diff --git a/policy-f18-base.patch b/policy-f18-base.patch index 33432fb..73b2728 100644 --- a/policy-f18-base.patch +++ b/policy-f18-base.patch @@ -113003,7 +113003,7 @@ index f9b25c1..9af1f7a 100644 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 07126bd..d6ec4a8 100644 +index 07126bd..4aecd37 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` @@ -113072,29 +113072,10 @@ index 07126bd..d6ec4a8 100644 ## Bind TCP sockets to generic nodes. ## ## -@@ -855,6 +893,44 @@ interface(`corenet_udp_bind_generic_node',` +@@ -855,6 +893,25 @@ interface(`corenet_udp_bind_generic_node',` ######################################## ## -+## Dontaudit attempts to bind TCP sockets to generic nodes. -+## -+## -+## -+## Domain to not audit. -+## -+## -+## -+# -+interface(`corenet_dontaudit_tcp_bind_generic_node',` -+ gen_require(` -+ type node_t; -+ ') -+ -+ dontaudit $1 node_t:tcp_socket node_bind; -+') -+ -+######################################## -+## +## Dontaudit attempts to bind UDP sockets to generic nodes. +## +## @@ -113117,7 +113098,7 @@ index 07126bd..d6ec4a8 100644 ## Bind raw sockets to genric nodes. ## ## -@@ -928,6 +1004,24 @@ interface(`corenet_inout_generic_node',` +@@ -928,6 +985,24 @@ interface(`corenet_inout_generic_node',` ######################################## ## @@ -113142,7 +113123,7 @@ index 07126bd..d6ec4a8 100644 ## Send and receive TCP network traffic on all nodes. ## ## -@@ -1102,6 +1196,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` +@@ -1102,6 +1177,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` ######################################## ## 
@@ -113167,7 +113148,7 @@ index 07126bd..d6ec4a8 100644 ## Bind TCP sockets to all nodes. ## ## -@@ -1157,6 +1269,24 @@ interface(`corenet_raw_bind_all_nodes',` +@@ -1157,6 +1250,24 @@ interface(`corenet_raw_bind_all_nodes',` ######################################## ## @@ -113192,7 +113173,7 @@ index 07126bd..d6ec4a8 100644 ## Send and receive TCP network traffic on generic ports. ## ## -@@ -1167,10 +1297,30 @@ interface(`corenet_raw_bind_all_nodes',` +@@ -1167,10 +1278,30 @@ interface(`corenet_raw_bind_all_nodes',` # interface(`corenet_tcp_sendrecv_generic_port',` gen_require(` @@ -113225,7 +113206,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -1185,10 +1335,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` +@@ -1185,10 +1316,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` # interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` gen_require(` @@ -113238,7 +113219,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -1203,10 +1353,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` +@@ -1203,10 +1334,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` # interface(`corenet_udp_send_generic_port',` gen_require(` @@ -113251,7 +113232,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -1221,10 +1371,10 @@ interface(`corenet_udp_send_generic_port',` +@@ -1221,10 +1352,10 @@ interface(`corenet_udp_send_generic_port',` # interface(`corenet_udp_receive_generic_port',` gen_require(` @@ -113264,7 +113245,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -1244,6 +1394,26 @@ interface(`corenet_udp_sendrecv_generic_port',` +@@ -1244,6 +1375,26 @@ interface(`corenet_udp_sendrecv_generic_port',` ######################################## ## 
@@ -113291,7 +113272,7 @@ index 07126bd..d6ec4a8 100644 ## Bind TCP sockets to generic ports. ## ## -@@ -1254,16 +1424,35 @@ interface(`corenet_udp_sendrecv_generic_port',` +@@ -1254,16 +1405,35 @@ interface(`corenet_udp_sendrecv_generic_port',` # interface(`corenet_tcp_bind_generic_port',` gen_require(` @@ -113329,7 +113310,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit bind TCP sockets to generic ports. ## ## -@@ -1274,10 +1463,10 @@ interface(`corenet_tcp_bind_generic_port',` +@@ -1274,10 +1444,10 @@ interface(`corenet_tcp_bind_generic_port',` # interface(`corenet_dontaudit_tcp_bind_generic_port',` gen_require(` @@ -113342,7 +113323,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -1292,16 +1481,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` +@@ -1292,16 +1462,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` # interface(`corenet_udp_bind_generic_port',` gen_require(` @@ -113379,14 +113360,15 @@ index 07126bd..d6ec4a8 100644 ## Connect TCP sockets to generic ports. ## ## -@@ -1312,10 +1519,28 @@ interface(`corenet_udp_bind_generic_port',` +@@ -1312,10 +1500,28 @@ interface(`corenet_udp_bind_generic_port',` # interface(`corenet_tcp_connect_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; -+ ') -+ + ') + +- allow $1 port_t:tcp_socket name_connect; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect; +') + @@ -113403,14 +113385,13 @@ index 07126bd..d6ec4a8 100644 +interface(`corenet_dccp_sendrecv_all_ports',` + gen_require(` + attribute port_type; - ') - -- allow $1 port_t:tcp_socket name_connect; ++ ') ++ + allow $1 port_type:dccp_socket { send_msg recv_msg }; ') ######################################## -@@ -1439,6 +1664,25 @@ interface(`corenet_udp_sendrecv_all_ports',` +@@ -1439,6 +1645,25 @@ interface(`corenet_udp_sendrecv_all_ports',` ######################################## ## 
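Review bot: The summary kept as context above `corenet_tcp_connect_generic_port`, `## Connect TCP sockets to generic ports.`, no longer matches the grant on the new side, `allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;`, so every caller of this interface now reaches the whole unreserved and ephemeral ranges while the documentation still promises only generic ports. The summary should state the real footprint, e.g. `## Connect TCP sockets to generic, unreserved and ephemeral ports.`, so that policy authors choosing this interface over the narrower per-port ones know what they are granting. The hunk itself only reorders the patch lines so that `corenet_dccp_sendrecv_all_ports` is emitted as a self-contained addition; the resulting file content appears identical to the previous revision, though I have not re-counted the surrounding hunk lengths.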
@@ -113436,7 +113417,7 @@ index 07126bd..d6ec4a8 100644 ## Bind TCP sockets to all ports. ## ## -@@ -1458,6 +1702,24 @@ interface(`corenet_tcp_bind_all_ports',` +@@ -1458,6 +1683,24 @@ interface(`corenet_tcp_bind_all_ports',` ######################################## ## @@ -113461,7 +113442,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attepts to bind TCP sockets to any ports. ## ## -@@ -1513,6 +1775,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` +@@ -1513,6 +1756,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` ######################################## ## @@ -113486,7 +113467,7 @@ index 07126bd..d6ec4a8 100644 ## Connect TCP sockets to all ports. ## ## -@@ -1559,6 +1839,25 @@ interface(`corenet_tcp_connect_all_ports',` +@@ -1559,6 +1820,25 @@ interface(`corenet_tcp_connect_all_ports',` ######################################## ## @@ -113512,7 +113493,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attempts to connect TCP sockets ## to all ports. ## -@@ -1578,6 +1877,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` +@@ -1578,6 +1858,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` ######################################## ## @@ -113537,7 +113518,7 @@ index 07126bd..d6ec4a8 100644 ## Send and receive TCP network traffic on generic reserved ports. ## ## -@@ -1647,6 +1964,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` +@@ -1647,6 +1945,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` ######################################## ## @@ -113563,7 +113544,7 @@ index 07126bd..d6ec4a8 100644 ## Bind TCP sockets to generic reserved ports. ## ## -@@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',` +@@ -1685,6 +2002,24 @@ interface(`corenet_udp_bind_reserved_port',` ######################################## ## 
@@ -113588,7 +113569,7 @@ index 07126bd..d6ec4a8 100644 ## Connect TCP sockets to generic reserved ports. ## ## -@@ -1703,6 +2057,24 @@ interface(`corenet_tcp_connect_reserved_port',` +@@ -1703,6 +2038,24 @@ interface(`corenet_tcp_connect_reserved_port',` ######################################## ## @@ -113613,7 +113594,7 @@ index 07126bd..d6ec4a8 100644 ## Send and receive TCP network traffic on all reserved ports. ## ## -@@ -1752,12 +2124,210 @@ interface(`corenet_udp_receive_all_reserved_ports',` +@@ -1752,12 +2105,210 @@ interface(`corenet_udp_receive_all_reserved_ports',` attribute reserved_port_type; ') @@ -113826,7 +113807,7 @@ index 07126bd..d6ec4a8 100644 ## ## ## -@@ -1765,14 +2335,17 @@ interface(`corenet_udp_receive_all_reserved_ports',` +@@ -1765,14 +2316,17 @@ interface(`corenet_udp_receive_all_reserved_ports',` ## ## # @@ -113848,7 +113829,7 @@ index 07126bd..d6ec4a8 100644 ## ## ## -@@ -1780,36 +2353,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` +@@ -1780,36 +2334,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` ## ## # @@ -113892,7 +113873,7 @@ index 07126bd..d6ec4a8 100644 ## ## ## -@@ -1817,36 +2389,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` +@@ -1817,36 +2370,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` ## ## # @@ -113943,7 +113924,7 @@ index 07126bd..d6ec4a8 100644 ## ## ## -@@ -1854,17 +2425,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` +@@ -1854,17 +2406,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ## ## # @@ -113964,7 +113945,7 @@ index 07126bd..d6ec4a8 100644 ## ## ## -@@ -1872,67 +2443,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` +@@ -1872,67 +2424,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` ## ## # 
@@ -114051,7 +114032,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -1955,6 +2527,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` +@@ -1955,6 +2508,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` ######################################## ## @@ -114077,7 +114058,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attempts to connect TCP sockets ## all rpc ports. ## -@@ -1993,6 +2584,24 @@ interface(`corenet_rw_tun_tap_dev',` +@@ -1993,6 +2565,24 @@ interface(`corenet_rw_tun_tap_dev',` ######################################## ## @@ -114102,7 +114083,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attempts to read or write the TUN/TAP ## virtual network device. ## -@@ -2049,6 +2658,25 @@ interface(`corenet_rw_ppp_dev',` +@@ -2049,6 +2639,25 @@ interface(`corenet_rw_ppp_dev',` ######################################## ## @@ -114128,7 +114109,7 @@ index 07126bd..d6ec4a8 100644 ## Bind TCP sockets to all RPC ports. ## ## -@@ -2068,6 +2696,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` +@@ -2068,6 +2677,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` ######################################## ## @@ -114153,7 +114134,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attempts to bind TCP sockets to all RPC ports. ## ## -@@ -2194,6 +2840,25 @@ interface(`corenet_tcp_recv_netlabel',` +@@ -2194,6 +2821,25 @@ interface(`corenet_tcp_recv_netlabel',` ######################################## ## @@ -114179,7 +114160,7 @@ index 07126bd..d6ec4a8 100644 ## Receive TCP packets from a NetLabel connection. ## ## -@@ -2213,7 +2878,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2213,7 +2859,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## @@ -114188,7 +114169,7 @@ index 07126bd..d6ec4a8 100644 ## ## ## -@@ -2221,10 +2886,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2221,10 +2867,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## ## # 
@@ -114206,7 +114187,7 @@ index 07126bd..d6ec4a8 100644 # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -@@ -2249,6 +2919,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` +@@ -2249,6 +2900,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` ######################################## ## @@ -114233,7 +114214,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attempts to receive TCP packets from a NetLabel ## connection. ## -@@ -2269,6 +2959,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` +@@ -2269,6 +2940,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` ######################################## ## @@ -114261,7 +114242,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2533,15 +3244,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` +@@ -2533,15 +3225,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## # interface(`corenet_all_recvfrom_unlabeled',` @@ -114281,7 +114262,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -2567,11 +3273,34 @@ interface(`corenet_all_recvfrom_unlabeled',` +@@ -2567,11 +3254,34 @@ interface(`corenet_all_recvfrom_unlabeled',` # interface(`corenet_all_recvfrom_netlabel',` gen_require(` @@ -114319,7 +114300,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -2585,6 +3314,7 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2585,6 +3295,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` 
@@ -114327,7 +114308,7 @@ index 07126bd..d6ec4a8 100644 kernel_dontaudit_tcp_recvfrom_unlabeled($1) kernel_dontaudit_udp_recvfrom_unlabeled($1) kernel_dontaudit_raw_recvfrom_unlabeled($1) -@@ -2613,7 +3343,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` +@@ -2613,7 +3324,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` ') dontaudit $1 netlabel_peer_t:peer recv; @@ -114364,7 +114345,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -2727,6 +3485,7 @@ interface(`corenet_raw_recvfrom_labeled',` +@@ -2727,6 +3466,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` @@ -114372,7 +114353,7 @@ index 07126bd..d6ec4a8 100644 corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) -@@ -3134,3 +3893,53 @@ interface(`corenet_unconfined',` +@@ -3134,3 +3874,53 @@ interface(`corenet_unconfined',` typeattribute $1 corenet_unconfined_type; ') @@ -114482,7 +114463,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index fe2ee5e..f59d0d0 100644 +index fe2ee5e..e180b33 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0) @@ -114777,7 +114758,7 @@ index fe2ee5e..f59d0d0 100644 network_port(tftp, udp,69,s0) -network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) +network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0) -+network_port(tor_socks, tcp,9050,s0) ++network_port(tor_socks, tcp,9050,s0, tcp,9150,s0) network_port(traceroute, udp,64000-64010,s0) +network_port(tram, tcp, 4567, s0) network_port(transproxy, tcp,8081,s0) 
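Review bot: The new entry `network_port(tor_socks, tcp,9050,s0, tcp,9150,s0)` adds port 9150 with no comment recording what listens there, and nothing nearby says why tor_socks_port_t needs a second port. Presumably this is the Tor Browser SOCKS listener, which defaults to 9150; a one-line comment above the rule, `# 9150: Tor Browser SOCKS listener`, would keep that intent next to the label. Every domain already granted the tor_socks interfaces now also reaches 9150, so the widening is silent for callers and deserves a sentence in the commit message. I cannot see the rest of corenetwork.te.in from this diff, so I have not checked that no other network_port entry already claims 9150, which would need to be resolved before the policy builds cleanly.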
@@ -114822,16 +114803,7 @@ index fe2ee5e..f59d0d0 100644 ######################################## # -@@ -285,6 +369,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) - - build_option(`enable_mls',` - network_interface(lo, lo, s0 - mls_systemhigh) -+allow netlabel_peer_t lo_netif_t:netif ingress; -+allow netlabel_peer_type lo_netif_t:netif egress; - ',` - typealias netif_t alias { lo_netif_t netif_lo_t }; - ') -@@ -297,9 +383,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -297,9 +381,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -130182,7 +130154,7 @@ index 130ced9..f6c7a38 100644 + allow $1 xdm_t:lnk_file read_lnk_file_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index d40f750..d195065 100644 +index d40f750..7e08b92 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -130713,7 +130685,7 @@ index d40f750..d195065 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +594,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +594,27 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -130738,11 +130710,10 @@ index d40f750..d195065 100644 +fs_manage_cgroup_files(xdm_t) + +mls_socket_write_to_clearance(xdm_t) -+mls_trusted_object(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +624,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +623,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -130788,7 +130759,7 @@ index d40f750..d195065 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +668,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +667,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -130838,7 +130809,7 @@ index d40f750..d195065 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +718,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +717,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -130865,7 +130836,7 @@ index d40f750..d195065 100644 ') optional_policy(` -@@ -514,12 +745,72 @@ optional_policy(` +@@ -514,12 +744,72 @@ optional_policy(` ') optional_policy(` @@ -130938,7 +130909,7 @@ index d40f750..d195065 100644 hostname_exec(xdm_t) ') -@@ -537,28 +828,78 @@ optional_policy(` +@@ -537,28 +827,78 @@ optional_policy(` ') optional_policy(` @@ -131026,7 +130997,7 @@ index d40f750..d195065 100644 ') optional_policy(` -@@ -570,6 +911,14 @@ optional_policy(` +@@ -570,6 +910,14 @@ optional_policy(` ') optional_policy(` @@ -131041,7 +131012,7 @@ index d40f750..d195065 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +943,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +942,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -131054,7 +131025,7 @@ index d40f750..d195065 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +960,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +959,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -131070,7 +131041,7 @@ index d40f750..d195065 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +976,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +975,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -131081,7 +131052,7 @@ index d40f750..d195065 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +991,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +990,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -131103,7 +131074,7 @@ index d40f750..d195065 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1011,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1010,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -131117,7 +131088,7 @@ index d40f750..d195065 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1037,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1036,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -131149,25 +131120,21 @@ index d40f750..d195065 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1069,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1068,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) -- +fs_rw_tmpfs_files(xserver_t) -+ + + mls_xwin_read_to_clearance(xserver_t) ++mls_process_write_to_clearance(xserver_t) +mls_file_read_to_clearance(xserver_t) +mls_file_write_all_levels(xserver_t) +mls_file_upgrade(xserver_t) -+mls_process_write_to_clearance(xserver_t) -+mls_socket_read_to_clearance(xserver_t) -+mls_sysvipc_read_to_clearance(xserver_t) -+mls_sysvipc_write_to_clearance(xserver_t) -+mls_trusted_object(xserver_t) - mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1092,18 @@ init_getpgid(xserver_t) + selinux_compute_access_vector(xserver_t) +@@ -708,20 +1087,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
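Review bot: The new side grants `mls_file_write_all_levels(xserver_t)` and `mls_file_upgrade(xserver_t)` with no comment saying which X server operation needs to write files at every MLS level or raise a file's level; these are among the strongest MLS overrides in the policy, and a reader of the hunk cannot tell why a display server needs them. Please add a why-comment above the block, e.g. `# MLS: X server writes/upgrades files across levels for <operation> — TODO(review) name the operation`. The hunk's other effect is dropping the earlier `mls_socket_read_to_clearance`, `mls_sysvipc_read_to_clearance`, `mls_sysvipc_write_to_clearance` and `mls_trusted_object` grants from the patch, which narrows xserver_t and matches the removal of `mls_trusted_object(xdm_t)` earlier in this diff, so the two domains stay consistent. As a point of style, the added mls_ lines are not in the sorted order the surrounding `fs_`/`selinux_` calls follow; placing the `mls_file_*` lines before `mls_process_write_to_clearance` would match.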
@@ -131191,7 +131158,7 @@ index d40f750..d195065 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1157,40 @@ optional_policy(` +@@ -775,16 +1152,40 @@ optional_policy(` ') optional_policy(` @@ -131233,7 +131200,7 @@ index d40f750..d195065 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1199,10 @@ optional_policy(` +@@ -793,6 +1194,10 @@ optional_policy(` ') optional_policy(` @@ -131244,7 +131211,7 @@ index d40f750..d195065 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1218,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1213,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -131258,7 +131225,7 @@ index d40f750..d195065 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1229,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1224,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -131267,7 +131234,7 @@ index d40f750..d195065 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1242,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1237,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -131302,7 +131269,7 @@ index d40f750..d195065 100644 ') optional_policy(` -@@ -859,6 +1264,10 @@ optional_policy(` +@@ -859,6 +1259,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -131313,7 +131280,7 @@ index d40f750..d195065 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1311,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1306,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -131322,7 +131289,7 @@ index d40f750..d195065 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1365,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1360,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -131354,7 +131321,7 @@ index d40f750..d195065 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1411,44 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1406,44 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -134602,7 +134569,7 @@ index d26fe81..4f7db68 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 4a88fa1..ffba6e8 100644 +index 4a88fa1..3e2d1a6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` 
@@ -134842,7 +134809,7 @@ index 4a88fa1..ffba6e8 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -183,29 +273,176 @@ ifdef(`distro_gentoo',` +@@ -183,29 +273,177 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -134952,6 +134919,7 @@ index 4a88fa1..ffba6e8 100644 +fs_mount_all_fs(init_t) +fs_unmount_all_fs(init_t) +fs_remount_all_fs(init_t) ++fs_list_all(init_t) +fs_list_auto_mountpoints(init_t) +fs_register_binary_executable_type(init_t) +fs_relabel_tmpfs_sock_file(init_t) @@ -135027,7 +134995,7 @@ index 4a88fa1..ffba6e8 100644 ') optional_policy(` -@@ -213,6 +450,27 @@ optional_policy(` +@@ -213,6 +451,27 @@ optional_policy(` ') optional_policy(` @@ -135055,7 +135023,7 @@ index 4a88fa1..ffba6e8 100644 unconfined_domain(init_t) ') -@@ -222,8 +480,9 @@ optional_policy(` +@@ -222,8 +481,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -135067,7 +135035,7 @@ index 4a88fa1..ffba6e8 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -251,12 +510,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -251,12 +511,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -135084,7 +135052,7 @@ index 4a88fa1..ffba6e8 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -272,23 +535,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -272,23 +536,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
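Review bot: `fs_list_all(init_t)` is inserted between `fs_remount_all_fs(init_t)` and `fs_list_auto_mountpoints(init_t)` without a comment, and I cannot tell from this diff whether the base policy's filesystem.if defines `fs_list_all`; if it is only provided by another hunk of this same patch, the build depends on that hunk landing too, so please confirm the interface exists in the patched tree. Functionally it lets init_t list directories on every filesystem type, a modest widening next to the mount/unmount/remount grants already present, but a one-line reason would help the next reader, e.g. `# fs_list_all: needed because <reason> — TODO(review)`. The enclosing run of init_t rules starts and ends outside this hunk.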
@@ -135127,7 +135095,7 @@ index 4a88fa1..ffba6e8 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -296,9 +572,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -296,9 +573,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -135139,7 +135107,7 @@ index 4a88fa1..ffba6e8 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -306,8 +584,10 @@ dev_write_framebuffer(initrc_t) +@@ -306,8 +585,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -135150,7 +135118,7 @@ index 4a88fa1..ffba6e8 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -315,17 +595,16 @@ dev_manage_generic_files(initrc_t) +@@ -315,17 +596,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -135170,7 +135138,7 @@ index 4a88fa1..ffba6e8 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -333,6 +612,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -333,6 +613,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -135178,7 +135146,7 @@ index 4a88fa1..ffba6e8 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -340,8 +620,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -340,8 +621,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -135190,7 +135158,7 @@ index 4a88fa1..ffba6e8 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -357,8 +639,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -357,8 +640,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -135204,7 +135172,7 @@ index 4a88fa1..ffba6e8 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -368,9 +654,13 @@ fs_mount_all_fs(initrc_t) +@@ -368,9 +655,13 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -135219,7 +135187,7 @@ index 4a88fa1..ffba6e8 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -380,6 +670,7 @@ mls_process_read_up(initrc_t) +@@ -380,6 +671,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -135227,7 +135195,7 @@ index 4a88fa1..ffba6e8 100644 selinux_get_enforce_mode(initrc_t) -@@ -391,6 +682,7 @@ term_use_all_terms(initrc_t) +@@ -391,6 +683,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -135235,7 +135203,7 @@ index 4a88fa1..ffba6e8 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -409,20 +701,18 @@ logging_read_all_logs(initrc_t) +@@ -409,20 +702,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -135259,7 +135227,7 @@ index 4a88fa1..ffba6e8 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -476,6 +766,10 @@ ifdef(`distro_gentoo',` +@@ -476,6 +767,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -135270,7 +135238,7 @@ index 4a88fa1..ffba6e8 100644 alsa_read_lib(initrc_t) ') -@@ -496,7 +790,7 @@ ifdef(`distro_redhat',` +@@ -496,7 +791,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -135279,7 +135247,7 @@ index 4a88fa1..ffba6e8 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -511,6 +805,7 @@ ifdef(`distro_redhat',` +@@ -511,6 +806,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -135287,7 +135255,7 @@ index 4a88fa1..ffba6e8 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -531,6 +826,7 @@ ifdef(`distro_redhat',` +@@ -531,6 +827,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -135295,7 +135263,7 @@ index 4a88fa1..ffba6e8 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -540,8 +836,40 @@ ifdef(`distro_redhat',` +@@ -540,8 +837,40 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -135336,7 +135304,7 @@ index 4a88fa1..ffba6e8 100644 ') optional_policy(` -@@ -549,14 +877,31 @@ ifdef(`distro_redhat',` +@@ -549,14 +878,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -135368,7 +135336,7 @@ index 4a88fa1..ffba6e8 100644 ') ') -@@ -567,6 +912,39 @@ ifdef(`distro_suse',` +@@ -567,6 +913,39 @@ ifdef(`distro_suse',` ') ') @@ -135408,7 +135376,7 @@ index 4a88fa1..ffba6e8 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -579,6 +957,8 @@ optional_policy(` +@@ -579,6 +958,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -135417,7 +135385,7 @@ index 4a88fa1..ffba6e8 100644 ') optional_policy(` -@@ -600,6 +980,7 @@ optional_policy(` +@@ -600,6 +981,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -135425,7 +135393,7 @@ index 4a88fa1..ffba6e8 100644 ') optional_policy(` -@@ -612,6 +993,17 @@ optional_policy(` +@@ -612,6 +994,17 @@ optional_policy(` ') optional_policy(` @@ -135443,7 +135411,7 @@ index 4a88fa1..ffba6e8 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -628,9 +1020,13 @@ optional_policy(` +@@ -628,9 +1021,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -135457,7 +135425,7 @@ index 4a88fa1..ffba6e8 100644 ') optional_policy(` -@@ -655,6 +1051,10 @@ optional_policy(` +@@ -655,6 +1052,10 @@ optional_policy(` ') optional_policy(` @@ -135468,7 +135436,7 @@ index 4a88fa1..ffba6e8 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -672,6 +1072,15 @@ optional_policy(` +@@ -672,6 +1073,15 @@ optional_policy(` ') optional_policy(` @@ -135484,7 +135452,7 @@ index 4a88fa1..ffba6e8 100644 inn_exec_config(initrc_t) ') -@@ -712,6 +1121,7 @@ optional_policy(` +@@ -712,6 +1122,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -135492,7 +135460,7 @@ index 4a88fa1..ffba6e8 100644 ') optional_policy(` -@@ -729,7 +1139,14 @@ optional_policy(` +@@ -729,7 +1140,14 @@ optional_policy(` ') optional_policy(` @@ -135507,7 +135475,7 @@ index 4a88fa1..ffba6e8 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -752,6 +1169,10 @@ optional_policy(` +@@ -752,6 +1170,10 @@ optional_policy(` ') optional_policy(` @@ -135518,7 +135486,7 @@ index 4a88fa1..ffba6e8 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -761,10 +1182,20 @@ optional_policy(` +@@ -761,10 +1183,20 @@ optional_policy(` ') optional_policy(` 
@@ -135539,7 +135507,7 @@ index 4a88fa1..ffba6e8 100644 quota_manage_flags(initrc_t) ') -@@ -773,6 +1204,10 @@ optional_policy(` +@@ -773,6 +1205,10 @@ optional_policy(` ') optional_policy(` @@ -135550,7 +135518,7 @@ index 4a88fa1..ffba6e8 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -794,8 +1229,6 @@ optional_policy(` +@@ -794,8 +1230,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -135559,7 +135527,7 @@ index 4a88fa1..ffba6e8 100644 ') optional_policy(` -@@ -804,6 +1237,10 @@ optional_policy(` +@@ -804,6 +1238,10 @@ optional_policy(` ') optional_policy(` @@ -135570,7 +135538,7 @@ index 4a88fa1..ffba6e8 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -813,10 +1250,12 @@ optional_policy(` +@@ -813,10 +1251,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -135583,7 +135551,7 @@ index 4a88fa1..ffba6e8 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -828,8 +1267,6 @@ optional_policy(` +@@ -828,8 +1268,6 @@ optional_policy(` ') optional_policy(` @@ -135592,7 +135560,7 @@ index 4a88fa1..ffba6e8 100644 udev_manage_pid_files(initrc_t) udev_manage_pid_dirs(initrc_t) udev_manage_rules_files(initrc_t) -@@ -840,12 +1277,30 @@ optional_policy(` +@@ -840,12 +1278,30 @@ optional_policy(` ') optional_policy(` @@ -135625,7 +135593,7 @@ index 4a88fa1..ffba6e8 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -855,6 +1310,18 @@ optional_policy(` +@@ -855,6 +1311,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -135644,7 +135612,7 @@ index 4a88fa1..ffba6e8 100644 ') optional_policy(` -@@ -870,6 +1337,10 @@ optional_policy(` +@@ -870,6 +1338,10 @@ optional_policy(` ') optional_policy(` 
@@ -135655,7 +135623,7 @@ index 4a88fa1..ffba6e8 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -880,3 +1351,185 @@ optional_policy(` +@@ -880,3 +1352,185 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -139169,7 +139137,7 @@ index 72c746e..f035d9f 100644 +/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..300c3f7 100644 +index 4584457..0755e25 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,13 @@ interface(`mount_domtrans',` @@ -139268,7 +139236,7 @@ index 4584457..300c3f7 100644 + type mount_var_run_t; + ') + -+ allow $1 mount_var_run_t:file read_file_perms; ++ read_files_pattern($1, mount_var_run_t, mount_var_run_t) + files_search_pids($1) +') + @@ -139457,7 +139425,7 @@ index 4584457..300c3f7 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 63931f6..4dd812b 100644 +index 63931f6..275bf01 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -10,35 +10,60 @@ policy_module(mount, 1.15.0) @@ -139658,7 +139626,7 @@ index 63931f6..4dd812b 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,16 +191,19 @@ auth_use_nsswitch(mount_t) +@@ -121,16 +191,21 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -139673,6 +139641,8 @@ index 63931f6..4dd812b 100644 seutil_read_config(mount_t) ++systemd_passwd_agent_domtrans(mount_t) ++ userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) +userdom_read_user_home_content_symlinks(mount_t) 
@@ -139680,7 +139650,7 @@ index 63931f6..4dd812b 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +219,27 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +221,27 @@ ifdef(`distro_ubuntu',` ') ') @@ -139720,7 +139690,7 @@ index 63931f6..4dd812b 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +253,8 @@ optional_policy(` +@@ -179,6 +255,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -139729,7 +139699,7 @@ index 63931f6..4dd812b 100644 ') optional_policy(` -@@ -186,6 +262,32 @@ optional_policy(` +@@ -186,6 +264,32 @@ optional_policy(` ') optional_policy(` @@ -139762,7 +139732,7 @@ index 63931f6..4dd812b 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -193,21 +295,121 @@ optional_policy(` +@@ -193,21 +297,121 @@ optional_policy(` ') ') @@ -139819,20 +139789,20 @@ index 63931f6..4dd812b 100644 +optional_policy(` + usbmuxd_stream_connect(mount_t) +') -+ -+optional_policy(` + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +- unconfined_domain(unconfined_mount_t) + userhelper_exec_console(mount_t) -+') + ') + +optional_policy(` + virt_read_blk_images(mount_t) +') - - optional_policy(` -- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -- unconfined_domain(unconfined_mount_t) ++ ++optional_policy(` + vmware_exec_host(mount_t) - ') ++') + +###################################### +# @@ -143146,7 +143116,7 @@ index 0000000..63dba69 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..362eee3 +index 0000000..e2e8ff9 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,665 @@ 
@@ -143185,6 +143155,7 @@ index 0000000..362eee3 + +type random_seed_t; +files_security_file(random_seed_t) ++files_mountpoint(random_seed_t) + +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components @@ -143487,6 +143458,7 @@ index 0000000..362eee3 +auth_manage_faillog(systemd_tmpfiles_t) +auth_relabel_faillog(systemd_tmpfiles_t) +auth_manage_var_auth(systemd_tmpfiles_t) ++auth_manage_login_records(systemd_tmpfiles_t) +auth_relabel_var_auth_dirs(systemd_tmpfiles_t) +auth_relabel_login_records(systemd_tmpfiles_t) +auth_setattr_login_records(systemd_tmpfiles_t) @@ -143642,15 +143614,13 @@ index 0000000..362eee3 + +userdom_dbus_send_all_users(systemd_localed_t) + ++xserver_manage_config(systemd_localed_t) ++ +optional_policy(` + dbus_connect_system_bus(systemd_localed_t) + dbus_system_bus_client(systemd_localed_t) +') + -+optional_policy(` -+ unconfined_domain(systemd_localed_t) -+') -+ +####################################### +# +# Hostnamed policy diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index 45349f8..e51d3db 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -2358,7 +2358,7 @@ index fd9fa07..be8be7c 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 6480167..e3bed6a 100644 +index 6480167..7b2ad39 100644 --- a/apache.if +++ b/apache.if @@ -13,68 +13,55 @@ @@ -3067,7 +3067,7 @@ index 6480167..e3bed6a 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1393,129 @@ interface(`apache_admin',` +@@ -1205,14 +1393,106 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) 
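Review bot: `files_mountpoint(random_seed_t)` in hunk `@@ -143185` adds the mountpoint attribute to a type that the line before it declares a security file, so any domain granted the all-mountpoints interfaces can now mount over the random seed file, and neither the hunk nor the 3.11.1-87 changelog says which unit needs this. A comment above the rule naming the consumer, e.g. `# systemd mounts on the random seed file — TODO: name the unit`, would let a later reviewer judge whether the broadening is still required. If only one domain mounts there, a targeted `allow <that_domain> random_seed_t:file mounton;` would be the narrower grant.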
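Review bot: `auth_manage_login_records(systemd_tmpfiles_t)` in hunk `@@ -143487` grants create, write and delete on the login records, while the 3.11.1-87 changelog describes the need as creating the wtmp file. If creation is all tmpfiles does, a narrower create-only interface (if authlogin.if offers one) together with the `auth_relabel_login_records`/`auth_setattr_login_records` rules already present would keep the daemon from truncating or removing the login history. If write access really is needed, a one-line comment above the rule saying why would save the next reviewer the same question.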
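Review bot: `xserver_manage_config(systemd_localed_t)` in hunk `@@ -143642` grants manage (create, write, unlink) on the X server configuration, but the matching changelog line says localectl needs to read /etc/X11/xorg.conf.d. If `localectl set-x11-keymap` writes a keymap file there, manage is justified; the comment `# localectl set-x11-keymap writes its keymap file under /etc/X11/xorg.conf.d` above the rule would record that, and the changelog wording should say write rather than read. Dropping the `unconfined_domain(systemd_localed_t)` optional block in the same hunk moves the daemon from unconfined to confined and deserves its own changelog line.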
@@ -3158,29 +3158,6 @@ index 6480167..e3bed6a 100644 + +######################################## +## -+## Execute a httpd_exec_t in the specified domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`apache_exec_domtrans',` -+ gen_require(` -+ type httpd_exec_t; -+ ') -+ -+ domtrans_pattern($1, httpd_exec_t, $2) -+') -+ -+######################################## -+## +## Transition to apache home content +## +## @@ -5429,10 +5406,10 @@ index d80a16b..ef740ef 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 39799db..6264256 100644 +index 39799db..df8f432 100644 --- a/automount.te +++ b/automount.te -@@ -22,6 +22,9 @@ type automount_tmp_t; +@@ -22,12 +22,16 @@ type automount_tmp_t; files_tmp_file(automount_tmp_t) files_mountpoint(automount_tmp_t) @@ -5442,7 +5419,15 @@ index 39799db..6264256 100644 ######################################## # # Local policy -@@ -56,14 +59,17 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) + # + +-allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin }; ++allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; ++allow automount_t self:capability2 block_suspend; + dontaudit automount_t self:capability sys_tty_config; + allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; + allow automount_t self:fifo_file rw_fifo_file_perms; +@@ -56,14 +60,17 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file }) kernel_read_kernel_sysctls(automount_t) 
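Review bot: The new inner hunk `@@ -22,12 +22,16 @@` for automount.te silently drops `net_bind_service` from `allow automount_t self:capability { ... }` while adding `allow automount_t self:capability2 block_suspend;`, but the 3.11.1-87 changelog records only the block_suspend addition. Removing the capability is a tightening, yet if automount still binds reserved ports (its corenet bind rules are not in this hunk) the removal will surface as new denials, so it needs its own changelog line and ideally a comment above the rule. Making the two edits on separate lines would also keep the permission removal from being overlooked.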
@@ -5460,7 +5445,7 @@ index 39799db..6264256 100644 files_search_boot(automount_t) # Automount is slowly adding all mount functionality internally files_search_all(automount_t) -@@ -79,7 +85,6 @@ fs_search_all(automount_t) +@@ -79,7 +86,6 @@ fs_search_all(automount_t) corecmd_exec_bin(automount_t) corecmd_exec_shell(automount_t) @@ -5468,7 +5453,7 @@ index 39799db..6264256 100644 corenet_all_recvfrom_netlabel(automount_t) corenet_tcp_sendrecv_generic_if(automount_t) corenet_udp_sendrecv_generic_if(automount_t) -@@ -113,7 +118,6 @@ files_dontaudit_write_var_dirs(automount_t) +@@ -113,7 +119,6 @@ files_dontaudit_write_var_dirs(automount_t) files_getattr_all_dirs(automount_t) files_list_mnt(automount_t) files_getattr_home_dir(automount_t) @@ -5476,7 +5461,7 @@ index 39799db..6264256 100644 files_read_etc_runtime_files(automount_t) # for if the mount point is not labelled files_getattr_isid_type_dirs(automount_t) -@@ -140,13 +144,8 @@ auth_use_nsswitch(automount_t) +@@ -140,13 +145,8 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -5490,7 +5475,7 @@ index 39799db..6264256 100644 userdom_dontaudit_use_unpriv_user_fds(automount_t) userdom_dontaudit_search_user_home_dirs(automount_t) -@@ -155,6 +154,13 @@ optional_policy(` +@@ -155,6 +155,13 @@ optional_policy(` ') optional_policy(` @@ -15188,7 +15173,7 @@ index 305ddf4..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index e5a8924..a1abbbb 100644 +index e5a8924..2baae57 100644 --- a/cups.te +++ b/cups.te @@ -1,22 +1,28 @@ 
@@ -15421,7 +15406,7 @@ index e5a8924..a1abbbb 100644 corenet_tcp_bind_ipp_port(cupsd_t) corenet_udp_bind_ipp_port(cupsd_t) corenet_udp_bind_howl_port(cupsd_t) -@@ -185,60 +211,62 @@ corenet_tcp_bind_reserved_port(cupsd_t) +@@ -185,60 +211,61 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -15512,11 +15497,10 @@ index e5a8924..a1abbbb 100644 +term_search_ptys(cupsd_t) +term_use_unallocated_ttys(cupsd_t) +term_use_ptmx(cupsd_t) -+term_use_usb_ttys(cupsd_t) selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -251,30 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -251,30 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -15552,7 +15536,7 @@ index e5a8924..a1abbbb 100644 optional_policy(` apm_domtrans_client(cupsd_t) -@@ -287,6 +306,8 @@ optional_policy(` +@@ -287,6 +305,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -15561,7 +15545,7 @@ index e5a8924..a1abbbb 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -297,8 +318,10 @@ optional_policy(` +@@ -297,8 +317,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -15572,7 +15556,7 @@ index e5a8924..a1abbbb 100644 ') ') -@@ -311,17 +334,28 @@ optional_policy(` +@@ -311,17 +333,28 @@ optional_policy(` ') optional_policy(` @@ -15602,7 +15586,7 @@ index e5a8924..a1abbbb 100644 ') optional_policy(` -@@ -336,18 +370,18 @@ optional_policy(` +@@ -336,18 +369,18 @@ optional_policy(` udev_read_db(cupsd_t) ') 
@@ -15627,7 +15611,7 @@ index e5a8924..a1abbbb 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -360,9 +394,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) +@@ -360,9 +393,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file) @@ -15638,7 +15622,7 @@ index e5a8924..a1abbbb 100644 manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) -@@ -371,70 +403,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,70 +402,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -15722,7 +15706,7 @@ index e5a8924..a1abbbb 100644 optional_policy(` term_use_generic_ptys(cupsd_config_t) -@@ -450,12 +461,19 @@ optional_policy(` +@@ -450,12 +460,19 @@ optional_policy(` optional_policy(` hal_dbus_chat(cupsd_config_t) ') @@ -15743,7 +15727,7 @@ index e5a8924..a1abbbb 100644 ') optional_policy(` -@@ -467,8 +485,7 @@ optional_policy(` +@@ -467,8 +484,7 @@ optional_policy(` ') optional_policy(` @@ -15753,7 +15737,7 @@ index e5a8924..a1abbbb 100644 ') optional_policy(` -@@ -489,231 +506,84 @@ optional_policy(` +@@ -489,231 +505,84 @@ optional_policy(` ######################################## # @@ -16006,7 +15990,7 @@ index e5a8924..a1abbbb 100644 ######################################## # -@@ -723,14 +593,12 @@ optional_policy(` +@@ -723,14 +592,12 @@ optional_policy(` allow ptal_t self:capability { chown sys_rawio }; dontaudit ptal_t self:capability sys_tty_config; allow ptal_t self:fifo_file rw_fifo_file_perms; 
@@ -16022,7 +16006,7 @@ index e5a8924..a1abbbb 100644 manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -@@ -743,29 +611,26 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -743,29 +610,26 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -16845,7 +16829,7 @@ index fb4bf82..0730306 100644 + dontaudit system_bus_type $1:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 625cb32..e244bde 100644 +index 625cb32..4dee5a0 100644 --- a/dbus.te +++ b/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -16856,16 +16840,15 @@ index 625cb32..e244bde 100644 attribute session_bus_type; type dbusd_etc_t; -@@ -35,6 +36,8 @@ files_type(system_dbusd_var_lib_t) +@@ -35,6 +36,7 @@ files_type(system_dbusd_var_lib_t) type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) +init_sock_file(system_dbusd_var_run_t) -+mls_trusted_object(system_dbusd_var_run_t) ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,9 +54,9 @@ ifdef(`enable_mls',` +@@ -51,9 +53,9 @@ ifdef(`enable_mls',` # dac_override: /var/run/dbus is owned by messagebus on Debian # cjp: dac_override should probably go in a distro_debian @@ -16877,7 +16860,7 @@ index 625cb32..e244bde 100644 allow system_dbusd_t self:fifo_file rw_fifo_file_perms; allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -73,9 +76,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) +@@ -73,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) 
@@ -16889,7 +16872,7 @@ index 625cb32..e244bde 100644 kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) -@@ -83,11 +87,17 @@ kernel_read_kernel_sysctls(system_dbusd_t) +@@ -83,11 +86,16 @@ kernel_read_kernel_sysctls(system_dbusd_t) dev_read_urand(system_dbusd_t) dev_read_sysfs(system_dbusd_t) @@ -16903,11 +16886,10 @@ index 625cb32..e244bde 100644 +storage_rw_inherited_fixed_disk_dev(system_dbusd_t) +storage_rw_inherited_removable_device(system_dbusd_t) + -+mls_trusted_object(system_dbusd_t) mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -110,22 +120,25 @@ auth_read_pam_console_data(system_dbusd_t) +@@ -110,22 +118,25 @@ auth_read_pam_console_data(system_dbusd_t) corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) @@ -16935,7 +16917,7 @@ index 625cb32..e244bde 100644 miscfiles_read_generic_certs(system_dbusd_t) seutil_read_config(system_dbusd_t) -@@ -135,11 +148,35 @@ seutil_sigchld_newrole(system_dbusd_t) +@@ -135,11 +146,35 @@ seutil_sigchld_newrole(system_dbusd_t) userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) @@ -16971,7 +16953,7 @@ index 625cb32..e244bde 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -150,12 +187,163 @@ optional_policy(` +@@ -150,12 +185,163 @@ optional_policy(` ') optional_policy(` @@ -22114,10 +22096,10 @@ index 0000000..c4c7510 +') diff --git a/firewalld.te b/firewalld.te new file mode 100644 -index 0000000..b13884b +index 0000000..b8b2a3c --- /dev/null +++ b/firewalld.te -@@ -0,0 +1,115 @@ +@@ -0,0 +1,111 @@ + +policy_module(firewalld,1.0.0) + @@ -22223,10 +22205,6 @@ index 0000000..b13884b +') + +optional_policy(` -+ gnome_read_generic_data_home_dirs(firewalld_t) -+') -+ -+optional_policy(` + iptables_domtrans(firewalld_t) +') + 
@@ -47551,15 +47529,17 @@ index 0000000..b1d27d7 +sysnet_read_config(piranha_domain) diff --git a/pkcsslotd.fc b/pkcsslotd.fc new file mode 100644 -index 0000000..dd1b8f2 +index 0000000..38fa01d --- /dev/null +++ b/pkcsslotd.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0) + +/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0) + +/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0) ++ ++/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0) diff --git a/pkcsslotd.if b/pkcsslotd.if new file mode 100644 index 0000000..848ddc9 @@ -47723,10 +47703,10 @@ index 0000000..848ddc9 +') diff --git a/pkcsslotd.te b/pkcsslotd.te new file mode 100644 -index 0000000..9ab2c4d +index 0000000..f788d35 --- /dev/null +++ b/pkcsslotd.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,66 @@ +policy_module(pkcsslotd, 1.0.0) + +######################################## @@ -47741,6 +47721,9 @@ index 0000000..9ab2c4d +type pkcsslotd_var_lib_t; +files_type(pkcsslotd_var_lib_t) + ++type pkcsslotd_lock_t; ++files_lock_file(pkcsslotd_lock_t) ++ +type pkcsslotd_unit_file_t; +systemd_unit_file(pkcsslotd_unit_file_t) + 
@@ -47758,14 +47741,16 @@ index 0000000..9ab2c4d +# pkcsslotd local policy +# + -+allow pkcsslotd_t self:capability { kill }; -+allow pkcsslotd_t self:process { fork }; ++allow pkcsslotd_t self:capability { chown kill }; + +allow pkcsslotd_t self:fifo_file rw_fifo_file_perms; +allow pkcsslotd_t self:sem create_sem_perms; +allow pkcsslotd_t self:shm create_shm_perms; +allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t) ++files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, file) ++ +manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t) +manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t) +files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir }) @@ -47785,7 +47770,7 @@ index 0000000..9ab2c4d + +domain_use_interactive_fds(pkcsslotd_t) + -+files_read_etc_files(pkcsslotd_t) ++auth_read_passwd(pkcsslotd_t) + +logging_send_syslog_msg(pkcsslotd_t) diff --git a/pki.fc b/pki.fc @@ -64306,7 +64291,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..ff1b021 100644 +index 086cd5f..c09da74 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -64390,7 +64375,7 @@ index 086cd5f..ff1b021 100644 -miscfiles_read_localization(setroubleshootd_t) +libs_exec_ld_so(setroubleshootd_t) -+libs_exec_ldconfig(setroubleshootd_t) ++ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -65810,12 +65795,18 @@ index 0000000..4e822e5 + +sysnet_dns_name_resolve(smsd_t) diff --git a/snmp.fc b/snmp.fc -index 623c8fa..1ef62d0 100644 +index 623c8fa..50221ce 100644 --- a/snmp.fc 
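Review bot: The lock rules added in hunk `@@ -47758` cover only regular files, `manage_files_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t)` and `files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, file)`, while the new pkcsslotd.fc entry labels the whole `/var/lock/opencryptoki(/.*)?` tree. If the daemon creates that directory itself, the directory gets the generic lock type and the file transition never fires; `manage_dirs_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t)` and `files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, { dir file })` would close that gap, or a comment should state that the directory is shipped by the package. Replacing `files_read_etc_files(pkcsslotd_t)` with `auth_read_passwd(pkcsslotd_t)` in the same hunk narrows the daemon to the passwd file; confirm it reads no other configuration under /etc, since those reads would now be denied.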
+++ b/snmp.fc -@@ -16,9 +16,10 @@ - /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) +@@ -13,12 +13,14 @@ + # + /var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + +-/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) +-/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) ++/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) ++/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) ++/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) -/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) +/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) @@ -73308,7 +73299,7 @@ index 6f0736b..b83424b 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..3a32058 100644 +index 947bbc6..3708791 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,97 @@ policy_module(virt, 1.5.0) @@ -74004,7 +73995,7 @@ index 947bbc6..3a32058 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,34 +666,648 @@ dev_write_sound(virt_domain) +@@ -438,34 +666,647 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -74063,7 +74054,7 @@ index 947bbc6..3a32058 100644 virt_read_content(virt_domain) virt_stream_connect(virt_domain) + virt_domtrans_bridgehelper(virt_domain) - ') ++') + +optional_policy(` + xserver_rw_shm(virt_domain) @@ -74195,7 +74186,6 @@ index 947bbc6..3a32058 100644 +storage_raw_read_fixed_disk(virsh_t) + +term_use_all_inherited_terms(virsh_t) -+term_dontaudit_use_generic_ptys(virsh_t) + +userdom_search_admin_dir(virsh_t) +userdom_read_home_certs(virsh_t) 
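Review bot: The new entry `/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)` labels a spool directory with the daemon's var_lib type, so whatever snmpd may do to its state directory it may also do to the snmptt spool and vice versa. A dedicated spool type, or at least a comment recording why the lib type is reused, would keep the two data sets separable in policy. The two `/var/lib/...` lines above it are removed and re-added with only whitespace differences, which hides the real change; restoring their original spacing would shrink the hunk to the single added line.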
@@ -74394,26 +74384,24 @@ index 947bbc6..3a32058 100644 +# virt_lxc_domain local policy +# +allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock }; -+allow svirt_lxc_domain self:key manage_key_perms; -+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -+allow svirt_lxc_domain self:fifo_file manage_file_perms; -+allow svirt_lxc_domain self:sem create_sem_perms; -+allow svirt_lxc_domain self:shm create_shm_perms; -+allow svirt_lxc_domain self:msgq create_msgq_perms; -+allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -+ + +allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }; -+allow virtd_t svirt_lxc_domain:process { signal_perms getattr }; -+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched setrlimit transition signal_perms }; -+ ++allow virtd_t svirt_lxc_domain:process { signal_perms }; ++allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow svirt_lxc_domain virtd_lxc_t:process sigchld; +allow svirt_lxc_domain virtd_lxc_t:fd use; +allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms; +allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; + ++allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; ++allow svirt_lxc_domain self:fifo_file manage_file_perms; ++allow svirt_lxc_domain self:sem create_sem_perms; ++allow svirt_lxc_domain self:shm create_shm_perms; ++allow svirt_lxc_domain self:msgq create_msgq_perms; ++allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow svirt_lxc_domain self:unix_dgram_socket { sendto 
create_socket_perms }; ++ +manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -74487,13 +74475,15 @@ index 947bbc6..3a32058 100644 + +optional_policy(` + udev_read_pid_files(svirt_lxc_domain) -+') + ') + +virt_lxc_domain_template(svirt_lxc_net) + +allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_lxc_net_t self:capability2 block_suspend; +allow svirt_lxc_net_t self:netlink_socket create_socket_perms; ++allow svirt_lxc_net_t self:process setrlimit; ++ +allow svirt_lxc_net_t self:udp_socket create_socket_perms; +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms; +allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 34d97c8..409c014 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 86%{?dist} +Release: 87%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
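Review bot: The svirt_lxc_domain rewrite in hunk `@@ -74394` (which starts on the previous physical line) removes `allow svirt_lxc_domain self:key manage_key_perms;`, drops `getattr` from virtd_t's process permissions, replaces `signal_perms` with `signal signull sigkill` and drops `setrlimit` for virtd_lxc_t, and moves setrlimit to `allow svirt_lxc_net_t self:process setrlimit;` in the following hunk, yet none of this appears in the 3.11.1-87 changelog. These are tightenings of the container domains, which is welcome, but silent permission removals are the hardest denials to trace later; a changelog line such as `- Tighten svirt_lxc_domain: drop key management, virtd getattr and setrlimit` would record them.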
@@ -521,6 +521,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Mar 21 2013 Miroslav Grepl 3.11.1-87 +- Allow commands that are going to read mount pid files to search mount_var_run_t +- Make localectl set-x11-keymap working at all +- Allow localectl to read /etc/X11/xorg.conf.d directory +- Allow mount to transition to systemd_passwd_agent +- Add tcp/9150 as tor_socks_port +- Allow systemd to list all file system directories +- Allow sytemd_tmpfiles to create wtmp file +- Allow automount to block suspend +- /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6 +- Add support for /run/lock/opencryptoki +- Allow pkcsslotd chown capability +- Allow pkcsslotd to read passwd + * Wed Mar 13 2013 Miroslav Grepl 3.11.1-86 - cups uses usbtty_device_t devices - These fixes were all required to build a MLS virtual Machine with single level desktops