diff --git a/container-selinux.tgz b/container-selinux.tgz index 4168c82..2420260 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index adc7a97..d2b4c15 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -11227,7 +11227,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..fa12587 100644 +index f962f76..e06a46c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13191,33 +13191,7 @@ index f962f76..fa12587 100644 ') ######################################## -@@ -4126,6 +5028,25 @@ interface(`files_kernel_modules_filetrans',` - - ######################################## - ## -+## Load kernel module files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_load_kernel_modules',` -+ gen_require(` -+ type modules_object_t; -+ ') -+ -+ files_read_kernel_modules($1) -+ allow $1 modules_object_t:system module_load; -+') -+ -+######################################## -+## - ## List world-readable directories. - ## - ## -@@ -4217,174 +5138,275 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
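Review bot: The hunk at `@@ -13191,33 +13191,7 @@` drops the added `files_load_kernel_modules` interface, and with it the only rule granting `allow $1 modules_object_t:system module_load;`, while the inner `index f962f76..e06a46c` line shows the upstream base files.if is unchanged, so any module in this tree (or inside the rebuilt container-selinux.tgz) that still calls `files_load_kernel_modules()` will fail to build, and this diff does not show whether the caller was removed, retargeted, or the permission re-granted some other way. The container-selinux.tgz change is a binary blob, so that side cannot be reviewed here; please state in the commit message why the interface was dropped (e.g. the target policy lacks `module_load` in the `system` class) and where the call site went. Because `system module_load` lets a domain load kernel code, a replacement that grants it through a wider attribute or `modules_object_t:system *` would be a privilege regression worth calling out explicitly. The remaining hunks only renumber hunk offsets and shift context.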
@@ -13364,61 +13338,91 @@ index f962f76..fa12587 100644 ## -## Do not audit attempts to search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain to not audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- dontaudit $1 tmp_t:dir search_dir_perms; + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +################################### -+## + ## +-## Read the tmp directory (/tmp). +## Create files in /etc with the type used for +## the manageable system config files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## The type of the process performing this action. +## -+## -+# + ## + # +-interface(`files_list_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir list_dir_perms; + filetrans_pattern($1, etc_t, system_conf_t, file) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Do not audit listing of the tmp directory (/tmp). +## Manage manageable system db files in /var/lib. -+## -+## + ## + ## +-## +-## Domain not to audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_list_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_db_files',` + gen_require(` + type var_lib_t, system_db_t; + ') -+ + +- dontaudit $1 tmp_t:dir list_dir_perms; + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) -+') -+ + ') + +-######################################## +##################################### -+## + ## +-## Remove entries from the tmp directory. 
+## File name transition for system db files in /var/lib. ## ## @@ -13444,24 +13448,24 @@ index f962f76..fa12587 100644 +## +## ## --## Domain to not audit. +-## Domain allowed access. +## Type of the file to associate. ## ## # --interface(`files_dontaudit_search_tmp',` +-interface(`files_delete_tmp_dir_entry',` +interface(`files_associate_tmp',` gen_require(` type tmp_t; ') -- dontaudit $1 tmp_t:dir search_dir_perms; +- allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 tmp_t:filesystem associate; ') ######################################## ## --## Read the tmp directory (/tmp). +-## Read files in the tmp directory (/tmp). +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system @@ -13474,43 +13478,42 @@ index f962f76..fa12587 100644 ## ## # --interface(`files_list_tmp',` +-interface(`files_read_generic_tmp_files',` +interface(`files_associate_rootfs',` gen_require(` - type tmp_t; + type root_t; ') -- allow $1 tmp_t:dir list_dir_perms; +- read_files_pattern($1, tmp_t, tmp_t) + allow $1 root_t:filesystem associate; ') ######################################## ## --## Do not audit listing of the tmp directory (/tmp). +-## Manage temporary directories in /tmp. +## Get the attributes of the tmp directory (/tmp). ## ## ## --## Domain not to audit. -+## Domain allowed access. +@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',` ## ## # --interface(`files_dontaudit_list_tmp',` +-interface(`files_manage_generic_tmp_dirs',` +interface(`files_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- dontaudit $1 tmp_t:dir list_dir_perms; +- manage_dirs_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; ') ######################################## ## --## Remove entries from the tmp directory. +-## Manage temporary files and directories in /tmp. +## Do not audit attempts to check the +## access on tmp files ## 
@@ -13521,20 +13524,20 @@ index f962f76..fa12587 100644 ## ## # --interface(`files_delete_tmp_dir_entry',` +-interface(`files_manage_generic_tmp_files',` +interface(`files_dontaudit_access_check_tmp',` gen_require(` - type tmp_t; + type etc_t; ') -- allow $1 tmp_t:dir del_entry_dir_perms; +- manage_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; ') ######################################## ## --## Read files in the tmp directory (/tmp). +-## Read symbolic links in the tmp directory (/tmp). +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). ## @@ -13545,34 +13548,34 @@ index f962f76..fa12587 100644 ## ## # --interface(`files_read_generic_tmp_files',` +-interface(`files_read_generic_tmp_symlinks',` +interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- read_files_pattern($1, tmp_t, tmp_t) +- read_lnk_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir getattr; ') ######################################## ## --## Manage temporary directories in /tmp. +-## Read and write generic named sockets in the tmp directory (/tmp). +## Search the tmp directory (/tmp). ## ## ## -@@ -4392,35 +5414,37 @@ interface(`files_read_generic_tmp_files',` +@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',` ## ## # --interface(`files_manage_generic_tmp_dirs',` +-interface(`files_rw_generic_tmp_sockets',` +interface(`files_search_tmp',` gen_require(` type tmp_t; ') -- manage_dirs_pattern($1, tmp_t, tmp_t) +- rw_sock_files_pattern($1, tmp_t, tmp_t) + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; @@ -13580,7 +13583,7 @@ index f962f76..fa12587 100644 ######################################## ## --## Manage temporary files and directories in /tmp. +-## Set the attributes of all tmp directories. +## Do not audit attempts to search the tmp directory (/tmp). ## ## 
@@ -13590,40 +13593,44 @@ index f962f76..fa12587 100644 ## ## # --interface(`files_manage_generic_tmp_files',` +-interface(`files_setattr_all_tmp_dirs',` +interface(`files_dontaudit_search_tmp',` gen_require(` - type tmp_t; +- attribute tmpfile; ++ type tmp_t; ') -- manage_files_pattern($1, tmp_t, tmp_t) +- allow $1 tmpfile:dir { search_dir_perms setattr }; + dontaudit $1 tmp_t:dir search_dir_perms; ') ######################################## ## --## Read symbolic links in the tmp directory (/tmp). +-## List all tmp directories. +## Read the tmp directory (/tmp). ## ## ## -@@ -4428,53 +5452,55 @@ interface(`files_manage_generic_tmp_files',` +@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # --interface(`files_read_generic_tmp_symlinks',` +-interface(`files_list_all_tmp',` +interface(`files_list_tmp',` gen_require(` - type tmp_t; +- attribute tmpfile; ++ type tmp_t; ') - read_lnk_files_pattern($1, tmp_t, tmp_t) +- allow $1 tmpfile:dir list_dir_perms; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; ') ######################################## ## --## Read and write generic named sockets in the tmp directory (/tmp). +-## Relabel to and from all temporary +-## directory types. +## Do not audit listing of the tmp directory (/tmp). ## ## 
@@ -13632,33 +13639,38 @@ index f962f76..fa12587 100644 +## Domain to not audit. ## ## +-## # --interface(`files_rw_generic_tmp_sockets',` +-interface(`files_relabel_all_tmp_dirs',` +interface(`files_dontaudit_list_tmp',` gen_require(` - type tmp_t; +- attribute tmpfile; +- type var_t; ++ type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) + dontaudit $1 tmp_t:dir list_dir_perms; ') -######################################## +####################################### ## --## Set the attributes of all tmp directories. +-## Do not audit attempts to get the attributes +-## of all tmp files. +## Allow read and write to the tmp directory (/tmp). ## ## -## --## Domain allowed access. +-## Domain not to audit. -## +## +## Domain not to audit. +## ## # --interface(`files_setattr_all_tmp_dirs',` +-interface(`files_dontaudit_getattr_all_tmp_files',` - gen_require(` - attribute tmpfile; - ') @@ -13667,30 +13679,31 @@ index f962f76..fa12587 100644 + type tmp_t; + ') -- allow $1 tmpfile:dir { search_dir_perms setattr }; +- dontaudit $1 tmpfile:file getattr; + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; ') ######################################## ## --## List all tmp directories. +-## Allow attempts to get the attributes +-## of all tmp files. +## Remove entries from the tmp directory. ## ## ## -@@ -4482,118 +5508,116 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # --interface(`files_list_all_tmp',` +-interface(`files_getattr_all_tmp_files',` +interface(`files_delete_tmp_dir_entry',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; +- allow $1 tmpfile:file getattr; + files_search_tmp($1) + allow $1 tmp_t:dir del_entry_dir_perms; ') 
@@ -13698,7 +13711,7 @@ index f962f76..fa12587 100644 ######################################## ## -## Relabel to and from all temporary --## directory types. +-## file types. +## Read files in the tmp directory (/tmp). ## ## @@ -13708,7 +13721,7 @@ index f962f76..fa12587 100644 ## -## # --interface(`files_relabel_all_tmp_dirs',` +-interface(`files_relabel_all_tmp_files',` +interface(`files_read_generic_tmp_files',` gen_require(` - attribute tmpfile; @@ -13717,14 +13730,14 @@ index f962f76..fa12587 100644 ') - allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) +- relabel_files_pattern($1, tmpfile, tmpfile) + read_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Do not audit attempts to get the attributes --## of all tmp files. +-## of all tmp sock_file. +## Manage temporary directories in /tmp. ## ## @@ -13734,21 +13747,20 @@ index f962f76..fa12587 100644 ## ## # --interface(`files_dontaudit_getattr_all_tmp_files',` +-interface(`files_dontaudit_getattr_all_tmp_sockets',` +interface(`files_manage_generic_tmp_dirs',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- dontaudit $1 tmpfile:file getattr; +- dontaudit $1 tmpfile:sock_file getattr; + manage_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Allow attempts to get the attributes --## of all tmp files. +-## Read all tmp files. +## Allow shared library text relocations in tmp files. ## +## 
@@ -13765,20 +13777,20 @@ index f962f76..fa12587 100644 ## ## # --interface(`files_getattr_all_tmp_files',` +-interface(`files_read_all_tmp_files',` +interface(`files_execmod_tmp',` gen_require(` attribute tmpfile; ') -- allow $1 tmpfile:file getattr; +- read_files_pattern($1, tmpfile, tmpfile) + allow $1 tmpfile:file execmod; ') ######################################## ## --## Relabel to and from all temporary --## file types. +-## Create an object in the tmp directories, with a private +-## type using a type transition. +## Manage temporary files and directories in /tmp. ## ## 
@@ -13786,259 +13798,253 @@ index f962f76..fa12587 100644 ## Domain allowed access. ## ## --## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## # --interface(`files_relabel_all_tmp_files',` +-interface(`files_tmp_filetrans',` +interface(`files_manage_generic_tmp_files',` gen_require(` -- attribute tmpfile; -- type var_t; -+ type tmp_t; + type tmp_t; ') -- allow $1 var_t:dir search_dir_perms; -- relabel_files_pattern($1, tmpfile, tmpfile) +- filetrans_pattern($1, tmp_t, $2, $3, $4) + manage_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Do not audit attempts to get the attributes --## of all tmp sock_file. +-## Delete the contents of /tmp. +## Read symbolic links in the tmp directory (/tmp). ## ## ## --## Domain not to audit. -+## Domain allowed access. +@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',` ## ## # --interface(`files_dontaudit_getattr_all_tmp_sockets',` +-interface(`files_purge_tmp',` +interface(`files_read_generic_tmp_symlinks',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- dontaudit $1 tmpfile:sock_file getattr; +- allow $1 tmpfile:dir list_dir_perms; +- delete_dirs_pattern($1, tmpfile, tmpfile) +- delete_files_pattern($1, tmpfile, tmpfile) +- delete_lnk_files_pattern($1, tmpfile, tmpfile) +- delete_fifo_files_pattern($1, tmpfile, tmpfile) +- delete_sock_files_pattern($1, tmpfile, tmpfile) + read_lnk_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Read all tmp files. +-## Set the attributes of the /usr directory. +## Read and write generic named sockets in the tmp directory (/tmp). 
## ## ## -@@ -4601,51 +5625,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` +@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',` ## ## # --interface(`files_read_all_tmp_files',` +-interface(`files_setattr_usr_dirs',` +interface(`files_rw_generic_tmp_sockets',` gen_require(` -- attribute tmpfile; +- type usr_t; + type tmp_t; ') -- read_files_pattern($1, tmpfile, tmpfile) +- allow $1 usr_t:dir setattr; + rw_sock_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Create an object in the tmp directories, with a private --## type using a type transition. +-## Search the content of /usr. +## Relabel a dir from the type used in /tmp. ## ## ## - ## Domain allowed access. +@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',` ## ## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. --## --## # --interface(`files_tmp_filetrans',` +-interface(`files_search_usr',` +interface(`files_relabelfrom_tmp_dirs',` gen_require(` - type tmp_t; +- type usr_t; ++ type tmp_t; ') -- filetrans_pattern($1, tmp_t, $2, $3, $4) +- allow $1 usr_t:dir search_dir_perms; + relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Delete the contents of /tmp. +-## List the contents of generic +-## directories in /usr. +## Relabel a file from the type used in /tmp. 
## ## ## -@@ -4653,22 +5661,17 @@ interface(`files_tmp_filetrans',` +@@ -4713,35 +5642,35 @@ interface(`files_search_usr',` ## ## # --interface(`files_purge_tmp',` +-interface(`files_list_usr',` +interface(`files_relabelfrom_tmp_files',` gen_require(` -- attribute tmpfile; +- type usr_t; + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; -- delete_dirs_pattern($1, tmpfile, tmpfile) -- delete_files_pattern($1, tmpfile, tmpfile) -- delete_lnk_files_pattern($1, tmpfile, tmpfile) -- delete_fifo_files_pattern($1, tmpfile, tmpfile) -- delete_sock_files_pattern($1, tmpfile, tmpfile) +- allow $1 usr_t:dir list_dir_perms; + relabelfrom_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Set the attributes of the /usr directory. +-## Do not audit write of /usr dirs +## Set the attributes of all tmp directories. ## ## ## -@@ -4676,17 +5679,17 @@ interface(`files_purge_tmp',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_setattr_usr_dirs',` +-interface(`files_dontaudit_write_usr_dirs',` +interface(`files_setattr_all_tmp_dirs',` gen_require(` - type usr_t; + attribute tmpfile; ') -- allow $1 usr_t:dir setattr; +- dontaudit $1 usr_t:dir write; + allow $1 tmpfile:dir { search_dir_perms setattr }; ') ######################################## ## --## Search the content of /usr. +-## Add and remove entries from /usr directories. +## Allow caller to read inherited tmp files. 
## ## ## -@@ -4694,18 +5697,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # --interface(`files_search_usr',` +-interface(`files_rw_usr_dirs',` +interface(`files_read_inherited_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') -- allow $1 usr_t:dir search_dir_perms; +- allow $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file { append read_inherited_file_perms }; ') ######################################## ## --## List the contents of generic --## directories in /usr. +-## Do not audit attempts to add and remove +-## entries from /usr directories. +## Allow caller to append inherited tmp files. ## ## ## -@@ -4713,35 +5715,35 @@ interface(`files_search_usr',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_list_usr',` +-interface(`files_dontaudit_rw_usr_dirs',` +interface(`files_append_inherited_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') -- allow $1 usr_t:dir list_dir_perms; +- dontaudit $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file append_inherited_file_perms; ') ######################################## ## --## Do not audit write of /usr dirs +-## Delete generic directories in /usr in the caller domain. +## Allow caller to read and write inherited tmp files. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # --interface(`files_dontaudit_write_usr_dirs',` +-interface(`files_delete_usr_dirs',` +interface(`files_rw_inherited_tmp_file',` gen_require(` - type usr_t; + attribute tmpfile; ') -- dontaudit $1 usr_t:dir write; +- delete_dirs_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## --## Add and remove entries from /usr directories. +-## Delete generic files in /usr in the caller domain. +## List all tmp directories. 
## ## ## -@@ -4749,54 +5751,59 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',` ## ## # --interface(`files_rw_usr_dirs',` +-interface(`files_delete_usr_files',` +interface(`files_list_all_tmp',` gen_require(` - type usr_t; + attribute tmpfile; ') -- allow $1 usr_t:dir rw_dir_perms; +- delete_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:dir list_dir_perms; ') ######################################## ## --## Do not audit attempts to add and remove --## entries from /usr directories. +-## Get the attributes of files in /usr. +## Relabel to and from all temporary +## directory types. ## ## ## --## Domain to not audit. -+## Domain allowed access. + ## Domain allowed access. ## ## +## # --interface(`files_dontaudit_rw_usr_dirs',` +-interface(`files_getattr_usr_files',` +interface(`files_relabel_all_tmp_dirs',` gen_require(` - type usr_t; @@ -14046,72 +14052,95 @@ index f962f76..fa12587 100644 + type var_t; ') -- dontaudit $1 usr_t:dir rw_dir_perms; +- getattr_files_pattern($1, usr_t, usr_t) + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) ') ######################################## ## --## Delete generic directories in /usr in the caller domain. +-## Read generic files in /usr. +## Do not audit attempts to get the attributes +## of all tmp files. ## +-## +-##

+-## Allow the specified domain to read generic +-## files in /usr. These files are various program +-## files that do not have more specific SELinux types. +-## Some examples of these files are: +-##

+-##
    +-##
  • /usr/include/*
  • +-##
  • /usr/share/doc/*
  • +-##
  • /usr/share/info/*
  • +-##
+-##

+-## Generally, it is safe for many domains to have +-## this access. +-##

+-##
## ## -## Domain allowed access. +## Domain to not audit. ## ## +-## # --interface(`files_delete_usr_dirs',` +-interface(`files_read_usr_files',` +interface(`files_dontaudit_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') -- delete_dirs_pattern($1, usr_t, usr_t) +- allow $1 usr_t:dir list_dir_perms; +- read_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) + dontaudit $1 tmpfile:file getattr; ') ######################################## ## --## Delete generic files in /usr in the caller domain. +-## Execute generic programs in /usr in the caller domain. +## Allow attempts to get the attributes +## of all tmp files. ## ## ## -@@ -4804,73 +5811,58 @@ interface(`files_delete_usr_dirs',` +@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',` ## ## # --interface(`files_delete_usr_files',` +-interface(`files_exec_usr_files',` +interface(`files_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') -- delete_files_pattern($1, usr_t, usr_t) +- allow $1 usr_t:dir list_dir_perms; +- exec_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file getattr; ') ######################################## ## --## Get the attributes of files in /usr. +-## dontaudit write of /usr files +## Relabel to and from all temporary +## file types. ## ## ## - ## Domain allowed access. +-## Domain to not audit. ++## Domain allowed access. ## ## +## # --interface(`files_getattr_usr_files',` +-interface(`files_dontaudit_write_usr_files',` +interface(`files_relabel_all_tmp_files',` gen_require(` - type usr_t; 
@@ -14119,105 +14148,84 @@ index f962f76..fa12587 100644 + type var_t; ') -- getattr_files_pattern($1, usr_t, usr_t) +- dontaudit $1 usr_t:file write; + allow $1 var_t:dir search_dir_perms; + relabel_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## --## Read generic files in /usr. +-## Create, read, write, and delete files in the /usr directory. +## Do not audit attempts to get the attributes +## of all tmp sock_file. ## --## --##

--## Allow the specified domain to read generic --## files in /usr. These files are various program --## files that do not have more specific SELinux types. --## Some examples of these files are: --##

--##
    --##
  • /usr/include/*
  • --##
  • /usr/share/doc/*
  • --##
  • /usr/share/info/*
  • --##
--##

--## Generally, it is safe for many domains to have --## this access. --##

--##
## ## -## Domain allowed access. +## Domain to not audit. ## ## --## # --interface(`files_read_usr_files',` +-interface(`files_manage_usr_files',` +interface(`files_dontaudit_getattr_all_tmp_sockets',` gen_require(` - type usr_t; + attribute tmpfile; ') -- allow $1 usr_t:dir list_dir_perms; -- read_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) +- manage_files_pattern($1, usr_t, usr_t) + dontaudit $1 tmpfile:sock_file getattr; ') ######################################## ## --## Execute generic programs in /usr in the caller domain. +-## Relabel a file to the type used in /usr. +## Read all tmp files. ## ## ## -@@ -4878,19 +5870,18 @@ interface(`files_read_usr_files',` +@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',` ## ## # --interface(`files_exec_usr_files',` +-interface(`files_relabelto_usr_files',` +interface(`files_read_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') -- allow $1 usr_t:dir list_dir_perms; -- exec_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) +- relabelto_files_pattern($1, usr_t, usr_t) + read_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## --## dontaudit write of /usr files +-## Relabel a file from the type used in /usr. +## Do not audit attempts to read or write +## all leaked tmpfiles files. ## ## ## -@@ -4898,71 +5889,70 @@ interface(`files_exec_usr_files',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_dontaudit_write_usr_files',` +-interface(`files_relabelfrom_usr_files',` +interface(`files_dontaudit_tmp_file_leaks',` gen_require(` - type usr_t; + attribute tmpfile; ') -- dontaudit $1 usr_t:file write; +- relabelfrom_files_pattern($1, usr_t, usr_t) + dontaudit $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## --## Create, read, write, and delete files in the /usr directory. +-## Read symbolic links in /usr. 
+## Do allow attempts to read or write +## all leaked tmpfiles files. ## @@ -14228,20 +14236,20 @@ index f962f76..fa12587 100644 ## ## # --interface(`files_manage_usr_files',` +-interface(`files_read_usr_symlinks',` +interface(`files_rw_tmp_file_leaks',` gen_require(` - type usr_t; + attribute tmpfile; ') -- manage_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## --## Relabel a file to the type used in /usr. +-## Create objects in the /usr directory +## Create an object in the tmp directories, with a private +## type using a type transition. ## 
@@ -14250,67 +14258,56 @@ index f962f76..fa12587 100644 ## Domain allowed access. ## ## --# --interface(`files_relabelto_usr_files',` -- gen_require(` -- type usr_t; -- ') -- -- relabelto_files_pattern($1, usr_t, usr_t) --') -- --######################################## --## --## Relabel a file from the type used in /usr. --## --## +-## +## ## --## Domain allowed access. +-## The type of the object to be created +## The type of the object to be created. -+## -+## + ## + ## +-## +## -+## + ## +-## The object class. +## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. + ## + ## + ## +@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',` ## ## # --interface(`files_relabelfrom_usr_files',` +-interface(`files_usr_filetrans',` +interface(`files_tmp_filetrans',` gen_require(` - type usr_t; + type tmp_t; ') -- relabelfrom_files_pattern($1, usr_t, usr_t) +- filetrans_pattern($1, usr_t, $2, $3, $4) + filetrans_pattern($1, tmp_t, $2, $3, $4) ') ######################################## ## --## Read symbolic links in /usr. +-## Do not audit attempts to search /usr/src. +## Delete the contents of /tmp. ## ## ## -@@ -4970,68 +5960,69 @@ interface(`files_relabelfrom_usr_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_read_usr_symlinks',` +-interface(`files_dontaudit_search_src',` +interface(`files_purge_tmp',` gen_require(` -- type usr_t; +- type src_t; + attribute tmpfile; ') -- read_lnk_files_pattern($1, usr_t, usr_t) +- dontaudit $1 src_t:dir search_dir_perms; + allow $1 tmpfile:dir list_dir_perms; + delete_dirs_pattern($1, tmpfile, tmpfile) + delete_files_pattern($1, tmpfile, tmpfile) 
@@ -14331,92 +14328,81 @@ index f962f76..fa12587 100644 ######################################## ## --## Create objects in the /usr directory +-## Get the attributes of files in /usr/src. +## Set the attributes of the /usr directory. ## ## ## - ## Domain allowed access. +@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',` ## ## --## --## --## The type of the object to be created --## --## --## --## --## The object class. --## --## --## --## --## The name of the object being created. --## --## # --interface(`files_usr_filetrans',` +-interface(`files_getattr_usr_src_files',` +interface(`files_setattr_usr_dirs',` gen_require(` - type usr_t; +- type usr_t, src_t; ++ type usr_t; ') -- filetrans_pattern($1, usr_t, $2, $3, $4) +- getattr_files_pattern($1, src_t, src_t) +- +- # /usr/src/linux symlink: +- read_lnk_files_pattern($1, usr_t, src_t) + allow $1 usr_t:dir setattr; ') ######################################## ## --## Do not audit attempts to search /usr/src. +-## Read files in /usr/src. +## Search the content of /usr. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',` ## ## # --interface(`files_dontaudit_search_src',` +-interface(`files_read_usr_src_files',` +interface(`files_search_usr',` gen_require(` -- type src_t; +- type usr_t, src_t; + type usr_t; ') -- dontaudit $1 src_t:dir search_dir_perms; -+ allow $1 usr_t:dir search_dir_perms; + allow $1 usr_t:dir search_dir_perms; +- read_files_pattern($1, { usr_t src_t }, src_t) +- read_lnk_files_pattern($1, { usr_t src_t }, src_t) +- allow $1 src_t:dir list_dir_perms; ') ######################################## ## --## Get the attributes of files in /usr/src. +-## Execute programs in /usr/src in the caller domain. +## List the contents of generic +## directories in /usr. 
## ## ## -@@ -5039,41 +6030,35 @@ interface(`files_dontaudit_search_src',` +@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',` ## ## # --interface(`files_getattr_usr_src_files',` +-interface(`files_exec_usr_src_files',` +interface(`files_list_usr',` gen_require(` - type usr_t, src_t; -+ type usr_t; - ') - -- getattr_files_pattern($1, src_t, src_t) -- -- # /usr/src/linux symlink: -- read_lnk_files_pattern($1, usr_t, src_t) ++ type usr_t; + ') + +- list_dirs_pattern($1, usr_t, src_t) +- exec_files_pattern($1, src_t, src_t) +- read_lnk_files_pattern($1, src_t, src_t) + allow $1 usr_t:dir list_dir_perms; ') ######################################## ## --## Read files in /usr/src. +-## Install a system.map into the /boot directory. +## Do not audit write of /usr dirs ## ## 
@@ -14426,47 +14412,44 @@ index f962f76..fa12587 100644 ## ## # --interface(`files_read_usr_src_files',` +-interface(`files_create_kernel_symbol_table',` +interface(`files_dontaudit_write_usr_dirs',` gen_require(` -- type usr_t, src_t; +- type boot_t, system_map_t; + type usr_t; ') -- allow $1 usr_t:dir search_dir_perms; -- read_files_pattern($1, { usr_t src_t }, src_t) -- read_lnk_files_pattern($1, { usr_t src_t }, src_t) -- allow $1 src_t:dir list_dir_perms; +- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; +- allow $1 system_map_t:file { create_file_perms rw_file_perms }; + dontaudit $1 usr_t:dir write; ') ######################################## ## --## Execute programs in /usr/src in the caller domain. +-## Read system.map in the /boot directory. +## Add and remove entries from /usr directories. ## ## ## -@@ -5081,38 +6066,36 @@ interface(`files_read_usr_src_files',` +@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # --interface(`files_exec_usr_src_files',` +-interface(`files_read_kernel_symbol_table',` +interface(`files_rw_usr_dirs',` gen_require(` -- type usr_t, src_t; +- type boot_t, system_map_t; + type usr_t; ') -- list_dirs_pattern($1, usr_t, src_t) -- exec_files_pattern($1, src_t, src_t) -- read_lnk_files_pattern($1, src_t, src_t) +- allow $1 boot_t:dir list_dir_perms; +- read_files_pattern($1, boot_t, system_map_t) + allow $1 usr_t:dir rw_dir_perms; ') ######################################## ## --## Install a system.map into the /boot directory. +-## Delete a system.map in the /boot directory. +## Do not audit attempts to add and remove +## entries from /usr directories. ## 
@@ -14477,89 +14460,89 @@ index f962f76..fa12587 100644 ## ## # --interface(`files_create_kernel_symbol_table',` +-interface(`files_delete_kernel_symbol_table',` +interface(`files_dontaudit_rw_usr_dirs',` gen_require(` - type boot_t, system_map_t; + type usr_t; ') -- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -- allow $1 system_map_t:file { create_file_perms rw_file_perms }; +- allow $1 boot_t:dir list_dir_perms; +- delete_files_pattern($1, boot_t, system_map_t) + dontaudit $1 usr_t:dir rw_dir_perms; ') ######################################## ## --## Read system.map in the /boot directory. +-## Search the contents of /var. +## Delete generic directories in /usr in the caller domain. ## ## ## -@@ -5120,18 +6103,17 @@ interface(`files_create_kernel_symbol_table',` +@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # --interface(`files_read_kernel_symbol_table',` +-interface(`files_search_var',` +interface(`files_delete_usr_dirs',` gen_require(` -- type boot_t, system_map_t; +- type var_t; + type usr_t; ') -- allow $1 boot_t:dir list_dir_perms; -- read_files_pattern($1, boot_t, system_map_t) +- allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, usr_t, usr_t) ') ######################################## ## --## Delete a system.map in the /boot directory. +-## Do not audit attempts to write to /var. +## Delete generic files in /usr in the caller domain. ## ## ## -@@ -5139,18 +6121,17 @@ interface(`files_read_kernel_symbol_table',` +-## Domain to not audit. ++## Domain allowed access. 
## ## # --interface(`files_delete_kernel_symbol_table',` +-interface(`files_dontaudit_write_var_dirs',` +interface(`files_delete_usr_files',` gen_require(` -- type boot_t, system_map_t; +- type var_t; + type usr_t; ') -- allow $1 boot_t:dir list_dir_perms; -- delete_files_pattern($1, boot_t, system_map_t) +- dontaudit $1 var_t:dir write; + delete_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Search the contents of /var. +-## Allow attempts to write to /var.dirs +## Get the attributes of files in /usr. ## ## ## -@@ -5158,35 +6139,55 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # --interface(`files_search_var',` +-interface(`files_write_var_dirs',` +interface(`files_getattr_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir search_dir_perms; +- allow $1 var_t:dir write; + getattr_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Do not audit attempts to write to /var. +-## Do not audit attempts to search +-## the contents of /var. +## Read generic files in /usr. ## +## @@ -14587,14 +14570,14 @@ index f962f76..fa12587 100644 ## +## # --interface(`files_dontaudit_write_var_dirs',` +-interface(`files_dontaudit_search_var',` +interface(`files_read_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- dontaudit $1 var_t:dir write; +- dontaudit $1 var_t:dir search_dir_perms; + allow $1 usr_t:dir list_dir_perms; + read_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) 
@@ -14602,23 +14585,23 @@ index f962f76..fa12587 100644 ######################################## ## --## Allow attempts to write to /var.dirs +-## List the contents of /var. +## Execute generic programs in /usr in the caller domain. ## ## ## -@@ -5194,18 +6195,19 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',` ## ## # --interface(`files_write_var_dirs',` +-interface(`files_list_var',` +interface(`files_exec_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir write; +- allow $1 var_t:dir list_dir_perms; + allow $1 usr_t:dir list_dir_perms; + exec_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) 
@@ -14626,119 +14609,121 @@ index f962f76..fa12587 100644 ######################################## ## --## Do not audit attempts to search --## the contents of /var. +-## Create, read, write, and delete directories +-## in the /var directory. +## dontaudit write of /usr files ## ## ## -@@ -5213,17 +6215,17 @@ interface(`files_write_var_dirs',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_dontaudit_search_var',` +-interface(`files_manage_var_dirs',` +interface(`files_dontaudit_write_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- dontaudit $1 var_t:dir search_dir_perms; +- allow $1 var_t:dir manage_dir_perms; + dontaudit $1 usr_t:file write; ') ######################################## ## --## List the contents of /var. +-## Read files in the /var directory. +## Create, read, write, and delete files in the /usr directory. ## ## ## -@@ -5231,18 +6233,17 @@ interface(`files_dontaudit_search_var',` +@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',` ## ## # --interface(`files_list_var',` +-interface(`files_read_var_files',` +interface(`files_manage_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir list_dir_perms; +- read_files_pattern($1, var_t, var_t) + manage_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Create, read, write, and delete directories --## in the /var directory. +-## Append files in the /var directory. +## Relabel a file to the type used in /usr. 
## ## ## -@@ -5250,17 +6251,17 @@ interface(`files_list_var',` +@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',` ## ## # --interface(`files_manage_var_dirs',` +-interface(`files_append_var_files',` +interface(`files_relabelto_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir manage_dir_perms; +- append_files_pattern($1, var_t, var_t) + relabelto_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Read files in the /var directory. +-## Read and write files in the /var directory. +## Relabel a file from the type used in /usr. ## ## ## -@@ -5268,17 +6269,17 @@ interface(`files_manage_var_dirs',` +@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',` ## ## # --interface(`files_read_var_files',` +-interface(`files_rw_var_files',` +interface(`files_relabelfrom_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- read_files_pattern($1, var_t, var_t) +- rw_files_pattern($1, var_t, var_t) + relabelfrom_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Append files in the /var directory. +-## Do not audit attempts to read and write +-## files in the /var directory. +## Read symbolic links in /usr. ## ## ## -@@ -5286,36 +6287,50 @@ interface(`files_read_var_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_append_var_files',` +-interface(`files_dontaudit_rw_var_files',` +interface(`files_read_usr_symlinks',` gen_require(` - type var_t; + type usr_t; ') -- append_files_pattern($1, var_t, var_t) +- dontaudit $1 var_t:file rw_file_perms; + read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Read and write files in the /var directory. +-## Create, read, write, and delete files in the /var directory. +## Create objects in the /usr directory ## ## 
@@ -14762,59 +14747,60 @@ index f962f76..fa12587 100644 +## +## # --interface(`files_rw_var_files',` +-interface(`files_manage_var_files',` +interface(`files_usr_filetrans',` gen_require(` - type var_t; + type usr_t; ') -- rw_files_pattern($1, var_t, var_t) +- manage_files_pattern($1, var_t, var_t) + filetrans_pattern($1, usr_t, $2, $3, $4) ') ######################################## ## --## Do not audit attempts to read and write --## files in the /var directory. +-## Read symbolic links in the /var directory. +## Do not audit attempts to search /usr/src. ## ## ## -@@ -5323,17 +6338,17 @@ interface(`files_rw_var_files',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_dontaudit_rw_var_files',` +-interface(`files_read_var_symlinks',` +interface(`files_dontaudit_search_src',` gen_require(` - type var_t; + type src_t; ') -- dontaudit $1 var_t:file rw_file_perms; +- read_lnk_files_pattern($1, var_t, var_t) + dontaudit $1 src_t:dir search_dir_perms; ') ######################################## ## --## Create, read, write, and delete files in the /var directory. +-## Create, read, write, and delete symbolic +-## links in the /var directory. +## Get the attributes of files in /usr/src. ## ## ## -@@ -5341,17 +6356,20 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',` ## ## # --interface(`files_manage_var_files',` +-interface(`files_manage_var_symlinks',` +interface(`files_getattr_usr_src_files',` gen_require(` - type var_t; + type usr_t, src_t; ') -- manage_files_pattern($1, var_t, var_t) +- manage_lnk_files_pattern($1, var_t, var_t) + getattr_files_pattern($1, src_t, src_t) + + # /usr/src/linux symlink: 
@@ -14823,58 +14809,8 @@ index f962f76..fa12587 100644 ######################################## ## --## Read symbolic links in the /var directory. -+## Read files in /usr/src. - ## - ## - ## -@@ -5359,18 +6377,20 @@ interface(`files_manage_var_files',` - ## - ## - # --interface(`files_read_var_symlinks',` -+interface(`files_read_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- read_lnk_files_pattern($1, var_t, var_t) -+ allow $1 usr_t:dir search_dir_perms; -+ read_files_pattern($1, { usr_t src_t }, src_t) -+ read_lnk_files_pattern($1, { usr_t src_t }, src_t) -+ allow $1 src_t:dir list_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete symbolic --## links in the /var directory. -+## Execute programs in /usr/src in the caller domain. - ## - ## - ## -@@ -5378,120 +6398,94 @@ interface(`files_read_var_symlinks',` - ## - ## - # --interface(`files_manage_var_symlinks',` -+interface(`files_exec_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- manage_lnk_files_pattern($1, var_t, var_t) -+ list_dirs_pattern($1, usr_t, src_t) -+ exec_files_pattern($1, src_t, src_t) -+ read_lnk_files_pattern($1, src_t, src_t) - ') - - ######################################## - ## -## Create objects in the /var directory -+## Install a system.map into the /boot directory. ++## Read files in /usr/src. ## ## ## 
@@ -14898,44 +14834,47 @@ index f962f76..fa12587 100644 -## # -interface(`files_var_filetrans',` -+interface(`files_create_kernel_symbol_table',` ++interface(`files_read_usr_src_files',` gen_require(` - type var_t; -+ type boot_t, system_map_t; ++ type usr_t, src_t; ') - filetrans_pattern($1, var_t, $2, $3, $4) -+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -+ allow $1 system_map_t:file { create_file_perms rw_file_perms }; ++ allow $1 usr_t:dir search_dir_perms; ++ read_files_pattern($1, { usr_t src_t }, src_t) ++ read_lnk_files_pattern($1, { usr_t src_t }, src_t) ++ allow $1 src_t:dir list_dir_perms; ') ######################################## ## -## Get the attributes of the /var/lib directory. -+## Dontaudit getattr attempts on the system.map file ++## Execute programs in /usr/src in the caller domain. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',` ## ## # -interface(`files_getattr_var_lib_dirs',` -+interface(`files_dontaduit_getattr_kernel_symbol_table',` ++interface(`files_exec_usr_src_files',` gen_require(` - type var_t, var_lib_t; -+ type system_map_t; ++ type usr_t, src_t; ') - getattr_dirs_pattern($1, var_t, var_lib_t) -+ dontaudit $1 system_map_t:file getattr; ++ list_dirs_pattern($1, usr_t, src_t) ++ exec_files_pattern($1, src_t, src_t) ++ read_lnk_files_pattern($1, src_t, src_t) ') ######################################## ## -## Search the /var/lib directory. -+## Read system.map in the /boot directory. ++## Install a system.map into the /boot directory. ## -## -##

@@ -14958,93 +14897,92 @@ index f962f76..fa12587 100644 -## # -interface(`files_search_var_lib',` -+interface(`files_read_kernel_symbol_table',` ++interface(`files_create_kernel_symbol_table',` gen_require(` - type var_t, var_lib_t; + type boot_t, system_map_t; ') - search_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ read_files_pattern($1, boot_t, system_map_t) ++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; ++ allow $1 system_map_t:file { create_file_perms rw_file_perms }; ') ######################################## ##

-## Do not audit attempts to search the -## contents of /var/lib. -+## Delete a system.map in the /boot directory. ++## Dontaudit getattr attempts on the system.map file ## ## ## --## Domain to not audit. -+## Domain allowed access. + ## Domain to not audit. ## ## -## # -interface(`files_dontaudit_search_var_lib',` -+interface(`files_delete_kernel_symbol_table',` ++interface(`files_dontaduit_getattr_kernel_symbol_table',` gen_require(` - type var_lib_t; -+ type boot_t, system_map_t; ++ type system_map_t; ') - dontaudit $1 var_lib_t:dir search_dir_perms; -+ allow $1 boot_t:dir list_dir_perms; -+ delete_files_pattern($1, boot_t, system_map_t) ++ dontaudit $1 system_map_t:file getattr; ') ######################################## ## -## List the contents of the /var/lib directory. -+## Search the contents of /var. ++## Read system.map in the /boot directory. ## ## ## -@@ -5499,88 +6493,72 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # -interface(`files_list_var_lib',` -+interface(`files_search_var',` ++interface(`files_read_kernel_symbol_table',` gen_require(` - type var_t, var_lib_t; -+ type var_t; ++ type boot_t, system_map_t; ') - list_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 var_t:dir search_dir_perms; ++ allow $1 boot_t:dir list_dir_perms; ++ read_files_pattern($1, boot_t, system_map_t) ') -########################################### +######################################## ## -## Read-write /var/lib directories -+## Do not audit attempts to write to /var. ++## Delete a system.map in the /boot directory. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',` ## ## # -interface(`files_rw_var_lib_dirs',` -+interface(`files_dontaudit_write_var_dirs',` ++interface(`files_delete_kernel_symbol_table',` gen_require(` - type var_lib_t; -+ type var_t; ++ type boot_t, system_map_t; ') - rw_dirs_pattern($1, var_lib_t, var_lib_t) -+ dontaudit $1 var_t:dir write; ++ allow $1 boot_t:dir list_dir_perms; ++ delete_files_pattern($1, boot_t, system_map_t) ') ######################################## ## -## Create objects in the /var/lib directory -+## Allow attempts to write to /var.dirs ++## Search the contents of /var. ## ## ## @@ -15068,22 +15006,20 @@ index f962f76..fa12587 100644 -## # -interface(`files_var_lib_filetrans',` -+interface(`files_write_var_dirs',` ++interface(`files_search_var',` gen_require(` - type var_t, var_lib_t; + type var_t; ') -- allow $1 var_t:dir search_dir_perms; + allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_lib_t, $2, $3, $4) -+ allow $1 var_t:dir write; ') ######################################## ## -## Read generic files in /var/lib. -+## Do not audit attempts to search -+## the contents of /var. ++## Do not audit attempts to write to /var. ## ## ## @@ -15093,7 +15029,7 @@ index f962f76..fa12587 100644 ## # -interface(`files_read_var_lib_files',` -+interface(`files_dontaudit_search_var',` ++interface(`files_dontaudit_write_var_dirs',` gen_require(` - type var_t, var_lib_t; + type var_t; 
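Review bot: The interface name `files_dontaduit_getattr_kernel_symbol_table` that the new side carries into this hunk (the block right after files_create_kernel_symbol_table) has a transposition typo, "dontaduit" for "dontaudit", and the reshuffle keeps it even though the name is the public symbol every caller has to spell the same way; the old side of the outer hunk above shows the same misspelling, so this is inherited rather than introduced here. Renaming it outright would break any policy module that already references it, so the least disruptive fix is to keep the misspelled interface and add a correctly spelled one that simply calls it, or at minimum mark it: `# NOTE: name is misspelled (dontaduit); kept because existing callers reference it`. Its summary `## Dontaudit getattr attempts on the system.map file` also departs from the `## Do not audit attempts to ...` wording the neighbouring interfaces use and could be aligned at the same time.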
@@ -15101,29 +15037,29 @@ index f962f76..fa12587 100644 - allow $1 var_lib_t:dir list_dir_perms; - read_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ dontaudit $1 var_t:dir search_dir_perms; ++ dontaudit $1 var_t:dir write; ') ######################################## ## -## Read generic symbolic links in /var/lib -+## List the contents of /var. ++## Allow attempts to write to /var.dirs ## ## ## -@@ -5588,41 +6566,36 @@ interface(`files_read_var_lib_files',` +@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',` ## ## # -interface(`files_read_var_lib_symlinks',` -+interface(`files_list_var',` ++interface(`files_write_var_dirs',` gen_require(` - type var_t, var_lib_t; + type var_t; ') - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ allow $1 var_t:dir list_dir_perms; ++ allow $1 var_t:dir write; ') -# cjp: the next two interfaces really need to be fixed @@ -15133,7 +15069,8 @@ index f962f76..fa12587 100644 ## -## Create, read, write, and delete the -## pseudorandom number generator seed. -+## Do not audit listing of the var directory (/var). ++## Do not audit attempts to search ++## the contents of /var. ## ## ## @@ -15143,7 +15080,7 @@ index f962f76..fa12587 100644 ## # -interface(`files_manage_urandom_seed',` -+interface(`files_dontaudit_list_var',` ++interface(`files_dontaudit_search_var',` gen_require(` - type var_t, var_lib_t; + type var_t; 
@@ -15151,24 +15088,23 @@ index f962f76..fa12587 100644 - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) -+ dontaudit $1 var_t:dir list_dir_perms; ++ dontaudit $1 var_t:dir search_dir_perms; ') ######################################## ## -## Allow domain to manage mount tables -## necessary for rpcd, nfsd, etc. -+## Create, read, write, and delete directories -+## in the /var directory. ++## List the contents of /var. ## ## ## -@@ -5630,18 +6603,17 @@ interface(`files_manage_urandom_seed',` +@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',` ## ## # -interface(`files_manage_mounttab',` -+interface(`files_manage_var_dirs',` ++interface(`files_list_var',` gen_require(` - type var_t, var_lib_t; + type var_t; 
@@ -15176,44 +15112,46 @@ index f962f76..fa12587 100644 - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) -+ allow $1 var_t:dir manage_dir_perms; ++ allow $1 var_t:dir list_dir_perms; ') ######################################## ## -## Set the attributes of the generic lock directories. -+## Read files in the /var directory. ++## Do not audit listing of the var directory (/var). ## ## ## -@@ -5649,17 +6621,17 @@ interface(`files_manage_mounttab',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_setattr_lock_dirs',` -+interface(`files_read_var_files',` ++interface(`files_dontaudit_list_var',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - setattr_dirs_pattern($1, var_t, var_lock_t) -+ read_files_pattern($1, var_t, var_t) ++ dontaudit $1 var_t:dir list_dir_perms; ') ######################################## ## -## Search the locks directory (/var/lock). -+## Append files in the /var directory. ++## Create, read, write, and delete directories ++## in the /var directory. ## ## ## -@@ -5667,58 +6639,54 @@ interface(`files_setattr_lock_dirs',` +@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',` ## ## # -interface(`files_search_locks',` -+interface(`files_append_var_files',` ++interface(`files_manage_var_dirs',` gen_require(` - type var_t, var_lock_t; + type var_t; @@ -15221,14 +15159,14 @@ index f962f76..fa12587 100644 - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) -+ append_files_pattern($1, var_t, var_t) ++ allow $1 var_t:dir manage_dir_perms; ') ######################################## ## -## Do not audit attempts to search the -## locks directory (/var/lock). -+## Read and write files in the /var directory. ++## Read files in the /var directory. ## ## ## 
@@ -15238,7 +15176,7 @@ index f962f76..fa12587 100644 ## # -interface(`files_dontaudit_search_locks',` -+interface(`files_rw_var_files',` ++interface(`files_read_var_files',` gen_require(` - type var_lock_t; + type var_t; @@ -15246,24 +15184,22 @@ index f962f76..fa12587 100644 - dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_lock_t:dir search_dir_perms; -+ rw_files_pattern($1, var_t, var_t) ++ read_files_pattern($1, var_t, var_t) ') ######################################## ## -## List generic lock directories. -+## Do not audit attempts to read and write -+## files in the /var directory. ++## Append files in the /var directory. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',` ## ## # -interface(`files_list_locks',` -+interface(`files_dontaudit_rw_var_files',` ++interface(`files_append_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; @@ -15271,23 +15207,23 @@ index f962f76..fa12587 100644 - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_lock_t) -+ dontaudit $1 var_t:file rw_inherited_file_perms; ++ append_files_pattern($1, var_t, var_t) ') ######################################## ## -## Add and remove entries in the /var/lock -## directories. -+## Create, read, write, and delete files in the /var directory. ++## Read and write files in the /var directory. ## ## ## -@@ -5726,81 +6694,88 @@ interface(`files_list_locks',` +@@ -5726,60 +6638,54 @@ interface(`files_list_locks',` ## ## # -interface(`files_rw_lock_dirs',` -+interface(`files_manage_var_files',` ++interface(`files_rw_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; 
@@ -15295,24 +15231,25 @@ index f962f76..fa12587 100644 - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - rw_dirs_pattern($1, var_t, var_lock_t) -+ manage_files_pattern($1, var_t, var_t) ++ rw_files_pattern($1, var_t, var_t) ') ######################################## ## -## Create lock directories -+## Read symbolic links in the /var directory. ++## Do not audit attempts to read and write ++## files in the /var directory. ## ## -## -## Domain allowed access +## -+## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_create_lock_dirs',` -+interface(`files_read_var_symlinks',` ++interface(`files_dontaudit_rw_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; @@ -15321,14 +15258,13 @@ index f962f76..fa12587 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_lock_t, var_lock_t) -+ read_lnk_files_pattern($1, var_t, var_t) ++ dontaudit $1 var_t:file rw_inherited_file_perms; ') ######################################## ## -## Relabel to and from all lock directory types. -+## Create, read, write, and delete symbolic -+## links in the /var directory. ++## Create, read, write, and delete files in the /var directory. ## ## ## @@ -15338,7 +15274,7 @@ index f962f76..fa12587 100644 -## # -interface(`files_relabel_all_lock_dirs',` -+interface(`files_manage_var_symlinks',` ++interface(`files_manage_var_files',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; 
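Review bot: `files_dontaudit_rw_var_files` on the new side of the inner hunk @@ -15321 suppresses only `var_t:file rw_inherited_file_perms`, which (going by the name and the Fedora permission sets, to be confirmed) covers already-open descriptors and not `open`, yet its summary `## Do not audit attempts to read and write files in the /var directory` reads as if all read/write denials on /var files are silenced. The narrower set is the safer choice, since an attempted open of a /var file by an unexpected domain still produces an audit record, but nothing in the doc block tells a policy author that this is intentional. Suggest adding to the summary `## Only inherited (already open) file descriptors are covered; open attempts are still audited.` so the audit-coverage expectation is explicit. The interface header and gen_require sit in the preceding hunk @@ -15295 rather than in this one.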
@@ -15348,12 +15284,63 @@ index f962f76..fa12587 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - relabel_dirs_pattern($1, lockfile, lockfile) -+ manage_lnk_files_pattern($1, var_t, var_t) ++ manage_files_pattern($1, var_t, var_t) ') ######################################## ## -## Get the attributes of generic lock files. ++## Read symbolic links in the /var directory. + ## + ## + ## +@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',` + ## + ## + # +-interface(`files_getattr_generic_locks',` ++interface(`files_read_var_symlinks',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 var_lock_t:dir list_dir_perms; +- getattr_files_pattern($1, var_lock_t, var_lock_t) ++ read_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Delete generic lock files. ++## Create, read, write, and delete symbolic ++## links in the /var directory. + ## + ## + ## +@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',` + ## + ## + # +-interface(`files_delete_generic_locks',` ++interface(`files_manage_var_symlinks',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ manage_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## lock files. +## Create objects in the /var directory ## ## @@ -15377,7 +15364,7 @@ index f962f76..fa12587 100644 +## +## # --interface(`files_getattr_generic_locks',` +-interface(`files_manage_generic_locks',` +interface(`files_var_filetrans',` gen_require(` - type var_t, var_lock_t; 
@@ -15386,65 +15373,68 @@ index f962f76..fa12587 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 var_lock_t:dir list_dir_perms; -- getattr_files_pattern($1, var_lock_t, var_lock_t) +- manage_dirs_pattern($1, var_lock_t, var_lock_t) +- manage_files_pattern($1, var_lock_t, var_lock_t) + filetrans_pattern($1, var_t, $2, $3, $4) ') + ######################################## ## --## Delete generic lock files. +-## Delete all lock files. +## Relabel dirs in the /var directory. ## ## ## -@@ -5808,20 +6783,16 @@ interface(`files_getattr_generic_locks',` + ## Domain allowed access. ## ## +-## # --interface(`files_delete_generic_locks',` +-interface(`files_delete_all_locks',` +interface(`files_relabel_var_dirs',` gen_require(` +- attribute lockfile; - type var_t, var_lock_t; + type var_t; ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) +- delete_files_pattern($1, lockfile, lockfile) + allow $1 var_t:dir relabel_dir_perms; ') ######################################## ## --## Create, read, write, and delete generic --## lock files. +-## Read all lock files. +## Get the attributes of the /var/lib directory. 
## ## ## -@@ -5829,65 +6800,69 @@ interface(`files_delete_generic_locks',` +@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',` ## ## # --interface(`files_manage_generic_locks',` +-interface(`files_read_all_locks',` +interface(`files_getattr_var_lib_dirs',` gen_require(` +- attribute lockfile; - type var_t, var_lock_t; + type var_t, var_lib_t; ') -- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -- manage_files_pattern($1, var_lock_t, var_lock_t) +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- allow $1 lockfile:dir list_dir_perms; +- read_files_pattern($1, lockfile, lockfile) +- read_lnk_files_pattern($1, lockfile, lockfile) + getattr_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## --## Delete all lock files. +-## manage all lock files. +## Search the /var/lib directory. ## +## @@ -15465,10 +15455,9 @@ index f962f76..fa12587 100644 ## Domain allowed access. ## ## --## +## # --interface(`files_delete_all_locks',` +-interface(`files_manage_all_locks',` +interface(`files_search_var_lib',` gen_require(` - attribute lockfile; 
@@ -15476,143 +15465,140 @@ index f962f76..fa12587 100644 + type var_t, var_lib_t; ') -- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, lockfile, lockfile) +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- manage_dirs_pattern($1, lockfile, lockfile) +- manage_files_pattern($1, lockfile, lockfile) +- manage_lnk_files_pattern($1, lockfile, lockfile) + search_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## --## Read all lock files. +-## Create an object in the locks directory, with a private +-## type using a type transition. +## Do not audit attempts to search the +## contents of /var/lib. ## ## ## -## Domain allowed access. +-## +-## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +## Domain to not audit. ## ## +## # --interface(`files_read_all_locks',` +-interface(`files_lock_filetrans',` +interface(`files_dontaudit_search_var_lib',` gen_require(` -- attribute lockfile; - type var_t, var_lock_t; + type var_lib_t; ') +- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- allow $1 lockfile:dir list_dir_perms; -- read_files_pattern($1, lockfile, lockfile) -- read_lnk_files_pattern($1, lockfile, lockfile) +- filetrans_pattern($1, var_lock_t, $2, $3, $4) + dontaudit $1 var_lib_t:dir search_dir_perms; ') ######################################## ## --## manage all lock files. +-## Do not audit attempts to get the attributes +-## of the /var/run directory. +## List the contents of the /var/lib directory. ## ## ## -@@ -5895,78 +6870,1372 @@ interface(`files_read_all_locks',` +-## Domain to not audit. ++## Domain allowed access. 
## ## # --interface(`files_manage_all_locks',` +-interface(`files_dontaudit_getattr_pid_dirs',` +interface(`files_list_var_lib',` gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; +- type var_run_t; + type var_t, var_lib_t; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- manage_dirs_pattern($1, lockfile, lockfile) -- manage_files_pattern($1, lockfile, lockfile) -- manage_lnk_files_pattern($1, lockfile, lockfile) +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir getattr; + list_dirs_pattern($1, var_t, var_lib_t) ') -######################################## +########################################### ## --## Create an object in the locks directory, with a private --## type using a type transition. +-## Set the attributes of the /var/run directory. +## Read-write /var/lib directories ## ## ## - ## Domain allowed access. +@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. --## --## # --interface(`files_lock_filetrans',` +-interface(`files_setattr_pid_dirs',` +interface(`files_rw_var_lib_dirs',` gen_require(` -- type var_t, var_lock_t; +- type var_run_t; + type var_lib_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_lock_t, $2, $3, $4) +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir setattr; + rw_dirs_pattern($1, var_lib_t, var_lib_t) ') ######################################## ## --## Do not audit attempts to get the attributes --## of the /var/run directory. +-## Search the contents of runtime process +-## ID directories (/var/run). +## Create directories in /var/lib ## ## ## --## Domain to not audit. -+## Domain allowed access. 
+@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',` ## ## # --interface(`files_dontaudit_getattr_pid_dirs',` +-interface(`files_search_pids',` +interface(`files_create_var_lib_dirs',` gen_require(` -- type var_run_t; +- type var_t, var_run_t; + type var_lib_t; ') -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir getattr; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- search_dirs_pattern($1, var_t, var_run_t) + allow $1 var_lib_t:dir { create rw_dir_perms }; ') + ######################################## ## --## Set the attributes of the /var/run directory. -+## Create objects in the /var/lib directory -+## -+## -+## +-## Do not audit attempts to search +-## the /var/run directory. ++## Create objects in the /var/lib directory + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. +## +## @@ -15629,30 +15615,37 @@ index f962f76..fa12587 100644 +## +## +## The name of the object being created. -+## -+## -+# + ## + ## + # +-interface(`files_dontaudit_search_pids',` +interface(`files_var_lib_filetrans',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_lib_t; -+ ') -+ + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_lib_t, $2, $3, $4) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List the contents of the runtime process +-## ID directories (/var/run). +## Read generic files in /var/lib. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',` + ## + ## + # +-interface(`files_list_pids',` +interface(`files_read_var_lib_files',` -+ gen_require(` + gen_require(` + type var_t, var_lib_t; + ') + 
@@ -16773,9 +16766,11 @@ index f962f76..fa12587 100644 +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; -+ type var_t, var_run_t; -+ ') -+ + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) @@ -16928,39 +16923,34 @@ index f962f76..fa12587 100644 +## +## List the contents of generic spool +## (/var/spool) directories. - ## - ## - ## -@@ -5974,19 +8243,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` - ## - ## - # --interface(`files_setattr_pid_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_list_spool',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir setattr; ++ ') ++ + list_dirs_pattern($1, var_t, var_spool_t) ') ######################################## ## --## Search the contents of runtime process --## ID directories (/var/run). +-## Read generic process ID files. +## Create, read, write, and delete generic +## spool directories (/var/spool). ## ## ## -@@ -5994,39 +8262,38 @@ interface(`files_setattr_pid_dirs',` +@@ -6053,19 +8243,18 @@ interface(`files_list_pids',` ## ## # --interface(`files_search_pids',` +-interface(`files_read_generic_pids',` +interface(`files_manage_generic_spool_dirs',` gen_require(` - type var_t, var_run_t; 
@@ -16968,74 +16958,67 @@ index f962f76..fa12587 100644 ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_run_t) +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## --## Do not audit attempts to search --## the /var/run directory. +-## Write named generic process ID pipes +## Read generic spool files. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',` ## ## # --interface(`files_dontaudit_search_pids',` +-interface(`files_write_generic_pid_pipes',` +interface(`files_read_generic_spool',` gen_require(` - type var_run_t; + type var_t, var_spool_t; ') -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + list_dirs_pattern($1, var_t, var_spool_t) + read_files_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## --## List the contents of the runtime process --## ID directories (/var/run). +-## Create an object in the process ID directory, with a private type. +## Create, read, write, and delete generic +## spool files. - ## - ## - ## -@@ -6034,38 +8301,55 @@ interface(`files_dontaudit_search_pids',` - ## - ## - # --interface(`files_list_pids',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_manage_generic_spool',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) ++ ') ++ + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_spool_t, var_spool_t) - ') - - ######################################## - ## --## Read generic process ID files. ++') ++ ++######################################## ++## +## Create objects in the spool directory +## with a private type with a type transition. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## Type to which the created node will be transitioned. 
@@ -17052,43 +17035,33 @@ index f962f76..fa12587 100644 +## The name of the object being created. +## +## - # --interface(`files_read_generic_pids',` ++# +interface(`files_spool_filetrans',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) ++ ') ++ + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_spool_t, $2, $3, $4) - ') - - ######################################## - ## --## Write named generic process ID pipes ++') ++ ++######################################## ++## +## Allow access to manage all polyinstantiated +## directories on the system. - ## - ## - ## -@@ -6073,43 +8357,75 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_polyinstantiate_all',` - gen_require(` -- type var_run_t; ++ gen_require(` + attribute polydir, polymember, polyparent; + type poly_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; ++ ') ++ + # Need to give access to /selinux/member + selinux_compute_member($1) + @@ -17125,11 +17098,10 @@ index f962f76..fa12587 100644 + corecmd_exec_bin($1) + seutil_domtrans_setfiles($1) + ') - ') - - ######################################## - ## --## Create an object in the process ID directory, with a private type. ++') ++ ++######################################## ++## +## Unconfined access to files. +## +## @@ -17178,7 +17150,7 @@ index f962f76..fa12587 100644 ##

## ## -@@ -6117,80 +8433,157 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -17365,7 +17337,7 @@ index f962f76..fa12587 100644 ##
## ## -@@ -6198,19 +8591,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -17389,7 +17361,7 @@ index f962f76..fa12587 100644 ##
## ## -@@ -6218,18 +8609,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -17412,7 +17384,7 @@ index f962f76..fa12587 100644 ## ## ## -@@ -6237,129 +8627,119 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17582,7 +17554,7 @@ index f962f76..fa12587 100644 ## ## ## -@@ -6367,18 +8747,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17607,7 +17579,7 @@ index f962f76..fa12587 100644 ## ## ## -@@ -6386,132 +8767,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8748,227 @@ interface(`files_search_spool',` ## ## # @@ -17881,7 +17853,7 @@ index f962f76..fa12587 100644 ## ## ## -@@ -6519,53 +8995,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17939,7 +17911,7 @@ index f962f76..fa12587 100644 ## ## ## -@@ -6573,10 +9013,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -21742,7 +21714,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..1428581 100644 +index e100d88..9ccf724 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` 
@@ -22138,7 +22110,34 @@ index e100d88..1428581 100644 ') ######################################## -@@ -2085,9 +2241,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2048,6 +2204,26 @@ interface(`kernel_read_rpc_sysctls',` + list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + ') + ++ ++######################################## ++## ++## Read RPC sysctls. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_rw_rpc_sysctls_dirs',` ++ gen_require(` ++ type proc_t, proc_net_t, sysctl_rpc_t; ++ ') ++ ++ rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ++') ++ + ######################################## + ## + ## Read and write RPC sysctls. +@@ -2085,9 +2261,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -22168,7 +22167,7 @@ index e100d88..1428581 100644 ######################################## ## ## Allow caller to read all sysctls. -@@ -2282,6 +2457,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2477,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -22194,7 +22193,7 @@ index e100d88..1428581 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2500,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2520,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -22203,7 +22202,7 @@ index e100d88..1428581 100644 ## ## # -@@ -2488,6 +2682,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2702,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## 
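Review bot: The doc comment on the new `kernel_rw_rpc_sysctls_dirs` interface says `## Read RPC sysctls.`, but the body is `rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)`, which grants write, add_name and remove_name on sysctl_rpc_t directories rather than read access; the text was evidently copied from `kernel_read_rpc_sysctls` just above and should read `## Read and write RPC sysctl directories.` so anyone auditing the interface index sees the write grant. The hunk also introduces a second blank `+` line between the closing `')` of kernel_read_rpc_sysctls and the new `####` separator, where the rest of the file uses one; drop the extra blank line. Because the next interface (`kernel_rw_rpc_sysctls`, "Read and write RPC sysctls") presumably already covers the sysctl files, a short comment naming the directory-level access this was added for would help later reviewers decide whether the full rw_dir_perms set is needed.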
@@ -22228,11 +22227,34 @@ index e100d88..1428581 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2737,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,7 +2757,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## +-## Allow caller to relabel unlabeled files. +## Allow caller to relabel unlabeled filesystems. + ## + ## + ## +@@ -2533,18 +2765,36 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` + ## + ## + # +-interface(`kernel_relabelfrom_unlabeled_files',` ++interface(`kernel_relabelfrom_unlabeled_fs',` + gen_require(` + type unlabeled_t; + ') + +- kernel_list_unlabeled($1) +- allow $1 unlabeled_t:file { getattr relabelfrom }; ++ allow $1 unlabeled_t:filesystem relabelfrom; + ') + + ######################################## + ## +-## Allow caller to relabel unlabeled symbolic links. ++## Allow caller to relabel unlabeled files. +## +## +## @@ -22240,34 +22262,27 @@ index e100d88..1428581 100644 +## +## +# -+interface(`kernel_relabelfrom_unlabeled_fs',` ++interface(`kernel_relabelfrom_unlabeled_files',` + gen_require(` + type unlabeled_t; + ') + -+ allow $1 unlabeled_t:filesystem relabelfrom; ++ kernel_list_unlabeled($1) ++ allow $1 unlabeled_t:file { getattr relabelfrom }; +') + +######################################## +## - ## Allow caller to relabel unlabeled files. ++## Allow caller to relabel unlabeled symbolic links. ## ## -@@ -2667,16 +2897,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` + ## +@@ -2667,6 +2917,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## --## Receive TCP packets from an unlabeled connection. +## Receive DCCP packets from an unlabeled connection. - ## --## --##

--## Receive TCP packets from an unlabeled connection. --##

--##

--## The corenetwork interface corenet_tcp_recv_unlabeled() should --## be used instead of this one. --##

++##
+## +## +## Domain allowed access. @@ -22284,20 +22299,10 @@ index e100d88..1428581 100644 + +######################################## +## -+## Receive TCP packets from an unlabeled connection. -+## -+## -+##

-+## Receive TCP packets from an unlabeled connection. -+##

-+##

-+## The corenetwork interface corenet_tcp_recv_unlabeled() should -+## be used instead of this one. -+##

- ##
- ## - ## -@@ -2694,6 +2942,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` + ## Receive TCP packets from an unlabeled connection. + ## + ## +@@ -2694,6 +2962,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -22323,7 +22328,7 @@ index e100d88..1428581 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +3070,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +3090,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -22357,7 +22362,7 @@ index e100d88..1428581 100644 ######################################## ## -@@ -2958,6 +3252,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3272,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -22382,7 +22387,7 @@ index e100d88..1428581 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3284,649 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3304,649 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -23034,7 +23039,7 @@ index e100d88..1428581 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..c4d3183 100644 +index 8dbab4c..5deb336 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
@@ -23329,20 +23334,7 @@ index 8dbab4c..c4d3183 100644 ######################################## # # Unlabeled process local policy -@@ -388,8 +480,12 @@ optional_policy(` - if( ! secure_mode_insmod ) { - allow can_load_kernmodule self:capability sys_module; - -+ files_load_kernel_modules(can_load_kernmodule) -+ - # load_module() calls stop_machine() which - # calls sched_setscheduler() -+ # gt: there seems to be no trace of the above, at -+ # least in kernel versions greater than 2.6.37... - allow can_load_kernmodule self:capability sys_nice; - kernel_setsched(can_load_kernmodule) - } -@@ -399,14 +495,38 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index e5d2322..94c1d52 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -12877,7 +12877,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 80a88a2..ec869f5 100644 +index 80a88a2..71c25c3 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -12905,7 +12905,7 @@ index 80a88a2..ec869f5 100644 domain_setpriority_all_domains(cgclear_t) fs_manage_cgroup_dirs(cgclear_t) -@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; +@@ -64,23 +66,26 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; kernel_list_unlabeled(cgconfig_t) kernel_read_system_state(cgconfig_t) 
@@ -12929,12 +12929,13 @@ index 80a88a2..ec869f5 100644 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; ++allow cgred_t self:netlink_connector_socket create_socket_perms; +allow cgred_t cgconfig_etc_t:file read_file_perms; allow cgred_t cgrules_etc_t:file read_file_perms; allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t) +@@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) @@ -14854,10 +14855,10 @@ index cc4e7cb..f348d27 100644 domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff --git a/cmirrord.te b/cmirrord.te -index bbdd396..8328b95 100644 +index bbdd396..28b1761 100644 --- a/cmirrord.te +++ b/cmirrord.te -@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) +@@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t) # Local policy # @@ -14866,7 +14867,14 @@ index bbdd396..8328b95 100644 dontaudit cmirrord_t self:capability sys_tty_config; allow cmirrord_t self:process { setfscreate signal }; allow cmirrord_t self:fifo_file rw_fifo_file_perms; -@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) + allow cmirrord_t self:sem create_sem_perms; + allow cmirrord_t self:shm create_shm_perms; + allow cmirrord_t self:netlink_socket create_socket_perms; ++allow cmirrord_t self:netlink_connector_socket create_socket_perms; + allow cmirrord_t self:unix_stream_socket { accept listen }; + + manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) +@@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) domain_use_interactive_fds(cmirrord_t) domain_obj_id_change_exemption(cmirrord_t) 
@@ -83504,7 +83512,7 @@ index da64218..3fb8575 100644 + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ') diff --git a/quota.te b/quota.te -index f47c8e8..d4e9042 100644 +index f47c8e8..af09c76 100644 --- a/quota.te +++ b/quota.te @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0) @@ -83599,7 +83607,7 @@ index f47c8e8..d4e9042 100644 ') optional_policy(` -@@ -103,12 +102,12 @@ optional_policy(` +@@ -103,12 +102,13 @@ optional_policy(` ####################################### # @@ -83610,11 +83618,12 @@ index f47c8e8..d4e9042 100644 allow quota_nld_t self:fifo_file rw_fifo_file_perms; allow quota_nld_t self:netlink_socket create_socket_perms; -allow quota_nld_t self:unix_stream_socket { accept listen }; ++allow quota_nld_t self:netlink_generic_socket create_socket_perms; +allow quota_nld_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) -@@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t) +@@ -121,11 +121,9 @@ init_read_utmp(quota_nld_t) logging_send_syslog_msg(quota_nld_t) @@ -91109,7 +91118,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..a37f579 100644 +index 2da9fca..be1fab2 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91313,7 +91322,7 @@ index 2da9fca..a37f579 100644 ') ######################################## -@@ -202,41 +232,61 @@ optional_policy(` +@@ -202,41 +232,62 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -91331,6 +91340,7 @@ index 2da9fca..a37f579 100644 kernel_request_load_module(nfsd_t) -# kernel_mounton_proc(nfsd_t) +kernel_mounton_proc(nfsd_t) ++kernel_rw_rpc_sysctls_dirs(nfsd_t) -corenet_sendrecv_nfs_server_packets(nfsd_t) +corecmd_exec_shell(nfsd_t) 
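Review bot: `kernel_rw_rpc_sysctls_dirs(nfsd_t)` is added unconditionally and without a comment, so nothing in the hunk records which directory operation under the sysctl_rpc_t tree nfsd was actually denied; directory write on sysctl_rpc_t is presumably broader than the file-level access the rpc cache channel files need, which is what the existing kernel_rw_rpc_sysctls interface appears to cover. I would add `# nfsd writes into sysctl_rpc_t directories under /proc/net/rpc (AVC: <bug/denial ref>)` above the call, or use the narrower file interface if the denial was on a file. The spec changelog only restates the grant, not the trigger. nfsd_t's policy block continues outside the hunk.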
@@ -91385,7 +91395,7 @@ index 2da9fca..a37f579 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +296,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -91393,7 +91403,7 @@ index 2da9fca..a37f579 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +307,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -91408,7 +91418,7 @@ index 2da9fca..a37f579 100644 ') ######################################## -@@ -270,7 +319,7 @@ optional_policy(` +@@ -270,7 +320,7 @@ optional_policy(` # GSSD local policy # @@ -91417,7 +91427,7 @@ index 2da9fca..a37f579 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +330,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -91425,7 +91435,7 @@ index 2da9fca..a37f579 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +338,31 @@ kernel_signal(gssd_t) +@@ -288,25 +339,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -91460,7 +91470,7 @@ index 2da9fca..a37f579 100644 ') optional_policy(` -@@ -314,9 +370,12 @@ optional_policy(` +@@ -314,9 +371,12 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 7791e64..ee794e1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.8%{?dist} +Release: 225.9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,10 @@ exit 0 %endif %changelog +* Mon Feb 20 2017 Lukas Vrabec - 3.13.1-225.9 +- Allow nfsd_t domain rw sysctl_rpc_t dirs +- Add interface kernel_rw_rpc_sysctls_dirs() + * Wed Feb 15 2017 Lukas Vrabec - 3.13.1-225.8 - Allow rhsmcertd domain signull kernel. - Fix label for nagios plugins in nagios file conxtext file