diff --git a/policy-f18-base.patch b/policy-f18-base.patch index 466c477..296fcb6 100644 --- a/policy-f18-base.patch +++ b/policy-f18-base.patch @@ -112462,7 +112462,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index db981df..8fe3bea 100644 +index db981df..1d870e2 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -112544,7 +112544,7 @@ index db981df..8fe3bea 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -174,53 +185,80 @@ ifdef(`distro_gentoo',` +@@ -174,53 +185,82 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -112619,7 +112619,9 @@ index db981df..8fe3bea 100644 -/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) -/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) 
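Review bot: Replacing the directory-wide `/usr/lib/nagios/plugins(/.*)?` entry with three explicit files (`negate`, `urlize`, `utils.sh`) leaves every other plugin, and the plugins directory itself, without a label from this file; unless a nagios-specific file-context module (not in view here) labels them, they fall back to the generic `/usr/lib` rule and any domain that is only allowed to execute `bin_t` will be denied. Before merging, confirm that each remaining plugin has a matching specific entry and that the directory is covered by something like `/usr/lib/nagios/plugins -d`. A one-line comment above the three entries, e.g. `# generic helpers stay bin_t; per-check plugins get their own types elsewhere`, would record why the split was made so the next person does not restore the wildcard.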
@@ -112645,7 +112647,7 @@ index db981df..8fe3bea 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -235,10 +273,15 @@ ifdef(`distro_gentoo',` +@@ -235,10 +275,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -112661,7 +112663,7 @@ index db981df..8fe3bea 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -251,11 +294,17 @@ ifdef(`distro_gentoo',` +@@ -251,11 +296,17 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -112683,7 +112685,7 @@ index db981df..8fe3bea 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -271,10 +320,15 @@ ifdef(`distro_gentoo',` +@@ -271,10 +322,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -112699,7 +112701,7 @@ index db981df..8fe3bea 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -289,16 +343,22 @@ ifdef(`distro_gentoo',` +@@ -289,16 +345,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -112724,7 +112726,7 @@ index db981df..8fe3bea 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,20 +374,27 @@ ifdef(`distro_redhat', ` +@@ -314,20 +376,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -112753,7 +112755,7 @@ index db981df..8fe3bea 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -376,11 +443,15 @@ ifdef(`distro_suse', ` +@@ -376,11 +445,15 @@ ifdef(`distro_suse', ` # # /var # @@ -112770,7 +112772,7 @@ index db981df..8fe3bea 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -390,3 +461,12 @@ ifdef(`distro_suse', ` +@@ -390,3 +463,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -121734,7 +121736,7 @@ index 7c6b791..6ceb348 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 376bae8..1b6da2c 100644 +index 376bae8..1c59819 100644 
--- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); @@ -121754,7 +121756,17 @@ index 376bae8..1b6da2c 100644 type bdev_t; fs_type(bdev_t) -@@ -67,7 +70,7 @@ fs_type(capifs_t) +@@ -62,12 +65,17 @@ fs_type(binfmt_misc_fs_t) + files_mountpoint(binfmt_misc_fs_t) + genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) + ++type oracleasmfs_t; ++fs_type(oracleasmfs_t) ++files_mountpoint(oracleasmfs_t) ++genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0) ++ + type capifs_t; + fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) @@ -121763,7 +121775,7 @@ index 376bae8..1b6da2c 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -88,6 +91,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -88,6 +96,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -121775,7 +121787,7 @@ index 376bae8..1b6da2c 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -96,6 +104,7 @@ type hugetlbfs_t; +@@ -96,6 +109,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -121783,7 +121795,7 @@ index 376bae8..1b6da2c 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -124,6 +133,10 @@ type oprofilefs_t; +@@ -124,6 +138,10 @@ type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) @@ -121794,7 +121806,7 @@ index 376bae8..1b6da2c 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -144,11 +157,6 @@ fs_type(spufs_t) +@@ -144,11 +162,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) 
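Review bot: The new `oracleasmfs_t` declaration is inserted between `binfmt_misc_fs_t` and `capifs_t`, which breaks the alphabetical ordering the rest of this section keeps (binfmt_misc, capifs, cgroup, ecryptfs, futexfs, hugetlbfs, ibmasmfs, oprofilefs, ramfs); it belongs after `oprofilefs_t`, where the later hunk at `@@ -124,6 +138,10 @@` already touches the file. The shape of the block (`fs_type`, `files_mountpoint`, `genfscon oracleasmfs /`) matches the neighbouring pseudo-filesystem types, so the semantics look consistent with the file. A short comment such as `# Oracle ASM pseudo-filesystem; all inodes labeled via genfscon` would help readers who do not know what oracleasmfs is.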
@@ -121806,7 +121818,7 @@ index 376bae8..1b6da2c 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -166,6 +174,8 @@ type vxfs_t; +@@ -166,6 +179,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -121815,7 +121827,7 @@ index 376bae8..1b6da2c 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -175,6 +185,7 @@ fs_type(tmpfs_t) +@@ -175,6 +190,7 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -121823,7 +121835,7 @@ index 376bae8..1b6da2c 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -254,6 +265,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -254,6 +270,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -121832,7 +121844,7 @@ index 376bae8..1b6da2c 100644 files_mountpoint(removable_t) # -@@ -273,6 +286,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -273,6 +291,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -122461,7 +122473,7 @@ index 4bf45cb..9f81200 100644 + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index ab9b6cd..9d941da 100644 +index ab9b6cd..52e9d9f 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
@@ -122517,7 +122529,7 @@ index ab9b6cd..9d941da 100644 type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -+fs_associate(unlabeled_t) ++allow unlabeled_t self:filesystem associate; # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -127365,10 +127377,10 @@ index 4318f73..67baac4 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 078bcd7..022c7db 100644 +index 078bcd7..72e7b08 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,9 +1,23 @@ +@@ -1,16 +1,38 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + @@ -127392,7 +127404,11 @@ index 078bcd7..022c7db 100644 /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) -@@ -12,5 +26,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) + ++/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) ++/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) ++ /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) @@ -127404,7 +127420,7 @@ index 078bcd7..022c7db 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..da12170 100644 +index fe0c682..2e18809 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ 
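Review bot: `allow unlabeled_t self:filesystem associate;` replaces a duplicate `fs_associate(unlabeled_t)` (the same call is already visible two lines above), but the new rule carries no explanation of why unlabeled_t must associate with a filesystem whose own superblock label is unlabeled_t. Presumably this covers file creation on a mount the policy could not label, which the `fs_associate` interface would not reach if it is limited to declared filesystem types (I cannot confirm that from this hunk). Please record the reason next to the rule, e.g. `# files on a filesystem whose superblock is unlabeled_t may be created on it`, since a raw `allow` on the unlabeled type is the kind of line later reviewers will want to remove.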
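Review bot: `/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0)` matches every regular file whose name starts with `sshd`, so it labels `sshd.service`, `sshd.socket` and `sshd@.service` but also `sshd-keygen.service` and any future `sshd*` helper unit installed there. If that breadth is intended it should be stated in a comment; otherwise `/usr/lib/systemd/system/sshd[@.].* -- ...` narrows it to the daemon's own units. The `alsa.*` unit entry added later in this series takes the same broad form, so whichever choice is made should be applied consistently.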
@@ -127933,7 +127949,7 @@ index fe0c682..da12170 100644 ') ###################################### -@@ -754,3 +854,101 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +854,124 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -128035,11 +128051,34 @@ index fe0c682..da12170 100644 + + allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms; +') ++ ++######################################## ++## ++## Execute sshd server in the sshd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ssh_systemctl',` ++ gen_require(` ++ type sshd_t; ++ type sshd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 sshd_unit_file_t:file manage_file_perms; ++ allow $1 sshd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, sshd_t) ++') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index b17e27a..7bf776d 100644 +index b17e27a..e700e11 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0) +@@ -6,43 +6,53 @@ policy_module(ssh, 2.3.0) # ## 
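Review bot: The summary of the new `ssh_systemctl` interface, `## Execute sshd server in the sshd domain.`, describes a domain transition that the body never sets up; what it actually grants is `systemd_exec_systemctl($1)`, `manage_file_perms` on `sshd_unit_file_t`, `manage_service_perms` on the sshd service and `ps_process_pattern($1, sshd_t)`. Suggest `## Run systemctl against the sshd service and manage its unit files.` for the summary and `## Domain allowed access.` in place of `## Domain allowed to transition.`. Because `manage_file_perms` on the unit file lets the caller change what systemd executes as the sshd daemon, the summary should name the unit-file management explicitly so callers know the interface hands out more than start/stop/status.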
@@ -128088,25 +128127,27 @@ index b17e27a..7bf776d 100644 ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) +mls_trusted_object(sshd_t) -+ + +-type sshd_key_t; +-files_type(sshd_key_t) +type sshd_initrc_exec_t; +init_script_file(sshd_initrc_exec_t) - type sshd_key_t; - files_type(sshd_key_t) - -type sshd_tmp_t; -files_tmp_file(sshd_tmp_t) -files_poly_parent(sshd_tmp_t) -- ++type sshd_unit_file_t; ++systemd_unit_file(sshd_unit_file_t) + -ifdef(`enable_mcs',` - init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) -') -- ++type sshd_key_t; ++files_type(sshd_key_t) + type ssh_t; type ssh_exec_t; - typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; -@@ -73,6 +80,11 @@ type ssh_home_t; +@@ -73,6 +83,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) @@ -128118,7 +128159,7 @@ index b17e27a..7bf776d 100644 ############################## # -@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -83,6 +98,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -128126,7 +128167,7 @@ index b17e27a..7bf776d 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -90,15 +106,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; 
@@ -128143,7 +128184,7 @@ index b17e27a..7bf776d 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -108,32 +117,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -108,32 +120,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -128190,7 +128231,7 @@ index b17e27a..7bf776d 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t) +@@ -156,38 +178,42 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) @@ -128252,7 +128293,7 @@ index b17e27a..7bf776d 100644 ') optional_policy(` -@@ -195,28 +218,24 @@ optional_policy(` +@@ -195,28 +221,24 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -128285,7 +128326,7 @@ index b17e27a..7bf776d 100644 ################################# # # sshd local policy -@@ -227,33 +246,50 @@ optional_policy(` +@@ -227,33 +249,50 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -128345,7 +128386,7 @@ index b17e27a..7bf776d 100644 ') optional_policy(` -@@ -261,11 +297,24 @@ optional_policy(` +@@ -261,11 +300,24 @@ optional_policy(` ') optional_policy(` @@ -128371,7 +128412,7 @@ index b17e27a..7bf776d 100644 ') optional_policy(` -@@ -273,6 +322,10 @@ optional_policy(` +@@ -273,6 +325,10 @@ optional_policy(` ') optional_policy(` @@ -128382,7 +128423,7 @@ index b17e27a..7bf776d 100644 rpm_use_script_fds(sshd_t) ') -@@ -283,13 +336,69 @@ optional_policy(` +@@ -283,13 +339,69 @@ optional_policy(` ') optional_policy(` 
@@ -128452,7 +128493,7 @@ index b17e27a..7bf776d 100644 ######################################## # # ssh_keygen local policy -@@ -298,19 +407,26 @@ optional_policy(` +@@ -298,19 +410,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -128480,7 +128521,7 @@ index b17e27a..7bf776d 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -327,9 +443,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -327,9 +446,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -128494,7 +128535,7 @@ index b17e27a..7bf776d 100644 ') optional_policy(` -@@ -339,3 +457,124 @@ optional_policy(` +@@ -339,3 +460,124 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -128769,7 +128810,7 @@ index fc86b7c..c65935b 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..31366ca 100644 +index 130ced9..6d63773 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -129561,7 +129602,7 @@ index 130ced9..31366ca 100644 - files_search_tmp($1) - stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) -+ dontaudit $1 xdm_t:unix_stream_socket { read write }; ++ dontaudit $1 xdm_t:unix_stream_socket { getattr ioctl read write }; ') ######################################## 
@@ -130160,16 +130201,16 @@ index 130ced9..31366ca 100644 + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") ++ #userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") + 
userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") 
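Review bot: The ten `userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:N")` lines are commented out rather than removed, and nothing says why; commented-out policy is easy to re-enable by mistake and hides the real change, which is that `.xsession-errors-:N` files created in a user home directory no longer get the `xdm_home_t` transition and will take whatever label the home directory supplies by default. Either delete the ten lines or keep a single comment recording the reason, e.g. `# .xsession-errors-:N (display-number suffix) intentionally has no name transition — TODO note why`, hedged until the motivation is confirmed. The enclosing interface starts outside this hunk.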
@@ -130200,16 +130241,16 @@ index 130ced9..31366ca 100644 + + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") -+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") ++ #userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, 
".xsession-errors-stamped.old") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") @@ -136532,7 +136573,7 @@ index 0646ee7..da1337a 100644 ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index ef8bbaf..8c14853 100644 +index ef8bbaf..5cc272f 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -136686,7 +136727,7 @@ index ef8bbaf..8c14853 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +307,148 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +307,149 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -136839,6 +136880,7 @@ index ef8bbaf..8c14853 100644 +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index f6343ab..1a70344 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -1573,10 +1573,10 @@ index 0000000..8ba128b +') + diff --git a/alsa.fc b/alsa.fc -index d362d9c..230a2f6 100644 +index d362d9c..673b444 100644 --- a/alsa.fc 
+++ b/alsa.fc -@@ -11,10 +11,14 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) +@@ -11,10 +11,16 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) @@ -1591,6 +1591,8 @@ index d362d9c..230a2f6 100644 /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) + +/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0) ++ ++/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0) diff --git a/alsa.if b/alsa.if index 1392679..64e685f 100644 --- a/alsa.if @@ -1674,10 +1676,16 @@ index 1392679..64e685f 100644 + ps_process_pattern($1, alsa_t) +') diff --git a/alsa.te b/alsa.te -index dc1b088..1fdd2c2 100644 +index dc1b088..2845757 100644 --- a/alsa.te +++ b/alsa.te -@@ -22,6 +22,9 @@ files_type(alsa_var_lib_t) +@@ -19,9 +19,15 @@ files_tmp_file(alsa_tmp_t) + type alsa_var_lib_t; + files_type(alsa_var_lib_t) + ++type alsa_var_run_t; ++files_pid_file(alsa_var_run_t) ++ type alsa_home_t; userdom_user_home_content(alsa_home_t) 
@@ -1687,15 +1695,27 @@ index dc1b088..1fdd2c2 100644 ######################################## # # Local policy -@@ -29,6 +32,7 @@ userdom_user_home_content(alsa_home_t) +@@ -29,6 +35,7 @@ userdom_user_home_content(alsa_home_t) allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; dontaudit alsa_t self:capability sys_admin; -+allow alsa_t self:process signal_perms; ++allow alsa_t self:process { getsched setsched signal_perms }; allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket create_stream_socket_perms; -@@ -59,7 +63,6 @@ dev_read_sysfs(alsa_t) +@@ -51,6 +58,11 @@ manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + files_search_var_lib(alsa_t) + ++manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) ++manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) ++manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) ++files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir }) ++ + kernel_read_system_state(alsa_t) + + dev_read_sound(alsa_t) +@@ -59,7 +71,6 @@ dev_read_sysfs(alsa_t) corecmd_exec_bin(alsa_t) @@ -1703,7 +1723,7 @@ index dc1b088..1fdd2c2 100644 files_read_usr_files(alsa_t) term_dontaudit_use_console(alsa_t) -@@ -72,8 +75,6 @@ init_use_fds(alsa_t) +@@ -72,8 +83,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) @@ -3239,7 +3259,7 @@ index 6480167..c0ece1b 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..e8bbca3 100644 +index 0833afb..36feff2 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) @@ -3289,7 +3309,7 @@ index 0833afb..e8bbca3 100644 ## ##

-@@ -50,6 +73,20 @@ gen_tunable(httpd_can_network_connect, false) +@@ -50,6 +73,27 @@ gen_tunable(httpd_can_network_connect, false) ## ##

@@ -3300,6 +3320,13 @@ index 0833afb..e8bbca3 100644 + +## +##

++## Allow HTTPD scripts and modules to server cobbler files. ++##

++##
++gen_tunable(httpd_serve_cobbler_files, false) ++ ++## ++##

+## Allow HTTPD to connect to port 80 for graceful shutdown +##

+##
@@ -3310,7 +3337,7 @@ index 0833afb..e8bbca3 100644 ## Allow HTTPD scripts and modules to connect to databases over the network. ##

##
-@@ -57,12 +94,33 @@ gen_tunable(httpd_can_network_connect_db, false) +@@ -57,12 +101,33 @@ gen_tunable(httpd_can_network_connect_db, false) ## ##

@@ -3344,7 +3371,7 @@ index 0833afb..e8bbca3 100644 ##

## Allow http daemon to send mail ##

-@@ -93,6 +151,21 @@ gen_tunable(httpd_enable_ftp_server, false) +@@ -93,6 +158,21 @@ gen_tunable(httpd_enable_ftp_server, false) ## ##

@@ -3366,7 +3393,7 @@ index 0833afb..e8bbca3 100644 ## Allow httpd to read home directories ##

##
-@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false) +@@ -100,6 +180,27 @@ gen_tunable(httpd_enable_homedirs, false) ## ##

@@ -3394,7 +3421,7 @@ index 0833afb..e8bbca3 100644 ## Allow httpd daemon to change its resource limits ##

##
-@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false) +@@ -114,6 +215,13 @@ gen_tunable(httpd_ssi_exec, false) ## ##

@@ -3408,7 +3435,7 @@ index 0833afb..e8bbca3 100644 ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false) +@@ -130,12 +238,26 @@ gen_tunable(httpd_unified, false) ## ##

@@ -3435,7 +3462,7 @@ index 0833afb..e8bbca3 100644 ##

## Allow httpd to run gpg ##

-@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false) +@@ -149,12 +271,28 @@ gen_tunable(httpd_use_gpg, false) ##
gen_tunable(httpd_use_nfs, false) @@ -3464,7 +3491,7 @@ index 0833afb..e8bbca3 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -163,6 +294,10 @@ attribute httpd_script_domains; +@@ -163,6 +301,10 @@ attribute httpd_script_domains; type httpd_t; type httpd_exec_t; @@ -3475,7 +3502,7 @@ index 0833afb..e8bbca3 100644 init_daemon_domain(httpd_t, httpd_exec_t) role system_r types httpd_t; -@@ -173,7 +308,7 @@ files_type(httpd_cache_t) +@@ -173,7 +315,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -3484,7 +3511,7 @@ index 0833afb..e8bbca3 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -184,10 +319,19 @@ role system_r types httpd_helper_t; +@@ -184,10 +326,19 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -3504,7 +3531,7 @@ index 0833afb..e8bbca3 100644 logging_log_file(httpd_log_t) # httpd_modules_t is the type given to module files (libraries) -@@ -223,7 +367,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -223,7 +374,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -3527,7 +3554,7 @@ index 0833afb..e8bbca3 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -233,6 +391,11 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -233,6 +398,11 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) 
@@ -3539,7 +3566,7 @@ index 0833afb..e8bbca3 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -240,6 +403,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -240,6 +410,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; @@ -3547,7 +3574,7 @@ index 0833afb..e8bbca3 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -259,16 +423,28 @@ type httpd_var_lib_t; +@@ -259,16 +430,28 @@ type httpd_var_lib_t; files_type(httpd_var_lib_t) type httpd_var_run_t; @@ -3576,7 +3603,7 @@ index 0833afb..e8bbca3 100644 ######################################## # # Apache server local policy -@@ -288,11 +464,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -288,11 +471,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -3590,7 +3617,7 @@ index 0833afb..e8bbca3 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -305,6 +483,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms; +@@ -305,6 +490,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms; files_lock_filetrans(httpd_t, httpd_lock_t, file) allow httpd_t httpd_log_t:dir setattr; 
@@ -3598,7 +3625,7 @@ index 0833afb..e8bbca3 100644 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -@@ -336,8 +515,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -336,8 +522,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -3610,7 +3637,7 @@ index 0833afb..e8bbca3 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -346,8 +527,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -346,8 +534,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -3621,7 +3648,7 @@ index 0833afb..e8bbca3 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,8 +544,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -362,8 +551,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -3632,7 +3659,7 @@ index 0833afb..e8bbca3 100644 corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) corenet_udp_sendrecv_generic_if(httpd_t) -@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -372,11 +562,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) 
@@ -3653,7 +3680,7 @@ index 0833afb..e8bbca3 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t) +@@ -385,9 +583,14 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -3668,7 +3695,7 @@ index 0833afb..e8bbca3 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t) +@@ -396,61 +599,112 @@ domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) @@ -3789,7 +3816,7 @@ index 0833afb..e8bbca3 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +715,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -3853,7 +3880,7 @@ index 0833afb..e8bbca3 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +779,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -3876,7 +3903,7 @@ index 0833afb..e8bbca3 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,23 +814,43 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` 
@@ -3888,7 +3915,21 @@ index 0833afb..e8bbca3 100644 + userdom_dontaudit_use_user_terminals(httpd_suexec_t) +') + ++ +optional_policy(` ++ cobbler_list_config(httpd_t) ++ cobbler_read_config(httpd_t) ++ ++ tunable_policy(`httpd_serve_cobbler_files',` ++ cobbler_manage_lib_files(httpd_t) ++',` ++ cobbler_read_lib_files(httpd_t) ++ cobbler_search_lib(httpd_t) ++ ') + ') + + optional_policy(` +- calamaris_read_www_files(httpd_t) + # Support for ABRT retrace server + # mod_wsgi + abrt_manage_spool_retrace(httpd_t) @@ -3897,17 +3938,20 @@ index 0833afb..e8bbca3 100644 ') optional_policy(` -@@ -525,6 +831,9 @@ optional_policy(` +- ccs_read_config(httpd_t) ++ calamaris_read_www_files(httpd_t) ') optional_policy(` -+ cobbler_list_config(httpd_t) -+ cobbler_read_config(httpd_t) -+ cobbler_read_lib_files(httpd_t) - cobbler_search_lib(httpd_t) +- cobbler_search_lib(httpd_t) ++ ccs_read_config(httpd_t) ') -@@ -540,6 +849,24 @@ optional_policy(` ++ + optional_policy(` + cron_system_entry(httpd_t, httpd_exec_t) + ') +@@ -540,6 +863,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3932,7 +3976,7 @@ index 0833afb..e8bbca3 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +876,24 @@ optional_policy(` +@@ -549,13 +890,24 @@ optional_policy(` ') optional_policy(` @@ -3958,7 +4002,7 @@ index 0833afb..e8bbca3 100644 ') optional_policy(` -@@ -573,7 +911,25 @@ optional_policy(` +@@ -573,7 +925,25 @@ optional_policy(` ') optional_policy(` @@ -3984,7 +4028,7 @@ index 0833afb..e8bbca3 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -584,6 +940,7 @@ optional_policy(` +@@ -584,6 +954,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3992,7 +4036,7 @@ index 0833afb..e8bbca3 100644 ') optional_policy(` -@@ -594,6 +951,46 @@ optional_policy(` +@@ -594,6 +965,46 @@ optional_policy(` ') optional_policy(` 
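Review bot: The false branch of the new `tunable_policy(`httpd_serve_cobbler_files',` block is written as a bare `',` at column 0 with its two calls indented one level, so it reads as a stray closing quote rather than an else branch; indent it as `	',` with `cobbler_read_lib_files(httpd_t)` and `cobbler_search_lib(httpd_t)` two levels deep, matching the other tunable_policy blocks in this file. On substance, `cobbler_manage_lib_files(httpd_t)` gives the web server write access to everything labelled cobbler_var_lib_t, which elsewhere in this patch includes `/var/lib/tftpboot/etc(/.*)?`, i.e. network-boot content served to other hosts; the tunable's description (declared outside this hunk, if at all) should state that enabling it lets httpd modify that content so administrators can weigh it. The added `++` blank line next to the existing blank also leaves a double blank line before the block.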
@@ -4039,7 +4083,7 @@ index 0833afb..e8bbca3 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,6 +1005,11 @@ optional_policy(` +@@ -608,6 +1019,11 @@ optional_policy(` ') optional_policy(` @@ -4051,7 +4095,7 @@ index 0833afb..e8bbca3 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +1022,12 @@ optional_policy(` +@@ -620,6 +1036,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -4064,7 +4108,7 @@ index 0833afb..e8bbca3 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1041,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1055,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -4109,7 +4153,7 @@ index 0833afb..e8bbca3 100644 ######################################## # -@@ -671,28 +1115,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1129,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -4153,7 +4197,7 @@ index 0833afb..e8bbca3 100644 ') ######################################## -@@ -702,6 +1148,7 @@ optional_policy(` +@@ -702,6 +1162,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -4161,7 +4205,7 @@ index 0833afb..e8bbca3 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1163,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1177,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -4190,7 +4234,7 @@ index 0833afb..e8bbca3 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1193,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1207,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -4208,7 +4252,7 @@ index 0833afb..e8bbca3 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1211,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1225,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -4241,7 +4285,7 @@ index 0833afb..e8bbca3 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1258,25 @@ optional_policy(` +@@ -786,6 +1272,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4267,7 +4311,7 @@ index 0833afb..e8bbca3 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1297,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1311,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -4285,7 +4329,7 @@ index 0833afb..e8bbca3 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1316,51 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1330,51 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -4345,7 +4389,7 @@ index 0833afb..e8bbca3 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1368,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1382,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4386,7 +4430,7 @@ index 0833afb..e8bbca3 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,15 +1408,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +@@ -854,15 +1422,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` optional_policy(` clamav_domtrans_clamscan(httpd_sys_script_t) @@ -4413,7 +4457,7 @@ index 0833afb..e8bbca3 100644 ') ######################################## -@@ -878,11 +1443,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1457,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4425,7 +4469,7 @@ index 0833afb..e8bbca3 100644 ######################################## # -@@ -908,11 +1471,143 @@ optional_policy(` +@@ -908,11 +1485,143 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -8472,7 +8516,7 @@ index c3e3f79..54c74eb 100644 + unconfined_domain(certmonger_unconfined_t) +') diff --git a/certwatch.te b/certwatch.te -index e07cef5..20cb64f 100644 +index e07cef5..ebadfa9 100644 --- a/certwatch.te +++ b/certwatch.te @@ -17,6 +17,11 @@ role system_r types certwatch_t; 
@@ -8487,7 +8531,7 @@ index e07cef5..20cb64f 100644 dev_read_urand(certwatch_t) files_read_etc_files(certwatch_t) -@@ -27,17 +32,18 @@ files_list_tmp(certwatch_t) +@@ -27,22 +32,27 @@ files_list_tmp(certwatch_t) fs_list_inotifyfs(certwatch_t) auth_manage_cache(certwatch_t) @@ -8509,6 +8553,15 @@ index e07cef5..20cb64f 100644 apache_exec_modules(certwatch_t) apache_read_config(certwatch_t) ') + + optional_policy(` ++ mta_send_mail(certwatch_t) ++') ++ ++optional_policy(` + cron_system_entry(certwatch_t, certwatch_exec_t) + ') + diff --git a/cfengine.fc b/cfengine.fc new file mode 100644 index 0000000..4c52fa3 @@ -10408,10 +10461,10 @@ index 28fdd8a..5605ed7 100644 corosync_stream_connect(cmirrord_t) ') diff --git a/cobbler.fc b/cobbler.fc -index 1cf6c4e..0858f92 100644 +index 1cf6c4e..a5882d4 100644 --- a/cobbler.fc +++ b/cobbler.fc -@@ -1,7 +1,35 @@ +@@ -1,7 +1,38 @@ -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) @@ -10422,8 +10475,11 @@ index 1cf6c4e..0858f92 100644 + +/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0) + ++ +/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) + ++/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++ +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) + +/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) @@ -10666,7 +10722,7 @@ index 116d60f..49f30af 100644 + allow $1 cobblerd_unit_file_t:service all_service_perms; ') diff --git a/cobbler.te b/cobbler.te -index 0258b48..c68160d 100644 +index 0258b48..fd0cb06 100644 --- a/cobbler.te +++ b/cobbler.te @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0) 
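Review bot: The new `/var/cache/cobbler(/.*)?` entry in cobbler.fc reuses `cobbler_var_lib_t`, so cache contents and the persistent state under /var/lib/cobbler (which in this patch also covers /var/lib/tftpboot/etc) become one type and any domain granted access to one gets the other. If the cache really needs the same access set a short comment saying so would help, otherwise a dedicated cache type is the usual split. The extra `++` blank line added above `/usr/bin/cobblerd` also leaves two consecutive blank lines in the file.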
@@ -10709,7 +10765,7 @@ index 0258b48..c68160d 100644 type cobblerd_t; type cobblerd_exec_t; init_daemon_domain(cobblerd_t, cobblerd_exec_t) -@@ -26,25 +48,43 @@ files_config_file(cobbler_etc_t) +@@ -26,25 +48,41 @@ files_config_file(cobbler_etc_t) type cobbler_var_log_t; logging_log_file(cobbler_var_log_t) @@ -10749,14 +10805,12 @@ index 0258b48..c68160d 100644 manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) +manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file }) -+ -+# Something really needs to write to cobbler.log. Ideally this should not be happening. -+allow cobblerd_t cobbler_var_log_t:file write; ++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir) ++files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler") append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -@@ -52,57 +92,131 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +@@ -52,57 +90,131 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) @@ -10892,7 +10946,7 @@ index 0258b48..c68160d 100644 ') optional_policy(` -@@ -110,12 +224,21 @@ optional_policy(` +@@ -110,12 +222,21 @@ optional_policy(` ') optional_policy(` @@ -10917,7 +10971,7 @@ index 0258b48..c68160d 100644 ') ######################################## -@@ -123,6 +246,10 @@ optional_policy(` +@@ -123,6 +244,10 @@ optional_policy(` # Cobbler web local policy. # @@ -19050,10 +19104,10 @@ index 0000000..b214253 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..7f0b4f6 +index 0000000..796bfca --- /dev/null 
+++ b/dirsrv.te -@@ -0,0 +1,193 @@ +@@ -0,0 +1,197 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -19202,6 +19256,10 @@ index 0000000..7f0b4f6 + rpcbind_stream_connect(dirsrv_t) +') + ++optional_policy(` ++ uuidd_stream_connect_manager(dirsrv_t) ++') ++ +######################################## +# +# dirsrv-snmp local policy @@ -24579,10 +24637,10 @@ index 00a19e3..5818f74 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..7c84b94 100644 +index f5afe78..4a90668 100644 --- a/gnome.if +++ b/gnome.if -@@ -1,44 +1,1067 @@ +@@ -1,44 +1,1086 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -25001,6 +25059,25 @@ index f5afe78..7c84b94 100644 + +######################################## +## ++## Create generic cache home dir (.cache) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_create_generic_cache_dir',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ allow $1 cache_home_t:dir create_dir_perms; ++ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") ++') ++ ++######################################## ++## +## Set attributes of cache home dir (.cache) +## +## @@ -25668,7 +25745,7 @@ index f5afe78..7c84b94 100644 ## ## ## -@@ -46,37 +1069,91 @@ interface(`gnome_role',` +@@ -46,37 +1088,91 @@ interface(`gnome_role',` ## ## # @@ -25771,7 +25848,7 @@ index f5afe78..7c84b94 100644 ## ## ## -@@ -84,37 +1161,107 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +1180,107 @@ template(`gnome_read_gconf_config',` ## ## # @@ -25890,7 +25967,7 @@ index f5afe78..7c84b94 100644 ## ## ## -@@ -122,17 +1269,36 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1288,36 @@ interface(`gnome_stream_connect_gconf',` ## ## # 
@@ -25931,7 +26008,7 @@ index f5afe78..7c84b94 100644 ## ## ## -@@ -140,51 +1306,281 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1325,281 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -30318,14 +30395,15 @@ index 3525d24..8c702c9 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index 604f67b..138e1e2 100644 +index 604f67b..11e6268 100644 --- a/kerberos.if +++ b/kerberos.if -@@ -82,14 +82,11 @@ interface(`kerberos_use',` +@@ -82,14 +82,12 @@ interface(`kerberos_use',` #kerberos libraries are attempting to set the correct file context dontaudit $1 self:process setfscreate; selinux_dontaudit_validate_context($1) - seutil_dontaudit_read_file_contexts($1) ++ seutil_read_file_contexts($1) - tunable_policy(`allow_kerberos',` + tunable_policy(`kerberos_enabled',` @@ -30337,7 +30415,7 @@ index 604f67b..138e1e2 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -103,11 +100,12 @@ interface(`kerberos_use',` +@@ -103,11 +101,12 @@ interface(`kerberos_use',` corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) @@ -30352,7 +30430,7 @@ index 604f67b..138e1e2 100644 pcscd_stream_connect($1) ') ') -@@ -218,6 +216,30 @@ interface(`kerberos_rw_keytab',` +@@ -218,6 +217,30 @@ interface(`kerberos_rw_keytab',` ######################################## ## @@ -30383,7 +30461,7 @@ index 604f67b..138e1e2 100644 ## Create a derived type for kerberos keytab ## ## -@@ -235,8 +257,13 @@ template(`kerberos_keytab_template',` +@@ -235,8 +258,13 @@ template(`kerberos_keytab_template',` type $1_keytab_t; files_type($1_keytab_t) 
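Review bot: In the kerberos.if hunk at -82,14, `seutil_read_file_contexts($1)` replaces `seutil_dontaudit_read_file_contexts($1)` inside `kerberos_use`, turning a silenced denial into a real allow for every domain that calls this interface; since kerberos_use is applied widely, that is a broad widening introduced by a one-line swap. The adjacent comment only says the libraries "are attempting to set the correct file context", which justified a dontaudit, not an allow. If the read is genuinely needed, the comment should name the operation that fails without it, e.g. `# kerberos libraries need the file_contexts database to label new files — TODO confirm which call`; otherwise keeping the dontaudit is the safer default.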
@@ -30397,7 +30475,7 @@ index 604f67b..138e1e2 100644 kerberos_read_keytab($2) kerberos_use($2) ') -@@ -282,42 +309,21 @@ interface(`kerberos_manage_host_rcache',` +@@ -282,42 +310,21 @@ interface(`kerberos_manage_host_rcache',` # does not work in conditionals domain_obj_id_change_exemption($1) @@ -30443,7 +30521,7 @@ index 604f67b..138e1e2 100644 ## All of the rules required to administrate ## an kerberos environment ## -@@ -338,18 +344,22 @@ interface(`kerberos_admin',` +@@ -338,18 +345,22 @@ interface(`kerberos_admin',` type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; @@ -30471,7 +30549,7 @@ index 604f67b..138e1e2 100644 ps_process_pattern($1, kpropd_t) init_labeled_script_domtrans($1, kerberos_initrc_exec_t) -@@ -378,3 +388,121 @@ interface(`kerberos_admin',` +@@ -378,3 +389,121 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -32366,7 +32444,7 @@ index ae29d9f..fb7869e 100644 ######################################## diff --git a/livecd.te b/livecd.te -index 008f718..2a9d6c0 100644 +index 008f718..d125a61 100644 --- a/livecd.te +++ b/livecd.te @@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0) @@ -32396,17 +32474,18 @@ index 008f718..2a9d6c0 100644 domain_ptrace_all_domains(livecd_t) -@@ -30,14 +31,5 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) +@@ -30,14 +31,9 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) optional_policy(` - mount_run(livecd_t, livecd_roles) -+ unconfined_domain_noaudit(livecd_t) ++ rpm_transition_script(livecd_t) ') -- --optional_policy(` + + optional_policy(` - hal_dbus_chat(livecd_t) --') ++ unconfined_domain_noaudit(livecd_t) + ') - -optional_policy(` - unconfined_domain(livecd_t) @@ -35986,7 +36065,7 @@ index b397fde..aaf4cdf 100644 +') + 
diff --git a/mozilla.te b/mozilla.te -index d4fcb75..0216e3f 100644 +index d4fcb75..af07b52 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) @@ -36159,7 +36238,7 @@ index d4fcb75..0216e3f 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,65 +318,105 @@ optional_policy(` +@@ -297,65 +318,106 @@ optional_policy(` # mozilla_plugin local policy # @@ -36258,6 +36337,7 @@ index d4fcb75..0216e3f 100644 +corenet_tcp_connect_commplex_port(mozilla_plugin_t) +corenet_tcp_connect_couchdb_port(mozilla_plugin_t) +corenet_tcp_connect_monopd_port(mozilla_plugin_t) ++corenet_tcp_connect_transproxy_port(mozilla_plugin_t) +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) @@ -36280,7 +36360,7 @@ index d4fcb75..0216e3f 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,55 +424,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,55 +425,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -36364,7 +36444,7 @@ index d4fcb75..0216e3f 100644 ') optional_policy(` -@@ -420,26 +488,45 @@ optional_policy(` +@@ -420,26 +489,45 @@ optional_policy(` ') optional_policy(` @@ -36414,7 +36494,7 @@ index d4fcb75..0216e3f 100644 ') optional_policy(` -@@ -447,10 +534,122 @@ optional_policy(` +@@ -447,10 +535,122 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -39319,7 +39399,7 @@ index 1cf05a3..8855ea2 100644 userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/nagios.fc b/nagios.fc -index 1238f2e..d80b4db 100644 +index 1238f2e..9590368 100644 --- a/nagios.fc +++ b/nagios.fc 
@@ -6,7 +6,7 @@ @@ -39427,9 +39507,10 @@ index 1238f2e..d80b4db 100644 /usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - # unconfined plugins +-# unconfined plugins -/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) ++# label all nagios plugin as unconfined by default ++/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + +# eventhandlers +/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) @@ -41114,10 +41195,10 @@ index 0000000..7d11148 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..c961e48 +index 0000000..84b2cc6 --- /dev/null +++ b/nova.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,333 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -41173,6 +41254,7 @@ index 0000000..c961e48 +manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t) + +corenet_tcp_connect_amqp_port(nova_domain) ++corenet_tcp_connect_mysqld_port(nova_domain) + +corecmd_exec_bin(nova_domain) +corecmd_exec_shell(nova_domain) @@ -41299,6 +41381,10 @@ index 0000000..c961e48 + +auth_use_nsswitch(nova_console_t) + ++optional_policy(` ++ mysql_stream_connect(nova_console_t) ++') ++ +####################################### +# +# nova direct local policy @@ -46672,7 +46758,7 @@ index 1c2a091..2f1ff6a 100644 ## ## Connect to pcscd over an unix stream socket. diff --git a/pcscd.te b/pcscd.te -index ceafba6..47b690d 100644 +index ceafba6..e438490 100644 --- a/pcscd.te +++ b/pcscd.te @@ -25,6 +25,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms; 
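Review bot: The new catch-all `/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)` in nagios.fc makes the unconfined plugin type the default for every plugin not explicitly listed, so any plugin added to the directory later runs unconfined unless someone remembers to add a specific entry; the listed check_* plugins stay confined only because file_contexts prefers the more specific match. A fail-closed default would label unlisted plugins with one of the confined plugin types and keep the unconfined label for the named plugins that need it, as the removed `check_by_ssh` line did. If unconfined-by-default is intentional, the comment should record the reason and the expectation on maintainers, e.g. `# unlisted plugins run unconfined; add a specific entry above for any plugin that can be confined`.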
@@ -46700,7 +46786,7 @@ index ceafba6..47b690d 100644 sysnet_dns_name_resolve(pcscd_t) optional_policy(` -@@ -77,3 +75,7 @@ optional_policy(` +@@ -77,3 +75,11 @@ optional_policy(` optional_policy(` rpm_use_script_fds(pcscd_t) ') @@ -46708,6 +46794,10 @@ index ceafba6..47b690d 100644 +optional_policy(` + udev_read_db(pcscd_t) +') ++ ++optional_policy(` ++ virt_rw_svirt_dev(pcscd_t) ++') diff --git a/pegasus.if b/pegasus.if index 920b13f..22b745a 100644 --- a/pegasus.if @@ -55287,10 +55377,10 @@ index 0000000..010b2be +') diff --git a/quantum.te b/quantum.te new file mode 100644 -index 0000000..2b0a6a0 +index 0000000..f66e288 --- /dev/null +++ b/quantum.te -@@ -0,0 +1,100 @@ +@@ -0,0 +1,101 @@ +policy_module(quantum, 1.0.0) + +######################################## @@ -55346,6 +55436,7 @@ index 0000000..2b0a6a0 + +corenet_tcp_bind_generic_node(quantum_t) +corenet_tcp_bind_quantum_port(quantum_t) ++corenet_tcp_connect_keystone_port(quantum_t) +corenet_tcp_connect_mysqld_port(quantum_t) +corenet_tcp_connect_amqp_port(quantum_t) + @@ -56040,16 +56131,18 @@ index b1a85b5..6d6ec1d 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; +') diff --git a/raid.te b/raid.te -index a8a12b7..83609a4 100644 +index a8a12b7..8b27779 100644 --- a/raid.te +++ b/raid.te -@@ -10,11 +10,9 @@ type mdadm_exec_t; +@@ -10,11 +10,12 @@ type mdadm_exec_t; init_daemon_domain(mdadm_t, mdadm_exec_t) role system_r types mdadm_t; -type mdadm_map_t; -files_type(mdadm_map_t) -- ++type mdadm_tmp_t; ++files_tmpfs_file(mdadm_tmp_t) + -type mdadm_var_run_t; +type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) @@ -56057,7 +56150,7 @@ index a8a12b7..83609a4 100644 ######################################## # -@@ -22,21 +20,24 @@ files_pid_file(mdadm_var_run_t) +@@ -22,21 +23,28 @@ files_pid_file(mdadm_var_run_t) # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; 
@@ -56071,7 +56164,10 @@ index a8a12b7..83609a4 100644 -# create .mdadm files in /dev -allow mdadm_t mdadm_map_t:file manage_file_perms; -dev_filetrans(mdadm_t, mdadm_map_t, file) -- ++manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) ++manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) ++files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file) + +manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -files_pid_filetrans(mdadm_t, mdadm_var_run_t, file) @@ -56089,7 +56185,7 @@ index a8a12b7..83609a4 100644 # Helper program access corecmd_exec_bin(mdadm_t) -@@ -52,15 +53,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) +@@ -52,15 +60,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) dev_read_realtime_clock(mdadm_t) # unfortunately needed for DMI decoding: dev_read_raw_memory(mdadm_t) @@ -56111,11 +56207,12 @@ index a8a12b7..83609a4 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -69,16 +73,17 @@ mls_file_write_all_levels(mdadm_t) +@@ -69,16 +80,18 @@ mls_file_write_all_levels(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_dev_filetrans_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) +storage_write_scsi_generic(mdadm_t) ++storage_raw_read_removable_device(mdadm_t) term_dontaudit_list_ptys(mdadm_t) term_dontaudit_use_unallocated_ttys(mdadm_t) @@ -56131,7 +56228,7 @@ index a8a12b7..83609a4 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) userdom_dontaudit_use_user_terminals(mdadm_t) -@@ -86,6 +91,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t) +@@ -86,6 +99,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t) mta_send_mail(mdadm_t) optional_policy(` @@ -56684,13 +56781,15 @@ index b4ac57e..7b76aa2 100644 diff --git a/realmd.fc b/realmd.fc new file mode 100644 -index 0000000..02a1f34 +index 0000000..3b92679 --- /dev/null 
+++ b/realmd.fc -@@ -0,0 +1,3 @@ +@@ -0,0 +1,5 @@ +/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) + +/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0) ++ ++/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0) diff --git a/realmd.if b/realmd.if new file mode 100644 index 0000000..e38693b @@ -56741,10 +56840,10 @@ index 0000000..e38693b +') diff --git a/realmd.te b/realmd.te new file mode 100644 -index 0000000..7e4d536 +index 0000000..372da97 --- /dev/null +++ b/realmd.te -@@ -0,0 +1,138 @@ +@@ -0,0 +1,168 @@ +policy_module(realmd, 1.0.0) + +######################################## @@ -56765,13 +56864,18 @@ index 0000000..7e4d536 +files_tmp_file(realmd_tmp_t) + + ++type realmd_var_lib_t; ++files_type(realmd_var_lib_t) ++ +######################################## +# +# realmd local policy +# + -+allow realmd_t self:capability sys_nice; ++allow realmd_t self:capability { sys_nice }; ++allow realmd_t self:capability2 block_suspend; +allow realmd_t self:process setsched; ++allow realmd_t self:key manage_key_perms; + +manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) +manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) @@ -56780,7 +56884,12 @@ index 0000000..7e4d536 +manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) +manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) + ++manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t) ++manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t) ++files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir) ++ +kernel_read_system_state(realmd_t) ++kernel_read_network_state(realmd_t) + +corecmd_exec_bin(realmd_t) +corecmd_exec_shell(realmd_t) 
@@ -56794,12 +56903,20 @@ index 0000000..7e4d536 +dev_read_rand(realmd_t) +dev_read_urand(realmd_t) + ++files_manage_etc_files(realmd_t) ++ +fs_getattr_all_fs(realmd_t) + +auth_use_nsswitch(realmd_t) + ++logging_manage_generic_logs(realmd_t) +logging_send_syslog_msg(realmd_t) + ++miscfiles_manage_generic_cert_files(realmd_t) ++ ++seutil_domtrans_setfiles(realmd_t) ++seutil_read_file_contexts(realmd_t) ++ +sysnet_dns_name_resolve(realmd_t) +systemd_exec_systemctl(realmd_t) + @@ -56829,6 +56946,17 @@ index 0000000..7e4d536 +optional_policy(` + kerberos_use(realmd_t) + kerberos_rw_keytab(realmd_t) ++ kerberos_rw_config(realmd_t) ++ kerberos_filetrans_named_content(realmd_t) ++') ++ ++optional_policy(` ++ ntp_domtrans_ntpdate(realmd_t) ++') ++ ++optional_policy(` ++ ssh_domtrans(realmd_t) ++ ssh_systemctl(realmd_t) +') + +optional_policy(` @@ -56867,12 +56995,15 @@ index 0000000..7e4d536 + xserver_read_state_xdm(realmd_t) +') + ++optional_policy(` ++ unconfined_domain(realmd_t) ++') ++ +##################################### +# +# realmd consolehelper local policy +# + -+ +optional_policy(` + userhelper_console_role_template(realmd, system_r, realmd_t) + authconfig_manage_lib_files(realmd_consolehelper_t) @@ -56881,8 +57012,6 @@ index 0000000..7e4d536 + + unconfined_domain_noaudit(realmd_consolehelper_t) +') -+ -+ diff --git a/remotelogin.te b/remotelogin.te index 0a76027..18f59a7 100644 --- a/remotelogin.te @@ -62389,10 +62518,10 @@ index 0000000..7addd77 +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..db440d4 +index 0000000..d611be9 --- /dev/null +++ b/sandbox.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,63 @@ +policy_module(sandbox,1.0.0) + +attribute sandbox_domain; @@ -62453,12 +62582,9 @@ index 0000000..db440d4 + +fs_dontaudit_getattr_all_fs(sandbox_domain) + -+ -+userdom_dontaudit_use_user_terminals(sandbox_domain) ++userdom_use_inherited_user_terminals(sandbox_domain) + +mta_dontaudit_read_spool_symlinks(sandbox_domain) -+ -+ 
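Review bot: `unconfined_domain(realmd_t)` inside a new `optional_policy` block makes realmd fully unconfined whenever the unconfined module is loaded, so the broad rules added in the same hunk (`files_manage_etc_files`, `logging_manage_generic_logs`, `miscfiles_manage_generic_cert_files`, `seutil_domtrans_setfiles`) only take effect on systems without that module and the rest of the domain's policy is effectively documentation there. If this is an interim measure while the domain is tightened, a comment should say so and what still fails without it, e.g. `# realmd is unconfined until the remaining denials are resolved; remove once the rules below suffice`. Independent of that, `files_manage_etc_files(realmd_t)` grants write to every etc_t file; where realmd edits a known set of files, the per-service interfaces already used here (`kerberos_rw_config`, `kerberos_filetrans_named_content`) keep the write footprint much smaller.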
diff --git a/sandboxX.fc b/sandboxX.fc new file mode 100644 index 0000000..6caef63 @@ -62866,7 +62992,7 @@ index 0000000..f00e5c5 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..479ece4 +index 0000000..97dca29 --- /dev/null +++ b/sandboxX.te @@ -0,0 +1,463 @@ @@ -63117,7 +63243,7 @@ index 0000000..479ece4 + udev_read_db(sandbox_x_domain) +') + -+userdom_dontaudit_use_user_terminals(sandbox_x_domain) ++userdom_use_inherited_user_terminals(sandbox_x_domain) +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) +userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain) @@ -70221,10 +70347,10 @@ index 0000000..c5e890b +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..641b262 +index 0000000..9a09574 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,141 @@ +@@ -0,0 +1,142 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -70350,6 +70476,7 @@ index 0000000..641b262 + gnome_manage_gstreamer_home_files(thumb_t) + gnome_manage_gstreamer_home_dirs(thumb_t) + gnome_exec_gstreamer_home_files(thumb_t) ++ gnome_create_generic_cache_dir(thumb_t) + gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails") + gnome_cache_filetrans(thumb_t, thumb_home_t, file) +') @@ -72306,10 +72433,24 @@ index a7c9381..d810232 100644 /usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0) diff --git a/uuidd.if b/uuidd.if -index 5d43bd5..879a5cb 100644 +index 5d43bd5..fd90722 100644 --- a/uuidd.if 
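Review bot: Replacing `userdom_dontaudit_use_user_terminals(sandbox_domain)` with `userdom_use_inherited_user_terminals(sandbox_domain)` in sandbox.te turns a silenced denial into an allow, so sandboxed processes may now read and write the user's inherited terminal; the same swap is made for `sandbox_x_domain` in sandboxX.te (hunk at -63117). For a domain whose purpose is isolation, the terminal is one of the few channels back into the invoking session, so the reason belongs next to the rule, e.g. `# sandbox output must reach the invoking terminal; only the inherited fd is granted, not opening ttys`. If only output is required and the userdom module offers a write-only variant (not visible in this diff), that would be the tighter choice.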
+++ b/uuidd.if -@@ -176,6 +176,9 @@ interface(`uuidd_admin',` +@@ -144,11 +144,12 @@ interface(`uuidd_read_pid_files',` + # + interface(`uuidd_stream_connect_manager',` + gen_require(` +- type uuidd_t, uuidd_var_run_t; ++ type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t) ++ stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t) + ') + + ######################################## +@@ -176,6 +177,9 @@ interface(`uuidd_admin',` allow $1 uuidd_t:process signal_perms; ps_process_pattern($1, uuidd_t) @@ -72824,7 +72965,7 @@ index 2124b6a..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..2f6a344 100644 +index 6f0736b..820fbb7 100644 --- a/virt.if +++ b/virt.if @@ -13,67 +13,30 @@ @@ -73331,11 +73472,11 @@ index 6f0736b..2f6a344 100644 +interface(`virt_ptrace',` + gen_require(` + attribute virt_domain; -+ ') + ') + + allow $1 virt_domain:process ptrace; -+') -+ + ') + +####################################### +## +## Connect to virt over a unix domain stream socket. @@ -73350,13 +73491,13 @@ index 6f0736b..2f6a344 100644 + gen_require(` + attribute svirt_lxc_domain; + type svirt_lxc_file_t; - ') ++ ') + + files_search_pids($1) + stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain) + ps_process_pattern(svirt_lxc_domain, $1) - ') - ++') ++ + ######################################## ## @@ -73383,7 +73524,7 @@ index 6f0736b..2f6a344 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) -@@ -517,4 +769,324 @@ interface(`virt_admin',` +@@ -517,4 +769,342 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) 
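Review bot: The added `stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)` in `uuidd_stream_connect_manager` has no matching directory search: `files_search_pids($1)` covers the /var/run location but nothing grants search on /var/lib, so a connect to a socket under uuidd_var_lib_t would be denied at the var_lib_t directory before the pattern's own rules apply (assuming the socket lives under /var/lib, as the type name suggests). Add `files_search_var_lib($1)` next to `files_search_pids($1)`. The interface's `## <summary>` text, outside this hunk, should also mention that both socket locations are covered.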
@@ -73707,9 +73848,27 @@ index 6f0736b..2f6a344 100644 + allow $1 svirt_lxc_domain:unix_dgram_socket sendto; + + allow svirt_lxc_domain $1:process sigchld; ++') ++ ++######################################## ++## ++## Read and write to svirt_image devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_rw_svirt_dev',` ++ gen_require(` ++ type svirt_image_t; ++ ') ++ ++ allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 947bbc6..99ac9c3 100644 +index 947bbc6..8ec8313 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,97 @@ policy_module(virt, 1.5.0) @@ -73948,7 +74107,7 @@ index 947bbc6..99ac9c3 100644 corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) -@@ -131,67 +216,74 @@ corenet_udp_bind_all_ports(svirt_t) +@@ -131,45 +216,27 @@ corenet_udp_bind_all_ports(svirt_t) corenet_tcp_bind_all_ports(svirt_t) corenet_tcp_connect_all_ports(svirt_t) @@ -73967,14 +74126,12 @@ index 947bbc6..99ac9c3 100644 - fs_read_fusefs_files(svirt_t) - fs_read_fusefs_symlinks(svirt_t) -') -+miscfiles_read_generic_certs(svirt_t) - +- -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(svirt_t) - fs_manage_nfs_files(svirt_t) -+optional_policy(` -+ xen_rw_image_files(svirt_t) - ') +-') ++miscfiles_read_generic_certs(svirt_t) -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(svirt_t) 
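Review bot: The summary of the new `virt_rw_svirt_dev` interface, `Read and write to svirt_image devices.`, does not say that `allow $1 svirt_image_t:chr_file rw_file_perms;` covers every character device carrying that label rather than the one assigned to a particular guest, so a caller such as the smart-card daemon named in the changelog gets the same reach into all guests' relabeled devices, limited only by MCS constraints that this hunk cannot show. I would make the summary explicit: `Read and write all character devices labeled svirt_image_t (nodes relabeled for guest passthrough); this is not per-guest.` The whitespace-only changes to the closing `')` lines earlier in the same file section need nothing.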
@@ -74012,17 +74169,16 @@ index 947bbc6..99ac9c3 100644 ######################################## # - # virtd local policy +@@ -177,21 +244,42 @@ optional_policy(` # --allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; + allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; -+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; +allow virtd_t self:capability2 compromise_kernel; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code -+ dontaudit virtd_t self:capability { sys_module sys_ptrace }; ++ dontaudit virtd_t self:capability { sys_module }; +') -allow virtd_t self:fifo_file rw_fifo_file_perms; @@ -74062,7 +74218,7 @@ index 947bbc6..99ac9c3 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +294,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +290,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) 
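Review bot: On the new side virtd_t is allowed `self:capability2 compromise_kernel` and keeps `sys_ptrace` in its capability set (the previous revision's `-+allow virtd_t self:capability { … sys_nice };` line, which had dropped sys_ptrace, is removed), so this hunk leaves libvirtd with more privilege than the earlier revision in a release whose changelog says "Tighten security on virtual machines". Neither rule says which libvirt operation needs it, and compromise_kernel by its name gates operations that can subvert the running kernel, which is a rule reviewers will want to see justified. I would annotate both, e.g. `# compromise_kernel: required by <operation — TODO confirm>` and `# sys_ptrace: required by <operation — TODO confirm>`, so they can be dropped when the need goes away; the `# caused by some bogus kernel code` comment on the sys_module dontaudit would likewise benefit from naming the symptom. The virtd local policy block continues outside the hunk.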
@@ -74098,7 +74254,7 @@ index 947bbc6..99ac9c3 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +327,23 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +323,23 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -74123,7 +74279,7 @@ index 947bbc6..99ac9c3 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +356,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +352,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -74157,7 +74313,7 @@ index 947bbc6..99ac9c3 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +388,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +384,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -74176,7 +74332,7 @@ index 947bbc6..99ac9c3 100644 mcs_process_set_categories(virtd_t) -@@ -284,7 +414,8 @@ term_use_ptmx(virtd_t) +@@ -284,7 +410,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -74186,7 +74342,7 @@ index 947bbc6..99ac9c3 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +424,36 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +420,36 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -74223,7 +74379,7 @@ index 947bbc6..99ac9c3 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +472,10 @@ optional_policy(` +@@ -322,6 +468,10 @@ optional_policy(` ') optional_policy(` 
@@ -74234,7 +74390,7 @@ index 947bbc6..99ac9c3 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +489,34 @@ optional_policy(` +@@ -335,19 +485,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -74270,7 +74426,7 @@ index 947bbc6..99ac9c3 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +531,12 @@ optional_policy(` +@@ -362,6 +527,12 @@ optional_policy(` ') optional_policy(` @@ -74283,7 +74439,7 @@ index 947bbc6..99ac9c3 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +544,11 @@ optional_policy(` +@@ -369,11 +540,11 @@ optional_policy(` ') optional_policy(` @@ -74300,7 +74456,7 @@ index 947bbc6..99ac9c3 100644 ') optional_policy(` -@@ -384,6 +559,7 @@ optional_policy(` +@@ -384,6 +555,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -74308,7 +74464,7 @@ index 947bbc6..99ac9c3 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -402,35 +578,87 @@ optional_policy(` +@@ -402,35 +574,87 @@ optional_policy(` # # virtual domains common policy # @@ -74405,7 +74561,7 @@ index 947bbc6..99ac9c3 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,34 +666,648 @@ dev_write_sound(virt_domain) +@@ -438,34 +662,648 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -74422,7 +74578,8 @@ index 947bbc6..99ac9c3 100644 +fs_getattr_xattr_fs(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) - fs_rw_tmpfs_files(virt_domain) +-fs_rw_tmpfs_files(virt_domain) ++fs_rw_inherited_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) 
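Review bot: `++fs_rw_inherited_tmpfs_files(virt_domain)` is added where the patch removes upstream's `fs_rw_tmpfs_files(virt_domain)`, which is the guest-side tightening the changelog announces, but the inner hunk carries no comment, and the first symptom of a guest that opens a tmpfs file itself will be a denial with no hint that it is deliberate. I would put `# guests may only use tmpfs descriptors inherited from libvirt; opening tmpfs files directly is intentionally not allowed` above it, stated as intent rather than mechanism since the interface body is not visible here. The virt_domain block starts before this hunk and continues past it.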
@@ -74464,7 +74621,7 @@ index 947bbc6..99ac9c3 100644 virt_read_content(virt_domain) virt_stream_connect(virt_domain) + virt_domtrans_bridgehelper(virt_domain) - ') ++') + +optional_policy(` + xserver_rw_shm(virt_domain) @@ -74650,7 +74807,7 @@ index 947bbc6..99ac9c3 100644 + optional_policy(` + hal_dbus_chat(virsh_t) + ') -+') + ') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 0d8b4ee..fa8630e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 90%{?dist} +Release: 91%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -521,6 +521,31 @@ SELinux Reference policy mls base module. %endif %Changelog +* Thu Apr 18 2013 Miroslav Grepl 3.11.1-91 +- Allow domains to use kerberos to read file_context file +- Allow mozilla_plugin to connect to port 8081 +- Tighten security on virtual machines +- block_suspend is caps2 +- Allow realmd to run ipa, really needs to be an unconfined_domain +- Allow sandbox domains to use inherted terminals +- Allow pscd to use devices labeled svirt_image_t in order to use cat cards. +- Add label for new alsa pid +- Alsa now uses a pid file and needs to setsched +- Allow nova domains to connect to mysql port +- Allow quantum to connect to keystone port +- Allow nova-console to talk with mysql over unix stream socket +- Allow dirsrv to stream connect to uuidd +- Fix transition for cobbler lib files +- Label all nagios plugin as unconfined by default +- Add httpd_serve_cobbler_files() +- Allow mdadm to read /dev/sr0 and create tmp files +- Allow certwatch to send mails +- Allow livecd to transition to rpm_script_t +- Add cache dir support for cobbler +- label shared libraries in /opt/google/chrome as testrel_shlib_t +- Fix labeling for nagios plugins +- Disable support for .xsession-errors-:[digit] file name transition for now until policycoreutils fix + * Mon Apr 15 2013 Miroslav Grepl 3.11.1-90 - Allow git_system_t to read network state - Allow pegasas to execute mount command