runtime_files(pcscd_t) term_use_unallocated_ttys(pcscd_t) -@@ -60,16 +61,26 @@ locallogin_use_fds(pcscd_t) +@@ -60,16 +62,26 @@ locallogin_use_fds(pcscd_t) logging_send_syslog_msg(pcscd_t) @@ -69418,7 +69443,7 @@ index 1fb1964..5212cd2 100644 ') optional_policy(` -@@ -85,3 +96,8 @@ optional_policy(` +@@ -85,3 +97,8 @@ optional_policy(` optional_policy(` udev_read_db(pcscd_t) ') @@ -90832,7 +90857,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..7f491b0 100644 +index 2da9fca..23bddad 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91030,7 +91055,7 @@ index 2da9fca..7f491b0 100644 ') ######################################## -@@ -202,41 +226,56 @@ optional_policy(` +@@ -202,41 +226,61 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -91084,6 +91109,11 @@ index 2da9fca..7f491b0 100644 storage_dontaudit_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) ++allow nfsd_t nfsd_unit_file_t:file manage_file_perms; ++systemd_unit_file_filetrans(nfsd_t, nfsd_unit_file_t, file) ++systemd_create_unit_file_dirs(nfsd_t) ++systemd_create_unit_file_lnk(nfsd_t) ++ +# Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) 
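Review bot: In the `@@ -91084` hunk only the `file` class is transitioned to nfsd_unit_file_t by `systemd_unit_file_filetrans(nfsd_t, nfsd_unit_file_t, file)`, while `systemd_create_unit_file_dirs(nfsd_t)` and `systemd_create_unit_file_lnk(nfsd_t)` presumably leave directories and symlinks created by nfsd_t under the generic unit-file label; that gives a network-facing daemon objects in a tree systemd reads at boot, so the scope deserves to be stated. A comment naming what actually creates these objects, `# nfsd generates its own unit files/drop-ins at runtime — bz(1382487)`, would document the intent, and if the filetrans interface accepts it, transitioning `dir` and `lnk_file` to nfsd_unit_file_t too would keep everything nfsd_t writes under its own type. The surrounding nfsd_t policy is outside this hunk.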
@@ -91096,7 +91126,7 @@ index 2da9fca..7f491b0 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +284,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -91104,7 +91134,7 @@ index 2da9fca..7f491b0 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +295,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -91119,7 +91149,7 @@ index 2da9fca..7f491b0 100644 ') ######################################## -@@ -270,7 +308,7 @@ optional_policy(` +@@ -270,7 +313,7 @@ optional_policy(` # GSSD local policy # @@ -91128,7 +91158,7 @@ index 2da9fca..7f491b0 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +318,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -91136,7 +91166,7 @@ index 2da9fca..7f491b0 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +327,31 @@ kernel_signal(gssd_t) +@@ -288,25 +332,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -91171,7 +91201,7 @@ index 2da9fca..7f491b0 100644 ') optional_policy(` -@@ -314,9 +359,12 @@ optional_policy(` +@@ -314,9 +364,12 @@ optional_policy(` ') optional_policy(` @@ -105199,47 +105229,40 @@ index 0000000..80c6480 + systemd_read_fifo_file_passwd_run($1) + ') +') -diff --git a/systemtap.te b/stapserver.te -similarity index 64% -rename from systemtap.te -rename to stapserver.te -index ffde368..e847ea3 100644 ---- a/systemtap.te +diff --git a/stapserver.te b/stapserver.te +new file mode 100644 +index 0000000..e847ea3 +--- /dev/null 
+++ b/stapserver.te -@@ -1,4 +1,4 @@ --policy_module(systemtap, 1.1.0) +@@ -0,0 +1,114 @@ +policy_module(stapserver, 1.1.1) - - ######################################## - # -@@ -9,12 +9,6 @@ type stapserver_t; - type stapserver_exec_t; - init_daemon_domain(stapserver_t, stapserver_exec_t) - --type stapserver_initrc_exec_t; --init_script_file(stapserver_initrc_exec_t) -- --type stapserver_conf_t; --files_config_file(stapserver_conf_t) -- - type stapserver_var_lib_t; - files_type(stapserver_var_lib_t) - -@@ -24,50 +18,62 @@ logging_log_file(stapserver_log_t) - type stapserver_var_run_t; - files_pid_file(stapserver_var_run_t) - ++ ++######################################## ++# ++# Declarations ++# ++ ++type stapserver_t; ++type stapserver_exec_t; ++init_daemon_domain(stapserver_t, stapserver_exec_t) ++ ++type stapserver_var_lib_t; ++files_type(stapserver_var_lib_t) ++ ++type stapserver_log_t; ++logging_log_file(stapserver_log_t) ++ ++type stapserver_var_run_t; ++files_pid_file(stapserver_var_run_t) ++ +type stapserver_tmp_t; +files_tmp_file(stapserver_tmp_t) + - ######################################## - # --# Local policy ++######################################## ++# +# stapserver local policy - # - --allow stapserver_t self:capability { dac_override kill setuid setgid }; --allow stapserver_t self:process { setrlimit setsched signal }; ++# ++ +#runuser +allow stapserver_t self:capability { setuid setgid }; +allow stapserver_t self:process setsched; 
@@ -105247,84 +105270,84 @@ index ffde368..e847ea3 100644 +allow stapserver_t self:capability { dac_override kill sys_ptrace}; +allow stapserver_t self:process { setrlimit signal }; + - allow stapserver_t self:fifo_file rw_fifo_file_perms; - allow stapserver_t self:key write; --allow stapserver_t self:unix_stream_socket { accept listen }; --allow stapserver_t self:tcp_socket create_stream_socket_perms; -- --allow stapserver_t stapserver_conf_t:file read_file_perms; ++allow stapserver_t self:fifo_file rw_fifo_file_perms; ++allow stapserver_t self:key write; +allow stapserver_t self:unix_stream_socket create_stream_socket_perms; +allow stapserver_t self:tcp_socket { accept listen }; - - manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) - manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) - files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) - - manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) ++ ++manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) ++manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) ++files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) ++ ++manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) - logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) - ++logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) ++ +manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file 
dir }) + - manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) - manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) - files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) - --kernel_read_kernel_sysctls(stapserver_t) - kernel_read_system_state(stapserver_t) ++manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) ++manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) ++files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) ++ ++kernel_read_system_state(stapserver_t) +kernel_read_kernel_sysctls(stapserver_t) - - corecmd_exec_bin(stapserver_t) - corecmd_exec_shell(stapserver_t) - - domain_read_all_domains_state(stapserver_t) ++ ++corecmd_exec_bin(stapserver_t) ++corecmd_exec_shell(stapserver_t) ++ ++domain_read_all_domains_state(stapserver_t) +domain_use_interactive_fds(stapserver_t) - --dev_read_rand(stapserver_t) - dev_read_sysfs(stapserver_t) ++ ++dev_read_sysfs(stapserver_t) +dev_read_rand(stapserver_t) - dev_read_urand(stapserver_t) - - files_list_tmp(stapserver_t) --files_read_usr_files(stapserver_t) - files_search_kernel_modules(stapserver_t) - ++dev_read_urand(stapserver_t) ++ ++files_list_tmp(stapserver_t) ++files_search_kernel_modules(stapserver_t) ++ +fs_search_cgroup_dirs(stapserver_t) +fs_getattr_all_fs(stapserver_t) + - auth_use_nsswitch(stapserver_t) - - init_read_utmp(stapserver_t) -@@ -75,12 +81,18 @@ init_read_utmp(stapserver_t) - logging_send_audit_msgs(stapserver_t) - logging_send_syslog_msg(stapserver_t) - --miscfiles_read_localization(stapserver_t) ++auth_use_nsswitch(stapserver_t) ++ ++init_read_utmp(stapserver_t) ++ ++logging_send_audit_msgs(stapserver_t) ++logging_send_syslog_msg(stapserver_t) ++ +#lspci - miscfiles_read_hwdata(stapserver_t) - ++miscfiles_read_hwdata(stapserver_t) ++ +systemd_dbus_chat_logind(stapserver_t) + - userdom_use_user_terminals(stapserver_t) - - optional_policy(` 
++userdom_use_user_terminals(stapserver_t) ++ ++optional_policy(` + avahi_dbus_chat(stapserver_t) +') + +optional_policy(` - consoletype_exec(stapserver_t) - ') - -@@ -99,3 +111,4 @@ optional_policy(` - optional_policy(` - rpm_exec(stapserver_t) - ') ++ consoletype_exec(stapserver_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(stapserver_t) ++') ++ ++optional_policy(` ++ hostname_exec(stapserver_t) ++') ++ ++optional_policy(` ++ plymouthd_exec_plymouth(stapserver_t) ++') ++ ++optional_policy(` ++ rpm_exec(stapserver_t) ++') + diff --git a/stunnel.fc b/stunnel.fc index 49dd63c..ae2e798 100644 
@@ -106142,6 +106165,113 @@ index c755e2d..0000000 - files_search_pids($1) - admin_pattern($1, stapserver_var_run_t) -') +diff --git a/systemtap.te b/systemtap.te +deleted file mode 100644 +index ffde368..0000000 +--- a/systemtap.te ++++ /dev/null +@@ -1,101 +0,0 @@ +-policy_module(systemtap, 1.1.0) +- +-######################################## +-# +-# Declarations +-# +- +-type stapserver_t; +-type stapserver_exec_t; +-init_daemon_domain(stapserver_t, stapserver_exec_t) +- +-type stapserver_initrc_exec_t; +-init_script_file(stapserver_initrc_exec_t) +- +-type stapserver_conf_t; +-files_config_file(stapserver_conf_t) +- +-type stapserver_var_lib_t; +-files_type(stapserver_var_lib_t) +- +-type stapserver_log_t; +-logging_log_file(stapserver_log_t) +- +-type stapserver_var_run_t; +-files_pid_file(stapserver_var_run_t) +- +-######################################## +-# +-# Local policy +-# +- +-allow stapserver_t self:capability { dac_override kill setuid setgid }; +-allow stapserver_t self:process { setrlimit setsched signal }; +-allow stapserver_t self:fifo_file rw_fifo_file_perms; +-allow stapserver_t self:key write; +-allow stapserver_t self:unix_stream_socket { accept listen }; +-allow stapserver_t self:tcp_socket create_stream_socket_perms; +- +-allow stapserver_t stapserver_conf_t:file read_file_perms; +- +-manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) +-manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) +-files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) +- +-manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) +- +-manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) 
+-manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) +-files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) +- +-kernel_read_kernel_sysctls(stapserver_t) +-kernel_read_system_state(stapserver_t) +- +-corecmd_exec_bin(stapserver_t) +-corecmd_exec_shell(stapserver_t) +- +-domain_read_all_domains_state(stapserver_t) +- +-dev_read_rand(stapserver_t) +-dev_read_sysfs(stapserver_t) +-dev_read_urand(stapserver_t) +- +-files_list_tmp(stapserver_t) +-files_read_usr_files(stapserver_t) +-files_search_kernel_modules(stapserver_t) +- +-auth_use_nsswitch(stapserver_t) +- +-init_read_utmp(stapserver_t) +- +-logging_send_audit_msgs(stapserver_t) +-logging_send_syslog_msg(stapserver_t) +- +-miscfiles_read_localization(stapserver_t) +-miscfiles_read_hwdata(stapserver_t) +- +-userdom_use_user_terminals(stapserver_t) +- +-optional_policy(` +- consoletype_exec(stapserver_t) +-') +- +-optional_policy(` +- dbus_system_bus_client(stapserver_t) +-') +- +-optional_policy(` +- hostname_exec(stapserver_t) +-') +- +-optional_policy(` +- plymouthd_exec_plymouth(stapserver_t) +-') +- +-optional_policy(` +- rpm_exec(stapserver_t) +-') diff --git a/targetd.fc b/targetd.fc new file mode 100644 index 0000000..c1ef053 @@ -109470,7 +109600,7 @@ index 61c2e07..3b86095 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..f24416b 100644 +index 5ceacde..c919a2d 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) @@ -109487,7 +109617,16 @@ index 5ceacde..f24416b 100644 type tor_t; type tor_exec_t; init_daemon_domain(tor_t, tor_exec_t) -@@ -32,6 +39,10 @@ logging_log_file(tor_var_log_t) +@@ -25,13 +32,19 @@ init_script_file(tor_initrc_exec_t) + + type tor_var_lib_t; + files_type(tor_var_lib_t) ++files_mountpoint(tor_var_lib_t) + + type tor_var_log_t; + logging_log_file(tor_var_log_t) ++files_mountpoint(tor_var_log_t) + type tor_var_run_t; files_pid_file(tor_var_run_t) init_daemon_run_dir(tor_var_run_t, "tor") 
@@ -109498,7 +109637,7 @@ index 5ceacde..f24416b 100644 ######################################## # -@@ -48,6 +59,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; +@@ -48,6 +61,8 @@ allow tor_t tor_etc_t:dir list_dir_perms; allow tor_t tor_etc_t:file read_file_perms; allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; @@ -109507,7 +109646,7 @@ index 5ceacde..f24416b 100644 manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -@@ -77,7 +90,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) +@@ -77,7 +92,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) corenet_udp_sendrecv_generic_node(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) @@ -109515,7 +109654,7 @@ index 5ceacde..f24416b 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -85,6 +97,7 @@ corenet_udp_sendrecv_dns_port(tor_t) +@@ -85,6 +99,7 @@ corenet_udp_sendrecv_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_tcp_bind_tor_port(tor_t) corenet_tcp_sendrecv_tor_port(tor_t) @@ -109523,7 +109662,7 @@ index 5ceacde..f24416b 100644 corenet_sendrecv_all_client_packets(tor_t) corenet_tcp_connect_all_ports(tor_t) -@@ -98,19 +111,22 @@ dev_read_urand(tor_t) +@@ -98,19 +113,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 75a201e..dfc2e6f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191.19%{?dist} +Release: 191.20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -672,6 +672,18 @@ exit 0 %endif %changelog +* Wed Nov 02 2016 Lukas Vrabec 3.13.1-191.20 +- Allow abrt_dump_oops_t to drop capabilities. bz(1391040) +- Add named_t domain net_raw capability bz(1389240) +- Allow geoclue to read system info. bz(1389320) +- Make openfortivpn_t as init_deamon_domain. bz(1159899) +- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487) +- Add pscsd_t wake_alarm capability2 +- Allow isnsd_t to connect to isns_port_t +- Make tor_var_lib_t and tor_var_log_t as mountpoints. +- Allow systemd-rfkill to write to /proc/kmsg bz(1388669) +- Label tcp 51954 as isns_port_t + * Tue Oct 18 2016 Miroslav Grepl - Add transition rules for sandbox domains - Fix cobbler module