diff --git a/policy-rawhide.patch b/policy-rawhide.patch index ee8c8c6..fd1af43 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -110349,7 +110349,7 @@ index 4705ab6..11a1ae6 100644 +gen_tunable(selinuxuser_tcp_server,false) + diff --git a/policy/mcs b/policy/mcs -index f477c7f..4acbe5d 100644 +index f477c7f..4e59b42 100644 --- a/policy/mcs +++ b/policy/mcs @@ -1,4 +1,6 @@ @@ -110359,7 +110359,7 @@ index f477c7f..4acbe5d 100644 # # Define sensitivities # -@@ -69,16 +71,32 @@ gen_levels(1,mcs_num_cats) +@@ -69,28 +71,48 @@ gen_levels(1,mcs_num_cats) # - /proc/pid operations are not constrained. mlsconstrain file { read ioctl lock execute execute_no_trans } @@ -110396,7 +110396,10 @@ index f477c7f..4acbe5d 100644 # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. -@@ -87,10 +105,13 @@ mlsconstrain file { create relabelto } + mlsconstrain file { create relabelto } +- (( h1 dom h2 ) and ( l2 eq h2 )); ++ ((( h1 dom h2 ) and ( l2 eq h2 )) or ++ ( t1 != mcsuntrustedproc )); # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } @@ -110412,7 +110415,7 @@ index f477c7f..4acbe5d 100644 mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats )); -@@ -101,6 +122,9 @@ mlsconstrain process { ptrace } +@@ -101,6 +123,9 @@ mlsconstrain process { ptrace } mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); @@ -110422,7 +110425,7 @@ index f477c7f..4acbe5d 100644 # # MCS policy for SELinux-enabled databases # -@@ -144,4 +168,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -144,4 +169,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); 
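Review bot: The new `or ( t1 != mcsuntrustedproc )` disjunct on the `file { create relabelto }` constraint exempts every process type that is not in the `mcsuntrustedproc` attribute, so any other domain may create or relabel a file to a category set its own clearance (`h1`) does not dominate, and the single-level requirement (`l2 eq h2`) is skipped for it as well. That is a deliberate narrowing of MCS to untrusted domains only, but nothing in the hunk records the intent, and the `relabelfrom` and other object constraints that would need the same treatment to stay consistent lie outside this hunk and cannot be checked here. A comment above the rule would make the decision auditable, e.g. `# Only mcsuntrustedproc domains are MCS-constrained when creating or relabelling files; every other type may set any category set.` The surrounding constraints express exemptions positively (`t1 == mcssetcats`), so the negated form here deserves that comment so it is not mistaken for a typo.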
@@ -127399,7 +127402,7 @@ index fc86b7c..ba6be42 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..af3532c 100644 +index 130ced9..a75282a 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -128196,7 +128199,7 @@ index 130ced9..af3532c 100644 ') ######################################## -@@ -1243,10 +1577,536 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1577,541 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -128726,6 +128729,11 @@ index 130ced9..af3532c 100644 +## The class of the object to be created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`xserver_xdm_tmp_filetrans',` + gen_require(` @@ -128736,7 +128744,7 @@ index 130ced9..af3532c 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index d40f750..4f116f0 100644 +index d40f750..f444b4c 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -129387,11 +129395,12 @@ index d40f750..4f116f0 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +712,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` + accountsd_read_lib_files(xdm_t) ++ accountsd_dbus_chat(xdm_t) +') + +optional_policy(` @@ -129399,6 +129408,10 @@ index d40f750..4f116f0 100644 +') + +optional_policy(` ++ boinc_dontaudit_getattr_lib(xdm_t) ++') ++ ++optional_policy(` alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) ') 
@@ -129409,7 +129422,7 @@ index d40f750..4f116f0 100644 ') optional_policy(` -@@ -514,12 +734,69 @@ optional_policy(` +@@ -514,12 +739,69 @@ optional_policy(` ') optional_policy(` @@ -129479,7 +129492,7 @@ index d40f750..4f116f0 100644 hostname_exec(xdm_t) ') -@@ -537,28 +814,74 @@ optional_policy(` +@@ -537,28 +819,74 @@ optional_policy(` ') optional_policy(` @@ -129563,7 +129576,7 @@ index d40f750..4f116f0 100644 ') optional_policy(` -@@ -570,6 +893,14 @@ optional_policy(` +@@ -570,6 +898,14 @@ optional_policy(` ') optional_policy(` @@ -129578,7 +129591,7 @@ index d40f750..4f116f0 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +925,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +930,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -129591,7 +129604,7 @@ index d40f750..4f116f0 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +947,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -129607,7 +129620,7 @@ index d40f750..4f116f0 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +974,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -129629,7 +129642,7 @@ index d40f750..4f116f0 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +989,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +994,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -129643,7 +129656,7 @@ index d40f750..4f116f0 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1015,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1020,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -129675,7 +129688,7 @@ index d40f750..4f116f0 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1052,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -129689,7 +129702,7 @@ index d40f750..4f116f0 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,20 +1066,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1071,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -129713,7 +129726,7 @@ index d40f750..4f116f0 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1131,40 @@ optional_policy(` +@@ -775,16 +1136,40 @@ optional_policy(` ') optional_policy(` @@ -129755,7 +129768,7 @@ index d40f750..4f116f0 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1173,10 @@ optional_policy(` +@@ -793,6 +1178,10 @@ optional_policy(` ') optional_policy(` 
@@ -129766,7 +129779,7 @@ index d40f750..4f116f0 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1192,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1197,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -129780,7 +129793,7 @@ index d40f750..4f116f0 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1203,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1208,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -129789,7 +129802,7 @@ index d40f750..4f116f0 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1216,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1221,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -129824,7 +129837,7 @@ index d40f750..4f116f0 100644 ') optional_policy(` -@@ -859,6 +1238,10 @@ optional_policy(` +@@ -859,6 +1243,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -129835,7 +129848,7 @@ index d40f750..4f116f0 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1285,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -129844,7 +129857,7 @@ index d40f750..4f116f0 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1339,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1344,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -129876,7 +129889,7 @@ index d40f750..4f116f0 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1385,44 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1390,44 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -131905,7 +131918,7 @@ index d2e40b8..3ba2e4c 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index d26fe81..98fad18 100644 +index d26fe81..95c1bd8 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -106,6 +106,8 @@ interface(`init_domain',` @@ -132576,7 +132589,7 @@ index d26fe81..98fad18 100644 ') ######################################## -@@ -1758,7 +2046,129 @@ interface(`init_pid_filetrans_utmp',` +@@ -1758,7 +2046,134 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -132657,6 +132670,11 @@ index d26fe81..98fad18 100644 +## The class of the object to be created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`init_pid_filetrans',` + gen_require(` @@ -132688,9 +132706,9 @@ index d26fe81..98fad18 100644 +## The class of the object to be created. +## +## -+## ++## +## -+## The name of the object to be created. ++## The name of the object being created. +## +## +# 
@@ -132707,7 +132725,7 @@ index d26fe81..98fad18 100644 ## ## Allow the specified domain to connect to daemon with a tcp socket ## -@@ -1792,3 +2202,283 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1792,3 +2207,283 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -136018,7 +136036,7 @@ index 321bb13..267fa2a 100644 + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 0034021..f6f1796 100644 +index 0034021..3cc8544 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.0) @@ -136318,7 +136336,7 @@ index 0034021..f6f1796 100644 userdom_dontaudit_use_unpriv_user_fds(syslogd_t) userdom_dontaudit_search_user_home_dirs(syslogd_t) -@@ -493,15 +564,35 @@ optional_policy(` +@@ -493,15 +564,36 @@ optional_policy(` ') optional_policy(` @@ -136347,6 +136365,7 @@ index 0034021..f6f1796 100644 optional_policy(` seutil_sigchld_newrole(syslogd_t) + snmp_read_snmp_var_lib_files(syslogd_t) ++ snmp_dontaudit_write_snmp_var_lib_files(syslogd_t) +') + +optional_policy(` @@ -136354,7 +136373,7 @@ index 0034021..f6f1796 100644 ') optional_policy(` -@@ -512,3 +603,24 @@ optional_policy(` +@@ -512,3 +604,24 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -140376,10 +140395,10 @@ index 0000000..6d7c302 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..20432cf +index 0000000..5d53f08 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,907 @@ +@@ -0,0 +1,924 @@ +## SELinux policy for systemd components + +####################################### 
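Review bot: `snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)` is appended to the `optional_policy` block whose first member is `seutil_sigchld_newrole(syslogd_t)`, so that block now requires both the seutil and the snmp modules; an `optional_policy` block is disabled as a unit when any requirement inside it is unresolvable, which would silently drop the newrole sigchld rule on a system without the snmp module (and the snmp rules on one without seutil). Both `snmp_*` calls should move into a separate `optional_policy(`...')` block of their own, leaving the seutil block as it was upstream. Because a dontaudit on write hides a genuine denial, a one-line comment naming the syslog component that attempts the write (the hunk does not show it) would also help the next reviewer decide whether an allow rule or a fix in the daemon is the right outcome.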
@@ -141057,6 +141076,23 @@ index 0000000..20432cf + allow $1 systemd_unit_file_type:service start; +') + ++####################################### ++## ++## Allow the specified domain to reload all systemd services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_reload_all_services',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ allow $1 systemd_unit_file_type:service reload; ++') + +######################################## +## diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 33e5a37..792089f 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -809,7 +809,7 @@ index 1adca53..18e0e41 100644 /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) diff --git a/accountsd.if b/accountsd.if -index c0f858d..c256428 100644 +index c0f858d..4a3dab6 100644 --- a/accountsd.if +++ b/accountsd.if @@ -5,9 +5,9 @@ @@ -833,7 +833,15 @@ index c0f858d..c256428 100644 ## ## # -@@ -118,28 +118,54 @@ interface(`accountsd_manage_lib_files',` +@@ -93,6 +93,7 @@ interface(`accountsd_read_lib_files',` + ') + + files_search_var_lib($1) ++ allow $1 accountsd_var_lib_t:dir list_dir_perms; + read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) + ') + +@@ -118,28 +119,54 @@ interface(`accountsd_manage_lib_files',` ######################################## ## @@ -3017,7 +3025,7 @@ index 6480167..e77ad76 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..55e40e0 100644 +index 0833afb..ba4ab9e 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) 
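Review bot: `systemd_reload_all_services` grants `service reload` on every type carrying the `systemd_unit_file_type` attribute — the same blanket scope as `systemd_start_all_services` immediately above it — but its summary line does not convey that breadth. A domain that only manages one unit is better served by a per-unit interface; at minimum the description should say what it actually grants, e.g. `## Allow the specified domain to reload every unit file type (systemd_unit_file_type), not a single service; prefer a per-unit interface where the caller manages one unit.` Whether a narrower per-type reload interface already exists elsewhere in systemd.if is not visible in this hunk.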
@@ -3391,19 +3399,18 @@ index 0833afb..55e40e0 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,8 +543,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -362,8 +543,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) +kernel_read_network_state(httpd_t) -+kernel_read_network_state(httpd_t) +kernel_search_network_sysctl(httpd_t) -corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) corenet_udp_sendrecv_generic_if(httpd_t) -@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -372,11 +554,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -3424,7 +3431,7 @@ index 0833afb..55e40e0 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t) +@@ -385,9 +575,14 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -3439,7 +3446,7 @@ index 0833afb..55e40e0 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t) +@@ -396,61 +591,112 @@ domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) @@ -3560,7 +3567,7 @@ index 0833afb..55e40e0 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +707,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
@@ -3624,7 +3631,7 @@ index 0833afb..55e40e0 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +771,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -3647,7 +3654,7 @@ index 0833afb..55e40e0 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,9 +806,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -3668,7 +3675,7 @@ index 0833afb..55e40e0 100644 ') optional_policy(` -@@ -525,6 +831,9 @@ optional_policy(` +@@ -525,6 +830,9 @@ optional_policy(` ') optional_policy(` @@ -3678,7 +3685,7 @@ index 0833afb..55e40e0 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +849,24 @@ optional_policy(` +@@ -540,6 +848,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3703,7 +3710,7 @@ index 0833afb..55e40e0 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +876,24 @@ optional_policy(` +@@ -549,13 +875,24 @@ optional_policy(` ') optional_policy(` @@ -3729,7 +3736,7 @@ index 0833afb..55e40e0 100644 ') optional_policy(` -@@ -573,7 +911,21 @@ optional_policy(` +@@ -573,7 +910,21 @@ optional_policy(` ') optional_policy(` @@ -3751,7 +3758,7 @@ index 0833afb..55e40e0 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -584,6 +936,7 @@ optional_policy(` +@@ -584,6 +935,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) 
@@ -3759,11 +3766,12 @@ index 0833afb..55e40e0 100644 ') optional_policy(` -@@ -594,6 +947,40 @@ optional_policy(` +@@ -594,6 +946,41 @@ optional_policy(` ') optional_policy(` + openshift_search_lib(httpd_t) ++ openshift_initrc_signull(httpd_t) +') + +optional_policy(` @@ -6431,10 +6439,10 @@ index 0000000..bda740a +/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) diff --git a/boinc.if b/boinc.if new file mode 100644 -index 0000000..e8ada4b +index 0000000..fbcef10 --- /dev/null +++ b/boinc.if -@@ -0,0 +1,188 @@ +@@ -0,0 +1,206 @@ +## policy for boinc + +######################################## @@ -6473,6 +6481,24 @@ index 0000000..e8ada4b + init_labeled_script_domtrans($1, boinc_initrc_exec_t) +') + ++####################################### ++## ++## Dontaudit getattr on boinc lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`boinc_dontaudit_getattr_lib',` ++ gen_require(` ++ type boinc_var_lib_t; ++ ') ++ ++ dontaudit $1 boinc_var_lib_t:file getattr; ++') ++ +######################################## +## +## Search boinc lib directories. @@ -8641,10 +8667,10 @@ index 0000000..efebae7 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..da41141 +index 0000000..1a2d2fd --- /dev/null +++ b/chrome.te -@@ -0,0 +1,186 @@ +@@ -0,0 +1,187 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -8709,6 +8735,7 @@ index 0000000..da41141 +corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t) +corenet_tcp_connect_http_port(chrome_sandbox_t) +corenet_tcp_connect_http_cache_port(chrome_sandbox_t) ++corenet_tcp_connect_msnp_port(chrome_sandbox_t) +corenet_tcp_connect_squid_port(chrome_sandbox_t) +corenet_tcp_sendrecv_generic_if(chrome_sandbox_t) +corenet_tcp_sendrecv_generic_node(chrome_sandbox_t) @@ -10825,7 +10852,7 @@ index 733e4e6..fa2c3cb 100644 + ps_process_pattern($1, colord_t) +') 
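Review bot: `boinc_dontaudit_getattr_lib` silences `getattr` only on `boinc_var_lib_t:file`, yet the `_lib` suffix follows the neighbouring `boinc_search_lib`-style naming that refers to the lib directory, so a caller expecting directory stat denials to be quiet (the xserver.te change in this same diff wires it to `xdm_t`) will still see them logged. Either widen the rule to `{ dir file lnk_file }` or keep the narrow scope and say so in the summary, e.g. `## Dontaudit getattr on boinc lib files only; directory getattr is still audited.` so the limited coverage reads as intentional rather than accidental.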
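Review bot: `corenet_tcp_connect_msnp_port(chrome_sandbox_t)` unconditionally widens the sandbox's outbound TCP to another port with no comment on which browser feature needs it; the adjacent http, http_cache, squid and pulseaudio connects are self-explanatory for a renderer sandbox, whereas a messenger-protocol port is not. Add a why-comment above it, e.g. `# presumably for a web-messenger feature reaching MSN servers — TODO confirm and consider gating behind a boolean`, or place it under the module's sandbox-networking tunable if one exists (none is visible in this hunk). The rest of chrome_sandbox_t's network rules lie outside the hunk.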
diff --git a/colord.te b/colord.te -index 74505cc..fc79c02 100644 +index 74505cc..10d9a27 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.0) @@ -10882,7 +10909,7 @@ index 74505cc..fc79c02 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -62,22 +76,35 @@ dev_rw_generic_usb_dev(colord_t) +@@ -62,22 +76,36 @@ dev_rw_generic_usb_dev(colord_t) domain_use_interactive_fds(colord_t) files_list_mnt(colord_t) @@ -10910,6 +10937,7 @@ index 74505cc..fc79c02 100644 -sysnet_dns_name_resolve(colord_t) +userdom_home_reader(colord_t) ++userdom_read_inherited_user_home_content_files(colord_t) tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(colord_t) @@ -10921,7 +10949,7 @@ index 74505cc..fc79c02 100644 fs_read_cifs_files(colord_t) ') -@@ -89,6 +116,12 @@ optional_policy(` +@@ -89,6 +117,12 @@ optional_policy(` ') optional_policy(` @@ -10934,7 +10962,7 @@ index 74505cc..fc79c02 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -96,5 +129,19 @@ optional_policy(` +@@ -96,5 +130,19 @@ optional_policy(` ') optional_policy(` @@ -11998,7 +12026,7 @@ index 5220c9d..885b25d 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/corosync.te b/corosync.te -index 04969e5..de92da0 100644 +index 04969e5..7b092d4 100644 --- a/corosync.te +++ b/corosync.te @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) @@ -12032,7 +12060,8 @@ index 04969e5..de92da0 100644 allow corosync_t self:sem create_sem_perms; +allow corosync_t self:shm create_shm_perms; allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow corosync_t self:unix_dgram_socket create_socket_perms; +-allow corosync_t self:unix_dgram_socket create_socket_perms; ++allow corosync_t self:unix_dgram_socket { create_socket_perms sendto }; allow corosync_t self:udp_socket create_socket_perms; +can_exec(corosync_t, corosync_exec_t) 
@@ -14543,7 +14572,7 @@ index 305ddf4..f3cd95f 100644 + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ') diff --git a/cups.te b/cups.te -index e5a8924..d62fe74 100644 +index e5a8924..9d4c4e0 100644 --- a/cups.te +++ b/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -14725,21 +14754,16 @@ index e5a8924..d62fe74 100644 ') optional_policy(` -@@ -341,9 +365,11 @@ optional_policy(` +@@ -341,7 +365,7 @@ optional_policy(` # Cups configuration daemon local policy # -allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; +allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; --allow cupsd_config_t self:process { getsched signal_perms }; -+allow cupsd_config_t self:capability sys_nice; -+allow cupsd_config_t self:process setsched; -+allow cupsd_config_t self:process { setsched signal_perms }; + allow cupsd_config_t self:process { getsched signal_perms }; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; - allow cupsd_config_t self:unix_stream_socket create_socket_perms; - allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -371,8 +397,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +395,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -14750,7 +14774,7 @@ index e5a8924..d62fe74 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -381,7 +408,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) +@@ -381,7 +406,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) kernel_read_system_state(cupsd_config_t) kernel_read_all_sysctls(cupsd_config_t) 
@@ -14758,15 +14782,7 @@ index e5a8924..d62fe74 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,6 +421,7 @@ dev_read_rand(cupsd_config_t) - dev_rw_generic_usb_dev(cupsd_config_t) - - files_search_all_mountpoints(cupsd_config_t) -+files_dontaudit_list_tmp(cupsd_config_t) - - fs_getattr_all_fs(cupsd_config_t) - fs_search_auto_mountpoints(cupsd_config_t) -@@ -407,7 +434,6 @@ domain_use_interactive_fds(cupsd_config_t) +@@ -407,7 +431,6 @@ domain_use_interactive_fds(cupsd_config_t) domain_dontaudit_search_all_domains_state(cupsd_config_t) files_read_usr_files(cupsd_config_t) @@ -14774,7 +14790,7 @@ index e5a8924..d62fe74 100644 files_read_etc_runtime_files(cupsd_config_t) files_read_var_symlinks(cupsd_config_t) -@@ -418,18 +444,15 @@ auth_use_nsswitch(cupsd_config_t) +@@ -418,18 +441,15 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -14795,7 +14811,7 @@ index e5a8924..d62fe74 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +476,10 @@ optional_policy(` +@@ -453,6 +473,10 @@ optional_policy(` ') optional_policy(` @@ -14806,7 +14822,7 @@ index e5a8924..d62fe74 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +494,10 @@ optional_policy(` +@@ -467,6 +491,10 @@ optional_policy(` ') optional_policy(` @@ -14817,7 +14833,7 @@ index e5a8924..d62fe74 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -526,7 +557,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) +@@ -526,7 +554,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) kernel_read_network_state(cupsd_lpd_t) 
@@ -14825,7 +14841,7 @@ index e5a8924..d62fe74 100644 corenet_all_recvfrom_netlabel(cupsd_lpd_t) corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) corenet_udp_sendrecv_generic_if(cupsd_lpd_t) -@@ -537,19 +567,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +@@ -537,19 +564,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) corenet_tcp_bind_generic_node(cupsd_lpd_t) corenet_udp_bind_generic_node(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) @@ -14846,7 +14862,7 @@ index e5a8924..d62fe74 100644 miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) cups_stream_connect(cupsd_lpd_t) -@@ -577,7 +606,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t) +@@ -577,7 +603,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -14854,7 +14870,7 @@ index e5a8924..d62fe74 100644 files_read_usr_files(cups_pdf_t) corecmd_exec_shell(cups_pdf_t) -@@ -585,25 +613,23 @@ corecmd_exec_bin(cups_pdf_t) +@@ -585,25 +610,23 @@ corecmd_exec_bin(cups_pdf_t) auth_use_nsswitch(cups_pdf_t) @@ -14889,18 +14905,7 @@ index e5a8924..d62fe74 100644 ') ######################################## -@@ -613,6 +639,10 @@ tunable_policy(`use_samba_home_dirs',` - - # Needed for USB Scanneer and xsane - allow hplip_t self:capability { dac_override dac_read_search net_raw }; -+#sched_setscheduler -+allow hplip_t self:capability sys_nice; -+allow hplip_t self:process setsched; -+ - dontaudit hplip_t self:capability sys_tty_config; - allow hplip_t self:fifo_file rw_fifo_file_perms; - allow hplip_t self:process signal_perms; -@@ -635,9 +665,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) +@@ -635,9 +658,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) 
@@ -14917,7 +14922,7 @@ index e5a8924..d62fe74 100644 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -647,7 +684,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file) +@@ -647,7 +677,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file) kernel_read_system_state(hplip_t) kernel_read_kernel_sysctls(hplip_t) @@ -14928,7 +14933,7 @@ index e5a8924..d62fe74 100644 corenet_all_recvfrom_netlabel(hplip_t) corenet_tcp_sendrecv_generic_if(hplip_t) corenet_udp_sendrecv_generic_if(hplip_t) -@@ -661,10 +700,10 @@ corenet_tcp_bind_generic_node(hplip_t) +@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t) corenet_udp_bind_generic_node(hplip_t) corenet_tcp_bind_hplip_port(hplip_t) corenet_tcp_connect_hplip_port(hplip_t) @@ -14942,7 +14947,7 @@ index e5a8924..d62fe74 100644 dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -@@ -673,31 +712,35 @@ dev_read_rand(hplip_t) +@@ -673,31 +705,34 @@ dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) dev_rw_usbfs(hplip_t) @@ -14959,16 +14964,15 @@ index e5a8924..d62fe74 100644 files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) +files_dontaudit_write_usr_dirs(hplip_t) -+files_dontaudit_list_tmp(hplip_t) -logging_send_syslog_msg(hplip_t) +fs_getattr_all_fs(hplip_t) +fs_search_auto_mountpoints(hplip_t) +fs_rw_anon_inodefs_files(hplip_t) ++ ++term_use_ptmx(hplip_t) -miscfiles_read_localization(hplip_t) -+term_use_ptmx(hplip_t) -+ +auth_read_passwd(hplip_t) + +logging_send_syslog_msg(hplip_t) @@ -14989,7 +14993,7 @@ index e5a8924..d62fe74 100644 optional_policy(` dbus_system_bus_client(hplip_t) -@@ -743,7 +786,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -743,7 +778,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) 
@@ -14997,7 +15001,7 @@ index e5a8924..d62fe74 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -760,13 +802,10 @@ fs_search_auto_mountpoints(ptal_t) +@@ -760,13 +794,10 @@ fs_search_auto_mountpoints(ptal_t) domain_use_interactive_fds(ptal_t) @@ -20371,10 +20375,10 @@ index f590a1f..b1b13b0 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/fail2ban.te b/fail2ban.te -index 2a69e5e..f1aa519 100644 +index 2a69e5e..5dccf2c 100644 --- a/fail2ban.te +++ b/fail2ban.te -@@ -23,20 +23,27 @@ files_type(fail2ban_var_lib_t) +@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) @@ -20392,12 +20396,11 @@ index 2a69e5e..f1aa519 100644 # -allow fail2ban_t self:capability { sys_tty_config }; --allow fail2ban_t self:process signal; -+allow fail2ban_t self:capability { dac_read_search dac_override sys_nice sys_tty_config }; -+allow fail2ban_t self:process { setsched signal }; ++allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; + allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow fail2ban_t self:unix_dgram_socket create_socket_perms; +@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; allow fail2ban_t self:tcp_socket create_stream_socket_perms; # log files @@ -20424,7 +20427,7 @@ index 2a69e5e..f1aa519 100644 corenet_all_recvfrom_netlabel(fail2ban_t) corenet_tcp_sendrecv_generic_if(fail2ban_t) corenet_tcp_sendrecv_generic_node(fail2ban_t) -@@ -66,12 +77,13 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) +@@ -66,8 +77,8 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) dev_read_urand(fail2ban_t) domain_use_interactive_fds(fail2ban_t) 
@@ -20434,12 +20437,7 @@ index 2a69e5e..f1aa519 100644 files_read_etc_runtime_files(fail2ban_t) files_read_usr_files(fail2ban_t) files_list_var(fail2ban_t) - files_search_var_lib(fail2ban_t) -+files_dontaudit_list_tmp(fail2ban_t) - - fs_list_inotifyfs(fail2ban_t) - fs_getattr_all_fs(fail2ban_t) -@@ -81,10 +93,11 @@ auth_use_nsswitch(fail2ban_t) +@@ -81,10 +92,11 @@ auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) logging_send_syslog_msg(fail2ban_t) @@ -20453,7 +20451,7 @@ index 2a69e5e..f1aa519 100644 optional_policy(` apache_read_log(fail2ban_t) ') -@@ -94,5 +107,43 @@ optional_policy(` +@@ -94,5 +106,43 @@ optional_policy(` ') optional_policy(` @@ -20928,10 +20926,10 @@ index 0000000..c4c7510 +') diff --git a/firewalld.te b/firewalld.te new file mode 100644 -index 0000000..9a2b4db +index 0000000..837a7cb --- /dev/null +++ b/firewalld.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,88 @@ + +policy_module(firewalld,1.0.0) + @@ -20964,8 +20962,6 @@ index 0000000..9a2b4db +# firewalld local policy +# +dontaudit firewalld_t self:capability sys_tty_config; -+allow firewalld_t self:capability sys_nice; -+allow firewalld_t self:process setsched; +allow firewalld_t self:fifo_file rw_fifo_file_perms; +allow firewalld_t self:unix_stream_socket create_stream_socket_perms; + @@ -20994,7 +20990,6 @@ index 0000000..9a2b4db + +files_read_etc_files(firewalld_t) +files_read_usr_files(firewalld_t) -+files_dontaudit_list_tmp(firewalld_t) + +fs_getattr_xattr_fs(firewalld_t) + @@ -23177,10 +23172,10 @@ index 00a19e3..20d0474 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..71ec3f4 100644 +index f5afe78..286670b 100644 --- a/gnome.if 
+++ b/gnome.if -@@ -1,44 +1,1003 @@ +@@ -1,44 +1,1028 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -23307,15 +23302,20 @@ index f5afe78..71ec3f4 100644 +## +## Allow domain to run gkeyring in the $1_gkeyringd_t domain. +## -+## -+## -+## Domain allowed access. -+## ++## ++## ++## The user prefix. ++## +## -+## -+## -+## Role allowed access. -+## ++## ++## ++## The user role. ++## ++## ++## ++## ++## Domain allowed access. ++## +## +# +interface(`gnome_run_gkeyringd',` @@ -23324,7 +23324,7 @@ index f5afe78..71ec3f4 100644 + type gkeyringd_exec_t; + ') + role $2 types $1_gkeyringd_t; -+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) ++ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) +') + +######################################## @@ -23502,6 +23502,11 @@ index f5afe78..71ec3f4 100644 +## The class of the object to be created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`gnome_cache_filetrans',` + gen_require(` @@ -23533,6 +23538,11 @@ index f5afe78..71ec3f4 100644 +## The class of the object to be created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`gnome_config_filetrans',` + gen_require(` @@ -23716,6 +23726,11 @@ index f5afe78..71ec3f4 100644 +## The class of the object to be created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`gnome_data_filetrans',` + gen_require(` @@ -23838,6 +23853,11 @@ index f5afe78..71ec3f4 100644 +## The class of the object to be created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`gnome_admin_home_gconf_filetrans',` + gen_require(` @@ -24202,7 +24222,7 @@ index f5afe78..71ec3f4 100644 ## ## ## -@@ -46,37 +1005,91 @@ interface(`gnome_role',` +@@ -46,37 +1030,91 @@ interface(`gnome_role',` ## ## # 
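Review bot: The new parameter description `## The name of the object being created.` is appended to the gnome_cache_filetrans docs, but the body that would consume it (the filetrans call) lies outside the hunk, which ends right after `gen_require(`. Each interface that gains this parameter should pass the third argument through, e.g. `filetrans_pattern($1, ..., $2, $3)` or the matching `files_*_filetrans($1, ..., $2, $3)` form; otherwise the documented name is silently ignored and name-based transitions will not fire. The same check applies to the hunks documenting gnome_config_filetrans, gnome_data_filetrans, gnome_admin_home_gconf_filetrans, kerberos_etc_filetrans_keytab, kerberos_tmp_filetrans_host_rcache, mta_etc_filetrans_aliases, mta_spool_filetrans, mta_spool_filetrans_queue and postfix_config_filetrans further down in this patch.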
@@ -24305,7 +24325,7 @@ index f5afe78..71ec3f4 100644 ## ## ## -@@ -84,37 +1097,107 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +1122,107 @@ template(`gnome_read_gconf_config',` ## ## # @@ -24424,7 +24444,7 @@ index f5afe78..71ec3f4 100644 ## ## ## -@@ -122,17 +1205,36 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1230,36 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -24465,7 +24485,7 @@ index f5afe78..71ec3f4 100644 ## ## ## -@@ -140,51 +1242,278 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1267,278 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -28731,7 +28751,7 @@ index 3525d24..8c702c9 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index 604f67b..7e5f97e 100644 +index 604f67b..138e1e2 100644 --- a/kerberos.if +++ b/kerberos.if @@ -82,14 +82,11 @@ interface(`kerberos_use',` @@ -28765,7 +28785,7 @@ index 604f67b..7e5f97e 100644 pcscd_stream_connect($1) ') ') -@@ -218,6 +216,25 @@ interface(`kerberos_rw_keytab',` +@@ -218,6 +216,30 @@ interface(`kerberos_rw_keytab',` ######################################## ## @@ -28776,6 +28796,11 @@ index 604f67b..7e5f97e 100644 +## Domain allowed access. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`kerberos_etc_filetrans_keytab',` + gen_require(` @@ -28791,7 +28816,7 @@ index 604f67b..7e5f97e 100644 ## Create a derived type for kerberos keytab ## ## -@@ -235,8 +252,13 @@ template(`kerberos_keytab_template',` +@@ -235,8 +257,13 @@ template(`kerberos_keytab_template',` type $1_keytab_t; files_type($1_keytab_t) @@ -28805,7 +28830,7 @@ index 604f67b..7e5f97e 100644 kerberos_read_keytab($2) kerberos_use($2) ') -@@ -282,42 +304,21 @@ interface(`kerberos_manage_host_rcache',` +@@ -282,42 +309,21 @@ interface(`kerberos_manage_host_rcache',` # does not work in conditionals domain_obj_id_change_exemption($1) 
@@ -28851,7 +28876,7 @@ index 604f67b..7e5f97e 100644 ## All of the rules required to administrate ## an kerberos environment ## -@@ -338,18 +339,22 @@ interface(`kerberos_admin',` +@@ -338,18 +344,22 @@ interface(`kerberos_admin',` type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; @@ -28879,7 +28904,7 @@ index 604f67b..7e5f97e 100644 ps_process_pattern($1, kpropd_t) init_labeled_script_domtrans($1, kerberos_initrc_exec_t) -@@ -378,3 +383,116 @@ interface(`kerberos_admin',` +@@ -378,3 +388,121 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -28894,6 +28919,11 @@ index 604f67b..7e5f97e 100644 +## Domain allowed access. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`kerberos_tmp_filetrans_host_rcache',` + gen_require(` @@ -31030,7 +31060,7 @@ index 572b5db..1e55f43 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.te b/logrotate.te -index 7090dae..82749b5 100644 +index 7090dae..a0f46cc 100644 --- a/logrotate.te +++ b/logrotate.te @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t) @@ -31092,7 +31122,7 @@ index 7090dae..82749b5 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -112,21 +114,19 @@ logging_send_audit_msgs(logrotate_t) +@@ -112,21 +114,20 @@ logging_send_audit_msgs(logrotate_t) # cjp: why is this needed? logging_exec_all_logs(logrotate_t) @@ -31100,6 +31130,7 @@ index 7090dae..82749b5 100644 +systemd_exec_systemctl(logrotate_t) +systemd_getattr_unit_files(logrotate_t) +systemd_start_all_unit_files(logrotate_t) ++systemd_reload_all_services(logrotate_t) +init_stream_connect(logrotate_t) -seutil_dontaudit_read_config(logrotate_t) 
@@ -31122,7 +31153,7 @@ index 7090dae..82749b5 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +138,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +139,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -31131,7 +31162,7 @@ index 7090dae..82749b5 100644 ') optional_policy(` -@@ -154,6 +154,10 @@ optional_policy(` +@@ -154,6 +155,10 @@ optional_policy(` ') optional_policy(` @@ -31142,7 +31173,7 @@ index 7090dae..82749b5 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +166,20 @@ optional_policy(` +@@ -162,10 +167,20 @@ optional_policy(` ') optional_policy(` @@ -31163,7 +31194,7 @@ index 7090dae..82749b5 100644 cups_domtrans(logrotate_t) ') -@@ -178,6 +192,10 @@ optional_policy(` +@@ -178,6 +193,10 @@ optional_policy(` ') optional_policy(` @@ -31174,7 +31205,7 @@ index 7090dae..82749b5 100644 icecast_signal(logrotate_t) ') -@@ -194,15 +212,19 @@ optional_policy(` +@@ -194,15 +213,19 @@ optional_policy(` ') optional_policy(` @@ -31195,7 +31226,7 @@ index 7090dae..82749b5 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -217,6 +239,11 @@ optional_policy(` +@@ -217,6 +240,11 @@ optional_policy(` ') optional_policy(` @@ -31207,7 +31238,7 @@ index 7090dae..82749b5 100644 squid_domtrans(logrotate_t) ') -@@ -228,3 +255,14 @@ optional_policy(` +@@ -228,3 +256,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -31239,7 +31270,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/logwatch.te b/logwatch.te -index 75ce30f..0a72cd5 100644 +index 75ce30f..9279c2d 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0) @@ -31250,7 +31281,7 @@ index 75ce30f..0a72cd5 100644 application_domain(logwatch_t, logwatch_exec_t) role system_r types logwatch_t; -@@ -19,13 +20,19 @@ files_lock_file(logwatch_lock_t) +@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t) type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) 
@@ -31263,15 +31294,6 @@ index 75ce30f..0a72cd5 100644 ######################################## # # Local policy - # - --allow logwatch_t self:capability { dac_override dac_read_search setgid }; --allow logwatch_t self:process signal; -+allow logwatch_t self:capability { dac_override dac_read_search setgid sys_nice }; -+allow logwatch_t self:process { signal setsched }; - allow logwatch_t self:fifo_file rw_file_perms; - allow logwatch_t self:unix_stream_socket create_stream_socket_perms; - @@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) @@ -31292,13 +31314,7 @@ index 75ce30f..0a72cd5 100644 files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) -@@ -65,11 +75,16 @@ files_dontaudit_search_home(logwatch_t) - files_dontaudit_search_boot(logwatch_t) - # Execs df and if file system mounted with a context avc raised - files_dontaudit_search_all_dirs(logwatch_t) -+files_dontaudit_list_tmp(logwatch_t) - - fs_getattr_all_fs(logwatch_t) +@@ -70,6 +80,10 @@ fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) @@ -31309,7 +31325,7 @@ index 75ce30f..0a72cd5 100644 term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) -@@ -84,19 +99,19 @@ libs_read_lib_files(logwatch_t) +@@ -84,19 +98,19 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) @@ -31333,7 +31349,7 @@ index 75ce30f..0a72cd5 100644 files_getattr_all_file_type_fs(logwatch_t) ') -@@ -145,3 +160,24 @@ optional_policy(` +@@ -145,3 +159,24 @@ optional_policy(` samba_read_log(logwatch_t) samba_read_share_files(logwatch_t) ') @@ -32181,10 +32197,10 @@ index 0000000..75b9968 +/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) 
diff --git a/mandb.if b/mandb.if new file mode 100644 -index 0000000..0118b6d +index 0000000..4a4e899 --- /dev/null +++ b/mandb.if -@@ -0,0 +1,193 @@ +@@ -0,0 +1,187 @@ + +## policy for mandb + @@ -32355,12 +32371,6 @@ index 0000000..0118b6d +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`mandb_admin',` + gen_require(` @@ -33997,7 +34007,7 @@ index b397fde..c7c031d 100644 +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..9f560f2 100644 +index d4fcb75..38d94e3 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) @@ -34160,7 +34170,7 @@ index d4fcb75..9f560f2 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,65 +317,98 @@ optional_policy(` +@@ -297,65 +317,99 @@ optional_policy(` # mozilla_plugin local policy # @@ -34244,6 +34254,7 @@ index d4fcb75..9f560f2 100644 +corenet_tcp_connect_ircd_port(mozilla_plugin_t) +corenet_tcp_connect_jabber_client_port(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) ++corenet_tcp_connect_msnp_port(mozilla_plugin_t) +corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_connect_speech_port(mozilla_plugin_t) +corenet_tcp_connect_squid_port(mozilla_plugin_t) @@ -34274,7 +34285,7 @@ index d4fcb75..9f560f2 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,55 +416,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,55 +417,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -34356,7 +34367,7 @@ index d4fcb75..9f560f2 100644 ') optional_policy(` -@@ -422,24 +479,39 @@ optional_policy(` +@@ -422,24 +480,39 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) 
@@ -34400,7 +34411,7 @@ index d4fcb75..9f560f2 100644 ') optional_policy(` -@@ -447,10 +519,113 @@ optional_policy(` +@@ -447,10 +520,113 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -35033,7 +35044,7 @@ index afa18c8..2f102b2 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index 4e2a5ba..def7747 100644 +index 4e2a5ba..ec47fc1 100644 --- a/mta.if +++ b/mta.if @@ -37,6 +37,7 @@ interface(`mta_stub',` @@ -35377,7 +35388,18 @@ index 4e2a5ba..def7747 100644 ') ######################################## -@@ -534,7 +596,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -528,13 +590,18 @@ interface(`mta_manage_aliases',` + ## Domain allowed access. + ## + ## ++## ++## ++## The name of the object being created. ++## ++## + # + interface(`mta_etc_filetrans_aliases',` + gen_require(` type etc_aliases_t; ') @@ -35386,7 +35408,7 @@ index 4e2a5ba..def7747 100644 ') ######################################## -@@ -554,7 +616,7 @@ interface(`mta_rw_aliases',` +@@ -554,7 +621,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -35395,7 +35417,7 @@ index 4e2a5ba..def7747 100644 ') ####################################### -@@ -576,6 +638,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` +@@ -576,6 +643,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` dontaudit $1 mailserver_delivery:tcp_socket { read write }; ') @@ -35421,7 +35443,7 @@ index 4e2a5ba..def7747 100644 ####################################### ## ## Connect to all mail servers over TCP. (Deprecated) -@@ -648,8 +729,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -648,8 +734,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; 
@@ -35432,7 +35454,19 @@ index 4e2a5ba..def7747 100644 ') ####################################### -@@ -679,7 +760,26 @@ interface(`mta_spool_filetrans',` +@@ -672,6 +758,11 @@ interface(`mta_dontaudit_getattr_spool_files',` + ## The object class of the object being created. + ## + ## ++## ++## ++## The name of the object being created. ++## ++## + # + interface(`mta_spool_filetrans',` + gen_require(` +@@ -679,7 +770,26 @@ interface(`mta_spool_filetrans',` ') files_search_spool($1) @@ -35460,7 +35494,7 @@ index 4e2a5ba..def7747 100644 ') ######################################## -@@ -699,8 +799,8 @@ interface(`mta_rw_spool',` +@@ -699,8 +809,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -35471,7 +35505,7 @@ index 4e2a5ba..def7747 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -840,7 +940,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -840,7 +950,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -35480,7 +35514,7 @@ index 4e2a5ba..def7747 100644 ') ######################################## -@@ -866,6 +966,36 @@ interface(`mta_manage_queue',` +@@ -866,6 +976,41 @@ interface(`mta_manage_queue',` ####################################### ## @@ -35502,6 +35536,11 @@ index 4e2a5ba..def7747 100644 +## The object class of the object being created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`mta_spool_filetrans_queue',` + gen_require(` @@ -35517,7 +35556,7 @@ index 4e2a5ba..def7747 100644 ## Read sendmail binary. ## ## -@@ -901,3 +1031,172 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -901,3 +1046,172 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -41512,10 +41551,10 @@ index 0000000..c9a5f74 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) 
diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..681f8a0 +index 0000000..64a303b --- /dev/null +++ b/openshift.if -@@ -0,0 +1,556 @@ +@@ -0,0 +1,574 @@ + +## policy for openshift + @@ -41540,6 +41579,24 @@ index 0000000..681f8a0 + +######################################## +## ++## Send a null signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signull',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signull; ++') ++ ++######################################## ++## +## Search openshift cache directories. +## +## @@ -42074,10 +42131,10 @@ index 0000000..681f8a0 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..2695755 +index 0000000..8d6a975 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,366 @@ +@@ -0,0 +1,372 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -42220,6 +42277,7 @@ index 0000000..2695755 +manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) +manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) +fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file }) ++can_exec(openshift_domain, openshift_tmpfs_t) + +manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) +manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) @@ -42298,6 +42356,7 @@ index 0000000..2695755 +libs_exec_ld_so(openshift_domain) + +term_use_ptmx(openshift_domain) ++term_use_generic_ptys(openshift_domain) + +selinux_validate_context(openshift_domain) + @@ -42359,6 +42418,10 @@ index 0000000..2695755 +') + +optional_policy(` ++ screen_exec(openshift_domain) ++') ++ ++optional_policy(` + ssh_use_ptys(openshift_domain) + ssh_getattr_user_home_dir(openshift_domain) + ssh_dontaudit_search_user_home_dir(openshift_domain) 
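Review bot: `can_exec(openshift_domain, openshift_tmpfs_t)` is added directly after `manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)`, so every domain carrying the openshift_domain attribute may now write a file in tmpfs and execute it under its own label, which removes the write/execute separation that the separate exec types elsewhere in this module provide. If gear runtimes genuinely need to execute from tmpfs, a comment stating which component requires it would help reviewers; otherwise a dedicated exec type for the tmpfs content, or limiting the grant to the one domain that needs it, keeps the attribute-wide permission narrower. The surrounding local policy for openshift_domain continues beyond the hunk.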
@@ -42419,7 +42482,7 @@ index 0000000..2695755 +allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms; +allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; + -+ssh_dontaudit_use_ptys(openshift_cgroup_read_t) ++ssh_use_ptys(openshift_cgroup_read_t) + +corecmd_exec_bin(openshift_cgroup_read_t) + @@ -43849,10 +43912,10 @@ index 0000000..4c64b13 +/var/run/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_var_run_t,s0) diff --git a/phpfpm.if b/phpfpm.if new file mode 100644 -index 0000000..9dcdaa8 +index 0000000..18f0425 --- /dev/null +++ b/phpfpm.if -@@ -0,0 +1,168 @@ +@@ -0,0 +1,162 @@ + +## PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. + @@ -43988,19 +44051,13 @@ index 0000000..9dcdaa8 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`phpfpm_admin',` + gen_require(` + type phpfpm_t; + type phpfpm_log_t; + type phpfpm_var_run_t; -+ type phpfpm_unit_file_t; ++ type phpfpm_unit_file_t; + ') + + allow $1 phpfpm_t:process { ptrace signal_perms }; @@ -44676,10 +44733,10 @@ index 0000000..dd1b8f2 +/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0) diff --git a/pkcsslotd.if b/pkcsslotd.if new file mode 100644 -index 0000000..f383566 +index 0000000..848ddc9 --- /dev/null +++ b/pkcsslotd.if -@@ -0,0 +1,161 @@ +@@ -0,0 +1,155 @@ + +## policy for pkcsslotd + @@ -44812,12 +44869,6 @@ index 0000000..f383566 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`pkcsslotd_admin',` + gen_require(` @@ -47045,7 +47096,7 @@ index 1ddfa16..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) 
diff --git a/postfix.if b/postfix.if -index 46bee12..dacb14d 100644 +index 46bee12..8ef270f 100644 --- a/postfix.if +++ b/postfix.if @@ -28,75 +28,23 @@ interface(`postfix_stub',` @@ -47156,7 +47207,19 @@ index 46bee12..dacb14d 100644 ') ######################################## -@@ -215,7 +164,7 @@ interface(`postfix_config_filetrans',` +@@ -208,6 +157,11 @@ interface(`postfix_read_config',` + ## The object class of the object being created. + ## + ## ++## ++## ++## The name of the object being created. ++## ++## + # + interface(`postfix_config_filetrans',` + gen_require(` +@@ -215,7 +169,7 @@ interface(`postfix_config_filetrans',` ') files_search_etc($1) @@ -47165,7 +47228,7 @@ index 46bee12..dacb14d 100644 ') ######################################## -@@ -257,6 +206,25 @@ interface(`postfix_rw_local_pipes',` +@@ -257,6 +211,25 @@ interface(`postfix_rw_local_pipes',` allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; ') @@ -47191,7 +47254,7 @@ index 46bee12..dacb14d 100644 ######################################## ## ## Allow domain to read postfix local process state -@@ -272,7 +240,8 @@ interface(`postfix_read_local_state',` +@@ -272,7 +245,8 @@ interface(`postfix_read_local_state',` type postfix_local_t; ') @@ -47201,7 +47264,7 @@ index 46bee12..dacb14d 100644 ') ######################################## -@@ -290,7 +259,27 @@ interface(`postfix_read_master_state',` +@@ -290,7 +264,27 @@ interface(`postfix_read_master_state',` type postfix_master_t; ') @@ -47230,7 +47293,7 @@ index 46bee12..dacb14d 100644 ') ######################################## -@@ -376,6 +365,25 @@ interface(`postfix_domtrans_master',` +@@ -376,6 +370,25 @@ interface(`postfix_domtrans_master',` domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') 
@@ -47256,7 +47319,7 @@ index 46bee12..dacb14d 100644 ######################################## ## ## Execute the master postfix program in the -@@ -404,7 +412,6 @@ interface(`postfix_exec_master',` +@@ -404,7 +417,6 @@ interface(`postfix_exec_master',` ## Domain allowed access. ## ## @@ -47264,7 +47327,7 @@ index 46bee12..dacb14d 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -416,6 +423,24 @@ interface(`postfix_stream_connect_master',` +@@ -416,6 +428,24 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -47289,7 +47352,7 @@ index 46bee12..dacb14d 100644 ## Execute the master postdrop in the ## postfix_postdrop domain. ## -@@ -462,7 +487,7 @@ interface(`postfix_domtrans_postqueue',` +@@ -462,7 +492,7 @@ interface(`postfix_domtrans_postqueue',` ## ## # @@ -47298,7 +47361,7 @@ index 46bee12..dacb14d 100644 gen_require(` type postfix_postqueue_exec_t; ') -@@ -529,6 +554,25 @@ interface(`postfix_domtrans_smtp',` +@@ -529,6 +559,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## @@ -47324,7 +47387,7 @@ index 46bee12..dacb14d 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +583,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +588,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -47337,7 +47400,7 @@ index 46bee12..dacb14d 100644 files_search_spool($1) ') -@@ -558,10 +602,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +607,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -47350,7 +47413,7 @@ index 46bee12..dacb14d 100644 files_search_spool($1) ') -@@ -577,11 +621,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +626,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` 
@@ -47364,7 +47427,7 @@ index 46bee12..dacb14d 100644 ') ######################################## -@@ -596,11 +640,31 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +645,31 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -47398,7 +47461,7 @@ index 46bee12..dacb14d 100644 ') ######################################## -@@ -621,3 +685,155 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +690,155 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -49480,14 +49543,15 @@ index 96cc023..5919bbd 100644 ## ## Execute ptchown in the ptchown domain, and diff --git a/ptchown.te b/ptchown.te -index d90245a..f041531 100644 +index d90245a..546474f 100644 --- a/ptchown.te +++ b/ptchown.te -@@ -28,4 +28,3 @@ term_setattr_all_ptys(ptchown_t) +@@ -28,4 +28,4 @@ term_setattr_all_ptys(ptchown_t) term_use_generic_ptys(ptchown_t) term_use_ptmx(ptchown_t) -miscfiles_read_localization(ptchown_t) ++auth_read_passwd(ptchown_t) diff --git a/pulseaudio.fc b/pulseaudio.fc index 84f23dc..5be2738 100644 --- a/pulseaudio.fc @@ -52346,12 +52410,59 @@ index 0000000..4cb2ad8 +files_read_etc_files(rabbitmq_epmd_t) + +logging_send_syslog_msg(rabbitmq_epmd_t) +diff --git a/radius.fc b/radius.fc +index 09f7b50..3ef25cd 100644 +--- a/radius.fc ++++ b/radius.fc +@@ -9,6 +9,8 @@ + /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) + /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) + ++/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0) ++ + /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) + + /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) diff --git a/radius.if b/radius.if -index 75e5dc4..87d75fe 100644 +index 75e5dc4..a366f85 100644 --- a/radius.if 
+++ b/radius.if -@@ -38,8 +38,11 @@ interface(`radius_admin',` - type radiusd_initrc_exec_t; +@@ -14,6 +14,29 @@ interface(`radius_use',` + refpolicywarn(`$0($*) has been deprecated.') + ') + ++####################################### ++## ++## Execute radiusd server in the radiusd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`radiusd_systemctl',` ++ gen_require(` ++ type radiusd_unit_file_t; ++ type radiusd_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 radiusd_unit_file_t:file read_file_perms; ++ allow $1 radiusd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, radiusd_t) ++') ++ + ######################################## + ## + ## All of the rules required to administrate +@@ -35,11 +58,14 @@ interface(`radius_admin',` + gen_require(` + type radiusd_t, radiusd_etc_t, radiusd_log_t; + type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; +- type radiusd_initrc_exec_t; ++ type radiusd_initrc_exec_t, radiusd_unit_file_t; ') - allow $1 radiusd_t:process { ptrace signal_perms }; @@ -52363,11 +52474,31 @@ index 75e5dc4..87d75fe 100644 init_labeled_script_domtrans($1, radiusd_initrc_exec_t) domain_system_change_exemption($1) +@@ -59,4 +85,9 @@ interface(`radius_admin',` + + files_list_pids($1) + admin_pattern($1, radiusd_var_run_t) ++ ++ admin_pattern($1, radiusd_unit_file_t) ++ bind_systemctl($1) ++ allow $1 radiusd_unit_file_t:service all_service_perms; ++ + ') diff --git a/radius.te b/radius.te -index b1ed1bf..3edb33c 100644 +index b1ed1bf..8b3f408 100644 --- a/radius.te 
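Review bot: The doc comment on the new `radiusd_systemctl` interface does not describe what it does: it says `## Execute radiusd server in the radiusd domain.` and `## Domain allowed to transition.`, but the body grants `systemd_exec_systemctl($1)`, read access to radiusd_unit_file_t, `manage_service_perms` on the unit's service class and `ps_process_pattern($1, radiusd_t)` — there is no domain transition. Suggested wording: `## Execute systemctl on the radiusd unit files and manage the radiusd service.` with the parameter described as `## Domain allowed access.`. As a point of style, the other interfaces in radius.if use the `radius_` prefix (`radius_use`, `radius_admin`), so `radius_systemctl` would match the module convention; any caller in radius_admin would need the same name.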
+++ b/radius.te -@@ -62,11 +62,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) + type radiusd_var_run_t; + files_pid_file(radiusd_var_run_t) + ++type radiusd_unit_file_t; ++systemd_unit_file(radiusd_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -62,11 +65,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) @@ -52380,7 +52511,7 @@ index b1ed1bf..3edb33c 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -77,6 +77,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t) +@@ -77,6 +80,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) corenet_udp_bind_radacct_port(radiusd_t) corenet_udp_bind_radius_port(radiusd_t) @@ -52388,7 +52519,7 @@ index b1ed1bf..3edb33c 100644 corenet_tcp_connect_mysqld_port(radiusd_t) corenet_tcp_connect_snmp_port(radiusd_t) corenet_sendrecv_radius_server_packets(radiusd_t) -@@ -99,7 +100,6 @@ corecmd_exec_shell(radiusd_t) +@@ -99,7 +103,6 @@ corecmd_exec_shell(radiusd_t) domain_use_interactive_fds(radiusd_t) files_read_usr_files(radiusd_t) @@ -52396,7 +52527,7 @@ index b1ed1bf..3edb33c 100644 files_read_etc_runtime_files(radiusd_t) auth_use_nsswitch(radiusd_t) -@@ -110,9 +110,10 @@ libs_exec_lib_files(radiusd_t) +@@ -110,9 +113,10 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) @@ -53224,10 +53355,10 @@ index 0000000..e38693b +') diff --git a/realmd.te b/realmd.te new file mode 100644 -index 0000000..8ef2a1b +index 0000000..9015745 --- /dev/null 
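Review bot: `bind_systemctl($1)` inside radius_admin looks like a copy-paste from another module: it gives the admin domain control over the bind unit files instead of the radiusd ones, and it introduces a dependency on the bind module from a non-optional block, which can break the build when that module is absent. The interface added earlier in this same file appears to be the intended call, `radiusd_systemctl($1)`, placed next to `admin_pattern($1, radiusd_unit_file_t)`. The preceding `allow $1 radiusd_unit_file_t:service all_service_perms;` line is then the only remaining grant on the radiusd service, which is consistent with the samba_admin pattern visible later in this patch.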
+++ b/realmd.te -@@ -0,0 +1,97 @@ +@@ -0,0 +1,99 @@ +policy_module(realmd, 1.0.0) + +######################################## @@ -53263,6 +53394,8 @@ index 0000000..8ef2a1b +files_read_etc_files(realmd_t) +files_read_usr_files(realmd_t) + ++fs_getattr_all_fs(realmd_t) ++ +auth_use_nsswitch(realmd_t) + +logging_send_syslog_msg(realmd_t) @@ -54082,7 +54215,7 @@ index de37806..aee7ba7 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/rhcs.te b/rhcs.te -index 93c896a..06a8e3c 100644 +index 93c896a..8aa7362 100644 --- a/rhcs.te +++ b/rhcs.te @@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0) @@ -54219,7 +54352,7 @@ index 93c896a..06a8e3c 100644 ') optional_policy(` -@@ -114,13 +164,46 @@ optional_policy(` +@@ -114,13 +164,52 @@ optional_policy(` lvm_read_config(fenced_t) ') @@ -54228,6 +54361,12 @@ index 93c896a..06a8e3c 100644 + snmp_manage_var_lib_dirs(fenced_t) +') + ++optional_policy(` ++ virt_domtrans(fenced_t) ++ virt_read_config(fenced_t) ++ virt_read_pid_files(fenced_t) ++ virt_stream_connect(fenced_t) ++') + +####################################### +# @@ -54267,7 +54406,7 @@ index 93c896a..06a8e3c 100644 allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -139,10 +222,6 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -139,10 +228,6 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -54278,7 +54417,7 @@ index 93c896a..06a8e3c 100644 lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -154,12 +233,12 @@ optional_policy(` +@@ -154,12 +239,12 @@ optional_policy(` allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; 
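Review bot: The new optional_policy block in rhcs.te gives fenced_t `virt_domtrans`, `virt_read_config`, `virt_read_pid_files` and `virt_stream_connect`, i.e. the fencing daemon may transition into and drive the libvirt daemon domain. That is a noticeable widening for a cluster daemon, so a one-line comment above the block naming the fence agent that needs libvirt access (e.g. `# fence agents that power-cycle guests through libvirt`) would let future reviewers confirm the grant is still required. The enclosing fenced_t local policy extends beyond the hunk.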
@@ -54293,7 +54432,7 @@ index 93c896a..06a8e3c 100644 init_rw_script_tmp_files(groupd_t) -@@ -168,8 +247,7 @@ init_rw_script_tmp_files(groupd_t) +@@ -168,8 +253,7 @@ init_rw_script_tmp_files(groupd_t) # qdiskd local policy # @@ -54303,7 +54442,7 @@ index 93c896a..06a8e3c 100644 allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -182,7 +260,7 @@ kernel_read_system_state(qdiskd_t) +@@ -182,7 +266,7 @@ kernel_read_system_state(qdiskd_t) kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) @@ -54312,7 +54451,7 @@ index 93c896a..06a8e3c 100644 corecmd_exec_shell(qdiskd_t) dev_read_sysfs(qdiskd_t) -@@ -197,19 +275,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t) +@@ -197,19 +281,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t) files_dontaudit_getattr_all_sockets(qdiskd_t) files_dontaudit_getattr_all_pipes(qdiskd_t) @@ -54336,7 +54475,7 @@ index 93c896a..06a8e3c 100644 optional_policy(` netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +298,24 @@ optional_policy(` +@@ -223,18 +304,24 @@ optional_policy(` # rhcs domains common policy # @@ -54755,7 +54894,7 @@ index 0000000..8559999 + rpm_domtrans(rhnsd_t) +') diff --git a/rhsmcertd.if b/rhsmcertd.if -index 137605a..7624759 100644 +index 137605a..fd40b90 100644 --- a/rhsmcertd.if +++ b/rhsmcertd.if @@ -194,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',` @@ -54812,7 +54951,20 @@ index 137605a..7624759 100644 ') ######################################## -@@ -279,18 +279,7 @@ interface(`rhsmcertd_admin',` +@@ -264,12 +264,6 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # + interface(`rhsmcertd_admin',` + gen_require(` +@@ -279,18 +273,7 @@ interface(`rhsmcertd_admin',` allow $1 rhsmcertd_t:process signal_perms; ps_process_pattern($1, rhsmcertd_t) @@ -57367,7 +57519,7 @@ index a07b2f4..22e0db0 100644 + +userdom_getattr_user_terminals(rwho_t) 
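Review bot: The rhsmcertd_admin documentation hunk drops the second-parameter description (`Role allowed access`) without a matching change to the interface body visible in the hunk; if the body still references `$2` outside this hunk, the documentation and the interface now disagree, and if `$2` was removed, existing callers that pass a role now pass an unused argument. The same documentation-only removal appears in the sensord_admin, stapserver_admin and tomcat_admin hunks, so please confirm the four interface bodies were updated consistently. The rhsmcertd_admin body continues outside the hunk.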
diff --git a/samba.fc b/samba.fc -index 69a6074..c9dbc93 100644 +index 69a6074..2722318 100644 --- a/samba.fc +++ b/samba.fc @@ -14,6 +14,9 @@ @@ -57380,7 +57532,14 @@ index 69a6074..c9dbc93 100644 /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) -@@ -36,6 +39,10 @@ +@@ -31,11 +34,17 @@ + /var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + /var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + ++/var/nmbd/unexpected(/.*)? gen_context(system_u:object_r:samba_var_t,s0) ++ + /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) @@ -57391,7 +57550,7 @@ index 69a6074..c9dbc93 100644 /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -@@ -48,6 +55,11 @@ +@@ -48,6 +57,11 @@ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) @@ -57748,7 +57907,7 @@ index 82cb169..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 905883f..674ca82 100644 +index 905883f..7339ebc 100644 --- a/samba.te +++ b/samba.te @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0) 
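Review bot: The new file context `/var/nmbd/unexpected(/.*)? gen_context(system_u:object_r:samba_var_t,s0)` labels what looks like nmbd's unexpected-packet directory with the shared `samba_var_t`, while the existing `/var/run/samba/unexpected\.tdb` entry in the same file uses `nmbd_var_run_t`. If only nmbd writes under that path, an nmbd-specific type would avoid giving smbd and winbind write access to it through the shared label. A one-line comment above the entry stating which daemon owns the path would make the choice reviewable.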
@@ -58138,13 +58297,13 @@ index 905883f..674ca82 100644 +dev_read_urand(smbcontrol_t) + +files_read_usr_files(smbcontrol_t) -+ -+term_use_console(smbcontrol_t) -miscfiles_read_localization(smbcontrol_t) -+sysnet_use_ldap(smbcontrol_t) ++term_use_console(smbcontrol_t) -userdom_use_user_terminals(smbcontrol_t) ++sysnet_use_ldap(smbcontrol_t) ++ +userdom_use_inherited_user_terminals(smbcontrol_t) + +optional_policy(` @@ -58279,7 +58438,7 @@ index 905883f..674ca82 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -813,21 +862,25 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -813,21 +862,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -58295,12 +58454,14 @@ index 905883f..674ca82 100644 manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -files_pid_filetrans(winbind_t, winbind_var_run_t, file) +- +files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir }) +filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) +# /run/samba/krb5cc_samba +manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) ++manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) +manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) - ++ +kernel_read_network_state(winbind_t) kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) 
@@ -58311,7 +58472,7 @@ index 905883f..674ca82 100644 corenet_all_recvfrom_netlabel(winbind_t) corenet_tcp_sendrecv_generic_if(winbind_t) corenet_udp_sendrecv_generic_if(winbind_t) -@@ -840,12 +893,15 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -840,12 +894,15 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -58327,7 +58488,7 @@ index 905883f..674ca82 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -855,12 +911,14 @@ auth_manage_cache(winbind_t) +@@ -855,12 +912,14 @@ auth_manage_cache(winbind_t) domain_use_interactive_fds(winbind_t) @@ -58344,7 +58505,7 @@ index 905883f..674ca82 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -871,6 +929,15 @@ userdom_manage_user_home_content_sockets(winbind_t) +@@ -871,6 +930,15 @@ userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` @@ -58360,7 +58521,7 @@ index 905883f..674ca82 100644 kerberos_use(winbind_t) ') -@@ -909,9 +976,7 @@ auth_use_nsswitch(winbind_helper_t) +@@ -909,9 +977,7 @@ auth_use_nsswitch(winbind_helper_t) logging_send_syslog_msg(winbind_helper_t) @@ -58371,7 +58532,7 @@ index 905883f..674ca82 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -929,19 +994,34 @@ optional_policy(` +@@ -929,19 +995,34 @@ optional_policy(` # optional_policy(` @@ -58417,7 +58578,7 @@ index 905883f..674ca82 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index 1898dbd..a4431bb 100644 +index 1898dbd..1d5e802 100644 --- a/sambagui.te +++ b/sambagui.te @@ -7,7 +7,8 @@ policy_module(sambagui, 1.1.0) 
@@ -58430,21 +58591,11 @@ index 1898dbd..a4431bb 100644 ######################################## # -@@ -15,6 +16,8 @@ dbus_system_domain(sambagui_t, sambagui_exec_t) - # - - allow sambagui_t self:capability dac_override; -+allow sambagui_t self:capability sys_nice; -+allow sambagui_t self:process setsched; - allow sambagui_t self:fifo_file rw_fifo_file_perms; - allow sambagui_t self:unix_dgram_socket create_socket_perms; - -@@ -27,21 +30,29 @@ corecmd_exec_bin(sambagui_t) +@@ -27,21 +28,28 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) -files_read_etc_files(sambagui_t) -+files_list_tmp(sambagui_t) +files_read_usr_files(sambagui_t) files_search_var_lib(sambagui_t) files_read_usr_files(sambagui_t) @@ -58471,7 +58622,7 @@ index 1898dbd..a4431bb 100644 nscd_dontaudit_search_pid(sambagui_t) ') -@@ -56,6 +67,7 @@ optional_policy(` +@@ -56,6 +64,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) @@ -60630,10 +60781,10 @@ index 0000000..e1ef619 +/var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) diff --git a/sensord.if b/sensord.if new file mode 100644 -index 0000000..ef53e87 +index 0000000..5eba5fd --- /dev/null +++ b/sensord.if -@@ -0,0 +1,80 @@ +@@ -0,0 +1,75 @@ + +## Sensor information logging daemon + @@ -60689,11 +60840,6 @@ index 0000000..ef53e87 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`sensord_admin',` @@ -64258,10 +64404,10 @@ index 0000000..0ccce59 +/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0) diff --git a/stapserver.if b/stapserver.if new file mode 100644 -index 0000000..89b20d3 +index 0000000..80c6480 --- /dev/null +++ b/stapserver.if -@@ -0,0 +1,156 @@ +@@ -0,0 +1,151 @@ + +## Instrumentation System Server + 
@@ -64390,11 +64536,6 @@ index 0000000..89b20d3 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`stapserver_admin',` @@ -65878,10 +66019,10 @@ index c2ed23a..d9e875d 100644 + stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t) +') diff --git a/tgtd.te b/tgtd.te -index 80fe75c..1c6e2df 100644 +index 80fe75c..6e81911 100644 --- a/tgtd.te +++ b/tgtd.te -@@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t) +@@ -21,15 +21,19 @@ files_tmpfs_file(tgtd_tmpfs_t) type tgtd_var_lib_t; files_type(tgtd_var_lib_t) @@ -65891,8 +66032,10 @@ index 80fe75c..1c6e2df 100644 ######################################## # # TGTD personal policy. -@@ -29,7 +32,7 @@ files_type(tgtd_var_lib_t) + # + allow tgtd_t self:capability sys_resource; ++allow tgtd_t self:capability2 block_suspend; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; -allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; @@ -65900,7 +66043,7 @@ index 80fe75c..1c6e2df 100644 allow tgtd_t self:shm create_shm_perms; allow tgtd_t self:sem create_sem_perms; allow tgtd_t self:tcp_socket create_stream_socket_perms; -@@ -46,10 +49,15 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) +@@ -46,10 +50,15 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) @@ -65917,7 +66060,7 @@ index 80fe75c..1c6e2df 100644 corenet_tcp_sendrecv_generic_if(tgtd_t) corenet_tcp_sendrecv_generic_node(tgtd_t) corenet_tcp_sendrecv_iscsi_port(tgtd_t) -@@ -57,10 +65,16 @@ corenet_tcp_bind_generic_node(tgtd_t) +@@ -57,10 +66,16 @@ corenet_tcp_bind_generic_node(tgtd_t) corenet_tcp_bind_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_server_packets(tgtd_t) @@ -66569,10 +66712,10 @@ index 0000000..a8385bc +/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0) 
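Review bot: `allow tgtd_t self:capability2 block_suspend;` in tgtd.te grants a capability rather than silencing a denial; block_suspend denials are typically produced by epoll_ctl with EPOLLWAKEUP and most daemons function correctly without the capability, in which case the conventional handling is `dontaudit tgtd_t self:capability2 block_suspend;`. If tgtd genuinely needs to hold a wakelock, a comment above the rule saying so would keep the allow from being reverted to a dontaudit later.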
diff --git a/tomcat.if b/tomcat.if new file mode 100644 -index 0000000..c531b5e +index 0000000..9abef48 --- /dev/null +++ b/tomcat.if -@@ -0,0 +1,400 @@ +@@ -0,0 +1,395 @@ + +## policy for tomcat + @@ -66933,11 +67076,6 @@ index 0000000..c531b5e +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`tomcat_admin',` @@ -67314,7 +67452,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/tuned.te b/tuned.te -index db9d2a5..f0b3e04 100644 +index db9d2a5..8843888 100644 --- a/tuned.te +++ b/tuned.te @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) @@ -67379,7 +67517,7 @@ index db9d2a5..f0b3e04 100644 -files_read_etc_files(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) -+files_dontaudit_list_tmp(tuned_t) ++files_list_tmp(tuned_t) -logging_send_syslog_msg(tuned_t) +fs_getattr_all_fs(tuned_t) @@ -68784,10 +68922,10 @@ index 2124b6a..e55e393 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..be0e5a5 100644 +index 6f0736b..d08fa16 100644 --- a/virt.if +++ b/virt.if -@@ -13,64 +13,61 @@ +@@ -13,67 +13,30 @@ # template(`virt_domain_template',` gen_require(` @@ -68812,20 +68950,16 @@ index 6f0736b..be0e5a5 100644 + type $1_devpts_t, virt_ptynode; term_pty($1_devpts_t) - type $1_tmp_t; - files_tmp_file($1_tmp_t) +- type $1_tmp_t; +- files_tmp_file($1_tmp_t) ++ kernel_read_system_state($1_t) - type $1_tmpfs_t; -+ type $1_tmpfs_t, virt_tmpfs_type; - files_tmpfs_file($1_tmpfs_t) - - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) -+ dev_associate_sysfs($1_image_t) -+ -+ kernel_read_system_state($1_t) -+ +- files_tmpfs_file($1_tmpfs_t) +- +- type $1_image_t, virt_image_type; +- files_type($1_image_t) +- dev_node($1_image_t) + auth_use_nsswitch($1_t) - type $1_var_run_t; 
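Review bot: Replacing `files_dontaudit_list_tmp(tuned_t)` with `files_list_tmp(tuned_t)` in tuned.te turns a noise suppression into a real grant, which is a policy change rather than a cleanup, and the hunk gives no indication of what tuned does with a /tmp listing. A brief comment above the line naming the tuned operation that needs it would let the grant be reviewed; absent that, the dontaudit is the safer form.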
@@ -68835,27 +68969,22 @@ index 6f0736b..be0e5a5 100644 - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty($1_t, $1_devpts_t) - - manage_dirs_pattern($1_t, $1_image_t, $1_image_t) - manage_files_pattern($1_t, $1_image_t, $1_image_t) -+ manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) - read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) -+ rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) - rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) -+ fs_hugetlbfs_filetrans($1_t, $1_image_t, file) - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) +- +- manage_dirs_pattern($1_t, $1_image_t, $1_image_t) +- manage_files_pattern($1_t, $1_image_t, $1_image_t) +- read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) +- rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) +- +- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) +- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) +- manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) -+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir lnk_file }) -+ userdom_user_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file }) - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - +- +- manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) +- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) +- manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) +- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) +- - stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain) - manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) 
@@ -68870,10 +68999,13 @@ index 6f0736b..be0e5a5 100644 - - auth_use_nsswitch($1_t) - - optional_policy(` - xserver_rw_shm($1_t) - ') -@@ -98,14 +95,32 @@ interface(`virt_image',` +- optional_policy(` +- xserver_rw_shm($1_t) +- ') + ') + + ######################################## +@@ -98,14 +61,32 @@ interface(`virt_image',` dev_node($1) ') @@ -68908,7 +69040,7 @@ index 6f0736b..be0e5a5 100644 ## # interface(`virt_domtrans',` -@@ -116,9 +131,45 @@ interface(`virt_domtrans',` +@@ -116,9 +97,45 @@ interface(`virt_domtrans',` domtrans_pattern($1, virtd_exec_t, virtd_t) ') @@ -68955,7 +69087,7 @@ index 6f0736b..be0e5a5 100644 ## ## ## -@@ -166,13 +217,13 @@ interface(`virt_attach_tun_iface',` +@@ -166,13 +183,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` @@ -68971,7 +69103,7 @@ index 6f0736b..be0e5a5 100644 ') ######################################## -@@ -187,13 +238,13 @@ interface(`virt_read_config',` +@@ -187,13 +204,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` @@ -68987,7 +69119,7 @@ index 6f0736b..be0e5a5 100644 ') ######################################## -@@ -233,6 +284,24 @@ interface(`virt_read_content',` +@@ -233,6 +250,24 @@ interface(`virt_read_content',` ######################################## ## @@ -69012,7 +69144,7 @@ index 6f0736b..be0e5a5 100644 ## Read virt PID files. ## ## -@@ -252,6 +321,28 @@ interface(`virt_read_pid_files',` +@@ -252,6 +287,28 @@ interface(`virt_read_pid_files',` ######################################## ## @@ -69041,7 +69173,7 @@ index 6f0736b..be0e5a5 100644 ## Manage virt pid files. ## ## -@@ -263,10 +354,42 @@ interface(`virt_read_pid_files',` +@@ -263,10 +320,47 @@ interface(`virt_read_pid_files',` interface(`virt_manage_pid_files',` gen_require(` type virt_var_run_t; 
@@ -69074,6 +69206,11 @@ index 6f0736b..be0e5a5 100644 +## the transition will occur. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`virt_pid_filetrans',` + gen_require(` @@ -69084,7 +69221,7 @@ index 6f0736b..be0e5a5 100644 ') ######################################## -@@ -310,6 +433,24 @@ interface(`virt_read_lib_files',` +@@ -310,6 +404,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -69109,7 +69246,7 @@ index 6f0736b..be0e5a5 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -354,9 +495,9 @@ interface(`virt_read_log',` +@@ -354,9 +466,9 @@ interface(`virt_read_log',` ## virt log files. ## ## @@ -69121,7 +69258,7 @@ index 6f0736b..be0e5a5 100644 ## # interface(`virt_append_log',` -@@ -390,6 +531,25 @@ interface(`virt_manage_log',` +@@ -390,6 +502,25 @@ interface(`virt_manage_log',` ######################################## ## @@ -69147,7 +69284,7 @@ index 6f0736b..be0e5a5 100644 ## Allow domain to read virt image files ## ## -@@ -410,6 +570,7 @@ interface(`virt_read_images',` +@@ -410,6 +541,7 @@ interface(`virt_read_images',` read_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) read_blk_files_pattern($1, virt_image_type, virt_image_type) @@ -69155,7 +69292,7 @@ index 6f0736b..be0e5a5 100644 tunable_policy(`virt_use_nfs',` fs_list_nfs($1) -@@ -426,6 +587,24 @@ interface(`virt_read_images',` +@@ -426,6 +558,24 @@ interface(`virt_read_images',` ######################################## ## @@ -69180,7 +69317,7 @@ index 6f0736b..be0e5a5 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -435,15 +614,15 @@ interface(`virt_read_images',` +@@ -435,15 +585,15 @@ interface(`virt_read_images',` ## ## # 
@@ -69201,7 +69338,7 @@ index 6f0736b..be0e5a5 100644 ') ######################################## -@@ -468,18 +647,52 @@ interface(`virt_manage_images',` +@@ -468,18 +618,52 @@ interface(`virt_manage_images',` manage_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) rw_blk_files_pattern($1, virt_image_type, virt_image_type) @@ -69263,7 +69400,7 @@ index 6f0736b..be0e5a5 100644 ') ######################################## -@@ -502,10 +715,20 @@ interface(`virt_manage_images',` +@@ -502,10 +686,20 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; @@ -69285,7 +69422,7 @@ index 6f0736b..be0e5a5 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) -@@ -517,4 +740,299 @@ interface(`virt_admin',` +@@ -517,4 +711,299 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -69586,15 +69723,29 @@ index 6f0736b..be0e5a5 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..83c3900 100644 +index 947bbc6..7a8c24b 100644 --- a/virt.te +++ b/virt.te -@@ -5,56 +5,94 @@ policy_module(virt, 1.5.0) +@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0) # Declarations # +attribute virsh_transition_domain; +attribute virt_ptynode; ++attribute virt_domain; ++attribute virt_image_type; ++attribute virt_tmpfs_type; ++ ++type svirt_tmp_t; ++files_tmp_file(svirt_tmp_t) ++ ++type svirt_tmpfs_t, virt_tmpfs_type; ++files_tmpfs_file(svirt_tmpfs_t) ++ ++type svirt_image_t, virt_image_type; ++files_type(svirt_image_t) ++dev_node(svirt_image_t) ++dev_associate_sysfs(svirt_image_t) + ## ##

@@ -69678,13 +69829,11 @@ index 947bbc6..83c3900 100644 -type svirt_cache_t; -files_type(svirt_cache_t) -+virt_domain_template(svirt_prot_exec) -+role system_r types svirt_prot_exec_t; ++virt_domain_template(svirt_nokvm) ++role system_r types svirt_nokvm_t; - attribute virt_domain; - attribute virt_image_type; -+attribute virt_tmpfs_type; -+ +-attribute virt_domain; +-attribute virt_image_type; +type qemu_exec_t; + +type virt_cache_t alias svirt_cache_t; @@ -69692,7 +69841,7 @@ index 947bbc6..83c3900 100644 type virt_etc_t; files_config_file(virt_etc_t) -@@ -62,26 +100,37 @@ files_config_file(virt_etc_t) +@@ -62,26 +110,37 @@ files_config_file(virt_etc_t) type virt_etc_rw_t; files_type(virt_etc_rw_t) @@ -69733,7 +69882,7 @@ index 947bbc6..83c3900 100644 type virtd_t; type virtd_exec_t; -@@ -89,9 +138,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) +@@ -89,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) domain_obj_id_change_exemption(virtd_t) domain_subj_id_change_exemption(virtd_t) @@ -69751,7 +69900,7 @@ index 947bbc6..83c3900 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -100,6 +157,46 @@ ifdef(`enable_mls',` +@@ -100,29 +167,50 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') 
@@ -69777,125 +69926,107 @@ index 947bbc6..83c3900 100644 +type virt_qemu_ga_log_t; +logging_log_file(virt_qemu_ga_log_t) + -+######################################## -+# + ######################################## + # +-# svirt local policy +# Declarations -+# + # +attribute svirt_lxc_domain; -+ + +-allow svirt_t self:udp_socket create_socket_perms; +- +-manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +-manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +-files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) +type virtd_lxc_t; +type virtd_lxc_exec_t; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) -+ + +-read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) +type virt_lxc_var_run_t; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; -+ + +-allow svirt_t svirt_image_t:dir search_dir_perms; +-manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) +-manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) +-fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) +- +-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +-read_files_pattern(svirt_t, virt_content_t, virt_content_t) +-dontaudit svirt_t virt_content_t:file write_file_perms; +-dontaudit svirt_t virt_content_t:dir write; +# virt lxc container files +type svirt_lxc_file_t; +files_mountpoint(svirt_lxc_file_t) -+ - ######################################## - # - # svirt local policy -@@ -107,15 +204,13 @@ ifdef(`enable_mls',` - allow svirt_t self:udp_socket create_socket_perms; ++######################################## ++# ++# svirt local policy ++# + corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) +@@ -131,67 +219,65 @@ corenet_udp_bind_all_ports(svirt_t) + corenet_tcp_bind_all_ports(svirt_t) + corenet_tcp_connect_all_ports(svirt_t) --manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) --manage_files_pattern(svirt_t, svirt_cache_t, 
svirt_cache_t) --files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) +-dev_list_sysfs(svirt_t) - - read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) - - allow svirt_t svirt_image_t:dir search_dir_perms; - manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) - manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) -+manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t) -+manage_sock_files_pattern(svirt_t, svirt_image_t, svirt_image_t) - fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) - - list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -133,9 +228,17 @@ corenet_tcp_connect_all_ports(svirt_t) - - dev_list_sysfs(svirt_t) - -+fs_getattr_xattr_fs(svirt_t) -+ - userdom_search_user_home_content(svirt_t) - userdom_read_user_home_content_symlinks(svirt_t) - userdom_read_all_users_state(svirt_t) -+append_files_pattern(svirt_t, virt_home_t, virt_home_t) -+manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -+manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -+manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -+filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, { dir sock_file file }) -+stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - - tunable_policy(`virt_use_comm',` - term_use_unallocated_ttys(svirt_t) -@@ -143,18 +246,26 @@ tunable_policy(`virt_use_comm',` - ') - - tunable_policy(`virt_use_fusefs',` +-userdom_search_user_home_content(svirt_t) +-userdom_read_user_home_content_symlinks(svirt_t) +-userdom_read_all_users_state(svirt_t) +- +-tunable_policy(`virt_use_comm',` +- term_use_unallocated_ttys(svirt_t) +- dev_rw_printer(svirt_t) +-') +- +-tunable_policy(`virt_use_fusefs',` - fs_read_fusefs_files(svirt_t) -+ fs_manage_fusefs_dirs(svirt_t) -+ fs_manage_fusefs_files(svirt_t) - fs_read_fusefs_symlinks(svirt_t) -+ fs_getattr_fusefs(svirt_t) - ') - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(svirt_t) - fs_manage_nfs_files(svirt_t) -+ 
fs_manage_nfs_named_sockets(svirt_t) -+ fs_read_nfs_symlinks(svirt_t) -+ fs_getattr_nfs(svirt_t) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(svirt_t) - fs_manage_cifs_files(svirt_t) -+ fs_manage_cifs_named_sockets(svirt_t) -+ fs_read_cifs_symlinks(virtd_t) -+ fs_getattr_cifs(svirt_t) - ') - - tunable_policy(`virt_use_sysfs',` -@@ -163,11 +274,32 @@ tunable_policy(`virt_use_sysfs',` - - tunable_policy(`virt_use_usb',` - dev_rw_usbfs(svirt_t) -+ dev_read_sysfs(svirt_t) - fs_manage_dos_dirs(svirt_t) - fs_manage_dos_files(svirt_t) - ') - +- fs_read_fusefs_symlinks(svirt_t) +-') +- +-tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs(svirt_t) +- fs_manage_nfs_files(svirt_t) +-') +- +-tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs(svirt_t) +- fs_manage_cifs_files(svirt_t) +-') +- +-tunable_policy(`virt_use_sysfs',` +- dev_rw_sysfs(svirt_t) +-') +- +-tunable_policy(`virt_use_usb',` +- dev_rw_usbfs(svirt_t) +- fs_manage_dos_dirs(svirt_t) +- fs_manage_dos_files(svirt_t) +-') +- optional_policy(` -+ tunable_policy(`virt_use_sanlock',` -+ sanlock_stream_connect(svirt_t) -+ ') -+') -+ -+tunable_policy(`virt_use_rawip',` -+ allow svirt_t self:rawip_socket create_socket_perms; -+') -+ -+optional_policy(` -+ tunable_policy(`virt_use_xserver',` -+ xserver_stream_connect(svirt_t) -+ ') -+') -+ -+optional_policy(` -+ virt_domtrans_bridgehelper(svirt_t) -+') -+ -+optional_policy(` xen_rw_image_files(svirt_t) ') -@@ -176,22 +308,42 @@ optional_policy(` ++####################################### ++# ++# svirt_prot_exec local policy ++# ++ ++allow svirt_nokvm_t self:process { execmem execstack }; ++corenet_udp_sendrecv_generic_if(svirt_nokvm_t) ++corenet_udp_sendrecv_generic_node(svirt_nokvm_t) ++corenet_udp_sendrecv_all_ports(svirt_nokvm_t) ++corenet_udp_bind_generic_node(svirt_nokvm_t) ++corenet_udp_bind_all_ports(svirt_nokvm_t) ++corenet_tcp_bind_all_ports(svirt_nokvm_t) ++corenet_tcp_connect_all_ports(svirt_nokvm_t) ++ + 
######################################## + # # virtd local policy # @@ -69945,7 +70076,7 @@ index 947bbc6..83c3900 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +354,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +288,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -69980,7 +70111,7 @@ index 947bbc6..83c3900 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +386,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +320,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -70004,7 +70135,7 @@ index 947bbc6..83c3900 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +414,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +348,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -70038,7 +70169,7 @@ index 947bbc6..83c3900 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +446,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +380,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -70057,7 +70188,7 @@ index 947bbc6..83c3900 100644 mcs_process_set_categories(virtd_t) -@@ -284,7 +472,8 @@ term_use_ptmx(virtd_t) +@@ -284,7 +406,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
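Review bot: The new section header `# svirt_prot_exec local policy` in virt.te no longer matches the domain it introduces: the template call was renamed to `virt_domain_template(svirt_nokvm)` and the rules below it are for `svirt_nokvm_t`. Rename the header to `# svirt_nokvm local policy`, and consider a one-line comment stating why this domain exists (presumably guests run without KVM acceleration) and therefore needs `allow svirt_nokvm_t self:process { execmem execstack };`, since those two permissions relax W^X for the guest process and the reason is not otherwise recorded in the policy.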
@@ -70067,7 +70198,7 @@ index 947bbc6..83c3900 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +482,33 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +416,33 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -70101,7 +70232,7 @@ index 947bbc6..83c3900 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +527,10 @@ optional_policy(` +@@ -322,6 +461,10 @@ optional_policy(` ') optional_policy(` @@ -70112,7 +70243,7 @@ index 947bbc6..83c3900 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +544,34 @@ optional_policy(` +@@ -335,19 +478,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -70148,7 +70279,7 @@ index 947bbc6..83c3900 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +586,12 @@ optional_policy(` +@@ -362,6 +520,12 @@ optional_policy(` ') optional_policy(` @@ -70161,7 +70292,7 @@ index 947bbc6..83c3900 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +599,11 @@ optional_policy(` +@@ -369,11 +533,11 @@ optional_policy(` ') optional_policy(` @@ -70178,7 +70309,7 @@ index 947bbc6..83c3900 100644 ') optional_policy(` -@@ -384,6 +614,7 @@ optional_policy(` +@@ -384,6 +548,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -70186,10 +70317,11 @@ index 947bbc6..83c3900 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -403,34 +634,48 @@ optional_policy(` +@@ -402,35 +567,84 @@ optional_policy(` + # # virtual domains common policy # - +- -allow virt_domain self:capability { dac_read_search dac_override kill }; -allow virt_domain self:process { execmem execstack signal getsched signull }; -allow virt_domain self:fifo_file rw_file_perms; 
@@ -70199,11 +70331,48 @@ index 947bbc6..83c3900 100644 allow virt_domain self:unix_stream_socket create_stream_socket_perms; allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; - ++allow virt_domain self:udp_socket create_socket_perms; ++ ++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) ++read_files_pattern(virt_domain, virt_content_t, virt_content_t) ++dontaudit virt_domain virt_content_t:file write_file_perms; ++dontaudit virt_domain virt_content_t:dir write; ++ ++userdom_search_user_home_content(virt_domain) ++userdom_read_user_home_content_symlinks(virt_domain) ++userdom_read_all_users_state(virt_domain) ++append_files_pattern(virt_domain, virt_home_t, virt_home_t) ++manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t) ++manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t) ++manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) ++filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) ++stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) ++ +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + ++read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) ++ ++manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) ++manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) ++ ++manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) ++manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) 
++manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) ++files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file }) ++userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) ++manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) ++manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) ++fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) ++ +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) @@ -70214,14 +70383,13 @@ index 947bbc6..83c3900 100644 +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; + +dontaudit virt_domain virt_tmpfs_type:file { read write }; -+ + append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -kernel_read_system_state(virt_domain) -+fs_getattr_xattr_fs(virt_domain) - +- corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) @@ -70237,12 +70405,13 @@ index 947bbc6..83c3900 100644 corenet_tcp_connect_virt_migration_port(virt_domain) +corenet_rw_inherited_tun_tap_dev(virt_domain) ++dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_read_generic_symlinks(virt_domain) dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,10 +683,11 @@ dev_write_sound(virt_domain) +@@ -438,34 +652,591 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
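Review bot: `userdom_read_all_users_state(virt_domain)` is granted unconditionally to every virt_domain, so each svirt guest process may read the /proc state of every user's processes on the host, and nothing in the hunk says which guest-side operation needs that. The same block also adds `stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)` and `rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)` without a comment, in a section where the comparable USB, sysfs and raw-IP grants are placed under tunables. Either narrow the state read to what qemu actually touches or put a why-comment above it, e.g. `# qemu needs <which /proc entry> of other users' processes — TODO confirm the need`. The virtual domains common policy section continues past this hunk.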
@@ -70255,7 +70424,8 @@ index 947bbc6..83c3900 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,23 +695,525 @@ files_search_all(virt_domain) + ++fs_getattr_xattr_fs(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -70263,12 +70433,12 @@ index 947bbc6..83c3900 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) 
@@ -70297,7 +70467,67 @@ index 947bbc6..83c3900 100644 virt_read_lib_files(virt_domain) virt_read_content(virt_domain) virt_stream_connect(virt_domain) - ') ++ virt_domtrans_bridgehelper(virt_domain) ++') ++ ++optional_policy(` ++ xserver_rw_shm(virt_domain) ++') ++ ++tunable_policy(`virt_use_comm',` ++ term_use_unallocated_ttys(virt_domain) ++ dev_rw_printer(virt_domain) ++') ++ ++tunable_policy(`virt_use_fusefs',` ++ fs_manage_fusefs_dirs(virt_domain) ++ fs_manage_fusefs_files(virt_domain) ++ fs_read_fusefs_symlinks(virt_domain) ++ fs_getattr_fusefs(virt_domain) ++') ++ ++tunable_policy(`virt_use_nfs',` ++ fs_manage_nfs_dirs(virt_domain) ++ fs_manage_nfs_files(virt_domain) ++ fs_manage_nfs_named_sockets(virt_domain) ++ fs_read_nfs_symlinks(virt_domain) ++ fs_getattr_nfs(virt_domain) ++') ++ ++tunable_policy(`virt_use_samba',` ++ fs_manage_cifs_dirs(virt_domain) ++ fs_manage_cifs_files(virt_domain) ++ fs_manage_cifs_named_sockets(virt_domain) ++ fs_read_cifs_symlinks(virt_domain) ++ fs_getattr_cifs(virt_domain) ++') ++ ++tunable_policy(`virt_use_sysfs',` ++ dev_rw_sysfs(virt_domain) ++') ++ ++tunable_policy(`virt_use_usb',` ++ dev_rw_usbfs(virt_domain) ++ dev_read_sysfs(virt_domain) ++ fs_manage_dos_dirs(virt_domain) ++ fs_manage_dos_files(virt_domain) ++') ++ ++optional_policy(` ++ tunable_policy(`virt_use_sanlock',` ++ sanlock_stream_connect(virt_domain) ++ ') ++') ++ ++tunable_policy(`virt_use_rawip',` ++ allow virt_domain self:rawip_socket create_socket_perms; ++') ++ ++optional_policy(` ++ tunable_policy(`virt_use_xserver',` ++ xserver_stream_connect(virt_domain) ++ ') ++') + +######################################## +# @@ -70694,13 +70924,6 @@ index 947bbc6..83c3900 100644 + +userdom_use_inherited_user_ptys(svirt_lxc_net_t) + -+####################################### -+# -+# svirt_prot_exec local policy -+# -+ -+allow svirt_prot_exec_t self:process { execmem execstack }; -+ +######################################## +# +# virt_qmf local policy 
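Review bot: `storage_raw_read_removable_device(virt_domain)` and `miscfiles_read_public_files(virt_domain)` remain in the new side under the line `# I think we need these for now.`, which records that the need was never established; from the outer markers these lines look like they were already in the patch, but this revision reshuffles the block and is the place to settle it. Raw read of removable block devices for every guest domain is not gated by a tunable, whereas the USB and sysfs grants in the following hunk sit under `virt_use_usb` / `virt_use_sysfs`. Either move it under one of those tunables or replace the "for now" comment with the concrete case that requires it, e.g. `# qemu reads removable media passed through to the guest — see <ticket or test placeholder>`.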
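Review bot: The `virt_use_comm` block grants both `term_use_unallocated_ttys(virt_domain)` and `dev_rw_printer(virt_domain)` under one boolean, so enabling serial passthrough also opens the printer/parallel devices; if these are meant to be toggled separately the block should be split, otherwise the tunable's description should state that it covers both. `virt_use_rawip` likewise grants `allow virt_domain self:rawip_socket create_socket_perms;`, which lets a guest domain use raw IP sockets on the host stack and deserves a one-line comment above the block naming the feature that needs it. The gen_tunable declarations for virt_use_comm, virt_use_fusefs, virt_use_sysfs, virt_use_usb, virt_use_sanlock, virt_use_rawip and virt_use_xserver are outside this chunk, so confirm each is declared with a description that matches these grants.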
@@ -70783,7 +71006,7 @@ index 947bbc6..83c3900 100644 + +optional_policy(` + devicekit_manage_pid_files(virt_qemu_ga_t) -+') + ') diff --git a/vlock.te b/vlock.te index 2511093..669dc13 100644 --- a/vlock.te @@ -71794,7 +72017,7 @@ index 77d41b6..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index 07033bb..08d37ba 100644 +index 07033bb..5e3cb73 100644 --- a/xen.te +++ b/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.12.0) @@ -71988,6 +72211,15 @@ index 07033bb..08d37ba 100644 ######################################## # # Xen console local policy +@@ -359,7 +381,7 @@ allow xenconsoled_t self:process setrlimit; + allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; + allow xenconsoled_t self:fifo_file rw_fifo_file_perms; + +-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; ++allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr }; + + # pid file + manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) @@ -374,8 +396,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) @@ -71997,15 +72229,16 @@ index 07033bb..08d37ba 100644 files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) -@@ -390,7 +410,6 @@ term_use_console(xenconsoled_t) +@@ -390,7 +410,7 @@ term_use_console(xenconsoled_t) init_use_fds(xenconsoled_t) init_use_script_ptys(xenconsoled_t) -miscfiles_read_localization(xenconsoled_t) ++auth_read_passwd(xenconsoled_t) xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) -@@ -413,9 +432,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +433,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file 
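Review bot: `allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };` widens the console daemon's access to the guest console ptys from read/write to attribute changes, but carries no comment on why xenconsoled needs to change the mode or ownership of those devices. A short why-comment such as `# xenconsoled adjusts the console pty attributes for the guest — TODO cite the operation` would make the widening reviewable. The next hunk adds `auth_read_passwd(xenconsoled_t)` in the same way, also without a reason, and would benefit from the same treatment.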
@@ -72017,7 +72250,7 @@ index 07033bb..08d37ba 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,111 +462,24 @@ files_read_etc_files(xenstored_t) +@@ -442,111 +463,24 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -72131,7 +72364,7 @@ index 07033bb..08d37ba 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +492,4 @@ optional_policy(` +@@ -559,8 +493,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index da03fb8..cd0b2f0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 53%{?dist} +Release: 54%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -523,6 +523,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Nov 15 2012 Miroslav Grepl 3.11.1-54 +- Fix filetrans interface definitions +- Dontaudit xdm_t to getattr on BOINC lib files +- Add systemd_reload_all_services() interface +- Dontaudit write access on /var/lib/net-snmp/mib_indexes +- Only stop mcsuntrustedproc from relableing files +- Allow accountsd to dbus chat with gdm +- Allow realmd to getattr on all fs +- Allow logrotate to reload all services +- Add systemd unit file for radiusd +- Allow winbind to create samba pid dir +- Add labeling for /var/nmbd/unexpected +- Allow chrome and mozilla plugin to connect to msnp ports + * Mon Nov 12 2012 Miroslav Grepl 3.11.1-53 - Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file - Dontaudit setfiles reading /dev/random