diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 688449e..67411f3 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -5596,7 +5596,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..f9f01e8 100644 +index 4edc40d..3173c7b 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5670,7 +5670,7 @@ index 4edc40d..f9f01e8 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -84,54 +107,65 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -84,54 +107,66 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) @@ -5702,6 +5702,7 @@ index 4edc40d..f9f01e8 100644 network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) +network_port(conman, tcp,7890,s0, udp,7890,s0) ++network_port(connlcli, tcp,1358,s0, udp,1358,s0) network_port(couchdb, tcp,5984,s0, udp,5984,s0) -network_port(cslistener, tcp,9000,s0, udp,9000,s0) -network_port(ctdb, tcp,4379,s0, udp,4397,s0) 
@@ -5743,7 +5744,7 @@ index 4edc40d..f9f01e8 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -139,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +174,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5810,7 +5811,7 @@ index 4edc40d..f9f01e8 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,26 +227,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5832,6 +5833,7 @@ index 4edc40d..f9f01e8 100644 +network_port(openflow, tcp,6633,s0, tcp,6653,s0) network_port(openhpid, tcp,4743,s0, udp,4743,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) ++network_port(openvswitch, tcp,6634,s0) +network_port(osapi_compute, tcp, 8774, s0) network_port(pdps, tcp,1314,s0, udp,1314,s0) network_port(pegasus_http, tcp,5988,s0) @@ -5850,7 +5852,7 @@ index 4edc40d..f9f01e8 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -214,38 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +266,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) 
@@ -5903,7 +5905,7 @@ index 4edc40d..f9f01e8 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +316,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5914,7 +5916,7 @@ index 4edc40d..f9f01e8 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +328,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5927,7 +5929,7 @@ index 4edc40d..f9f01e8 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -285,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -285,19 +345,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5954,7 +5956,7 @@ index 4edc40d..f9f01e8 100644 ######################################## # -@@ -330,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +394,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) 
@@ -5963,7 +5965,7 @@ index 4edc40d..f9f01e8 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +408,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -8903,7 +8905,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..4b49713 100644 +index cf04cb5..1abe365 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8944,7 +8946,7 @@ index cf04cb5..4b49713 100644 # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; -@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -8982,6 +8984,7 @@ index cf04cb5..4b49713 100644 +files_read_inherited_tmp_files(domain) +files_append_inherited_tmp_files(domain) +files_read_all_base_ro_files(domain) ++files_dontaduit_getattr_kernel_symbol_table(domain) + +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) @@ -8992,7 +8995,7 @@ index cf04cb5..4b49713 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` 
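Review bot: The new call `files_dontaduit_getattr_kernel_symbol_table(domain)` misspells "dontaudit", and the interface definition added to policy/modules/kernel/files.if in the same commit (hunk `@@ -11387,7 +11394,32 @@`) carries the identical typo, so the policy builds but the name breaks the `files_dontaudit_*` convention every other interface in files.if follows and will not turn up in any search for dontaudit rules. Rename both the call here and the `interface(`files_dontaduit_getattr_kernel_symbol_table',` definition (and its doc summary) to `files_dontaudit_getattr_kernel_symbol_table` before this ships, because once the misspelled name is in a released policy other modules will start depending on it. The enclosing domain.te rule block starts and ends outside this hunk.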
@@ -9011,7 +9014,7 @@ index cf04cb5..4b49713 100644 ') optional_policy(` -@@ -133,6 +190,9 @@ optional_policy(` +@@ -133,6 +191,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -9021,7 +9024,7 @@ index cf04cb5..4b49713 100644 ') ######################################## -@@ -147,12 +207,18 @@ optional_policy(` +@@ -147,12 +208,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -9041,7 +9044,7 @@ index cf04cb5..4b49713 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +232,326 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +233,330 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9300,6 +9303,10 @@ index cf04cb5..4b49713 100644 + cron_rw_system_job_pipes(domain) +') + ++optional_policy(` ++ devicekit_dbus_chat_power(domain) ++') ++ +ifdef(`hide_broken_symptoms',` + dontaudit domain self:udp_socket listen; + allow domain domain:key { link search }; @@ -9619,7 +9626,7 @@ index c2c6e05..2282452 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..8eb459b 100644 +index 64ff4d7..a47b644 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
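Review bot: `devicekit_dbus_chat_power(domain)` hands the interface's D-Bus access to every type that carries the `domain` attribute, the widest scope available, while the consumers of the power daemon are presumably a small set of desktop and power-management clients; nothing in the hunk records why all domains need it. If the motivation is a flood of AVC denials, a dontaudit of the message vector or calling the interface from the specific domains that talk to the power daemon would preserve least privilege, and at minimum the block needs a why-comment such as `# every domain may exchange D-Bus messages with the power daemon because <reason>` so the widening is auditable later. The surrounding domain.te block starts and ends outside this hunk.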
@@ -11387,7 +11394,32 @@ index 64ff4d7..8eb459b 100644 ') ######################################## -@@ -5223,6 +6319,24 @@ interface(`files_list_var',` +@@ -5094,6 +6190,24 @@ interface(`files_create_kernel_symbol_table',` + + ######################################## + ## ++## Dontaudit getattr attempts on the system.map file ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaduit_getattr_kernel_symbol_table',` ++ gen_require(` ++ type system_map_t; ++ ') ++ ++ dontaudit $1 system_map_t:file getattr; ++') ++ ++######################################## ++## + ## Read system.map in the /boot directory. + ## + ## +@@ -5223,6 +6337,24 @@ interface(`files_list_var',` ######################################## ## @@ -11412,7 +11444,16 @@ index 64ff4d7..8eb459b 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5507,6 +6621,23 @@ interface(`files_rw_var_lib_dirs',` +@@ -5310,7 +6442,7 @@ interface(`files_dontaudit_rw_var_files',` + type var_t; + ') + +- dontaudit $1 var_t:file rw_file_perms; ++ dontaudit $1 var_t:file rw_inherited_file_perms; + ') + + ######################################## +@@ -5507,6 +6639,23 @@ interface(`files_rw_var_lib_dirs',` rw_dirs_pattern($1, var_lib_t, var_lib_t) ') @@ -11436,7 +11477,7 @@ index 64ff4d7..8eb459b 100644 ######################################## ## ## Create objects in the /var/lib directory -@@ -5578,6 +6709,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5578,6 +6727,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11462,7 +11503,7 @@ index 64ff4d7..8eb459b 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6773,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6791,7 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -11471,7 +11512,7 @@ index 64ff4d7..8eb459b 100644 ## ## ## -@@ -5631,12 +6781,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6799,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11487,7 +11528,7 @@ index 64ff4d7..8eb459b 100644 ') ######################################## -@@ -5654,6 +6805,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6823,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11495,7 +11536,7 @@ index 64ff4d7..8eb459b 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6832,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6850,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11523,7 +11564,7 @@ index 64ff4d7..8eb459b 100644 ## ## ## -@@ -5688,13 +6859,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6877,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11540,7 +11581,7 @@ index 64ff4d7..8eb459b 100644 ') ######################################## -@@ -5713,7 +6883,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6901,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11549,7 +11590,7 @@ index 64ff4d7..8eb459b 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6916,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6934,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11557,7 +11598,7 @@ index 64ff4d7..8eb459b 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5761,7 +6930,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5761,7 +6948,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11566,7 +11607,7 @@ index 64ff4d7..8eb459b 100644 ## ## ## -@@ -5769,13 +6938,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,13 +6956,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # 
@@ -11601,7 +11642,7 @@ index 64ff4d7..8eb459b 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6980,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6998,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11619,7 +11660,7 @@ index 64ff4d7..8eb459b 100644 ') ######################################## -@@ -5816,9 +7004,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +7022,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11630,7 +11671,7 @@ index 64ff4d7..8eb459b 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +7046,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +7064,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11640,7 +11681,7 @@ index 64ff4d7..8eb459b 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +7068,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +7086,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11650,7 +11691,7 @@ index 64ff4d7..8eb459b 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +7105,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +7123,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11660,7 +11701,7 @@ index 64ff4d7..8eb459b 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5961,7 +7144,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +7162,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11669,7 +11710,7 @@ index 64ff4d7..8eb459b 100644 allow $1 var_run_t:dir setattr; ') -@@ -5981,10 +7164,48 @@ interface(`files_search_pids',` +@@ -5981,18 +7182,56 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -11678,11 +11719,16 @@ index 64ff4d7..8eb459b 100644 search_dirs_pattern($1, var_t, var_run_t) ') +-######################################## +###################################### -+## + ## +-## Do not audit attempts to search +-## the /var/run directory. +## Add and remove entries from pid directories. -+## -+## + ## + ## +-## +-## Domain to not audit. +## +## Domain allowed access. +## @@ -11715,10 +11761,18 @@ index 64ff4d7..8eb459b 100644 + allow $1 var_run_t:dir create_dir_perms; +') + - ######################################## - ## - ## Do not audit attempts to search -@@ -6007,6 +7228,25 @@ interface(`files_dontaudit_search_pids',` ++######################################## ++## ++## Do not audit attempts to search ++## the /var/run directory. ++## ++## ++## ++## Domain to not audit. + ## + ## + # +@@ -6007,6 +7246,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -11744,7 +11798,7 @@ index 64ff4d7..8eb459b 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6021,7 +7261,7 @@ interface(`files_list_pids',` +@@ -6021,7 +7279,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -11753,7 +11807,7 @@ index 64ff4d7..8eb459b 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6040,7 +7280,7 @@ interface(`files_read_generic_pids',` +@@ -6040,7 +7298,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -11762,7 +11816,7 @@ index 64ff4d7..8eb459b 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6060,7 +7300,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7318,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11771,7 +11825,7 @@ index 64ff4d7..8eb459b 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6122,7 +7362,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7380,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
@@ -11779,7 +11833,7 @@ index 64ff4d7..8eb459b 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6151,6 +7390,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6151,6 +7408,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11804,7 +11858,7 @@ index 64ff4d7..8eb459b 100644 ## Read and write generic process ID files. ## ## -@@ -6164,7 +7421,7 @@ interface(`files_rw_generic_pids',` +@@ -6164,7 +7439,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') 
@@ -11813,236 +11867,392 @@ index 64ff4d7..8eb459b 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6231,6 +7488,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +7506,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## +-## Read all process ID files. +## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_read_all_pids',` +interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) + relabel_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process IDs. +## Delete all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_pids',` +interface(`files_delete_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + allow $1 pidfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process ID directories. +## Create all pid sockets -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6287,42 +7550,35 @@ interface(`files_delete_all_pids',` + ## + ## + # +-interface(`files_delete_all_pid_dirs',` +interface(`files_create_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) + allow $1 pidfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Create all pid named pipes -+## -+## -+## + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_manage_all_pids',` +interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6330,18 +7586,18 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_delete_all_pid_pipes',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute pidfile; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). +## manage all pidfile directories +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6349,37 +7605,40 @@ interface(`files_mounton_all_poly_members',` + ## + ## + # +-interface(`files_search_spool',` +interface(`files_manage_all_pid_dirs',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- search_dirs_pattern($1, var_t, var_spool_t) + manage_dirs_pattern($1,pidfile,pidfile) -+') -+ + ') + + -+######################################## -+## - ## Read all process ID files. + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. ++## Read all process ID files. ## ## -@@ -6243,12 +7610,86 @@ interface(`files_dontaudit_ioctl_all_pids',` - interface(`files_read_all_pids',` + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## ++## + # +-interface(`files_dontaudit_search_spool',` ++interface(`files_read_all_pids',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type var_spool_t; ++ attribute pidfile; + type var_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. +## Relable all pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6387,18 +7646,17 @@ interface(`files_dontaudit_search_spool',` + ## + ## + # +-interface(`files_list_spool',` +interface(`files_relabel_all_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) + relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). +## Execute generic programs in /var/run in the caller domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6406,18 +7664,18 @@ interface(`files_list_spool',` + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_exec_generic_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type var_run_t; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## manage all pidfiles +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6425,19 +7683,18 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_manage_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + manage_files_pattern($1,pidfile,pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## Mount filesystems on all polyinstantiation +## member directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6445,55 +7702,43 @@ interface(`files_read_generic_spool',` + ## + ## + # +-interface(`files_manage_generic_spool',` +interface(`files_mounton_all_poly_members',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute polymember; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + allow $1 polymember:dir mounton; ') ######################################## -@@ -6268,8 +7709,8 @@ interface(`files_delete_all_pids',` - type var_t, var_run_t; - ') - -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) -@@ -6293,36 +7734,80 @@ interface(`files_delete_all_pid_dirs',` - type var_t, var_run_t; + ## +-## Create objects in the spool directory +-## with a private type with a type transition. ++## Delete all process IDs. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## +-## +-## +-## The name of the object being created. 
+-## +-## ++## + # +-interface(`files_spool_filetrans',` ++interface(`files_delete_all_pids',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; ++ type var_t, var_run_t; ') + files_search_pids($1) allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) +- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ') ######################################## ## --## Create, read, write and delete all --## var_run (pid) content +-## Allow access to manage all polyinstantiated +-## directories on the system. ++## Delete all process ID directories. + ## + ## + ## +@@ -6501,53 +7746,68 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` ++interface(`files_delete_all_pid_dirs',` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; ++ attribute pidfile; ++ type var_t, var_run_t; + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- 
allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') + +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) ++######################################## ++## +## Make the specified type a file +## used for spool files. +## 
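Review bot: This hunk now removes the unchanged upstream interfaces from `files_read_all_pids` through `files_unconfined` and re-adds them, apparently verbatim, after the new `files_*_all_pid_*` and spool interfaces, so most of its several hundred lines are a pure move and whatever genuine permission changes remain are buried in it. Regenerating the patch with the new interfaces inserted before or after the existing block (or with a diff algorithm that keeps a moved region intact) would leave only the real changes for review. While here, `manage_dirs_pattern($1,pidfile,pidfile)` in files_manage_all_pid_dirs and `manage_files_pattern($1,pidfile,pidfile)` in files_manage_all_pids should be written `manage_dirs_pattern($1, pidfile, pidfile)` and `manage_files_pattern($1, pidfile, pidfile)` to match the argument spacing used by every other pattern call in the file.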
@@ -12083,56 +12293,49 @@ index 64ff4d7..8eb459b 100644 +interface(`files_spool_file',` + gen_require(` + attribute spoolfile; -+ ') + ') + + files_type($1) + typeattribute $1 spoolfile; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unconfined access to files. +## Create all spool sockets ## ## ## --## Domain alloed access. -+## Domain allowed access. +@@ -6555,10 +7815,785 @@ interface(`files_polyinstantiate_all',` ## ## # --interface(`files_manage_all_pids',` +-interface(`files_unconfined',` +interface(`files_create_all_spool_sockets',` gen_require(` -- attribute pidfile; +- attribute files_unconfined_type; + attribute spoolfile; ') -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) +- typeattribute $1 files_unconfined_type; + allow $1 spoolfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. ++') ++ ++######################################## ++## +## Delete all spool sockets - ## - ## - ## -@@ -6330,12 +7815,33 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_delete_all_spool_sockets',` - gen_require(` -- attribute polymember; ++ gen_require(` + attribute spoolfile; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + 
@@ -12155,13 +12358,232 @@ index 64ff4d7..8eb459b 100644 + ') + + relabel_dirs_pattern($1, spoolfile, spoolfile) - ') - - ######################################## -@@ -6562,3 +8068,514 @@ interface(`files_unconfined',` - - typeattribute $1 files_unconfined_type; - ') ++') ++ ++######################################## ++## ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_spool',` ++ gen_require(` ++ type var_spool_t; ++ ') ++ ++ dontaudit $1 var_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List the contents of generic spool ++## (/var/spool) directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool_dirs',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Read generic spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_read_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create objects in the spool directory ++## with a private type with a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_spool_filetrans',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Allow access to manage all polyinstantiated ++## directories on the system. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_polyinstantiate_all',` ++ gen_require(` ++ attribute polydir, polymember, polyparent; ++ type poly_t; ++ ') ++ ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) ++ ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) ++ allow $1 polyparent:dir { getattr mounton }; ++ ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') ++') ++ ++######################################## ++## ++## Unconfined access to files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_unconfined',` ++ gen_require(` ++ attribute files_unconfined_type; ++ ') ++ ++ typeattribute $1 files_unconfined_type; ++') + +######################################## +## @@ -12672,7 +13094,7 @@ index 64ff4d7..8eb459b 100644 + ') + + allow $1 etc_t:service status; -+') + ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 148d87a..ccbcb66 100644 --- a/policy/modules/kernel/files.te 
@@ -14319,7 +14741,7 @@ index 8416beb..c6cd3eb 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..1198b51 100644 +index 9e603f5..3b8dd74 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); @@ -14342,12 +14764,13 @@ index 9e603f5..1198b51 100644 type bdev_t; fs_type(bdev_t) -@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t) +@@ -63,12 +67,18 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) +type oracleasmfs_t; +fs_type(oracleasmfs_t) ++dev_node(oracleasmfs_t) +files_mountpoint(oracleasmfs_t) +genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0) + @@ -14361,7 +14784,7 @@ index 9e603f5..1198b51 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +99,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -14373,7 +14796,7 @@ index 9e603f5..1198b51 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -97,6 +111,7 @@ type hugetlbfs_t; +@@ -97,6 +112,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -14381,7 +14804,7 @@ index 9e603f5..1198b51 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -119,12 +135,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) 
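Review bot: `dev_node(oracleasmfs_t)` in the inner hunk at `@@ -63,12 +67,18 @@` gives the new filesystem type the device-node attribute, so every rule written against all device nodes (the `dev_*_all_*` interfaces) now also reaches objects on an oracleasmfs mount; that is wider than the `fs_type` plus `files_mountpoint` pairing the sibling filesystem types in the same hunk get. Presumably the intent is that the ASM disks exposed under that mount are treated like block devices, but nothing in the hunk says so. A one-line comment would make the widening reviewable, e.g. `# oracleasmfs exposes ASM disks as device nodes; treat the fs as a device`.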
@@ -14399,7 +14822,7 @@ index 9e603f5..1198b51 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -145,11 +165,6 @@ fs_type(spufs_t) +@@ -145,11 +166,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -14411,7 +14834,7 @@ index 9e603f5..1198b51 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -167,6 +182,8 @@ type vxfs_t; +@@ -167,6 +183,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -14420,7 +14843,7 @@ index 9e603f5..1198b51 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +193,8 @@ fs_type(tmpfs_t) +@@ -176,6 +194,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -14429,7 +14852,7 @@ index 9e603f5..1198b51 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +275,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -14438,7 +14861,7 @@ index 9e603f5..1198b51 100644 files_mountpoint(removable_t) # -@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +296,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -17363,7 +17786,7 @@ index 0000000..48caabc +allow domain unlabeled_t:packet { send recv }; + diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te -index 834a065..c769f81 100644 +index 834a065..ff93697 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te 
@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) @@ -17375,10 +17798,12 @@ index 834a065..c769f81 100644 ######################################## # -@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t) +@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t) domain_kill_all_domains(auditadm_t) ++mls_file_read_all_levels(auditadm_t) ++ +selinux_read_policy(auditadm_t) + logging_send_syslog_msg(auditadm_t) @@ -17455,7 +17880,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..6412825 100644 +index 5da7870..5247b99 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,71 @@ policy_module(staff, 2.3.1) @@ -17680,7 +18105,7 @@ index 5da7870..6412825 100644 ') optional_policy(` -@@ -52,11 +230,57 @@ optional_policy(` +@@ -52,11 +230,61 @@ optional_policy(` ') optional_policy(` @@ -17725,6 +18150,10 @@ index 5da7870..6412825 100644 ') optional_policy(` ++ vmtools_run_helper(staff_t, staff_r) ++') ++ ++optional_policy(` + vnstatd_read_lib_files(staff_t) +') + @@ -17738,7 +18167,7 @@ index 5da7870..6412825 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +289,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +293,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17749,7 +18178,7 @@ index 5da7870..6412825 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +298,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +302,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -17760,7 +18189,7 @@ index 5da7870..6412825 100644 ') optional_policy(` -@@ -101,10 +317,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +321,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17771,7 +18200,7 @@ index 5da7870..6412825 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +337,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +341,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
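Review bot: `mls_file_read_all_levels(auditadm_t)` in the inner hunk at `@@ -22,16 +22,23 @@` is an MLS read-up exemption for the audit-admin domain, and nothing nearby (selinux_read_policy, logging_send_syslog_msg) explains why it is needed. Exemptions of this kind are the rules an MLS reviewer looks for first, so a why-comment is worth adding; if the reason is that audit logs may be written at any level, `# audit logs can be written at any level; auditadm must read them all` would do, but confirm that is the actual trigger. The enclosing auditadm_t policy continues outside the hunk.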
@@ -17782,7 +18211,7 @@ index 5da7870..6412825 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +349,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +353,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17793,7 +18222,7 @@ index 5da7870..6412825 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +380,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +384,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -17845,7 +18274,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..f520b74 100644 +index 88d0028..4a77968 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) @@ -18354,7 +18783,7 @@ index 88d0028..f520b74 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +575,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +575,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18421,6 +18850,10 @@ index 88d0028..f520b74 100644 + userhelper_role_template(sysadm, sysadm_r, sysadm_t) + ') + ++ optional_policy(` ++ vmtools_run_helper(sysadm_t, sysadm_r) ++ ') ++ + optional_policy(` + vmware_role(sysadm_r, sysadm_t) + ') @@ -19137,10 +19570,10 @@ index 0000000..b1163a6 +') diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..539c163 +index 0000000..b126e2b --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,332 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -19301,6 +19734,10 @@ index 0000000..539c163 + sandbox_x_transition(unconfined_t, unconfined_r) + ') + ++ optional_policy(` ++ vmtools_run_helper(unconfined_t, unconfined_r) ++ ') ++ + optional_policy(` + gen_require(` + type user_tmpfs_t; 
@@ -19480,7 +19917,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index cdfddf4..ad1f001 100644 +index cdfddf4..e53ec1a 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -19636,7 +20073,18 @@ index cdfddf4..ad1f001 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +263,15 @@ ifndef(`distro_redhat',` +@@ -153,6 +255,10 @@ ifndef(`distro_redhat',` + userhelper_role_template(user, user_r, user_t) + ') + ++ optional_policy(` ++ vmtools_run_helper(user_t, user_r) ++ ') ++ + optional_policy(` + vmware_role(user_r, user_t) + ') +@@ -161,3 +267,15 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -20270,7 +20718,7 @@ index 76d9f66..5c271ce 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..c0413e8 100644 +index fe0c682..e8dcfa7 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -20521,7 +20969,7 @@ index fe0c682..c0413e8 100644 allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; + allow ssh_t $3:key manage_key_perms; -+ allow $3 ssh_t:key read; ++ allow $3 ssh_t:key { write search read view }; # user can manage the keys and config manage_files_pattern($3, ssh_home_t, ssh_home_t) @@ -27031,7 +27479,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..45d0b37 100644 +index 24e7804..e28a0ca 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ 
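Review bot: in the ssh.if hunk at `@@ -20521,7 +20969,7 @@` the user domain `$3` goes from `read` to `{ write search read view }` on ssh_t's keyring, so user processes can now modify keys held by the ssh client process, not only read them. The reverse direction already carries `manage_key_perms`, which suggests a shared session keyring is intended, but the only comment in the area, `# user can manage the keys and config`, is about ssh_home_t files rather than kernel keys. Add a comment such as `# user processes and the ssh client share one session keyring`, or, if lookup is all that was missing, use the smaller `{ read search view }`. The enclosing template starts outside the hunk.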
@@ -28013,7 +28461,7 @@ index 24e7804..45d0b37 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2338,432 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2338,450 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -28427,6 +28875,24 @@ index 24e7804..45d0b37 100644 + +######################################## +## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_manage_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service { start stop reload status }; ++') ++ ++######################################## ++## +## Transition to init named content +## +## @@ -28447,7 +28913,7 @@ index 24e7804..45d0b37 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..b3ddfe3 100644 +index dd3be8d..381903f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -28502,7 +28968,7 @@ index dd3be8d..b3ddfe3 100644 # Mark file type as a daemon run directory attribute daemonrundir; -@@ -35,12 +64,14 @@ attribute daemonrundir; +@@ -35,12 +64,20 @@ attribute daemonrundir; # # init_t is the domain of the init process. # @@ -28515,10 +28981,16 @@ index dd3be8d..b3ddfe3 100644 kernel_domtrans_to(init_t, init_exec_t) role system_r types init_t; +init_initrc_domain(init_t) ++ ++# ++# init_tmp_t is the type for content in /tmp directory ++# ++type init_tmp_t; ++files_tmp_file(init_tmp_t) # # init_var_run_t is the type for /var/run/shutdown.pid. -@@ -49,6 +80,15 @@ type init_var_run_t; +@@ -49,6 +86,15 @@ type init_var_run_t; files_pid_file(init_var_run_t) # 
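Review bot: the summary of the new `init_manage_transient_unit` interface reads `Tell init to do an unknown access.`, which does not describe what the body grants, `allow $1 init_t:service { start stop reload status };`. Replace it with something like `Start, stop, reload and query the status of units managed by init (init_t:service).` so that callers and the generated interface docs show this is control over init's services rather than a dontaudit of unknown permissions. The interface name says "transient unit" while the rule applies to everything init exposes as init_t:service; either the name or the description should say that.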
@@ -28534,7 +29006,7 @@ index dd3be8d..b3ddfe3 100644 # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. -@@ -57,7 +97,7 @@ type initctl_t; +@@ -57,7 +103,7 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) @@ -28543,7 +29015,7 @@ index dd3be8d..b3ddfe3 100644 type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) -@@ -98,7 +138,9 @@ ifdef(`enable_mls',` +@@ -98,7 +144,9 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -28554,7 +29026,7 @@ index dd3be8d..b3ddfe3 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +150,37 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +156,42 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; @@ -28577,6 +29049,11 @@ index dd3be8d..b3ddfe3 100644 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto }; +allow initrc_t init_t:fifo_file rw_fifo_file_perms; + ++manage_files_pattern(init_t, init_tmp_t, init_tmp_t) ++manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t) ++manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t) ++files_tmp_filetrans(init_t, init_tmp_t, { file dir }) ++ +manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t) @@ -28598,7 +29075,7 @@ index dd3be8d..b3ddfe3 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +190,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) 
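Review bot: the new init_tmp_t rules in the inner hunk at `@@ -108,14 +156,42 @@` grant `manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)`, but the transition `files_tmp_filetrans(init_t, init_tmp_t, { file dir })` covers only files and directories, so a symlink init creates under /tmp keeps the parent directory's type and the lnk_file rule does not apply to it. Either extend the class set, `files_tmp_filetrans(init_t, init_tmp_t, { file dir lnk_file })`, or drop the lnk_file manage rule if init is not expected to create symlinks there. The enclosing init_t block continues outside the hunk.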
@@ -28618,7 +29095,7 @@ index dd3be8d..b3ddfe3 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +209,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +220,21 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -28636,10 +29113,11 @@ index dd3be8d..b3ddfe3 100644 # Run /etc/X11/prefdm: files_exec_etc_files(init_t) +files_read_usr_files(init_t) ++files_write_root_dirs(init_t) # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +232,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +244,52 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -28682,20 +29160,20 @@ index dd3be8d..b3ddfe3 100644 seutil_read_config(init_t) +seutil_read_module_store(init_t) -+ + +-miscfiles_read_localization(init_t) +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) + +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) - --miscfiles_read_localization(init_t) ++ +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +286,210 @@ ifdef(`distro_gentoo',` +@@ -186,29 +298,225 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
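Review bot: `files_write_root_dirs(init_t)` in the inner hunk at `@@ -139,14 +220,21 @@` appears to let PID 1 add or remove entries directly in `/`, and nothing nearby says which object it needs to create there; the adjacent lines only read /usr and exec files under /etc. A write into `/` is exactly what a denial would otherwise surface, so name the trigger in a comment, e.g. `# TODO(review): name the entry init creates in / (mount point, symlink) — confirm`. The enclosing init_t block continues outside the hunk.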
@@ -28871,9 +29349,24 @@ index dd3be8d..b3ddfe3 100644 +auth_rw_login_records(init_t) +auth_domtrans_chk_passwd(init_t) + -+optional_policy(` -+ ipsec_read_config(init_t) -+ ipsec_manage_pid(init_t) ++ifdef(`distro_redhat',` ++ # it comes from setupr scripts used in systemd unit files ++ # has been covered by initrc_t ++ optional_policy(` ++ bind_manage_config_dirs(init_t) ++ bind_manage_config(init_t) ++ bind_write_config(init_t) ++ bind_setattr_zone_dirs(init_t) ++ ') ++ ++ optional_policy(` ++ ipsec_read_config(init_t) ++ ipsec_manage_pid(init_t) ++ ') ++ ++ optional_policy(` ++ rpc_manage_nfs_state_data(init_t) ++ ') +') + +optional_policy(` @@ -28893,18 +29386,18 @@ index dd3be8d..b3ddfe3 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + networkmanager_stream_connect(init_t) +') + @@ -28914,7 +29407,7 @@ index dd3be8d..b3ddfe3 100644 ') optional_policy(` -@@ -216,7 +497,30 @@ optional_policy(` +@@ -216,7 +524,30 @@ optional_policy(` ') optional_policy(` @@ -28945,7 +29438,7 @@ index dd3be8d..b3ddfe3 100644 ') ######################################## -@@ -225,8 +529,9 @@ optional_policy(` +@@ -225,8 +556,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
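Review bot: inside the new distro_redhat block, `bind_manage_config(init_t)` and `bind_write_config(init_t)` appear to overlap, since a manage pattern already includes write on the same files, so one of the two lines looks redundant. The comment `# it comes from setupr scripts used in systemd unit files` has a typo (`setup`) and does not say which unit files need PID 1 itself, rather than the script domain the next comment mentions, to edit BIND's configuration and zone directories; naming them (e.g. `# needed by the ExecStartPre helpers of <unit>` with the unit filled in) lets the grant be re-evaluated when those units change. The enclosing init_t block continues outside the hunk.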
@@ -28957,7 +29450,7 @@ index dd3be8d..b3ddfe3 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +562,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +589,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28974,7 +29467,7 @@ index dd3be8d..b3ddfe3 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +587,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +614,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29017,7 +29510,7 @@ index dd3be8d..b3ddfe3 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +624,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +651,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -29029,7 +29522,7 @@ index dd3be8d..b3ddfe3 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +636,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +663,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -29040,7 +29533,7 @@ index dd3be8d..b3ddfe3 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +647,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +674,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -29050,7 +29543,7 @@ index dd3be8d..b3ddfe3 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +656,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +683,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29058,7 +29551,7 @@ index dd3be8d..b3ddfe3 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +663,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +690,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -29066,7 +29559,7 @@ index dd3be8d..b3ddfe3 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +671,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +698,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -29084,7 +29577,7 @@ index dd3be8d..b3ddfe3 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +689,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +716,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -29098,7 +29591,7 @@ index dd3be8d..b3ddfe3 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +704,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +731,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -29112,7 +29605,7 @@ index dd3be8d..b3ddfe3 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +717,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +744,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -29120,7 +29613,7 @@ index dd3be8d..b3ddfe3 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +729,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +756,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -29128,7 +29621,7 @@ index dd3be8d..b3ddfe3 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +748,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +775,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -29152,7 +29645,7 @@ index dd3be8d..b3ddfe3 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +781,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +808,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -29160,7 +29653,7 @@ index dd3be8d..b3ddfe3 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +815,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +842,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -29171,7 +29664,7 @@ index dd3be8d..b3ddfe3 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +839,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +866,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -29180,7 +29673,7 @@ index dd3be8d..b3ddfe3 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +854,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +881,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -29188,7 +29681,7 @@ index dd3be8d..b3ddfe3 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +875,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +902,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -29196,7 +29689,7 @@ index dd3be8d..b3ddfe3 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +885,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +912,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -29241,7 +29734,7 @@ index dd3be8d..b3ddfe3 100644 ') optional_policy(` -@@ -558,14 +930,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +957,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -29273,7 +29766,7 @@ index dd3be8d..b3ddfe3 100644 ') ') -@@ -576,6 +965,39 @@ ifdef(`distro_suse',` +@@ -576,6 +992,39 @@ ifdef(`distro_suse',` ') ') @@ -29313,7 +29806,7 @@ index dd3be8d..b3ddfe3 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1010,8 @@ optional_policy(` +@@ -588,6 +1037,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -29322,7 +29815,7 @@ index dd3be8d..b3ddfe3 100644 ') optional_policy(` -@@ -609,6 +1033,7 @@ optional_policy(` +@@ -609,6 +1060,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -29330,7 +29823,7 @@ index dd3be8d..b3ddfe3 100644 ') optional_policy(` -@@ -625,6 +1050,17 @@ optional_policy(` +@@ -625,6 +1077,17 @@ optional_policy(` ') optional_policy(` 
@@ -29348,7 +29841,7 @@ index dd3be8d..b3ddfe3 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1077,13 @@ optional_policy(` +@@ -641,9 +1104,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29362,7 +29855,7 @@ index dd3be8d..b3ddfe3 100644 ') optional_policy(` -@@ -656,15 +1096,11 @@ optional_policy(` +@@ -656,15 +1123,11 @@ optional_policy(` ') optional_policy(` @@ -29380,7 +29873,7 @@ index dd3be8d..b3ddfe3 100644 ') optional_policy(` -@@ -685,6 +1121,15 @@ optional_policy(` +@@ -685,6 +1148,15 @@ optional_policy(` ') optional_policy(` @@ -29396,7 +29889,7 @@ index dd3be8d..b3ddfe3 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1170,7 @@ optional_policy(` +@@ -725,6 +1197,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -29404,7 +29897,7 @@ index dd3be8d..b3ddfe3 100644 ') optional_policy(` -@@ -742,7 +1188,13 @@ optional_policy(` +@@ -742,7 +1215,13 @@ optional_policy(` ') optional_policy(` @@ -29419,7 +29912,7 @@ index dd3be8d..b3ddfe3 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1217,10 @@ optional_policy(` +@@ -765,6 +1244,10 @@ optional_policy(` ') optional_policy(` @@ -29430,7 +29923,7 @@ index dd3be8d..b3ddfe3 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1230,20 @@ optional_policy(` +@@ -774,10 +1257,20 @@ optional_policy(` ') optional_policy(` @@ -29451,7 +29944,7 @@ index dd3be8d..b3ddfe3 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1252,10 @@ optional_policy(` +@@ -786,6 +1279,10 @@ optional_policy(` ') optional_policy(` @@ -29462,7 +29955,7 @@ index dd3be8d..b3ddfe3 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1277,6 @@ optional_policy(` +@@ -807,8 +1304,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -29471,7 +29964,7 @@ index dd3be8d..b3ddfe3 100644 ') optional_policy(` -@@ -817,6 +1285,10 @@ optional_policy(` +@@ -817,6 +1312,10 @@ optional_policy(` ') optional_policy(` @@ -29482,7 +29975,7 @@ index dd3be8d..b3ddfe3 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1298,12 @@ optional_policy(` +@@ -826,10 +1325,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29495,7 +29988,7 @@ index dd3be8d..b3ddfe3 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1330,35 @@ optional_policy(` +@@ -856,12 +1357,35 @@ optional_policy(` ') optional_policy(` @@ -29532,7 +30025,7 @@ index dd3be8d..b3ddfe3 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1368,18 @@ optional_policy(` +@@ -871,6 +1395,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29551,7 +30044,7 @@ index dd3be8d..b3ddfe3 100644 ') optional_policy(` -@@ -886,6 +1395,10 @@ optional_policy(` +@@ -886,6 +1422,10 @@ optional_policy(` ') optional_policy(` @@ -29562,7 +30055,7 @@ index dd3be8d..b3ddfe3 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1409,218 @@ optional_policy(` +@@ -896,3 +1436,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -32546,10 +33039,39 @@ index 879bb1e..633e449 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..f0de612 100644 +index 58bc27f..4e8728f 100644 --- a/policy/modules/system/lvm.if 
+++ b/policy/modules/system/lvm.if -@@ -123,3 +123,113 @@ interface(`lvm_domtrans_clvmd',` +@@ -86,6 +86,28 @@ interface(`lvm_read_config',` + + ######################################## + ## ++## Read LVM configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`lvm_read_metadata',` ++ gen_require(` ++ type lvm_etc_t; ++ type lvm_metadata_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 lvm_etc_t:dir list_dir_perms; ++ read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) ++') ++ ++######################################## ++## + ## Manage LVM configuration files. + ## + ## +@@ -123,3 +145,113 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -36455,7 +36977,7 @@ index 6944526..86c7a82 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..087fe08 100644 +index b7686d5..28f16ce 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -36707,7 +37229,7 @@ index b7686d5..087fe08 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +333,31 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -36731,6 +37253,7 @@ index b7686d5..087fe08 100644 +files_dontaudit_rw_inherited_locks(ifconfig_t) +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) ++files_dontaudit_rw_var_files(ifconfig_t) + files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) 
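Review bot: the summary of the new `lvm_read_metadata` interface, `Read LVM configuration files.`, is copied from `lvm_read_config` above it, while the body reads lvm_metadata_t; it should read `Read LVM metadata files (lvm_metadata_t).` so the two interfaces are distinguishable in the generated docs. Style: `read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)` has its spacing inverted compared with the surrounding calls; write `read_files_pattern($1, lvm_metadata_t, lvm_metadata_t)`. The `list_dir_perms` on lvm_etc_t is presumably there because the metadata lives below /etc/lvm — a short comment saying so would help the next reader.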
@@ -36738,7 +37261,7 @@ index b7686d5..087fe08 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +370,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -36766,7 +37289,7 @@ index b7686d5..087fe08 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +394,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -36789,7 +37312,7 @@ index b7686d5..087fe08 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +420,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -36803,7 +37326,7 @@ index b7686d5..087fe08 100644 ') optional_policy(` -@@ -339,7 +432,15 @@ optional_policy(` +@@ -339,7 +433,15 @@ optional_policy(` ') optional_policy(` @@ -36820,7 +37343,7 @@ index b7686d5..087fe08 100644 ') optional_policy(` -@@ -360,3 +461,13 @@ optional_policy(` +@@ -360,3 +462,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -40341,7 +40864,7 @@ index db75976..e4eb903 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..1e5eb3b 100644 +index 3c5dba7..519b132 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -40931,7 +41454,7 @@ index 3c5dba7..1e5eb3b 100644 ') ') -@@ -491,7 +659,8 @@ template(`userdom_common_user_template',` +@@ -491,51 +659,63 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') 
@@ -40941,7 +41464,10 @@ index 3c5dba7..1e5eb3b 100644 ############################## # -@@ -501,41 +670,51 @@ template(`userdom_common_user_template',` + # User domain Local policy + # ++ allow $1_t self:packet_socket create_socket_perms; + # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -41016,7 +41542,7 @@ index 3c5dba7..1e5eb3b 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +725,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +726,120 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -41175,7 +41701,7 @@ index 3c5dba7..1e5eb3b 100644 ') optional_policy(` -@@ -642,23 +848,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +849,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -41204,7 +41730,7 @@ index 3c5dba7..1e5eb3b 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +875,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +876,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -41213,7 +41739,7 @@ index 3c5dba7..1e5eb3b 100644 ') optional_policy(` -@@ -680,9 +884,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +885,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -41226,7 +41752,7 @@ index 3c5dba7..1e5eb3b 100644 ') ') -@@ -693,32 +897,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +898,35 @@ template(`userdom_common_user_template',` ') optional_policy(` 
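Review bot: `allow $1_t self:packet_socket create_socket_perms;` in the inner hunk at `@@ -501,41 +670,51 @@` lets every domain built from userdom_common_user_template create raw packet sockets, unconditionally and without a comment, while the neighbouring netlink rules in the same hunk are dontaudits. The kernel still requires CAP_NET_RAW to open such a socket, so the practical exposure is limited to user domains that also hold `capability net_raw`, but it is still the broadest rule in the hunk and the one a reviewer of unprivileged user domains would question first. Name the consumer in a comment (`# <tool> opens a packet socket; also needs net_raw`, with the tool filled in) or place the rule under a tunable so it can be disabled. The template continues outside the hunk.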
@@ -41273,7 +41799,7 @@ index 3c5dba7..1e5eb3b 100644 ') ') -@@ -743,17 +950,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +951,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -41311,7 +41837,7 @@ index 3c5dba7..1e5eb3b 100644 userdom_change_password_template($1) -@@ -761,83 +984,107 @@ template(`userdom_login_user_template', ` +@@ -761,83 +985,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -41455,7 +41981,7 @@ index 3c5dba7..1e5eb3b 100644 ') ####################################### -@@ -868,6 +1115,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1116,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -41468,7 +41994,7 @@ index 3c5dba7..1e5eb3b 100644 ############################## # # Local policy -@@ -907,42 +1160,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1161,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -41581,7 +42107,7 @@ index 3c5dba7..1e5eb3b 100644 ') optional_policy(` -@@ -951,19 +1261,40 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,19 +1262,40 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -41630,7 +42156,7 @@ index 3c5dba7..1e5eb3b 100644 ## ##

## The template for creating a unprivileged user roughly -@@ -990,27 +1321,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1322,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -41668,7 +42194,7 @@ index 3c5dba7..1e5eb3b 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1358,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1359,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -41739,7 +42265,7 @@ index 3c5dba7..1e5eb3b 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1420,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1421,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -41750,7 +42276,7 @@ index 3c5dba7..1e5eb3b 100644 ') ') -@@ -1082,7 +1458,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1459,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -41761,7 +42287,7 @@ index 3c5dba7..1e5eb3b 100644 ') ############################## -@@ -1098,6 +1476,7 @@ template(`userdom_admin_user_template',` +@@ -1098,6 +1477,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; 
@@ -41769,25 +42295,24 @@ index 3c5dba7..1e5eb3b 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1109,6 +1488,7 @@ template(`userdom_admin_user_template',` +@@ -1108,14 +1488,8 @@ template(`userdom_admin_user_template',` + # $1_t local policy # - allow $1_t self:capability ~{ sys_module audit_control audit_write }; -+ allow $1_t self:capability2 { block_suspend syslog }; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; - allow $1_t self:tun_socket create; -@@ -1117,6 +1497,9 @@ template(`userdom_admin_user_template',` - # Skip authentication when pam_rootok is specified. - allow $1_t self:passwd rootok; - +- allow $1_t self:capability ~{ sys_module audit_control audit_write }; +- allow $1_t self:process { setexec setfscreate }; +- allow $1_t self:netlink_audit_socket nlmsg_readpriv; +- allow $1_t self:tun_socket create; +- # Set password information for other users. +- allow $1_t self:passwd { passwd chfn chsh }; +- # Skip authentication when pam_rootok is specified. +- allow $1_t self:passwd rootok; + # Manipulate other users crontab. + allow $1_t self:passwd crontab; -+ + kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) -@@ -1131,6 +1514,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1505,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -41795,7 +42320,7 @@ index 3c5dba7..1e5eb3b 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1532,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1523,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) 
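Review bot: Dropping the self:capability, capability2, process, netlink_audit_socket, tun_socket and passwd rules from userdom_admin_user_template only preserves admin behaviour if `$1_t` is attached to the new confined_admindomain attribute, and no `typeattribute $1_t confined_admindomain;` is visible in this hunk or the neighbouring ones. If that assignment lives elsewhere in the template, a comment at the removal point would save the next reader the search, e.g. `# capability/passwd/tun rules now come from the confined_admindomain attribute (userdomain.te)`. The relocated rules in userdomain.te are not a pure move (tun_socket and packet_socket are wider there), so the comment should not call it one. The template body continues outside this hunk.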
@@ -41810,7 +42335,7 @@ index 3c5dba7..1e5eb3b 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1550,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1541,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -41853,7 +42378,7 @@ index 3c5dba7..1e5eb3b 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1591,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1582,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -41862,7 +42387,7 @@ index 3c5dba7..1e5eb3b 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1600,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1591,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -41881,7 +42406,7 @@ index 3c5dba7..1e5eb3b 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1243,7 +1646,7 @@ template(`userdom_admin_user_template',` +@@ -1243,7 +1637,7 @@ template(`userdom_admin_user_template',` ##

## # @@ -41890,7 +42415,7 @@ index 3c5dba7..1e5eb3b 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1253,6 +1656,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1647,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -41899,7 +42424,7 @@ index 3c5dba7..1e5eb3b 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1670,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1661,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -41911,7 +42436,7 @@ index 3c5dba7..1e5eb3b 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1684,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1675,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -41954,7 +42479,7 @@ index 3c5dba7..1e5eb3b 100644 ') optional_policy(` -@@ -1360,14 +1769,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1760,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -41973,7 +42498,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -1408,6 +1820,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1811,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -42025,7 +42550,7 @@ index 3c5dba7..1e5eb3b 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1969,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1960,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -42057,7 +42582,7 @@ index 3c5dba7..1e5eb3b 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +2035,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +2026,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -42072,7 +42597,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -1573,9 +2058,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2049,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -42084,7 +42609,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -1632,6 +2119,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2110,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -42127,7 +42652,7 @@ index 3c5dba7..1e5eb3b 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2234,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2225,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -42136,7 +42661,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -1744,10 +2269,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2260,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -42151,7 +42676,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -1772,7 +2299,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2290,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## 
@@ -42178,7 +42703,7 @@ index 3c5dba7..1e5eb3b 100644 ## ## ## -@@ -1782,53 +2327,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2318,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -42261,7 +42786,7 @@ index 3c5dba7..1e5eb3b 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2410,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2401,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -42287,7 +42812,7 @@ index 3c5dba7..1e5eb3b 100644 ## Mmap user home files. ## ## -@@ -1878,15 +2459,18 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2450,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
@@ -42303,48 +42828,39 @@ index 3c5dba7..1e5eb3b 100644 ######################################## ## --## Do not audit attempts to read user home files. +## Do not audit attempts to getattr user home files. - ## - ## - ## -@@ -1894,18 +2478,18 @@ interface(`userdom_read_user_home_content_files',` - ## - ## - # --interface(`userdom_dontaudit_read_user_home_content_files',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`userdom_dontaudit_getattr_user_home_content',` - gen_require(` -- type user_home_t; ++ gen_require(` + attribute user_home_type; - ') - -- dontaudit $1 user_home_t:dir list_dir_perms; -- dontaudit $1 user_home_t:file read_file_perms; ++ ') ++ + dontaudit $1 user_home_type:dir getattr; + dontaudit $1 user_home_type:file getattr; - ') - - ######################################## - ## --## Do not audit attempts to append user home files. -+## Do not audit attempts to read user home files. ++') ++ ++######################################## ++## + ## Do not audit attempts to read user home files. ## ## - ## -@@ -1913,17 +2497,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',` - ## - ## +@@ -1896,11 +2490,14 @@ interface(`userdom_read_user_home_content_files',` # --interface(`userdom_dontaudit_append_user_home_content_files',` -+interface(`userdom_dontaudit_read_user_home_content_files',` + interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` - type user_home_t; + attribute user_home_type; + type user_home_dir_t; ') -- dontaudit $1 user_home_t:file append_file_perms; +- dontaudit $1 user_home_t:dir list_dir_perms; +- dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; 
@@ -42352,40 +42868,21 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## - ## --## Do not audit attempts to write user home files. -+## Do not audit attempts to append user home files. - ## - ## - ## -@@ -1931,32 +2519,30 @@ interface(`userdom_dontaudit_append_user_home_content_files',` - ## - ## - # --interface(`userdom_dontaudit_write_user_home_content_files',` -+interface(`userdom_dontaudit_append_user_home_content_files',` - gen_require(` - type user_home_t; - ') - -- dontaudit $1 user_home_t:file write_file_perms; -+ dontaudit $1 user_home_t:file append_file_perms; - ') +@@ -1941,7 +2538,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## -## Delete all user home content files. -+## Do not audit attempts to write user home files. ++## Delete files in a user home subdirectory. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -1949,19 +2546,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # -interface(`userdom_delete_all_user_home_content_files',` -+interface(`userdom_dontaudit_write_user_home_content_files',` ++interface(`userdom_delete_user_home_content_files',` gen_require(` - attribute user_home_content_type; - type user_home_dir_t; 
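Review bot: userdom_dontaudit_read_user_home_content_files now silences read denials on the whole `user_home_type` attribute plus `user_home_dir_t:dir list_dir_perms`, where the previous body covered only `user_home_t`. A dontaudit on an attribute hides denials for every home-content type that carries it, which makes later troubleshooting and audit review harder, so the widening deserves to be visible in the interface description, e.g. `## Do not audit attempts to read any user home content type.` The new userdom_dontaudit_getattr_user_home_content interface earlier in the same hunk has the same attribute-wide scope and could carry the same wording.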
@@ -42394,34 +42891,34 @@ index 3c5dba7..1e5eb3b 100644 - userdom_search_user_home_content($1) - delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) -+ dontaudit $1 user_home_t:file write_file_perms; ++ allow $1 user_home_t:file delete_file_perms; ') ######################################## -@@ -1979,11 +2565,83 @@ interface(`userdom_delete_user_home_content_files',` - - ######################################## ## --## Do not audit attempts to write user home files. +-## Delete files in a user home subdirectory. +## Delete all files in a user home subdirectory. ## ## ## --## Domain to not audit. -+## Domain allowed access. -+## -+## -+# +@@ -1969,17 +2564,71 @@ interface(`userdom_delete_all_user_home_content_files',` + ## + ## + # +-interface(`userdom_delete_user_home_content_files',` +interface(`userdom_delete_all_user_home_content_files',` -+ gen_require(` + gen_require(` +- type user_home_t; + attribute user_home_type; -+ ') -+ + ') + +- allow $1 user_home_t:file delete_file_perms; + allow $1 user_home_type:file delete_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to write user home files. +## Delete sock files in a user home subdirectory. +## +## @@ -42477,14 +42974,10 @@ index 3c5dba7..1e5eb3b 100644 +######################################## +## +## Do not audit attempts to write user home files. -+## -+## -+## -+## Domain to not audit. - ## - ## - # -@@ -2010,8 +2668,7 @@ interface(`userdom_read_user_home_content_symlinks',` + ## + ## + ## +@@ -2010,8 +2659,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') 
@@ -42494,7 +42987,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -2027,21 +2684,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2675,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -42508,19 +43001,18 @@ index 3c5dba7..1e5eb3b 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -2123,7 +2774,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2765,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -42529,7 +43021,7 @@ index 3c5dba7..1e5eb3b 100644 ## ## ## -@@ -2131,19 +2782,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2773,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -42553,7 +43045,7 @@ index 3c5dba7..1e5eb3b 100644 ## ## ## -@@ -2151,12 +2800,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2791,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -42569,7 +43061,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -2393,11 +3042,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +3033,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` 
@@ -42584,7 +43076,7 @@ index 3c5dba7..1e5eb3b 100644 files_search_tmp($1) ') -@@ -2417,7 +3066,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3057,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -42593,7 +43085,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -2664,6 +3313,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3304,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -42619,7 +43111,7 @@ index 3c5dba7..1e5eb3b 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3348,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3339,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -42635,7 +43127,7 @@ index 3c5dba7..1e5eb3b 100644 ## ## ## -@@ -2707,7 +3376,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3367,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -42644,7 +43136,7 @@ index 3c5dba7..1e5eb3b 100644 ## ## ## -@@ -2715,14 +3384,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3375,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -42679,7 +43171,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -2817,6 +3502,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3493,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -42704,7 +43196,7 @@ index 3c5dba7..1e5eb3b 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3538,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3529,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## 
@@ -42747,7 +43239,7 @@ index 3c5dba7..1e5eb3b 100644 ## ## ## -@@ -2859,14 +3574,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3565,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -42785,7 +43277,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -2885,8 +3619,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3610,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -42815,7 +43307,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -2958,69 +3711,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3702,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -42916,7 +43408,7 @@ index 3c5dba7..1e5eb3b 100644 ## ## ## -@@ -3028,12 +3780,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3771,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -42931,7 +43423,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -3097,7 +3849,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3840,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -42940,7 +43432,7 @@ index 3c5dba7..1e5eb3b 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3865,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3856,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -42974,7 +43466,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -3217,7 +3953,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3944,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -43001,7 +43493,7 @@ index 3c5dba7..1e5eb3b 100644 ') ######################################## -@@ -3272,12 +4026,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,12 +4017,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -43017,42 +43509,90 @@ index 3c5dba7..1e5eb3b 100644 ## ## ## -@@ -3285,12 +4040,87 @@ interface(`userdom_write_user_tmp_files',` +@@ -3285,44 +4031,120 @@ interface(`userdom_write_user_tmp_files',` ## ## # -interface(`userdom_dontaudit_use_user_ttys',` +interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` +- type user_tty_device_t; ++ type user_tmp_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tmp_t:file write; + ') + + ######################################## + ## +-## Read the process state of all user domains. ++## Do not audit attempts to delete users ++## temporary files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_delete_user_tmp_files',` + gen_require(` +- attribute userdomain; ++ type user_tmp_t; + ') + +- read_files_pattern($1, userdomain, userdomain) +- kernel_search_proc($1) ++ dontaudit $1 user_tmp_t:file delete_file_perms; + ') + + ######################################## + ## +-## Get the attributes of all user domains. ++## Do not audit attempts to read/write users ++## temporary fifo files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`userdom_getattr_all_users',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:file write; ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Do not audit attempts to delete users -+## temporary files. ++## Allow domain to read/write inherited users ++## fifo files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## +# -+interface(`userdom_dontaudit_delete_user_tmp_files',` ++interface(`userdom_rw_inherited_user_pipes',` + gen_require(` -+ type user_tmp_t; ++ attribute userdomain; + ') + -+ dontaudit $1 user_tmp_t:file delete_file_perms; ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Do not audit attempts to read/write users -+## temporary fifo files. ++## Do not audit attempts to use user ttys. +## +## +## @@ -43060,18 +43600,17 @@ index 3c5dba7..1e5eb3b 100644 +## +## +# -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` ++interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` -+ type user_tmp_t; ++ type user_tty_device_t; + ') + -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; +') + +######################################## +## -+## Allow domain to read/write inherited users -+## fifo files. ++## Read the process state of all user domains. +## +## +## 
@@ -43079,43 +43618,31 @@ index 3c5dba7..1e5eb3b 100644 +## +## +# -+interface(`userdom_rw_inherited_user_pipes',` ++interface(`userdom_read_all_users_state',` + gen_require(` + attribute userdomain; + ') + -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ++ read_files_pattern($1, userdomain, userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) ++ kernel_search_proc($1) +') + +######################################## +## -+## Do not audit attempts to use user ttys. ++## Get the attributes of all user domains. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_getattr_all_users',` gen_require(` - type user_tty_device_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; - ') - - ######################################## -@@ -3309,6 +4139,7 @@ interface(`userdom_read_all_users_state',` + attribute userdomain; ') - - read_files_pattern($1, userdomain, userdomain) -+ read_lnk_files_pattern($1,userdomain,userdomain) - kernel_search_proc($1) - ') - -@@ -3385,6 +4216,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4207,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -43158,7 +43685,7 @@ index 3c5dba7..1e5eb3b 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4272,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4263,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -43183,7 +43710,32 @@ index 3c5dba7..1e5eb3b 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4323,1671 @@ interface(`userdom_dbus_send_all_users',` +@@ -3423,6 +4299,24 @@ interface(`userdom_create_all_users_keys',` + + ######################################## + ## ++## Manage keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_all_users_keys',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:key manage_key_perms; ++') ++ ++######################################## ++## + ## Send a dbus message to all user domains. + ## + ## +@@ -3438,4 +4332,1661 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -43312,6 +43864,7 @@ index 3c5dba7..1e5eb3b 100644 + type admin_home_t; + ') + ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir search_dir_perms; +') + @@ -43330,6 +43883,7 @@ index 3c5dba7..1e5eb3b 100644 + type admin_home_t; + ') + ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir list_dir_perms; +') + @@ -43348,6 +43902,7 @@ index 3c5dba7..1e5eb3b 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir list_dir_perms; +') + @@ -43366,8 +43921,9 @@ index 3c5dba7..1e5eb3b 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir search_dir_perms; -+') + ') + +######################################## +## @@ -43385,7 +43941,7 @@ index 3c5dba7..1e5eb3b 100644 + ') + + allow $1 unpriv_userdomain:sem rw_sem_perms; - ') ++') + +######################################## +## @@ -43460,6 +44016,7 @@ index 3c5dba7..1e5eb3b 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, admin_home_t, admin_home_t) +') + 
@@ -43479,6 +44036,7 @@ index 3c5dba7..1e5eb3b 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:file delete_file_perms; +') + @@ -43498,6 +44056,7 @@ index 3c5dba7..1e5eb3b 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + exec_files_pattern($1, admin_home_t, admin_home_t) +') + @@ -43646,6 +44205,7 @@ index 3c5dba7..1e5eb3b 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, admin_home_t, $2, $3, $4) +') + @@ -43687,25 +44247,6 @@ index 3c5dba7..1e5eb3b 100644 + +######################################## +## -+## Manage keys for all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_all_users_keys',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:key manage_key_perms; -+') -+ -+ -+######################################## -+## +## Do not audit attempts to read and write +## unserdomain stream. +## @@ -44166,6 +44707,7 @@ index 3c5dba7..1e5eb3b 100644 + type admin_home_t; + ') + ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:file read_file_perms; +') + @@ -44856,7 +45398,7 @@ index 3c5dba7..1e5eb3b 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..af7e095 100644 +index e2b538b..066ae4d 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5) 
@@ -44945,7 +45487,7 @@ index e2b538b..af7e095 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,379 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -45188,8 +45730,21 @@ index e2b538b..af7e095 100644 +# +gen_require(` + class context contains; ++ class passwd { passwd chfn chsh rootok }; +') + ++allow confined_admindomain self:capability ~{ sys_module audit_control audit_write }; ++allow confined_admindomain self:capability2 { block_suspend syslog }; ++allow confined_admindomain self:process { setexec setfscreate }; ++allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv; ++allow confined_admindomain self:tun_socket create_socket_perms; ++allow confined_admindomain self:packet_socket create_socket_perms; ++ ++# Set password information for other users. ++allow confined_admindomain self:passwd { passwd chfn chsh }; ++# Skip authentication when pam_rootok is specified. ++allow confined_admindomain self:passwd rootok; ++ +corecmd_shell_entry_type(confined_admindomain) +corecmd_bin_entry_type(confined_admindomain) + diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 210ca24..7461ae5 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -10045,10 +10045,10 @@ index 0000000..de66654 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..daceb19 +index 0000000..e49e117 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,64 @@ +policy_module(bumblebee, 1.0.0) + +######################################## 
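Review bot: The confined_admindomain block added in the last hunk of userdomain.te is presented as the relocation of the admin-template rules, but it widens two of them: `allow confined_admindomain self:tun_socket create_socket_perms;` replaces the template's `tun_socket create`, and `allow confined_admindomain self:packet_socket create_socket_perms;` had no counterpart in the old template. If only creation is needed, `allow confined_admindomain self:tun_socket create;` keeps the previous scope; otherwise a one-line comment naming the tool that needs the extra ioctl/read/write permissions would justify the change. The `gen_require` lists `class passwd { passwd chfn chsh rootok }`, which matches the two passwd rules here, but the `crontab` permission kept in the template is required elsewhere and is worth a cross-reference comment.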
@@ -10084,6 +10084,7 @@ index 0000000..daceb19 + +kernel_read_system_state(bumblebee_t) +kernel_dontaudit_access_check_proc(bumblebee_t) ++kernel_manage_debugfs(bumblebee_t) + +corecmd_exec_shell(bumblebee_t) +corecmd_exec_bin(bumblebee_t) @@ -10108,6 +10109,10 @@ index 0000000..daceb19 +optional_policy(` + apm_stream_connect(bumblebee_t) +') ++ ++optional_policy(` ++ unconfined_domain(bumblebee_t) ++') diff --git a/cachefilesd.fc b/cachefilesd.fc index 648c790..aa03fc8 100644 --- a/cachefilesd.fc @@ -10387,7 +10392,7 @@ index 581c8ef..2c71b1d 100644 + +init_sigchld_script(cachefiles_kernel_t) diff --git a/calamaris.if b/calamaris.if -index cd9c528..9de38c4 100644 +index cd9c528..ba793b7 100644 --- a/calamaris.if +++ b/calamaris.if @@ -42,7 +42,7 @@ interface(`calamaris_run',` @@ -10395,7 +10400,7 @@ index cd9c528..9de38c4 100644 ') - lightsquid_domtrans($1) -+ clamd_domtrans($1) ++ calamaris_domtrans($1) roleattribute $2 calamaris_roles; ') @@ -13090,10 +13095,10 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..dc0423c 100644 +index 6471fa8..3b69f43 100644 --- a/collectd.te +++ b/collectd.te -@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) +@@ -26,18 +26,27 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) @@ -13108,7 +13113,11 @@ index 6471fa8..dc0423c 100644 ######################################## # # Local policy -@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal }; + # + +-allow collectd_t self:capability { ipc_lock sys_nice }; ++allow collectd_t self:capability { ipc_lock net_admin sys_nice }; + allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; 
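Review bot: The `optional_policy(` unconfined_domain(bumblebee_t) ')` block appended to the new bumblebee.te makes every other rule in the module, including the `kernel_manage_debugfs(bumblebee_t)` added in the preceding hunk, irrelevant while the unconfined module is loaded, so bumblebee_t is confined in name only. If this is a stopgap for an immature module, `permissive bumblebee_t;` avoids breakage just as well while still logging denials that can be turned into targeted rules later; if unconfinement is intended, state why next to the call, e.g. `# bumblebee drives the proprietary GPU stack; confinement not yet feasible (TODO revisit)`. The policy_module header and the earlier rules of the file sit in the previous hunk.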
@@ -13126,13 +13135,13 @@ index 6471fa8..dc0423c 100644 +kernel_read_all_sysctls(collectd_t) +kernel_read_all_proc(collectd_t) +kernel_list_all_proc(collectd_t) -+ -+auth_getattr_passwd(collectd_t) -+auth_read_passwd(collectd_t) -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) -kernel_read_system_state(collectd_t) ++auth_getattr_passwd(collectd_t) ++auth_read_passwd(collectd_t) ++ +corenet_udp_bind_generic_node(collectd_t) +corenet_udp_bind_collectd_port(collectd_t) @@ -13154,10 +13163,14 @@ index 6471fa8..dc0423c 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +89,30 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` ++ mysql_stream_connect(collectd_t) ++') ++ ++optional_policy(` + netutils_domtrans_ping(collectd_t) +') + @@ -18020,7 +18033,7 @@ index 06da9a0..c7834c8 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..0663b64 100644 +index 9f34c2e..ae75cc4 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -18444,7 +18457,7 @@ index 9f34c2e..0663b64 100644 ') optional_policy(` -+ gnome_dontaudit_search_config(cupsd_config_t) ++ gnome_dontaudit_read_config(cupsd_config_t) +') + +optional_policy(` @@ -19189,7 +19202,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index afcf3a2..7574fa1 100644 +index afcf3a2..98a4fb7 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -19709,7 +19722,7 @@ index afcf3a2..7574fa1 100644 ## ## ## Type to be used as a domain. -@@ -396,81 +402,66 @@ interface(`dbus_manage_lib_files',` +@@ -396,81 +402,67 @@ interface(`dbus_manage_lib_files',` ## ## ## 
@@ -19734,6 +19747,7 @@ index afcf3a2..7574fa1 100644 + domain_entry_file($1, $2) + + domtrans_pattern(system_dbusd_t, $2, $1) ++ init_system_domain($1, $2) + + ps_process_pattern($1, system_dbusd_t) + @@ -19818,7 +19832,7 @@ index afcf3a2..7574fa1 100644 ## ## ## -@@ -478,18 +469,18 @@ interface(`dbus_spec_session_domain',` +@@ -478,18 +470,18 @@ interface(`dbus_spec_session_domain',` ## ## # @@ -19842,7 +19856,7 @@ index afcf3a2..7574fa1 100644 ## ## ## -@@ -497,98 +488,80 @@ interface(`dbus_connect_system_bus',` +@@ -497,98 +489,80 @@ interface(`dbus_connect_system_bus',` ## ## # @@ -19969,7 +19983,7 @@ index afcf3a2..7574fa1 100644 ## ## ## -@@ -596,28 +569,32 @@ interface(`dbus_use_system_bus_fds',` +@@ -596,28 +570,32 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -23576,7 +23590,7 @@ index c880070..4448055 100644 -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/dovecot.if b/dovecot.if -index dbcac59..66d42bb 100644 +index dbcac59..067c453 100644 --- a/dovecot.if +++ b/dovecot.if @@ -1,29 +1,49 @@ @@ -23703,8 +23717,29 @@ index dbcac59..66d42bb 100644 ## ## ## -@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -120,10 +136,29 @@ interface(`dovecot_write_inherited_tmp_files',` + allow $1 dovecot_tmp_t:file write; + ') ++#################################### ++## ++## Read dovecot configuration file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dovecot_read_config',` ++ gen_require(` ++ type dovecot_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t) ++') ++ ######################################## ## -## All of the rules required to @@ -23714,7 +23749,7 @@ index dbcac59..66d42bb 100644 ## ## ## -@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -132,21 +167,24 @@ interface(`dovecot_write_inherited_tmp_files',` ## ## ## 
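Review bot: `init_system_domain($1, $2)` added inside dbus_system_domain() changes the interface's contract — every caller's domain now also becomes a system domain that init/systemd can spawn from $2 — but the interface's description block, which starts before this hunk, still describes only the bus-activation transition from system_dbusd_t. The header should state both so callers do not pick this interface purely for bus activation: `## Domains created with this interface are also init system domains (init_system_domain), so the executable may be launched by init/systemd as well as by the system bus.` If an existing caller must not be init-launchable this is a behavioural change for it; the callers are not visible from here.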
@@ -23745,7 +23780,7 @@ index dbcac59..66d42bb 100644 init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) -@@ -156,20 +175,25 @@ interface(`dovecot_admin',` +@@ -156,20 +194,25 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, dovecot_etc_t) @@ -28065,7 +28100,7 @@ index e39de43..6a6db28 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..4155cd4 100644 +index d03fd43..394cbf1 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,157 @@ @@ -29552,7 +29587,7 @@ index d03fd43..4155cd4 100644 +# +interface(`gnome_create_home_config_dirs',` + gen_require(` -+ type cache_home_t; ++ type config_home_t; + ') + + allow $1 config_home_t:dir create_dir_perms; @@ -32629,7 +32664,7 @@ index 0000000..9278f85 + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..c6cf456 +index 0000000..deb738f --- /dev/null +++ b/ipa.if @@ -0,0 +1,21 @@ @@ -32647,7 +32682,7 @@ index 0000000..c6cf456 +# +interface(`ipa_domtrans_otpd',` + gen_require(` -+ type ipa_otpd_t, ipa_otpd_t_exec_t; ++ type ipa_otpd_t, ipa_otpd_exec_t; + ') + + corecmd_search_bin($1) @@ -32656,10 +32691,10 @@ index 0000000..c6cf456 + diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..02f7cfa +index 0000000..589066e --- /dev/null +++ b/ipa.te -@@ -0,0 +1,33 @@ +@@ -0,0 +1,38 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -32686,6 +32721,11 @@ index 0000000..02f7cfa + +corenet_tcp_connect_radius_port(ipa_otpd_t) + ++dev_read_urand(ipa_otpd_t) ++dev_read_rand(ipa_otpd_t) ++ ++sysnet_dns_name_resolve(ipa_otpd_t) ++ +optional_policy(` + dirsrv_stream_connect(ipa_otpd_t) +') 
@@ -35073,11 +35113,165 @@ index e7f5c81..8c75bc8 100644 +optional_policy(` + policykit_dbus_chat(kdumpgui_t) ') +diff --git a/keepalived.fc b/keepalived.fc +new file mode 100644 +index 0000000..7e6f8be +--- /dev/null ++++ b/keepalived.fc +@@ -0,0 +1,5 @@ ++/usr/lib/systemd/system/keepalived.* -- gen_context(system_u:object_r:keepalived_unit_file_t,s0) ++ ++/usr/sbin/keepalived -- gen_context(system_u:object_r:keepalived_exec_t,s0) ++ ++/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0) +diff --git a/keepalived.if b/keepalived.if +new file mode 100644 +index 0000000..0d61849 +--- /dev/null ++++ b/keepalived.if +@@ -0,0 +1,84 @@ ++ ++## keepalived - load-balancing and high-availability service ++ ++######################################## ++## ++## Execute keepalived in the keepalived domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`keepalived_domtrans',` ++ gen_require(` ++ type keepalived_t, keepalived_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, keepalived_exec_t, keepalived_t) ++') ++######################################## ++## ++## Execute keepalived server in the keepalived domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`keepalived_systemctl',` ++ gen_require(` ++ type keepalived_t; ++ type keepalived_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 keepalived_unit_file_t:file read_file_perms; ++ allow $1 keepalived_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, keepalived_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an keepalived environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`keepalived_admin',` ++ gen_require(` ++ type keepalived_t; ++ type keepalived_unit_file_t; ++ ') ++ ++ allow $1 keepalived_t:process { signal_perms }; ++ ps_process_pattern($1, keepalived_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 keepalived_t:process ptrace; ++ ') ++ ++ keepalived_systemctl($1) ++ admin_pattern($1, keepalived_unit_file_t) ++ allow $1 keepalived_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/keepalived.te b/keepalived.te +new file mode 100644 +index 0000000..535f79b +--- /dev/null ++++ b/keepalived.te +@@ -0,0 +1,47 @@ ++policy_module(keepalived, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type keepalived_t; ++type keepalived_exec_t; ++init_daemon_domain(keepalived_t, keepalived_exec_t) ++ ++type keepalived_unit_file_t; ++systemd_unit_file(keepalived_unit_file_t) ++ ++type keepalived_var_run_t; ++files_pid_file(keepalived_var_run_t) ++ ++######################################## ++# ++# keepalived local policy ++# ++allow keepalived_t self:capability { net_admin net_raw }; ++allow keepalived_t self:process { signal_perms }; ++allow keepalived_t self:netlink_socket create_socket_perms; ++allow keepalived_t self:netlink_route_socket nlmsg_write; ++allow keepalived_t self:packet_socket create_socket_perms; ++allow keepalived_t self:rawip_socket create_socket_perms; ++ ++ ++manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t) ++files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file }) ++ ++kernel_read_system_state(keepalived_t) ++kernel_read_network_state(keepalived_t) ++ ++auth_use_nsswitch(keepalived_t) ++ ++corenet_tcp_connect_connlcli_port(keepalived_t) ++corenet_tcp_connect_http_port(keepalived_t) ++corenet_tcp_connect_smtp_port(keepalived_t) ++ ++dev_read_urand(keepalived_t) ++ ++modutils_domtrans_insmod(keepalived_t) ++ 
++logging_send_syslog_msg(keepalived_t) ++ diff --git a/kerberos.fc b/kerberos.fc -index 4fe75fd..8c702c9 100644 +index 4fe75fd..b029c28 100644 --- a/kerberos.fc +++ b/kerberos.fc -@@ -1,52 +1,44 @@ +@@ -1,52 +1,46 @@ -HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) 
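Review bot: `modutils_domtrans_insmod(keepalived_t)` in the new keepalived.te lets a daemon that holds raw IP and packet sockets transition into the module-loading domain, and no comment says which module it needs (ip_vs for the IPVS path is the usual reason, but that is an inference). A why-comment such as `# insmod transition: keepalived loads ip_vs at startup when virtual servers are configured — confirm` keeps later reviewers from widening it further. In keepalived.if, `keepalived_admin` documents a second parameter ("Role allowed access") that the body never uses, so either drop that parameter description or add the role rule, and the summary of `keepalived_domtrans` misspells `domain` as `domin`. Finally, `allow keepalived_t self:netlink_route_socket nlmsg_write;` grants write on the route socket without create or read permissions on that class; if the daemon opens its own route socket this is probably incomplete and `rw_netlink_socket_perms` would be the usual form — check the denials rather than guess.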
@@ -35111,25 +35305,33 @@ index 4fe75fd..8c702c9 100644 -/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -- ++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + -/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -- ++/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) + -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -- ++/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) ++/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) + -/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -- ++/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0) + -/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/var/kerberos/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) +-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) - /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) - -/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) @@ -35144,13 +35346,6 @@ index 4fe75fd..8c702c9 100644 -/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+ -+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) -+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) -+ -+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+ +/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) @@ -35161,7 +35356,7 @@ index 4fe75fd..8c702c9 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f9de9fc..11e6268 100644 +index f9de9fc..11504e6 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ 
@@ -35487,16 +35682,20 @@ index f9de9fc..11e6268 100644 ## ## ## -@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',` +@@ -354,21 +255,21 @@ interface(`kerberos_etc_filetrans_keytab',` ## # template(`kerberos_keytab_template',` -- ++ gen_require(` ++ attribute kerberos_keytab_domain; ++ ') + - ######################################## - # - # Declarations - # -- ++ typeattribute $2 kerberos_keytab_domain; + type $1_keytab_t; files_type($1_keytab_t) @@ -35514,7 +35713,7 @@ index f9de9fc..11e6268 100644 kerberos_read_keytab($2) kerberos_use($2) -@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',` +@@ -376,7 +277,7 @@ template(`kerberos_keytab_template',` ######################################## ## @@ -35523,7 +35722,7 @@ index f9de9fc..11e6268 100644 ## ## ## -@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',` +@@ -396,8 +297,7 @@ interface(`kerberos_read_kdc_config',` ######################################## ## @@ -35533,7 +35732,7 @@ index f9de9fc..11e6268 100644 ## ## ## -@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',` +@@ -411,34 +311,99 @@ interface(`kerberos_manage_host_rcache',` type krb5_host_rcache_t; ') @@ -35573,8 +35772,7 @@ index f9de9fc..11e6268 100644 ## -## +## - ## --## Class of the object being created. ++## +## The role to be allowed to manage the kerberos domain. +## +## @@ -35636,12 +35834,13 @@ index f9de9fc..11e6268 100644 +## to the krb5_host_rcache type. +## +## -+## + ## +-## Class of the object being created. +## Domain allowed access. ## ## ## -@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` +@@ -452,12 +417,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` type krb5_host_rcache_t; ') @@ -35657,7 +35856,7 @@ index f9de9fc..11e6268 100644 ## ## ## -@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` +@@ -465,82 +431,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` ## ## # 
@@ -35798,7 +35997,7 @@ index f9de9fc..11e6268 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 3465a9a..15b3d6d 100644 +index 3465a9a..cf08ae1 100644 --- a/kerberos.te +++ b/kerberos.te @@ -1,4 +1,4 @@ @@ -35807,7 +36006,7 @@ index 3465a9a..15b3d6d 100644 ######################################## # -@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7) +@@ -6,11 +6,13 @@ policy_module(kerberos, 1.11.7) # ## @@ -35820,10 +36019,12 @@ index 3465a9a..15b3d6d 100644 ## -gen_tunable(allow_kerberos, false) +gen_tunable(kerberos_enabled, false) ++ ++attribute kerberos_keytab_domain; type kadmind_t; type kadmind_exec_t; -@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) +@@ -35,23 +37,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) domain_obj_id_change_exemption(kpropd_t) type krb5_conf_t; @@ -35849,13 +36050,13 @@ index 3465a9a..15b3d6d 100644 type krb5kdc_lock_t; -files_type(krb5kdc_lock_t) +files_lock_file(krb5kdc_lock_t) - + + +# types for KDC principal file(s) type krb5kdc_principal_t; files_type(krb5kdc_principal_t) -@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t) +@@ -74,28 +80,31 @@ files_pid_file(krb5kdc_var_run_t) # kadmind local policy # @@ -35893,7 +36094,7 @@ index 3465a9a..15b3d6d 100644 manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) -@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) +@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) 
@@ -35912,7 +36113,7 @@ index 3465a9a..15b3d6d 100644 corenet_all_recvfrom_netlabel(kadmind_t) corenet_tcp_sendrecv_generic_if(kadmind_t) corenet_udp_sendrecv_generic_if(kadmind_t) -@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) +@@ -119,31 +130,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) corenet_udp_sendrecv_all_ports(kadmind_t) corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) @@ -35959,7 +36160,7 @@ index 3465a9a..15b3d6d 100644 sysnet_use_ldap(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -@@ -154,11 +173,16 @@ optional_policy(` +@@ -154,11 +175,16 @@ optional_policy(` ') optional_policy(` @@ -35976,7 +36177,7 @@ index 3465a9a..15b3d6d 100644 ') optional_policy(` -@@ -174,24 +198,27 @@ optional_policy(` +@@ -174,24 +200,27 @@ optional_policy(` # Krb5kdc local policy # @@ -36008,12 +36209,17 @@ index 3465a9a..15b3d6d 100644 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -203,54 +230,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) - manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) - files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) +@@ -201,56 +230,57 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) + files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) --can_exec(krb5kdc_t, krb5kdc_exec_t) + manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) +-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) - +-can_exec(krb5kdc_t, krb5kdc_exec_t) ++manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) ++manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) ++files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file }) + kernel_read_system_state(krb5kdc_t) kernel_read_kernel_sysctls(krb5kdc_t) +kernel_list_proc(krb5kdc_t) 
@@ -36074,7 +36280,7 @@ index 3465a9a..15b3d6d 100644 sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -@@ -261,11 +287,11 @@ optional_policy(` +@@ -261,11 +291,11 @@ optional_policy(` ') optional_policy(` @@ -36088,7 +36294,7 @@ index 3465a9a..15b3d6d 100644 ') optional_policy(` -@@ -273,6 +299,10 @@ optional_policy(` +@@ -273,6 +303,10 @@ optional_policy(` ') optional_policy(` @@ -36099,7 +36305,7 @@ index 3465a9a..15b3d6d 100644 udev_read_db(krb5kdc_t) ') -@@ -281,10 +311,12 @@ optional_policy(` +@@ -281,10 +315,12 @@ optional_policy(` # kpropd local policy # @@ -36115,7 +36321,7 @@ index 3465a9a..15b3d6d 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,26 +335,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -303,26 +339,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) @@ -44986,7 +45192,7 @@ index f42896c..cb2791a 100644 -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..26c97cd 100644 +index ed81cac..e968c28 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -46095,7 +46301,7 @@ index ed81cac..26c97cd 100644 + type etc_mail_t; + ') + -+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file }) ++ #filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file }) + mta_etc_filetrans_aliases($1, "aliases") + mta_etc_filetrans_aliases($1, "aliases.db") + mta_etc_filetrans_aliases($1, "aliasesdb-stamp") @@ -46103,7 +46309,7 @@ index ed81cac..26c97cd 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..5979160 100644 +index afd2fad..b995f01 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ 
@@ -46300,15 +46506,15 @@ index afd2fad..5979160 100644 init_use_script_ptys(system_mail_t) +init_dontaudit_rw_stream_socket(system_mail_t) - --userdom_use_user_terminals(system_mail_t) ++ +userdom_use_inherited_user_terminals(system_mail_t) +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) + +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) -+ + +-userdom_use_user_terminals(system_mail_t) +allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) + @@ -46528,7 +46734,18 @@ index afd2fad..5979160 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -387,24 +282,177 @@ optional_policy(` +@@ -378,6 +273,10 @@ optional_policy(` + ') + + optional_policy(` ++ pcp_read_lib_files(mailserver_delivery) ++') ++ ++optional_policy(` + postfix_rw_inherited_master_pipes(mailserver_delivery) + ') + +@@ -387,24 +286,177 @@ optional_policy(` ######################################## # @@ -53722,7 +53939,7 @@ index 379af96..41ff159 100644 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) diff --git a/nut.if b/nut.if -index 57c0161..54bd4d7 100644 +index 57c0161..dae3360 100644 --- a/nut.if +++ b/nut.if @@ -1,39 +1,24 @@ @@ -53778,7 +53995,7 @@ index 57c0161..54bd4d7 100644 - files_search_pids($1) - admin_pattern($1, nut_var_run_t) -+ ps_process_pattern($1, swift_t) ++ ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te index 0c9deb7..76988d6 100644 @@ -55691,16 +55908,24 @@ index 0000000..9451b83 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..3c4beaf +index 0000000..e13b578 --- /dev/null 
+++ b/openshift.te -@@ -0,0 +1,558 @@ +@@ -0,0 +1,573 @@ +policy_module(openshift,1.0.0) + +gen_require(` + role system_r; +') + ++## ++##

++## Allow openshift to access nfs file systems without labels ++##

++##
++gen_tunable(openshift_use_nfs, false) ++ ++ +######################################## +# +# Declarations @@ -56253,6 +56478,13 @@ index 0000000..3c4beaf + ssh_dontaudit_read_server_keys(openshift_cron_t) +') + ++tunable_policy(`openshift_use_nfs',` ++ fs_list_auto_mountpoints(openshift_domain) ++ fs_manage_nfs_dirs(openshift_domain) ++ fs_manage_nfs_files(openshift_domain) ++ fs_manage_nfs_symlinks(openshift_domain) ++ fs_exec_nfs_files(openshift_domain) ++') diff --git a/opensm.fc b/opensm.fc new file mode 100644 index 0000000..51650fa @@ -57084,7 +57316,7 @@ index 9b15730..eedd136 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 508fedf..dd3be82 100644 +index 508fedf..452ad74 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ @@ -57107,7 +57339,7 @@ index 508fedf..dd3be82 100644 type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) -@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t) +@@ -21,23 +18,34 @@ files_type(openvswitch_var_lib_t) type openvswitch_log_t; logging_log_file(openvswitch_log_t) @@ -57135,6 +57367,7 @@ index 508fedf..dd3be82 100644 -allow openvswitch_t self:rawip_socket create_socket_perms; -allow openvswitch_t self:unix_stream_socket { accept connectto listen }; +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow openvswitch_t self:tcp_socket create_stream_socket_perms; +allow openvswitch_t self:netlink_socket create_socket_perms; +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; 
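Review bot: The tunable_policy block added for openshift_use_nfs grants `fs_exec_nfs_files(openshift_domain)` in addition to manage/list, but the boolean's description in the earlier hunk only says "access nfs file systems without labels", and that description is what administrators read when deciding to flip it. Executing unlabeled NFS content is a larger step than reading or writing it (any file an NFS server presents becomes runnable in every openshift domain), so the description should name it: `## Allow openshift domains to read, write and execute files on NFS filesystems, which carry no SELinux labels`. The description also appears split across several lines here, which looks like rendering of the XML markup rather than a defect in the patch.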
@@ -57149,7 +57382,7 @@ index 508fedf..dd3be82 100644 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -@@ -45,45 +52,55 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l +@@ -45,45 +53,57 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) @@ -57182,6 +57415,8 @@ index 508fedf..dd3be82 100644 -corenet_raw_sendrecv_generic_if(openvswitch_t) -corenet_raw_sendrecv_generic_node(openvswitch_t) +corenet_tcp_connect_openflow_port(openvswitch_t) ++corenet_tcp_bind_generic_node(openvswitch_t) ++corenet_tcp_bind_openvswitch_port(openvswitch_t) corecmd_exec_bin(openvswitch_t) +corecmd_exec_shell(openvswitch_t) @@ -58473,10 +58708,10 @@ index 0000000..9b8cb6b +/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0) diff --git a/pcp.if b/pcp.if new file mode 100644 -index 0000000..4f074cb +index 0000000..ba24b40 --- /dev/null +++ b/pcp.if -@@ -0,0 +1,100 @@ +@@ -0,0 +1,139 @@ +## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation + +###################################### @@ -58504,6 +58739,24 @@ index 0000000..4f074cb + +') + ++###################################### ++## ++## Allow domain to read pcp lib files ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++interface(`pcp_read_lib_files',` ++ gen_require(` ++ type pcp_var_lib_t; ++ ') ++ libs_search_lib($1) ++ read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t) ++') ++ +######################################## +## +## All of the rules required to administrate 
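Review bot: The parameter description in the new pcp_read_lib_files() interface says `Prefix for the domain.` although the interface takes a domain (`read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)`), so it should read `## Domain allowed access.` like the neighbouring interfaces. It also searches with `libs_search_lib($1)` (the /usr/lib tree) rather than `files_search_var_lib($1)`; if pcp_var_lib_t labels content under /var/lib, as the type name suggests, callers will be denied the directory search on the way to the files — the .fc entries for that type are outside this hunk, so check them. Minor: the pattern call lacks the spaces after commas used elsewhere in the file.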
@@ -58577,12 +58830,33 @@ index 0000000..4f074cb + corecmd_search_bin($1) + can_exec($1, pcp_pmie_exec_t) +') ++ ++######################################## ++## ++## Allow the specified domain to execute pcp_pmlogger ++## in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pcp_pmlogger_exec',` ++ gen_require(` ++ type pcp_pmlogger_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, pcp_pmlogger_exec_t) ++') ++ diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..8ec3a48 +index 0000000..d21c5d7 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,164 @@ +@@ -0,0 +1,192 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -58648,6 +58922,8 @@ index 0000000..8ec3a48 + +dev_read_urand(pcp_domain) + ++files_read_etc_files(pcp_domain) ++ +fs_getattr_all_fs(pcp_domain) + +auth_read_passwd(pcp_domain) @@ -58665,6 +58941,8 @@ index 0000000..8ec3a48 +allow pcp_pmcd_t self:netlink_route_socket create_socket_perms; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;; + ++auth_use_nsswitch(pcp_pmcd_t) ++ +kernel_read_network_state(pcp_pmcd_t) +kernel_read_system_state(pcp_pmcd_t) +kernel_read_state(pcp_pmcd_t) @@ -58686,9 +58964,9 @@ index 0000000..8ec3a48 +fs_getattr_all_dirs(pcp_pmcd_t) +fs_list_cgroup_dirs(pcp_pmcd_t) + -+storage_getattr_fixed_disk_dev(pcp_pmcd_t) ++logging_send_syslog_msg(pcp_pmcd_t) + -+auth_use_nsswitch(pcp_pmcd_t) ++storage_getattr_fixed_disk_dev(pcp_pmcd_t) + +optional_policy(` + dbus_system_bus_client(pcp_pmcd_t) @@ -58705,9 +58983,12 @@ index 0000000..8ec3a48 + +allow pcp_pmproxy_t self:process setsched; +allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms; ++allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms; + +auth_use_nsswitch(pcp_pmproxy_t) + ++logging_send_syslog_msg(pcp_pmproxy_t) ++ +######################################## +# +# pcp_pmwebd local policy 
@@ -58721,21 +59002,27 @@ index 0000000..8ec3a48 +# + +allow pcp_pmmgr_t self:process { setpgid }; -+ ++allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms; +allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto; + +kernel_read_system_state(pcp_pmmgr_t) + ++auth_use_nsswitch(pcp_pmmgr_t) ++ +corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t) + ++corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t) ++corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t) ++ +corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t) + +corecmd_exec_bin(pcp_pmmgr_t) + -+auth_use_nsswitch(pcp_pmmgr_t) ++logging_send_syslog_msg(pcp_pmmgr_t) + +optional_policy(` + pcp_pmie_exec(pcp_pmmgr_t) ++ pcp_pmlogger_exec(pcp_pmmgr_t) +') + +######################################## @@ -58747,6 +59034,21 @@ index 0000000..8ec3a48 + +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto; + ++corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t) ++ ++######################################## ++# ++# pcp_pmlogger local policy ++# ++ ++allow pcp_pmlogger_t self:process setpgid; ++allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read }; ++ ++allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto; ++ ++corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t) ++corenet_tcp_bind_generic_node(pcp_pmlogger_t) ++ diff --git a/pcscd.if b/pcscd.if index 43d50f9..7f77d32 100644 --- a/pcscd.if @@ -58761,7 +59063,7 @@ index 43d50f9..7f77d32 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 96db654..6d3feb9 100644 +index 96db654..a958595 100644 --- a/pcscd.te +++ b/pcscd.te @@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") 
@@ -58787,7 +59089,14 @@ index 96db654..6d3feb9 100644 corenet_all_recvfrom_netlabel(pcscd_t) corenet_tcp_sendrecv_generic_if(pcscd_t) corenet_tcp_sendrecv_generic_node(pcscd_t) -@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t) +@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) + corenet_tcp_connect_http_port(pcscd_t) + corenet_tcp_sendrecv_http_port(pcscd_t) + ++domain_read_all_domains_state(pcscd_t) ++ + dev_rw_generic_usb_dev(pcscd_t) + dev_rw_smartcard(pcscd_t) dev_rw_usbfs(pcscd_t) dev_read_sysfs(pcscd_t) @@ -58795,7 +59104,7 @@ index 96db654..6d3feb9 100644 files_read_etc_runtime_files(pcscd_t) term_use_unallocated_ttys(pcscd_t) -@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t) +@@ -60,16 +61,22 @@ locallogin_use_fds(pcscd_t) logging_send_syslog_msg(pcscd_t) @@ -58803,8 +59112,24 @@ index 96db654..6d3feb9 100644 - sysnet_dns_name_resolve(pcscd_t) ++userdom_read_all_users_state(pcscd_t) ++ optional_policy(` -@@ -85,3 +82,7 @@ optional_policy(` + dbus_system_bus_client(pcscd_t) + + optional_policy(` + hal_dbus_chat(pcscd_t) + ') ++ ++ optional_policy(` ++ policykit_dbus_chat(pcscd_t) ++ policykit_dbus_chat_auth(pcscd_t) ++ ') ++ + ') + + optional_policy(` +@@ -85,3 +92,7 @@ optional_policy(` optional_policy(` udev_read_db(pcscd_t) ') @@ -58958,7 +59283,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..a8401a8 100644 +index 7bcf327..8ad2a04 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -58982,7 +59307,7 @@ index 7bcf327..a8401a8 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,304 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,316 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) 
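Review bot: `domain_read_all_domains_state(pcscd_t)` and `userdom_read_all_users_state(pcscd_t)` give the smartcard daemon read access to the /proc state of every process on the system, and nothing in the hunks says what pcscd reads there. If this is about identifying the client on the other end of its socket (a guess — possibly for the polkit authorization added in the same change), a narrower interface or at least a comment is warranted: `# pcscd inspects its client processes for polkit authorization — confirm which /proc files are needed`. The pcscd local-policy block starts before these hunks.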
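Review bot: `dev_read_raw_memory(pegasus_openlmi_storage_t)` in the pegasus.te hunk allows the OpenLMI storage provider to read the raw memory device nodes (/dev/mem and friends), exposing physical memory to the extent CONFIG_STRICT_DEVMEM permits, in a domain that already has raw read and write on fixed disks. That is a large grant for a storage-inventory provider and deserves a comment naming the consumer; if it turns out to be a library probing for BIOS/SMBIOS tables, the sysfs DMI export is usually sufficient and far narrower. Something like `# raw memory read: hardware probing by the storage provider (which tool?) — prefer the sysfs/DMI path if it suffices` would make the intent reviewable. The storage provider's policy block continues on both sides of the hunk.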
@@ -59160,6 +59485,7 @@ index 7bcf327..a8401a8 100644 +# pegasus openlmi service local policy +# + ++init_manage_transient_unit(pegasus_openlmi_admin_t) +init_disable_services(pegasus_openlmi_admin_t) +init_enable_services(pegasus_openlmi_admin_t) +init_reload_services(pegasus_openlmi_admin_t) @@ -59180,7 +59506,7 @@ index 7bcf327..a8401a8 100644 +') + +optional_policy(` -+ sssd_search_lib(pegasus_openlmi_admin_t) ++ sssd_stream_connect(pegasus_openlmi_admin_t) +') + +###################################### @@ -59206,9 +59532,11 @@ index 7bcf327..a8401a8 100644 +files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage") + +kernel_read_all_sysctls(pegasus_openlmi_storage_t) ++kernel_read_network_state(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) +kernel_request_load_module(pegasus_openlmi_storage_t) + ++dev_read_raw_memory(pegasus_openlmi_storage_t) +dev_read_rand(pegasus_openlmi_storage_t) +dev_read_urand(pegasus_openlmi_storage_t) + @@ -59220,6 +59548,7 @@ index 7bcf327..a8401a8 100644 +seutil_read_file_contexts(pegasus_openlmi_storage_t) + +storage_raw_read_removable_device(pegasus_openlmi_storage_t) ++storage_raw_write_removable_device(pegasus_openlmi_storage_t) +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) + @@ -59232,6 +59561,8 @@ index 7bcf327..a8401a8 100644 +udev_domtrans(pegasus_openlmi_storage_t) +udev_read_pid_files(pegasus_openlmi_storage_t) + ++init_read_state(pegasus_openlmi_storage_t) ++ +miscfiles_read_hwdata(pegasus_openlmi_storage_t) + +optional_policy(` 
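Review bot: `dev_read_raw_memory(pegasus_openlmi_storage_t)` in the third pegasus.te hunk on this line grants the storage provider read access to /dev/mem, i.e. raw physical memory, which is a far larger surface than the DMI tables the changelog says lscpu wants. The rule carries no comment; at minimum add `# lscpu reads DMI/SMBIOS tables via /dev/mem on kernels without /sys/firmware/dmi` above it, and check whether the sysfs DMI path already satisfies lscpu on the targeted kernels so the raw-memory grant can be dropped (hedged: which path lscpu takes is not visible here). The neighbouring `storage_raw_write_removable_device` and `init_read_state` additions look in scope for a storage provider and need no change.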
@@ -59244,10 +59575,16 @@ index 7bcf327..a8401a8 100644 + +optional_policy(` + iscsi_manage_lock(pegasus_openlmi_storage_t) ++ iscsi_read_lib_files(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` ++ libs_exec_ldconfig(pegasus_openlmi_storage_t) +') + +optional_policy(` + lvm_domtrans(pegasus_openlmi_storage_t) ++ lvm_read_metadata(pegasus_openlmi_storage_t) +') + +optional_policy(` @@ -59292,7 +59629,7 @@ index 7bcf327..a8401a8 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +337,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +349,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -59323,7 +59660,7 @@ index 7bcf327..a8401a8 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +363,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +375,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -59356,7 +59693,7 @@ index 7bcf327..a8401a8 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +391,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +403,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -59368,7 +59705,7 @@ index 7bcf327..a8401a8 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +407,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +419,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) 
@@ -59404,7 +59741,7 @@ index 7bcf327..a8401a8 100644 ') optional_policy(` -@@ -151,16 +441,24 @@ optional_policy(` +@@ -151,16 +453,24 @@ optional_policy(` ') optional_policy(` @@ -59433,7 +59770,7 @@ index 7bcf327..a8401a8 100644 ') optional_policy(` -@@ -168,7 +466,7 @@ optional_policy(` +@@ -168,7 +478,7 @@ optional_policy(` ') optional_policy(` @@ -66823,7 +67160,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index d447152..2f0ae78 100644 +index d447152..f3e6fbf 100644 --- a/procmail.te +++ b/procmail.te @@ -1,4 +1,4 @@ @@ -66858,7 +67195,7 @@ index d447152..2f0ae78 100644 allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,89 +44,107 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) +@@ -40,89 +44,108 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) @@ -66965,6 +67302,7 @@ index d447152..2f0ae78 100644 optional_policy(` - cyrus_stream_connect(procmail_t) + dovecot_stream_connect(procmail_t) ++ dovecot_read_config(procmail_t) ') optional_policy(` @@ -67003,16 +67341,17 @@ index d447152..2f0ae78 100644 ') optional_policy(` -@@ -131,6 +153,8 @@ optional_policy(` +@@ -131,6 +154,9 @@ optional_policy(` ') optional_policy(` + mta_read_config(procmail_t) ++ mta_mailserver_delivery(procmail_t) + mta_manage_home_rw(procmail_t) sendmail_domtrans(procmail_t) sendmail_signal(procmail_t) sendmail_dontaudit_rw_tcp_sockets(procmail_t) -@@ -145,3 +169,8 @@ optional_policy(` +@@ -145,3 +171,8 @@ optional_policy(` spamassassin_domtrans_client(procmail_t) spamassassin_read_lib_files(procmail_t) ') 
@@ -74297,16 +74636,15 @@ index 0000000..638d6b4 +/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) diff --git a/redis.if b/redis.if new file mode 100644 -index 0000000..72a2d7b +index 0000000..2640ab5 --- /dev/null +++ b/redis.if -@@ -0,0 +1,271 @@ -+ -+## redis-server SELinux policy +@@ -0,0 +1,266 @@ ++## Advanced key-value store + +######################################## +## -+## Execute TEMPLATE in the redis domin. ++## Execute redis server in the redis domin. +## +## +## @@ -74340,6 +74678,7 @@ index 0000000..72a2d7b + + init_labeled_script_domtrans($1, redis_initrc_exec_t) +') ++ +######################################## +## +## Read redis's log files. @@ -74349,7 +74688,6 @@ index 0000000..72a2d7b +## Domain allowed access. +## +## -+## +# +interface(`redis_read_log',` + gen_require(` @@ -74512,14 +74850,13 @@ index 0000000..72a2d7b + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 redis_unit_file_t:file read_file_perms; + allow $1 redis_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, redis_t) +') + -+ +######################################## +## +## All of the rules required to administrate @@ -74539,18 +74876,14 @@ index 0000000..72a2d7b +# +interface(`redis_admin',` + gen_require(` -+ type redis_t; -+ type redis_initrc_exec_t; -+ type redis_log_t; -+ type redis_var_lib_t; -+ type redis_var_run_t; -+ type redis_unit_file_t; ++ type redis_t, redis_initrc_exec_t, redis_var_lib_t; ++ type redis_log_t, redis_var_run_t, redis_unit_file_t; + ') + + allow $1 redis_t:process { ptrace signal_perms }; + ps_process_pattern($1, redis_t) + -+ redis_initrc_domtrans($1) ++ init_labeled_script_domtrans($1, redis_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 redis_initrc_exec_t system_r; + allow $2 system_r; 
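Review bot: The reworked `redis_admin` interface still grants `allow $1 redis_t:process { ptrace signal_perms };` unconditionally, whereas the `vmtools_admin` interface added further down this commit gates ptrace behind `tunable_policy(`deny_ptrace`,`',` ... ')`; the two admin interfaces should follow the same pattern. Since the hunk already rewrites the surrounding gen_require and replaces `redis_initrc_domtrans($1)` with `init_labeled_script_domtrans($1, redis_initrc_exec_t)`, moving ptrace under the same tunable here would keep the admin interfaces consistent, e.g. `allow $1 redis_t:process signal_perms;` followed by the tunable block. The tail of `redis_admin` continues on the next line.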
@@ -74567,6 +74900,7 @@ index 0000000..72a2d7b + redis_systemctl($1) + admin_pattern($1, redis_unit_file_t) + allow $1 redis_unit_file_t:service all_service_perms; ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) @@ -82583,7 +82917,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..ded3288 100644 +index 57c034b..3ac0bb1 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -82962,7 +83296,7 @@ index 57c034b..ded3288 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -315,43 +328,33 @@ kernel_read_kernel_sysctls(smbd_t) +@@ -315,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) @@ -83013,11 +83347,11 @@ index 57c034b..ded3288 100644 -files_dontaudit_getattr_all_dirs(smbd_t) -files_dontaudit_list_all_mountpoints(smbd_t) -files_list_mnt(smbd_t) -- ++domain_dontaudit_signull_all_domains(smbd_t) + fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) - fs_get_xattr_fs_quotas(smbd_t) -@@ -360,44 +363,55 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -360,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -83084,7 +83418,7 @@ index 57c034b..ded3288 100644 ') tunable_policy(`samba_domain_controller',` -@@ -413,20 +427,10 @@ tunable_policy(`samba_domain_controller',` +@@ -413,20 +429,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -83107,7 +83441,7 @@ index 57c034b..ded3288 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -435,6 +439,7 @@ tunable_policy(`samba_share_nfs',` +@@ -435,6 +441,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') 
@@ -83115,7 +83449,7 @@ index 57c034b..ded3288 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -442,17 +447,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -442,17 +449,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -83133,7 +83467,7 @@ index 57c034b..ded3288 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -460,6 +454,7 @@ optional_policy(` +@@ -460,6 +456,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -83141,7 +83475,7 @@ index 57c034b..ded3288 100644 ') optional_policy(` -@@ -473,6 +468,11 @@ optional_policy(` +@@ -473,6 +470,11 @@ optional_policy(` ') optional_policy(` @@ -83153,7 +83487,7 @@ index 57c034b..ded3288 100644 lpd_exec_lpr(smbd_t) ') -@@ -482,6 +482,10 @@ optional_policy(` +@@ -482,6 +484,10 @@ optional_policy(` ') optional_policy(` @@ -83164,7 +83498,7 @@ index 57c034b..ded3288 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -493,9 +497,33 @@ optional_policy(` +@@ -493,9 +499,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -83199,7 +83533,7 @@ index 57c034b..ded3288 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +534,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +536,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -83214,7 +83548,7 @@ index 57c034b..ded3288 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +550,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +552,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) 
@@ -83238,7 +83572,7 @@ index 57c034b..ded3288 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +567,42 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +569,42 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -83305,7 +83639,7 @@ index 57c034b..ded3288 100644 ') optional_policy(` -@@ -600,19 +615,26 @@ optional_policy(` +@@ -600,19 +617,26 @@ optional_policy(` ######################################## # @@ -83337,7 +83671,7 @@ index 57c034b..ded3288 100644 samba_search_var(smbcontrol_t) samba_read_winbind_pid(smbcontrol_t) -@@ -620,16 +642,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +644,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -83355,7 +83689,7 @@ index 57c034b..ded3288 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +655,23 @@ optional_policy(` +@@ -637,22 +657,23 @@ optional_policy(` ######################################## # @@ -83387,7 +83721,7 @@ index 57c034b..ded3288 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +680,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +682,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -83423,7 +83757,7 @@ index 57c034b..ded3288 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +707,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +709,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) 
@@ -83515,7 +83849,7 @@ index 57c034b..ded3288 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +786,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +788,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -83539,7 +83873,7 @@ index 57c034b..ded3288 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +800,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +802,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -83582,7 +83916,7 @@ index 57c034b..ded3288 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +830,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +832,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -83596,7 +83930,7 @@ index 57c034b..ded3288 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +854,19 @@ optional_policy(` +@@ -834,16 +856,19 @@ optional_policy(` # allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; @@ -83620,7 +83954,7 @@ index 57c034b..ded3288 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +876,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +878,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) 
@@ -83631,7 +83965,7 @@ index 57c034b..ded3288 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +887,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +889,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -83661,7 +83995,7 @@ index 57c034b..ded3288 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +910,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +912,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -83682,7 +84016,7 @@ index 57c034b..ded3288 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +928,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +930,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -83693,7 +84027,7 @@ index 57c034b..ded3288 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +936,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +938,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -83735,7 +84069,7 @@ index 57c034b..ded3288 100644 ') optional_policy(` -@@ -952,31 +984,29 @@ optional_policy(` +@@ -952,31 +986,29 @@ optional_policy(` # Winbind helper local policy # @@ -83773,7 +84107,7 @@ index 57c034b..ded3288 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1020,38 @@ optional_policy(` +@@ -990,25 +1022,38 @@ optional_policy(` ######################################## # @@ -88692,7 +89026,7 @@ index 0000000..94105ee +') diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..838f907 +index 0000000..a299f53 --- /dev/null +++ b/snapper.te 
@@ -0,0 +1,66 @@ @@ -88710,8 +89044,8 @@ index 0000000..838f907 +type snapperd_log_t; +logging_log_file(snapperd_log_t) + -+type snappperd_conf_t; -+files_config_file(snappperd_conf_t) ++type snapperd_conf_t; ++files_config_file(snapperd_conf_t) + +type snapperd_data_t; +files_type(snapperd_data_t) @@ -88904,7 +89238,7 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 81864ce..4b6b771 100644 +index 81864ce..7408ed7 100644 --- a/snmp.te +++ b/snmp.te @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) @@ -88987,6 +89321,14 @@ index 81864ce..4b6b771 100644 ') optional_policy(` +@@ -140,6 +146,7 @@ optional_policy(` + + optional_policy(` + mta_read_config(snmpd_t) ++ mta_read_aliases(snmpd_t) + mta_search_queue(snmpd_t) + ') + diff --git a/snort.if b/snort.if index 7d86b34..5f58180 100644 --- a/snort.if @@ -89850,7 +90192,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index 4faa7e0..d5d1214 100644 +index 4faa7e0..32f670e 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -1,4 +1,4 @@ @@ -89929,7 +90271,7 @@ index 4faa7e0..d5d1214 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,87 +39,198 @@ type spamd_log_t; +@@ -72,87 +39,199 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; @@ -90133,6 +90475,7 @@ index 4faa7e0..d5d1214 100644 + userdom_manage_user_home_content_dirs(spamd_t) + userdom_manage_user_home_content_files(spamd_t) + userdom_manage_user_home_content_symlinks(spamd_t) ++ userdom_exec_user_bin_files(spamd_t) ') -tunable_policy(`use_samba_home_dirs',` @@ -90150,7 +90493,7 @@ index 4faa7e0..d5d1214 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +238,8 @@ optional_policy(` +@@ -160,6 +239,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) 
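Review bot: `userdom_exec_user_bin_files(spamd_t)` in the spamassassin.te hunk lets a system daemon execute files that users own and can write in their home directories, so it must stay inside the tunable block it was added to; the `tunable_policy` opening that block starts outside the hunk, so the gating boolean cannot be confirmed from here (the changelog says it is boolean-controlled). A comment above the line, such as `# user-controlled executables: only when the home-dir boolean is enabled`, would make the dependency on the boolean obvious to anyone reordering these rules. The rest of the tunable body on this line is unchanged.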
@@ -90159,7 +90502,7 @@ index 4faa7e0..d5d1214 100644 ') ######################################## -@@ -167,72 +247,85 @@ optional_policy(` +@@ -167,72 +248,85 @@ optional_policy(` # Client local policy # @@ -90276,7 +90619,7 @@ index 4faa7e0..d5d1214 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +336,7 @@ optional_policy(` +@@ -243,6 +337,7 @@ optional_policy(` ') optional_policy(` @@ -90284,7 +90627,7 @@ index 4faa7e0..d5d1214 100644 evolution_stream_connect(spamc_t) ') -@@ -251,52 +345,55 @@ optional_policy(` +@@ -251,52 +346,55 @@ optional_policy(` ') optional_policy(` @@ -90365,7 +90708,7 @@ index 4faa7e0..d5d1214 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +405,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +406,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -90375,7 +90718,7 @@ index 4faa7e0..d5d1214 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +415,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +416,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -90391,7 +90734,7 @@ index 4faa7e0..d5d1214 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +430,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +431,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) 
@@ -90495,7 +90838,7 @@ index 4faa7e0..d5d1214 100644 ') optional_policy(` -@@ -421,21 +501,13 @@ optional_policy(` +@@ -421,21 +502,13 @@ optional_policy(` ') optional_policy(` @@ -90519,7 +90862,7 @@ index 4faa7e0..d5d1214 100644 ') optional_policy(` -@@ -443,8 +515,8 @@ optional_policy(` +@@ -443,8 +516,8 @@ optional_policy(` ') optional_policy(` @@ -90529,7 +90872,7 @@ index 4faa7e0..d5d1214 100644 ') optional_policy(` -@@ -455,7 +527,12 @@ optional_policy(` +@@ -455,7 +528,12 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -90543,7 +90886,7 @@ index 4faa7e0..d5d1214 100644 ') optional_policy(` -@@ -463,9 +540,9 @@ optional_policy(` +@@ -463,9 +541,9 @@ optional_policy(` ') optional_policy(` @@ -90554,7 +90897,7 @@ index 4faa7e0..d5d1214 100644 ') optional_policy(` -@@ -474,32 +551,32 @@ optional_policy(` +@@ -474,32 +552,32 @@ optional_policy(` ######################################## # @@ -90597,7 +90940,7 @@ index 4faa7e0..d5d1214 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +585,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -101471,19 +101814,21 @@ index 9ead775..b5285e7 100644 +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmtools.fc b/vmtools.fc new file mode 100644 -index 0000000..5726cdb +index 0000000..c5deffb --- /dev/null +++ b/vmtools.fc -@@ -0,0 +1,3 @@ +@@ -0,0 +1,5 @@ +/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0) + ++/usr/bin/vmware-user-suid-wrapper -- gen_context(system_u:object_r:vmtools_helper_exec_t,s0) ++ +/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0) diff --git a/vmtools.if b/vmtools.if new file mode 100644 -index 0000000..044be2f +index 0000000..7933d80 --- /dev/null 
+++ b/vmtools.if -@@ -0,0 +1,78 @@ +@@ -0,0 +1,122 @@ +## VMware Tools daemon + +######################################## @@ -101504,6 +101849,50 @@ index 0000000..044be2f + corecmd_search_bin($1) + domtrans_pattern($1, vmtools_exec_t, vmtools_t) +') ++ ++######################################## ++## ++## Execute vmtools in the vmtools domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vmtools_domtrans_helper',` ++ gen_require(` ++ type vmtools_helper_t, vmtools_helper_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t) ++') ++ ++######################################## ++## ++## Execute vmtools helpers in the vmtools_heler domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the mozilla_plugin domain. ++## ++## ++# ++interface(`vmtools_run_helper',` ++ gen_require(` ++ attribute_role vmtools_helper_roles; ++ ') ++ ++ vmtools_domtrans_helper($1) ++ roleattribute $2 vmtools_helper_roles; ++') ++ +######################################## +## +## Execute vmtools server in the vmtools domain. @@ -101551,7 +101940,7 @@ index 0000000..044be2f + ps_process_pattern($1, vmtools_t) + + tunable_policy(`deny_ptrace',`',` -+ allow $1 ninfod_t:process ptrace; ++ allow $1 vmtools_t:process ptrace; + ') + + vmtools_systemctl($1) @@ -101564,10 +101953,10 @@ index 0000000..044be2f +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..5549375 +index 0000000..b881c53 --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,82 @@ +policy_module(vmtools, 1.0.0) + +######################################## 
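Review bot: The XML documentation of the two new vmtools.if interfaces is copy-pasted and wrong: `vmtools_domtrans_helper` is summarised as "Execute vmtools in the vmtools domin." although it transitions to vmtools_helper_t, and the role parameter of `vmtools_run_helper` reads "The role to be allowed the mozilla_plugin domain." with "vmtools_heler" in the summary. Replace the summaries with `Execute vmtools helpers in the vmtools_helper domain.` and the role description with `The role to be allowed the vmtools_helper domain.`; these strings feed the generated interface documentation, so the wrong text ends up in the reference pages.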
@@ -101575,9 +101964,19 @@ index 0000000..5549375 +# Declarations +# + ++attribute_role vmtools_helper_roles; ++ ++roleattribute system_r vmtools_helper_roles; ++ +type vmtools_t; +type vmtools_exec_t; +init_daemon_domain(vmtools_t, vmtools_exec_t) ++role vmtools_helper_roles types vmtools_t; ++ ++type vmtools_helper_t; ++type vmtools_helper_exec_t; ++application_domain(vmtools_helper_t, vmtools_helper_exec_t) ++role vmtools_helper_roles types vmtools_t; + +type vmtools_unit_file_t; +systemd_unit_file(vmtools_unit_file_t) @@ -101613,7 +102012,33 @@ index 0000000..5549375 + +auth_use_nsswitch(vmtools_t) + ++#shutdown ++init_rw_utmp(vmtools_t) ++init_stream_connect(vmtools_t) ++init_telinit(vmtools_t) ++ +logging_send_syslog_msg(vmtools_t) ++ ++systemd_exec_systemctl(vmtools_t) ++ ++sysnet_domtrans_ifconfig(vmtools_t) ++ ++xserver_stream_connect_xdm(vmtools_t) ++xserver_stream_connect(vmtools_t) ++ ++optional_policy(` ++ unconfined_domain(vmtools_t) ++') ++ ++######################################## ++# ++# vmtools-helper local policy ++# ++ ++domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t) ++can_exec(vmtools_helper_t, vmtools_helper_exec_t) ++ ++userdom_stream_connect(vmtools_helper_t) diff --git a/vmware.if b/vmware.if index 20a1fb2..470ea95 100644 --- a/vmware.if 
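Review bot: The declarations hunk of vmtools.te repeats `role vmtools_helper_roles types vmtools_t;` twice, once after `init_daemon_domain` and once after `application_domain(vmtools_helper_t, vmtools_helper_exec_t)`, and never authorises the roles for vmtools_helper_t itself. The second line presumably should read `role vmtools_helper_roles types vmtools_helper_t;`, otherwise `vmtools_run_helper` (which only adds `$2` to the role attribute) cannot give a user role the helper domain it transitions into. If the duplication is intended, a comment saying why would save the next reader from the same question.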
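Review bot: The vmtools local-policy hunk adds `unconfined_domain(vmtools_t)` inside `optional_policy` while the same hunk also adds `domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)`, and the preceding vmtools.fc hunk labels /usr/bin/vmware-user-suid-wrapper as vmtools_helper_exec_t; combined with the role rules above, a confined user role that is given `vmtools_run_helper` ends up in an unconfined domain whenever the unconfined module is loaded. That makes the targeted rules added just before it (`init_telinit`, `sysnet_domtrans_ifconfig`, `xserver_stream_connect`) moot on such systems and turns the helper into a confinement bypass for those roles. At minimum the rule needs a comment stating that this is intended, e.g. `# vmtools_t is unconfined; vmtools_helper_t -> vmtools_t transition grants that to helper callers`, and the helper transition should be reconsidered if the helper does not actually need the daemon domain (hedged: what the suid wrapper executes is not visible here).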
@@ -102021,6 +102446,28 @@ index 9329eae..824e86f 100644 -optional_policy(` - seutil_use_newrole_fds(vpnc_t) -') +diff --git a/w3c.te b/w3c.te +index bcb76b6..d3cf4a8 100644 +--- a/w3c.te ++++ b/w3c.te +@@ -7,10 +7,17 @@ policy_module(w3c, 1.0.1) + + apache_content_template(w3c_validator) + ++type httpd_w3c_validator_tmp_t; ++files_tmp_file(httpd_w3c_validator_tmp_t) ++ + ######################################## + # + # Local policy + # ++manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) ++manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) ++files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) ++ + + corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t) + corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t) diff --git a/watchdog.fc b/watchdog.fc index eecd0e0..8df2e8c 100644 --- a/watchdog.fc @@ -104555,7 +105002,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..47847ad 100644 +index 46e4cd3..20fc1ba 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3) @@ -104760,7 +105207,7 @@ index 46e4cd3..47847ad 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -177,12 +181,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) @@ -104774,7 +105221,9 @@ index 46e4cd3..47847ad 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,8 +193,14 @@ init_read_utmp(zabbix_agent_t) ++auth_use_nsswitch(zabbix_agent_t) ++ + init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) 
@@ -105614,7 +106063,7 @@ index 0000000..8c61505 +/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) diff --git a/zoneminder.if b/zoneminder.if new file mode 100644 -index 0000000..d02a6f4 +index 0000000..e0604c7 --- /dev/null +++ b/zoneminder.if @@ -0,0 +1,374 @@ @@ -105827,7 +106276,7 @@ index 0000000..d02a6f4 +# +interface(`zoneminder_manage_lib_sock_files',` + gen_require(` -+ type sock_var_lib_t; ++ type zoneminder_sock_var_lib_t; + ') + files_search_var_lib($1) + manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9b35494..17b87f4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 125%{?dist} +Release: 126%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
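Review bot: The corrected `gen_require` in `zoneminder_manage_lib_sock_files` now names `type zoneminder_sock_var_lib_t;`, but the interface body two lines below still uses `manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)`, so the required type and the type actually used do not match and zoneminder_var_lib_t is not required at all. Either the require line should be `type zoneminder_var_lib_t;` or the pattern should use `zoneminder_sock_var_lib_t`; which is right depends on how zoneminder.te declares the socket directory, which is outside this hunk. The module compile would be expected to fail or the interface to be silently wrong until the two agree.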
@@ -579,6 +579,63 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Feb 18 2014 Miroslav Grepl 3.12.1-126 +- Add lvm_read_metadata() +- Allow auditadm to search /var/log/audit dir +- Add lvm_read_metadata() interface +- Allow confined users to run vmtools helpers +- Fix userdom_common_user_template() +- Generic systemd unit scripts do write check on / +- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files +- Add additional fixes needed for init_t and setup script running in generic unit files +- Allow general users to create packet_sockets +- added connlcli port +- Add init_manage_transient_unit() interface +- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t +- Fix userdomain.te to require passwd class +- devicekit_power sends out a signal to all processes on the message bus when power is going down +- Dontaudit rendom domains listing /proc and hittping system_map_t +- Dontauit leaks of var_t into ifconfig_t +- Allow domains that transition to ssh_t to manipulate its keyring +- Define oracleasm_t as a device node +- Change to handle /root as a symbolic link for os-tree +- Allow sysadm_t to create packet_socket, also move some rules to attributes +- Add label for openvswitch port +- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. +- Allow postfix_local to read .forward in pcp lib files +- Allow pegasus_openlmi_storage_t to read lvm metadata +- Add additional fixes for pegasus_openlmi_storage_t +- Allow bumblebee to manage debugfs +- Make bumblebee as unconfined domain +- Allow snmp to read etc_aliases_t +- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem +- Allow pegasus_openlmi_storage_t to read /proc/1/environ +- Dontaudit read gconf files for cupsd_config_t +- make vmtools as unconfined domain +- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig. 
+- Allow collectd_t to use a mysql database +- Allow ipa-otpd to perform DNS name resolution +- Added new policy for keepalived +- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd +- Add additional fixes new pscs-lite+polkit support +- Add labeling for /run/krb5kdc +- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 +- Allow pcscd to read users proc info +- Dontaudit smbd_t sending out random signuls +- Add boolean to allow openshift domains to use nfs +- Allow w3c_validator to create content in /tmp +- zabbix_agent uses nsswitch +- Allow procmail and dovecot to work together to deliver mail +- Allow spamd to execute files in homedir if boolean turned on +- Allow openvswitch to listen on port 6634 +- Add net_admin capability in collectd policy +- Fixed snapperd policy +- Fixed bugsfor pcp policy +- Allow dbus_system_domains to be started by init +- Fixed some interfaces +- Add kerberos_keytab_domain attribute +- Fix snapperd_conf_t def + * Tue Feb 11 2014 Miroslav Grepl 3.12.1-125 - Addopt corenet rules for unbound-anchor to rpm_script_t - Allow runuser to send send audit messages.