diff --git a/policy-f18-base.patch b/policy-f18-base.patch index 389d7e7..7c2db27 100644 --- a/policy-f18-base.patch +++ b/policy-f18-base.patch @@ -110513,7 +110513,7 @@ index 7a6f06f..bf04b0a 100644 -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index a778bb1..5e914db 100644 +index a778bb1..18e2246 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` @@ -110565,7 +110565,34 @@ index a778bb1..5e914db 100644 ') ######################################## -@@ -100,7 +128,7 @@ interface(`bootloader_rw_tmp_files',` +@@ -85,6 +113,26 @@ interface(`bootloader_rw_config',` + + ######################################## + ## ++## Manage the bootloader ++## configuration file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`bootloader_manage_config',` ++ gen_require(` ++ type bootloader_etc_t; ++ ') ++ ++ manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t) ++') ++ ++######################################## ++## + ## Read and write the bootloader + ## temporary data in /tmp. + ## +@@ -100,7 +148,7 @@ interface(`bootloader_rw_tmp_files',` ') files_search_tmp($1) @@ -110574,7 +110601,7 @@ index a778bb1..5e914db 100644 ') ######################################## -@@ -122,3 +150,22 @@ interface(`bootloader_create_runtime_file',` +@@ -122,3 +170,22 @@ interface(`bootloader_create_runtime_file',` allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) ') @@ -112431,7 +112458,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index db981df..c165d31 100644 +index db981df..8fe3bea 100644 
--- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -112482,11 +112509,12 @@ index db981df..c165d31 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -130,10 +138,11 @@ ifdef(`distro_debian',` +@@ -130,10 +138,12 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) ++/lib/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0) /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) @@ -112495,7 +112523,7 @@ index db981df..c165d31 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -147,7 +156,7 @@ ifdef(`distro_gentoo',` +@@ -147,7 +157,7 @@ ifdef(`distro_gentoo',` # # /sbin # @@ -112504,7 +112532,7 @@ index db981df..c165d31 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -163,6 +172,7 @@ ifdef(`distro_gentoo',` +@@ -163,6 +173,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112512,7 +112540,7 @@ index db981df..c165d31 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -174,53 +184,80 @@ ifdef(`distro_gentoo',` +@@ -174,53 +185,80 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -112613,7 +112641,7 @@ index db981df..c165d31 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -235,10 +272,15 @@ ifdef(`distro_gentoo',` +@@ -235,10 +273,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -112629,7 +112657,7 @@ index db981df..c165d31 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -251,11 +293,17 @@ ifdef(`distro_gentoo',` +@@ -251,11 +294,17 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -112651,7 +112679,7 @@ index db981df..c165d31 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -271,10 +319,15 @@ ifdef(`distro_gentoo',` +@@ -271,10 +320,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -112667,7 +112695,7 @@ index db981df..c165d31 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -289,16 +342,22 @@ ifdef(`distro_gentoo',` +@@ -289,16 +343,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -112692,7 +112720,7 @@ index db981df..c165d31 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,8 +373,12 @@ ifdef(`distro_redhat', ` +@@ -314,20 +374,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -112705,7 +112733,10 @@ index db981df..c165d31 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,9 +388,12 @@ ifdef(`distro_redhat', ` + /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) +-/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) ++#/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) 
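Review bot: The `authconfig\.py` entry in the `distro_redhat` block of corecommands.fc is commented out rather than deleted, and nothing records why. With the line disabled the file no longer gets `bin_t` from this spec and will presumably fall back to whatever broader `/usr/share` rule matches, which changes which domains may execute it. The neighbouring `authconfig-gtk\.py` and `authconfig-tui\.py` entries keep `bin_t`, so the three are now labeled inconsistently. Either drop the line or put the reason above it, e.g. `# authconfig.py intentionally not labeled bin_t: <reason / bug reference>`.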
@@ -112718,7 +112749,7 @@ index db981df..c165d31 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -376,11 +442,15 @@ ifdef(`distro_suse', ` +@@ -376,11 +443,15 @@ ifdef(`distro_suse', ` # # /var # @@ -112735,7 +112766,7 @@ index db981df..c165d31 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -390,3 +460,12 @@ ifdef(`distro_suse', ` +@@ -390,3 +461,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -120382,7 +120413,7 @@ index cda5588..91d1e25 100644 +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 7c6b791..c6ddff0 100644 +index 7c6b791..6ceb348 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -120896,7 +120927,33 @@ index 7c6b791..c6ddff0 100644 ######################################## ## ## Mount a FUSE filesystem. -@@ -2025,6 +2404,87 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1984,6 +2363,25 @@ interface(`fs_manage_fusefs_files',` + manage_files_pattern($1, fusefs_t, fusefs_t) + ') + ++####################################### ++## ++## Do not audit attempts to append files ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_append_fusefs_files',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:file append; ++') ++ + ######################################## + ## + ## Do not audit attempts to create, +@@ -2025,6 +2423,87 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## 
@@ -120984,7 +121041,7 @@ index 7c6b791..c6ddff0 100644 ## Get the attributes of an hugetlbfs ## filesystem. ## -@@ -2080,6 +2540,24 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2080,6 +2559,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## @@ -121009,7 +121066,7 @@ index 7c6b791..c6ddff0 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',` +@@ -2148,11 +2645,12 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -121023,7 +121080,7 @@ index 7c6b791..c6ddff0 100644 ## ## ## -@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +2983,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -121031,7 +121088,7 @@ index 7c6b791..c6ddff0 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3022,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -121039,7 +121096,7 @@ index 7c6b791..c6ddff0 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,42 +3030,97 @@ interface(`fs_exec_nfs_files',` +@@ -2549,42 +3049,97 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -121148,7 +121205,7 @@ index 7c6b791..c6ddff0 100644 ') ######################################## -@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3158,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -121157,7 +121214,7 @@ index 7c6b791..c6ddff0 100644 ') ######################################## -@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3182,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -121166,7 +121223,7 @@ index 7c6b791..c6ddff0 100644 ## ## ## -@@ -2741,7 +3277,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3296,7 @@ interface(`fs_search_removable',` ## ## ## 
@@ -121175,7 +121232,7 @@ index 7c6b791..c6ddff0 100644 ## ## # -@@ -2777,7 +3313,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3332,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -121184,7 +121241,7 @@ index 7c6b791..c6ddff0 100644 ## ## # -@@ -2970,6 +3506,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3525,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -121192,7 +121249,7 @@ index 7c6b791..c6ddff0 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3547,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3566,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -121200,7 +121257,7 @@ index 7c6b791..c6ddff0 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3588,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +3607,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -121208,7 +121265,7 @@ index 7c6b791..c6ddff0 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3263,6 +3802,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +3821,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -121233,7 +121290,7 @@ index 7c6b791..c6ddff0 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3840,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3859,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -121258,7 +121315,7 @@ index 7c6b791..c6ddff0 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +3967,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -121267,7 +121324,7 @@ index 7c6b791..c6ddff0 100644 ## ## ## -@@ -3429,7 +4004,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4023,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## 
@@ -121276,7 +121333,7 @@ index 7c6b791..c6ddff0 100644 ## ## ## -@@ -3447,7 +4022,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4041,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -121285,7 +121342,7 @@ index 7c6b791..c6ddff0 100644 ## ## ## -@@ -3815,6 +4390,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4409,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -121310,7 +121367,7 @@ index 7c6b791..c6ddff0 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3963,6 +4556,60 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3963,6 +4575,60 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -121371,7 +121428,7 @@ index 7c6b791..c6ddff0 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4069,7 +4716,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4069,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -121380,7 +121437,7 @@ index 7c6b791..c6ddff0 100644 ') ######################################## -@@ -4129,6 +4776,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4129,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -121405,7 +121462,7 @@ index 7c6b791..c6ddff0 100644 ## Read tmpfs link files. ## ## -@@ -4166,7 +4831,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4166,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -121414,7 +121471,7 @@ index 7c6b791..c6ddff0 100644 ## ## ## -@@ -4185,6 +4850,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4185,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## 
@@ -121475,7 +121532,7 @@ index 7c6b791..c6ddff0 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4242,6 +4961,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4242,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -121520,7 +121577,7 @@ index 7c6b791..c6ddff0 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4261,6 +5018,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4261,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -121546,7 +121603,7 @@ index 7c6b791..c6ddff0 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4467,6 +5243,8 @@ interface(`fs_mount_all_fs',` +@@ -4467,6 +5262,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -121555,7 +121612,7 @@ index 7c6b791..c6ddff0 100644 ') ######################################## -@@ -4513,7 +5291,7 @@ interface(`fs_unmount_all_fs',` +@@ -4513,7 +5310,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -121564,7 +121621,7 @@ index 7c6b791..c6ddff0 100644 ## Example attributes: ##

##
    -@@ -4560,6 +5338,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4560,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -121591,7 +121648,7 @@ index 7c6b791..c6ddff0 100644 ## Get the quotas of all filesystems. ## ## -@@ -4876,3 +5674,43 @@ interface(`fs_unconfined',` +@@ -4876,3 +5693,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -126692,10 +126749,10 @@ index a26f84f..947af6c 100644 -/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index ecef19f..149e648 100644 +index ecef19f..5213ad7 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if -@@ -10,7 +10,7 @@ +@@ -10,90 +10,21 @@ ##
## ## @@ -126704,10 +126761,49 @@ index ecef19f..149e648 100644 ## The type of the user domain. ##
## -@@ -54,15 +54,6 @@ interface(`postgresql_role',` - # Client local policy - # + # + interface(`postgresql_role',` + gen_require(` +- class db_database all_db_database_perms; +- class db_schema all_db_schema_perms; +- class db_table all_db_table_perms; +- class db_sequence all_db_sequence_perms; +- class db_view all_db_view_perms; +- class db_procedure all_db_procedure_perms; +- class db_language all_db_language_perms; +- class db_column all_db_column_perms; +- class db_tuple all_db_tuple_perms; +- class db_blob all_db_blob_perms; +- +- attribute sepgsql_client_type, sepgsql_database_type; +- attribute sepgsql_schema_type, sepgsql_sysobj_table_type; +- +- type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; +- type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t; +- type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; +- type user_sepgsql_schema_t, user_sepgsql_seq_t; +- type user_sepgsql_sysobj_t, user_sepgsql_table_t; +- type user_sepgsql_view_t; +- type sepgsql_temp_object_t; ++ attribute sepgsql_client_type; ++ type sepgsql_trusted_proc_t; ++ type sepgsql_ranged_proc_t; + ') +- ######################################## +- # +- # Declarations +- # +- + typeattribute $2 sepgsql_client_type; + role $1 types sepgsql_trusted_proc_t; + role $1 types sepgsql_ranged_proc_t; +- +- ############################## +- # +- # Client local policy +- # +- - tunable_policy(`sepgsql_enable_users_ddl',` - allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; - allow $2 user_sepgsql_table_t:db_table { create drop setattr }; 
@@ -126717,27 +126813,41 @@ index ecef19f..149e648 100644 - allow $2 user_sepgsql_view_t:db_view { create drop setattr }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - - allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; - type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; -@@ -94,6 +85,16 @@ interface(`postgresql_role',` - - allow $2 sepgsql_trusted_proc_t:process transition; - type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; -+ -+ tunable_policy(`sepgsql_enable_users_ddl',` -+ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; -+ allow $2 user_sepgsql_table_t:db_table { create drop setattr }; -+ allow $2 user_sepgsql_table_t:db_column { create drop setattr }; -+ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; -+ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; -+ allow $2 user_sepgsql_view_t:db_view { create drop setattr }; -+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; -+ ') +- +- allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; +- type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; +- type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; +- +- allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock }; +- allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; +- allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; +- type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; +- +- allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; +- type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; +- +- allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; +- type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t; +- +- allow $2 
user_sepgsql_view_t:db_view { getattr expand }; +- type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; +- +- allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; +- type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; +- +- allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; +- type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; +- +- allow $2 sepgsql_ranged_proc_t:process transition; +- type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; +- allow sepgsql_ranged_proc_t $2:process dyntransition; +- +- allow $2 sepgsql_trusted_proc_t:process transition; +- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; ') ######################################## -@@ -312,7 +313,7 @@ interface(`postgresql_search_db',` +@@ -312,7 +243,7 @@ interface(`postgresql_search_db',` type postgresql_db_t; ') @@ -126746,7 +126856,7 @@ index ecef19f..149e648 100644 ') ######################################## -@@ -324,14 +325,16 @@ interface(`postgresql_search_db',` +@@ -324,14 +255,16 @@ interface(`postgresql_search_db',` ## Domain allowed access. ##
## @@ -126766,7 +126876,7 @@ index ecef19f..149e648 100644 ') ######################################## -@@ -354,6 +357,24 @@ interface(`postgresql_domtrans',` +@@ -354,6 +287,24 @@ interface(`postgresql_domtrans',` ###################################### ## @@ -126791,7 +126901,7 @@ index ecef19f..149e648 100644 ## Allow domain to signal postgresql ## ## -@@ -421,7 +442,6 @@ interface(`postgresql_tcp_connect',` +@@ -421,7 +372,6 @@ interface(`postgresql_tcp_connect',` ## Domain allowed access. ##
## @@ -126799,7 +126909,7 @@ index ecef19f..149e648 100644 # interface(`postgresql_stream_connect',` gen_require(` -@@ -429,10 +449,8 @@ interface(`postgresql_stream_connect',` +@@ -429,10 +379,8 @@ interface(`postgresql_stream_connect',` ') files_search_pids($1) 
@@ -126812,15 +126922,91 @@ index ecef19f..149e648 100644 ') ######################################## -@@ -515,7 +533,6 @@ interface(`postgresql_unpriv_client',` - allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; - type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; +@@ -448,83 +396,10 @@ interface(`postgresql_stream_connect',` + # + interface(`postgresql_unpriv_client',` + gen_require(` +- class db_database all_db_database_perms; +- class db_schema all_db_schema_perms; +- class db_table all_db_table_perms; +- class db_sequence all_db_sequence_perms; +- class db_view all_db_view_perms; +- class db_procedure all_db_procedure_perms; +- class db_language all_db_language_perms; +- class db_column all_db_column_perms; +- class db_tuple all_db_tuple_perms; +- class db_blob all_db_blob_perms; +- + attribute sepgsql_client_type; +- attribute sepgsql_database_type, sepgsql_schema_type; +- attribute sepgsql_sysobj_table_type; +- +- type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t; +- type sepgsql_temp_object_t; +- type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; +- type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; +- type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; +- type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; +- type unpriv_sepgsql_view_t; + ') +- ######################################## +- # +- # Declarations +- # +- + typeattribute $1 sepgsql_client_type; +- +- ######################################## +- # +- # Client local policy +- # +- +- type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; +- allow $1 sepgsql_ranged_proc_t:process transition; +- allow sepgsql_ranged_proc_t $1:process dyntransition; +- +- type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; +- allow $1 sepgsql_trusted_proc_t:process transition; +- +- allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; +- type_transition $1 
sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; - - tunable_policy(`sepgsql_enable_users_ddl',` - allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; -@@ -548,6 +565,29 @@ interface(`postgresql_unconfined',` +- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; +- type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; +- +- allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; +- type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; +- type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; +- +- allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock }; +- allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; +- allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; +- type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; +- +- allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; +- type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t; +- +- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; +- type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; +- +- allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; +- type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; +- +- +- tunable_policy(`sepgsql_enable_users_ddl',` +- allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; +- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; +- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; +- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; +- allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr }; +- allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; +- allow $1 
unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; +- ') + ') + + ######################################## +@@ -548,6 +423,29 @@ interface(`postgresql_unconfined',` ######################################## ## @@ -126850,7 +127036,7 @@ index ecef19f..149e648 100644 ## All of the rules required to administrate an postgresql environment ## ## -@@ -564,35 +604,41 @@ interface(`postgresql_unconfined',` +@@ -564,35 +462,41 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` @@ -126901,7 +127087,7 @@ index ecef19f..149e648 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 4318f73..a626a63 100644 +index 4318f73..612e37c 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -126914,15 +127100,15 @@ index 4318f73..a626a63 100644 +##
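Review bot: `postgresql_unpriv_client` is reduced to `typeattribute $1 sepgsql_client_type;`, so unprivileged clients no longer get their own `unpriv_sepgsql_*` object types and type transitions. The rules this commit adds to postgresql.te (hunk `@@ -484,10 +490,52 @@`) are keyed on `sepgsql_client_type` and target only `user_sepgsql_*`. A domain passed to `postgresql_unpriv_client` and one passed to `postgresql_role` therefore create and access database objects under the same labels, and the type-level separation between the two client classes is lost. Whether other `unpriv_sepgsql_*` rules remain in postgresql.te cannot be seen from this page. If the merge is intended, state it in the interface summary, e.g. `## Database object access is granted to all sepgsql_client_type domains in postgresql.te; unprivileged clients share the user_sepgsql_* types.`; otherwise give unprivileged clients a separate attribute and keep the `unpriv_sepgsql_*` rules on it.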

+## Allow postgresql to use ssh and rsync for point-in-time recovery +##

-+## + ## +-gen_tunable(sepgsql_enable_users_ddl, true) +gen_tunable(postgresql_can_rsync, false) + +## +##

+## Allow unprivileged users to execute DDL statement +##

- ##
--gen_tunable(sepgsql_enable_users_ddl, true) ++## +gen_tunable(postgresql_selinux_users_ddl, true) ## 
@@ -127013,16 +127199,64 @@ index 4318f73..a626a63 100644 allow postgresql_t self:process execmem; ') -@@ -487,7 +493,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db - # Note that permission of creation/deletion are eventually controlled by - # create or drop permission of individual objects within shared schemas. - # So, it just allows to create/drop user specific types. +@@ -484,10 +490,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin + # It is always allowed to operate temporary objects for any database client. + allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; + +-# Note that permission of creation/deletion are eventually controlled by +-# create or drop permission of individual objects within shared schemas. +-# So, it just allows to create/drop user specific types. -tunable_policy(`sepgsql_enable_users_ddl',` ++############################## ++# ++# Client local policy ++# ++allow sepgsql_client_type user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; ++type_transition sepgsql_client_type sepgsql_database_type:db_schema user_sepgsql_schema_t; ++type_transition sepgsql_client_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; ++ ++allow sepgsql_client_type user_sepgsql_table_t:db_table { getattr select update insert delete lock }; ++allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert }; ++allow sepgsql_client_type user_sepgsql_table_t:db_tuple { select update insert delete }; ++type_transition sepgsql_client_type sepgsql_schema_type:db_table user_sepgsql_table_t; ++ ++allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { use select }; ++type_transition sepgsql_client_type sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; ++ ++allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { getattr 
get_value next_value }; ++type_transition sepgsql_client_type sepgsql_schema_type:db_sequence user_sepgsql_seq_t; ++ ++allow sepgsql_client_type user_sepgsql_view_t:db_view { getattr expand }; ++type_transition sepgsql_client_type sepgsql_schema_type:db_view user_sepgsql_view_t; ++ ++allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute }; ++type_transition sepgsql_client_type sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; ++ ++allow sepgsql_client_type user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; ++type_transition sepgsql_client_type sepgsql_database_type:db_blob user_sepgsql_blob_t; ++ ++allow sepgsql_client_type sepgsql_ranged_proc_t:process transition; ++type_transition sepgsql_client_type sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; ++allow sepgsql_ranged_proc_t sepgsql_client_type:process dyntransition; ++ ++allow sepgsql_client_type sepgsql_trusted_proc_t:process transition; ++type_transition sepgsql_client_type sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; ++ +tunable_policy(`postgresql_selinux_users_ddl',` ++ allow sepgsql_client_type user_sepgsql_schema_t:db_schema { create drop setattr }; ++ allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr }; ++ allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr }; ++ allow sepgsql_client_type user_sepgsql_sysobj_t:db_tuple { update insert delete }; ++ allow sepgsql_client_type user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; ++ allow sepgsql_client_type user_sepgsql_view_t:db_view { create drop setattr }; ++ allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; ++ # Note that permission of creation/deletion are eventually controlled by ++ # create or drop permission of individual objects within shared schemas. ++ # So, it just allows to create/drop user specific types. 
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -535,7 +541,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -535,7 +583,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -127031,7 +127265,7 @@ index 4318f73..a626a63 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -588,3 +594,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -588,3 +636,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) @@ -138194,7 +138428,7 @@ index fe3427d..2410a4e 100644 /var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index 926ba65..9cac7b3 100644 +index 926ba65..e968a36 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` @@ -138246,7 +138480,7 @@ index 926ba65..9cac7b3 100644 allow $1 locale_t:file execute; ') -@@ -531,6 +550,10 @@ interface(`miscfiles_read_man_pages',` +@@ -531,6 +550,31 @@ interface(`miscfiles_read_man_pages',` allow $1 man_t:dir list_dir_perms; read_files_pattern($1, man_t, man_t) read_lnk_files_pattern($1, man_t, man_t) 
@@ -138254,10 +138488,31 @@ index 926ba65..9cac7b3 100644 + optional_policy(` + mandb_read_cache_files($1) + ') ++') ++ ++######################################## ++## ++## Setattr man pages ++## ++## ++## ++## Domain allowed access. ++## ++## ++# cjp: added for tmpreaper ++# ++interface(`miscfiles_setattr_man_pages',` ++ gen_require(` ++ type man_t; ++ ') ++ ++ files_search_usr($1) ++ ++ allow $1 man_t:dir setattr; ') ######################################## -@@ -557,6 +580,11 @@ interface(`miscfiles_delete_man_pages',` +@@ -557,6 +601,11 @@ interface(`miscfiles_delete_man_pages',` delete_dirs_pattern($1, man_t, man_t) delete_files_pattern($1, man_t, man_t) delete_lnk_files_pattern($1, man_t, man_t) @@ -138269,7 +138524,7 @@ index 926ba65..9cac7b3 100644 ') ######################################## -@@ -582,6 +610,30 @@ interface(`miscfiles_manage_man_pages',` +@@ -582,6 +631,30 @@ interface(`miscfiles_manage_man_pages',` ######################################## ## @@ -138300,7 +138555,7 @@ index 926ba65..9cac7b3 100644 ## Read public files used for file ## transfer services. ## -@@ -744,8 +796,10 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -744,8 +817,10 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') @@ -138313,7 +138568,7 @@ index 926ba65..9cac7b3 100644 ') ######################################## -@@ -769,3 +823,43 @@ interface(`miscfiles_manage_localization',` +@@ -769,3 +844,43 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -141719,10 +141974,10 @@ index 0000000..7917796 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..8fbbd45 +index 0000000..a32bdce --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1007 @@ +@@ -0,0 +1,1006 @@ +## SELinux policy for systemd components + +####################################### 
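Review bot: The summary of the new `miscfiles_setattr_man_pages` interface says "Setattr man pages", but the only rule it adds is `allow $1 man_t:dir setattr;`, so a caller gets directory attributes and nothing on the man page files. I would make the summary match the grant, e.g. `## Set the attributes of man page directories.`, so nobody assumes file coverage when granting it. The `# cjp: added for tmpreaper` line reads as if it came along with a copied interface skeleton; confirm it applies here or drop it. Unlike `miscfiles_read_man_pages` just above, which gains `mandb_read_cache_files($1)`, this interface has no mandb cache counterpart, which may be intentional but is worth a word.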
@@ -142729,13 +142984,12 @@ index 0000000..8fbbd45 + allow systemd_hostnamed_t $1:dbus send_msg; + ps_process_pattern(systemd_hostnamed_t, $1) +') -+ diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..52f0a12 +index 0000000..4c332d5 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,612 @@ +@@ -0,0 +1,616 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -143228,10 +143482,13 @@ index 0000000..52f0a12 +seutil_read_file_contexts(systemd_localed_t) + +logging_stream_connect_syslog(systemd_localed_t) ++logging_send_syslog_msg(systemd_localed_t) + +miscfiles_manage_localization(systemd_localed_t) +miscfiles_etc_filetrans_localization(systemd_localed_t) + ++userdom_dbus_send_all_users(systemd_localed_t) ++ +optional_policy(` + dbus_connect_system_bus(systemd_localed_t) + dbus_system_bus_client(systemd_localed_t) @@ -143258,6 +143515,7 @@ index 0000000..52f0a12 +init_stream_connect(systemd_hostnamed_t) + +logging_stream_connect_syslog(systemd_hostnamed_t) ++logging_send_syslog_msg(systemd_hostnamed_t) + +optional_policy(` + dbus_system_bus_client(systemd_hostnamed_t) @@ -144703,7 +144961,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..2a4e6ef 100644 +index e720dcd..ef5c047 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -145341,7 +145599,7 @@ index e720dcd..2a4e6ef 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,100 +689,140 @@ template(`userdom_common_user_template',` +@@ -546,100 +689,146 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject 
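Review bot: `userdom_dbus_send_all_users(systemd_localed_t)` is added on its own, outside the `optional_policy(` block that holds the other D-Bus rules for systemd_localed_t, and with no comment on why localed must send to every user domain. The interface body visible later in this patch is `allow $1 userdomain:dbus send_msg;`, which covers the whole `userdomain` attribute, so the reason should be recorded in a why-comment naming the denial it answers. Placing it next to `dbus_system_bus_client(systemd_localed_t)` would also keep the D-Bus rules together. Separately, `logging_send_syslog_msg` is added directly after `logging_stream_connect_syslog` for systemd_localed_t here and for systemd_hostnamed_t in the following hunk; if the new call already covers the stream connection, the older line is redundant and could go.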
@@ -145490,17 +145748,22 @@ index e720dcd..2a4e6ef 100644 + inn_read_config($1_usertype) + inn_read_news_lib($1_usertype) + inn_read_news_spool($1_usertype) - ') - - optional_policy(` -- locate_read_lib_files($1_t) -+ lircd_stream_connect($1_usertype) + ') + + optional_policy(` -+ locate_read_lib_files($1_usertype) ++ lircd_stream_connect($1_usertype) + ') + + optional_policy(` + locate_read_lib_files($1_t) ') ++ optional_policy(` ++ mpd_manage_user_data_content($1_t) ++ mpd_relabel_user_data_content($1_t) ++ mpd_stream_connect($1_t) ++ ') ++ # for running depmod as part of the kernel packaging process optional_policy(` - modutils_read_module_config($1_t) @@ -145520,7 +145783,7 @@ index e720dcd..2a4e6ef 100644 mysql_stream_connect($1_t) ') ') -@@ -651,40 +834,52 @@ template(`userdom_common_user_template',` +@@ -651,40 +840,52 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -145557,35 +145820,35 @@ index e720dcd..2a4e6ef 100644 + + optional_policy(` + rpcbind_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ slrnpull_search_spool($1_usertype) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t, $1_r) ++ slrnpull_search_spool($1_usertype) ++ ') ++ ++ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') -@@ -709,17 +904,33 @@ template(`userdom_common_user_template',` +@@ -709,17 +910,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; 
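Review bot: The new mpd block in `userdom_common_user_template` is written against `$1_t` (`mpd_manage_user_data_content($1_t)`, `mpd_relabel_user_data_content($1_t)`, `mpd_stream_connect($1_t)`), while the inn and lircd blocks added just before it in the same hunk use `$1_usertype`. If the choice is deliberate, a short comment above the block should say so; otherwise `$1_usertype` would be consistent with its neighbours. The block also hands manage and relabel on mpd user data to every role built from the common template, so it is worth checking whether the more confined users need more than `mpd_stream_connect`. The template body starts and ends outside this hunk.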
@@ -145596,14 +145859,16 @@ index e720dcd..2a4e6ef 100644 - userdom_manage_home_role($1_r, $1_t) + typeattribute $1_t login_userdomain; ++ ++ userdom_manage_home_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_home_role($1_r, $1_usertype) -+ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) + @@ -145614,9 +145879,7 @@ index e720dcd..2a4e6ef 100644 + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -145624,7 +145887,7 @@ index e720dcd..2a4e6ef 100644 userdom_change_password_template($1) -@@ -727,82 +938,100 @@ template(`userdom_login_user_template', ` +@@ -727,82 +944,100 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -145717,14 +145980,14 @@ index e720dcd..2a4e6ef 100644 + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) -+ + +- seutil_read_config($1_t) + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) + ') - -- seutil_read_config($1_t) ++ + optional_policy(` + kerberos_use($1_usertype) + kerberos_filetrans_home_content($1_usertype) @@ -145761,7 +146024,7 @@ index e720dcd..2a4e6ef 100644 ') ') -@@ -834,6 +1063,12 @@ template(`userdom_restricted_user_template',` +@@ -834,6 +1069,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
@@ -145774,7 +146037,7 @@ index e720dcd..2a4e6ef 100644 ############################## # # Local policy -@@ -874,46 +1109,128 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,46 +1115,128 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -145861,23 +146124,23 @@ index e720dcd..2a4e6ef 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` + + optional_policy(` +- consolekit_dbus_chat($1_t) + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) -+ ') + ') optional_policy(` -- consolekit_dbus_chat($1_t) +- cups_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) ') - - optional_policy(` -- cups_dbus_chat($1_t) ++ ++ optional_policy(` + fprintd_dbus_chat($1_t) - ') ++ ') + + optional_policy(` + realmd_dbus_chat($1_t) @@ -145916,7 +146179,7 @@ index e720dcd..2a4e6ef 100644 ') ') -@@ -948,27 +1265,33 @@ template(`userdom_unpriv_user_template', ` +@@ -948,27 +1271,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -145954,7 +146217,7 @@ index e720dcd..2a4e6ef 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -979,47 +1302,82 @@ template(`userdom_unpriv_user_template', ` +@@ -979,44 +1308,79 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -146007,9 +146270,6 @@ index e720dcd..2a4e6ef 100644 -## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. --##

--##

--## The privileges given to administrative users are: + optional_policy(` + gpg_role($1_r, $1_usertype) + ') @@ -146057,13 +146317,10 @@ index e720dcd..2a4e6ef 100644 +## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. -+##

-+##

-+## The privileges given to administrative users are: - ##

    - ##
  • Raw disk access
  • - ##
  • Set all sysctls
  • -@@ -1040,7 +1398,7 @@ template(`userdom_unpriv_user_template', ` + ##

    + ##

    + ## The privileges given to administrative users are: +@@ -1040,7 +1404,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -146072,7 +146329,7 @@ index e720dcd..2a4e6ef 100644 ') ############################## -@@ -1067,6 +1425,7 @@ template(`userdom_admin_user_template',` +@@ -1067,6 +1431,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -146080,7 +146337,7 @@ index e720dcd..2a4e6ef 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1075,6 +1434,9 @@ template(`userdom_admin_user_template',` +@@ -1075,6 +1440,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -146090,7 +146347,7 @@ index e720dcd..2a4e6ef 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1451,7 @@ template(`userdom_admin_user_template',` +@@ -1089,6 +1457,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -146098,7 +146355,7 @@ index e720dcd..2a4e6ef 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,10 +1469,14 @@ template(`userdom_admin_user_template',` +@@ -1106,10 +1475,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -146113,7 +146370,7 @@ index e720dcd..2a4e6ef 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1120,29 +1487,38 @@ template(`userdom_admin_user_template',` +@@ -1120,29 +1493,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -146156,7 +146413,7 @@ index e720dcd..2a4e6ef 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1152,6 +1528,8 @@ template(`userdom_admin_user_template',` +@@ -1152,6 +1534,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -146165,7 +146422,7 @@ index e720dcd..2a4e6ef 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1159,13 +1537,17 @@ template(`userdom_admin_user_template',` +@@ -1159,13 +1543,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -146184,7 +146441,7 @@ index e720dcd..2a4e6ef 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1593,8 @@ template(`userdom_security_admin_template',` +@@ -1211,6 +1599,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -146193,7 +146450,7 @@ index e720dcd..2a4e6ef 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1223,8 +1607,10 @@ template(`userdom_security_admin_template',` +@@ -1223,8 +1613,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -146205,7 +146462,7 @@ index e720dcd..2a4e6ef 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1235,29 +1621,31 @@ template(`userdom_security_admin_template',` +@@ -1235,29 +1627,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) 
@@ -146248,7 +146505,7 @@ index e720dcd..2a4e6ef 100644 ') optional_policy(` -@@ -1317,12 +1705,15 @@ interface(`userdom_user_application_domain',` +@@ -1317,12 +1711,15 @@ interface(`userdom_user_application_domain',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -146265,7 +146522,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -1363,6 +1754,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1363,6 +1760,51 @@ interface(`userdom_user_tmpfs_file',` ##

    ## Allow domain to attach to TUN devices created by administrative users. ## @@ -146317,7 +146574,7 @@ index e720dcd..2a4e6ef 100644 ## ## ## Domain allowed access. -@@ -1467,11 +1903,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1467,11 +1909,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -146349,7 +146606,7 @@ index e720dcd..2a4e6ef 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1513,6 +1969,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1513,6 +1975,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -146364,7 +146621,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -1528,9 +1992,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1528,9 +1998,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -146376,7 +146633,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -1587,6 +2053,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1587,6 +2059,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -146419,7 +146676,7 @@ index e720dcd..2a4e6ef 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1666,6 +2168,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1666,6 +2174,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -146428,7 +146685,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -1680,10 +2184,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1680,10 +2190,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -146443,7 +146700,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -1726,6 +2232,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1726,6 +2238,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -146487,7 +146744,7 @@ index e720dcd..2a4e6ef 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1745,6 +2288,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1745,6 +2294,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -146513,7 +146770,7 @@ index e720dcd..2a4e6ef 100644 ## Mmap user home files. ## ## -@@ -1775,14 +2337,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1775,14 +2343,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -146551,7 +146808,7 @@ index e720dcd..2a4e6ef 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1793,11 +2377,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1793,11 +2383,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -146569,7 +146826,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -1856,25 +2443,25 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1856,25 +2449,25 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -146601,7 +146858,7 @@ index e720dcd..2a4e6ef 100644 ## ## ## -@@ -1882,46 +2469,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` +@@ -1882,104 +2475,169 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` ## ## # 
@@ -146633,86 +146890,97 @@ index e720dcd..2a4e6ef 100644 +interface(`userdom_delete_all_user_home_content_sock_files',` gen_require(` - type user_home_dir_t, user_home_t; -+ attribute user_home_type; - ') - +- ') +- - files_search_home($1) - exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ allow $1 user_home_type:sock_file delete_file_perms; -+') - +- - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -+######################################## -+## -+## Delete all files in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_all_user_home_content',` -+ gen_require(` + attribute user_home_type; ') - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) - ') -+ allow $1 user_home_type:dir_file_class_set delete_file_perms; ++ allow $1 user_home_type:sock_file delete_file_perms; ') ######################################## ## -## Do not audit attempts to execute user home files. -+## Do not audit attempts to write user home files. ++## Delete all files in a user home subdirectory. ## ## ## -@@ -1929,18 +2523,17 @@ interface(`userdom_exec_user_home_content_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`userdom_dontaudit_exec_user_home_content_files',` -+interface(`userdom_dontaudit_relabel_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content',` gen_require(` - type user_home_t; +- type user_home_t; ++ attribute user_home_type; ') - dontaudit $1 user_home_t:file exec_file_perms; -+ dontaudit $1 user_home_t:file relabel_file_perms; ++ allow $1 user_home_type:dir_file_class_set delete_file_perms; ') ######################################## ## -## Create, read, write, and delete files -## in a user home subdirectory. -+## Read user home subdirectory symbolic links. ++## Do not audit attempts to write user home files. 
## ## ## -@@ -1948,20 +2541,79 @@ interface(`userdom_dontaudit_exec_user_home_content_files',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`userdom_manage_user_home_content_files',` -+interface(`userdom_read_user_home_content_symlinks',` ++interface(`userdom_dontaudit_relabel_user_home_content_files',` gen_require(` - type user_home_dir_t, user_home_t; +- type user_home_dir_t, user_home_t; ++ type user_home_t; ') - manage_files_pattern($1, user_home_t, user_home_t) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) -+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; ++ dontaudit $1 user_home_t:file relabel_file_perms; ') ######################################## ## -## Do not audit attempts to create, read, write, and delete directories -## in a user home subdirectory. ++## Read user home subdirectory symbolic links. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`userdom_dontaudit_manage_user_home_content_dirs',` ++interface(`userdom_read_user_home_content_symlinks',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + +- dontaudit $1 user_home_t:dir manage_dir_perms; ++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete symbolic links +## Execute user home files. +## +## 
@@ -146776,10 +147044,28 @@ index e720dcd..2a4e6ef 100644 +## +## Do not audit attempts to create, read, write, and delete directories +## in a user home subdirectory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_manage_user_home_content_dirs',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ ') ++ ++ dontaudit $1 user_home_t:dir manage_dir_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete symbolic links + ## in a user home subdirectory. ## ## - ## -@@ -2018,6 +2670,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -2018,6 +2676,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -146804,7 +147090,7 @@ index e720dcd..2a4e6ef 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2250,11 +2920,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2250,11 +2926,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -146819,7 +147105,7 @@ index e720dcd..2a4e6ef 100644 files_search_tmp($1) ') -@@ -2274,7 +2944,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2274,7 +2950,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -146828,7 +147114,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -2521,6 +3191,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2521,6 +3197,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -146854,7 +147140,7 @@ index e720dcd..2a4e6ef 100644 ######################################## ## ## Read user tmpfs files. -@@ -2537,13 +3226,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2537,13 +3232,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -146870,7 +147156,7 @@ index e720dcd..2a4e6ef 100644 ## ## ## -@@ -2564,7 +3254,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2564,7 +3260,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -146879,7 +147165,7 @@ index e720dcd..2a4e6ef 100644 ## ## ## -@@ -2572,14 +3262,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2572,14 +3268,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -146914,7 +147200,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -2674,6 +3380,24 @@ interface(`userdom_use_user_ttys',` +@@ -2674,6 +3386,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -146939,7 +147225,7 @@ index e720dcd..2a4e6ef 100644 ## Read and write a user domain pty. ## ## -@@ -2692,22 +3416,34 @@ interface(`userdom_use_user_ptys',` +@@ -2692,22 +3422,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -146982,7 +147268,7 @@ index e720dcd..2a4e6ef 100644 ## ## ## -@@ -2716,14 +3452,33 @@ interface(`userdom_use_user_ptys',` +@@ -2716,14 +3458,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -147020,7 +147306,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -2742,8 +3497,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2742,8 +3503,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -147050,7 +147336,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -2815,69 +3589,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2815,69 +3595,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -147151,7 +147437,7 @@ index e720dcd..2a4e6ef 100644 ## ## ## -@@ -2885,12 +3658,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2885,12 +3664,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -147166,7 +147452,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -2954,7 +3727,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2954,7 +3733,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -147175,7 +147461,7 @@ index e720dcd..2a4e6ef 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2970,29 +3743,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2970,29 +3749,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -147209,7 +147495,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -3074,7 +3831,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3074,7 +3837,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -147218,7 +147504,7 @@ index e720dcd..2a4e6ef 100644 ') ######################################## -@@ -3129,12 +3886,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3129,12 +3892,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -147234,7 +147520,7 @@ index e720dcd..2a4e6ef 100644 ## ## ## -@@ -3142,36 +3900,37 @@ interface(`userdom_write_user_tmp_files',` +@@ -3142,21 +3906,77 @@ interface(`userdom_write_user_tmp_files',` ## ## # 
@@ -147259,90 +147545,21 @@ index e720dcd..2a4e6ef 100644 ## -## Domain allowed access. +## Domain to not audit. - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` - gen_require(` -- attribute userdomain; -+ type user_tmp_t; - ') - -- read_files_pattern($1, userdomain, userdomain) -- kernel_search_proc($1) -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. -+## Allow domain to read/write inherited users -+## fifo files. - ## - ## - ## -@@ -3179,35 +3938,91 @@ interface(`userdom_read_all_users_state',` - ## - ## - # --interface(`userdom_getattr_all_users',` -+interface(`userdom_rw_inherited_user_pipes',` - gen_require(` - attribute userdomain; - ') - -- allow $1 userdomain:process getattr; -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Inherit the file descriptors from all user domains -+## Do not audit attempts to use user ttys. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_use_all_users_fds',` -+interface(`userdom_dontaudit_use_user_ttys',` - gen_require(` -- attribute userdomain; -+ type user_tty_device_t; - ') - -- allow $1 userdomain:fd use; -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to inherit the file -+## Read the process state of all user domains. -+## -+## -+## -+## Domain allowed access. 
+## +## +# -+interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ read_files_pattern($1, userdomain, userdomain) -+ read_lnk_files_pattern($1,userdomain,userdomain) -+ kernel_search_proc($1) ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Get the attributes of all user domains. ++## Allow domain to read/write inherited users ++## fifo files. +## +## +## @@ -147350,39 +147567,51 @@ index e720dcd..2a4e6ef 100644 +## +## +# -+interface(`userdom_getattr_all_users',` ++interface(`userdom_rw_inherited_user_pipes',` + gen_require(` + attribute userdomain; + ') + -+ allow $1 userdomain:process getattr; ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Inherit the file descriptors from all user domains ++## Do not audit attempts to use user ttys. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_use_all_users_fds',` ++interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` -+ attribute userdomain; ++ type user_tty_device_t; + ') + -+ allow $1 userdomain:fd use; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to inherit the file - ## descriptors from any user domains. - ## - ## -@@ -3242,6 +4057,42 @@ interface(`userdom_signal_all_users',` ++## Read the process state of all user domains. ++## ++## ++## ++## Domain allowed access. + ## + ## + # +@@ -3166,6 +3986,7 @@ interface(`userdom_read_all_users_state',` + ') + + read_files_pattern($1, userdomain, userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) + ') + +@@ -3242,6 +4063,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -147425,7 +147654,7 @@ index e720dcd..2a4e6ef 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3262,6 +4113,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3262,6 +4119,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -147450,7 +147679,7 @@ index e720dcd..2a4e6ef 100644 ## Create keys for all user domains. ## ## -@@ -3296,3 +4165,1365 @@ interface(`userdom_dbus_send_all_users',` +@@ -3296,3 +4171,1365 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index c160a11..57e3993 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -5137,11 +5137,11 @@ index 159610b..164b672 100644 diff --git a/authconfig.fc b/authconfig.fc new file mode 100644 -index 0000000..86bbf21 +index 0000000..4579cfe --- /dev/null +++ b/authconfig.fc @@ -0,0 +1,3 @@ -+/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:authconfig_exec_t,s0) ++/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0) + +/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0) diff --git a/authconfig.if b/authconfig.if @@ -8962,10 +8962,10 @@ index 0000000..efebae7 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..3ac7547 +index 0000000..d1bd04c --- /dev/null +++ b/chrome.te -@@ -0,0 +1,203 @@ +@@ -0,0 +1,201 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -9155,8 +9155,6 @@ index 0000000..3ac7547 +dev_read_sysfs(chrome_sandbox_nacl_t) +dev_rwx_zero(chrome_sandbox_nacl_t) + -+files_read_etc_files(chrome_sandbox_nacl_t) -+ +init_read_state(chrome_sandbox_nacl_t) + +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) @@ -11040,10 +11038,10 @@ index 0000000..40415f8 + 
diff --git a/collectd.te b/collectd.te new file mode 100644 -index 0000000..cb6dbe6 +index 0000000..e3f985b --- /dev/null +++ b/collectd.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,93 @@ +policy_module(collectd, 1.0.0) + +######################################## @@ -11111,6 +11109,8 @@ index 0000000..cb6dbe6 + +fs_getattr_all_fs(collectd_t) + ++init_read_utmp(collectd_t) ++ +logging_send_syslog_msg(collectd_t) + +sysnet_dns_name_resolve(collectd_t) @@ -11128,6 +11128,8 @@ index 0000000..cb6dbe6 + read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) + list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) + miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) ++ ++ auth_read_passwd(httpd_collectd_script_t) +') + +optional_policy(` @@ -14813,40 +14815,78 @@ index 0000000..33656de + sysnet_domtrans_ifconfig(ctdbd_t) +') diff --git a/cups.fc b/cups.fc -index 848bb92..600efa5 100644 +index 848bb92..85b210b 100644 --- a/cups.fc 
+++ b/cups.fc -@@ -19,7 +19,10 @@ +@@ -15,28 +15,30 @@ + + /etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) + +-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) ++/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0) + - /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -52,18 +55,32 @@ + /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0) + + /usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) + /usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) +-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) + + /usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + +-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0) + /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) + /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0) + /usr/sbin/printconf-backend -- 
gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) + /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) +@@ -44,7 +46,7 @@ + + /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) + /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0) + + /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +@@ -52,18 +54,32 @@ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) - /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) +-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) ++/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0) +/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0) ++/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) + /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) +-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) +/var/run/cups(/.*)? 
gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) - /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) ++/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) @@ -14862,11 +14902,28 @@ index 848bb92..600efa5 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 305ddf4..a682e21 100644 +index 305ddf4..ca832e1 100644 --- a/cups.if +++ b/cups.if -@@ -9,6 +9,11 @@ - ## Domain allowed access. +@@ -1,14 +1,25 @@ +-## Common UNIX printing system ++## Common UNIX printing system. + + ######################################## + ## +-## Setup cups to transtion to the cups backend domain ++## Create a domain which can be ++## started by cupsd. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. ++## ++## ++## ++## ++## Type of the program to be used as an entry point to this domain. ## ## +## 
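Review bot: Relabelling the HP helpers in cups.fc (`/usr/bin/hpijs`, `/usr/sbin/hp-[^/]+`, `/usr/sbin/hpiod`, `/usr/lib/cups/backend/hp.*`, `/usr/share/hplip/.*\.py`) from `hplip_exec_t` to `cupsd_exec_t` makes each of them an entry point into `cupsd_t`, so the HPLIP code loses its own confinement boundary. The cups.te section of this patch aliases `hplip_t` to `cupsd_t` and leaves `cupsd_t` with `sys_admin`, `dac_override` and `sys_rawio`; the separate `hplip_t` domain presumably did not hold all of these, though its removed rules fall outside this hunk. If the merge is intended, a comment above the `/etc/hp(/.*)?` entry such as `# hplip runs in the cups domain; hplip_* types are aliases of cupsd_*` would record it. The `.py` pattern deserves a second look, because every script under `/usr/share/hplip` becomes a `cupsd_t` entry point.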
@@ -14877,7 +14934,41 @@ index 305ddf4..a682e21 100644 # interface(`cups_backend',` gen_require(` -@@ -190,10 +195,12 @@ interface(`cups_dbus_chat_config',` +@@ -42,12 +53,14 @@ interface(`cups_domtrans',` + type cupsd_t, cupsd_exec_t; + ') + ++ corecmd_search_bin($1) + domtrans_pattern($1, cupsd_exec_t, cupsd_t) + ') + + ######################################## + ## +-## Connect to cupsd over an unix domain stream socket. ++## Connect to cupsd over an unix ++## domain stream socket. + ## + ## + ## +@@ -120,7 +133,8 @@ interface(`cups_read_pid_files',` + + ######################################## + ## +-## Execute cups_config in the cups_config domain. ++## Execute cups_config in the ++## cups config domain. + ## + ## + ## +@@ -133,6 +147,7 @@ interface(`cups_domtrans_config',` + type cupsd_config_t, cupsd_config_exec_t; + ') + ++ corecmd_search_bin($1) + domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t) + ') + +@@ -190,10 +205,12 @@ interface(`cups_dbus_chat_config',` interface(`cups_read_config',` gen_require(` type cupsd_etc_t, cupsd_rw_etc_t; @@ -14890,10 +14981,22 @@ index 305ddf4..a682e21 100644 read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) ') -@@ -296,6 +303,29 @@ interface(`cups_stream_connect_ptal',` +@@ -277,7 +294,8 @@ interface(`cups_write_log',` ######################################## ## +-## Connect to ptal over an unix domain stream socket. ++## Connect to ptal over an unix ++## domain stream socket. + ## + ## + ## +@@ -296,8 +314,31 @@ interface(`cups_stream_connect_ptal',` + + ######################################## + ## +-## All of the rules required to administrate +-## an cups environment +## Execute cupsd server in the cupsd domain. +## +## 
@@ -14917,62 +15020,82 @@ index 305ddf4..a682e21 100644 + +######################################## +## - ## All of the rules required to administrate - ## an cups environment ++## All of the rules required to ++## administrate an cups environment. ## -@@ -314,16 +344,20 @@ interface(`cups_stream_connect_ptal',` - interface(`cups_admin',` - gen_require(` + ## + ## +@@ -306,7 +347,7 @@ interface(`cups_stream_connect_ptal',` + ## + ## + ## +-## The role to be allowed to manage the cups domain. ++## Role allowed access. + ## + ## + ## +@@ -316,43 +357,93 @@ interface(`cups_admin',` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; -- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; -- type cupsd_config_var_run_t, cupsd_lpd_var_run_t; + type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; + type cupsd_config_var_run_t, cupsd_lpd_var_run_t; - type cupsd_var_run_t, ptal_etc_t; - type ptal_var_run_t, hplip_var_run_t; - type cupsd_initrc_exec_t; -+ type cupsd_etc_t, cupsd_log_t, hplip_etc_t; -+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t; -+ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t; -+ type ptal_var_run_t; ++ type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; ++ type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; ++ type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; ++ type ptal_t; + type cupsd_unit_file_t; ') - allow $1 cupsd_t:process { ptrace signal_perms }; -+ allow $1 cupsd_t:process signal_perms; - ps_process_pattern($1, cupsd_t) - +- ps_process_pattern($1, cupsd_t) ++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms }; ++ allow $1 { cups_pdf_t ptal_t }:process { signal_perms }; ++ ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) ++ ps_process_pattern($1, { cups_pdf_t ptal_t }) ++ + tunable_policy(`deny_ptrace',`',` -+ allow $1 cupsd_t:process ptrace; ++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace; + ') -+ + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) 
domain_system_change_exemption($1) role_transition $2 cupsd_initrc_exec_t system_r; -@@ -341,18 +375,72 @@ interface(`cups_admin',` + allow $2 system_r; - admin_pattern($1, cupsd_lpd_var_run_t) +- admin_pattern($1, cupsd_etc_t) + files_list_etc($1) ++ admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t }) -- admin_pattern($1, cupsd_spool_t) -- files_list_spool($1) +- admin_pattern($1, cupsd_config_var_run_t) - - admin_pattern($1, cupsd_tmp_t) - files_list_tmp($1) - - admin_pattern($1, cupsd_var_run_t) - files_list_pids($1) +- admin_pattern($1, cupsd_log_t) + logging_list_logs($1) ++ admin_pattern($1, cupsd_log_t) -+ admin_pattern($1, hplip_etc_t) -+ - admin_pattern($1, hplip_var_run_t) +- admin_pattern($1, cupsd_lpd_tmp_t) +- +- admin_pattern($1, cupsd_lpd_var_run_t) +- +- admin_pattern($1, cupsd_spool_t) + files_list_spool($1) ++ admin_pattern($1, cupsd_spool_t) - admin_pattern($1, ptal_etc_t) +- admin_pattern($1, cupsd_tmp_t) + files_list_tmp($1) ++ admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) ++ admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t }) ++ admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t }) - admin_pattern($1, ptal_var_run_t) -+ +- admin_pattern($1, cupsd_var_run_t) +- files_list_pids($1) + cupsd_systemctl($1) + admin_pattern($1, cupsd_unit_file_t) + allow $1 cupsd_unit_file_t:service all_service_perms; +') -+ + +- admin_pattern($1, hplip_var_run_t) +######################################## +## +## Transition to cups named content @@ -14988,7 +15111,8 @@ index 305ddf4..a682e21 100644 + type cupsd_rw_etc_t; + type cupsd_etc_t; + ') -+ + +- admin_pattern($1, ptal_etc_t) + filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf") + filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf") + filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O") 
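Review bot: In `cups_admin` the `deny_ptrace` block now grants `ptrace` over `cupsd_config_t` and `cupsd_lpd_t` as well as `cupsd_t`, where the previous version of the patch granted it over `cupsd_t` only. The signal and `ps_process_pattern` rules just above also cover `cups_pdf_t` and `ptal_t`, so the rule sets disagree on which domains the admin role manages and nothing states why. Either use one domain set for all three rules or add a comment on the tunable block, e.g. `# ptrace intentionally excludes cups_pdf_t and ptal_t: <reason>`. The opening of `cups_admin` lies outside this hunk.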
@@ -15004,7 +15128,8 @@ index 305ddf4..a682e21 100644 + files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf") + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") +') -+ + +- admin_pattern($1, ptal_var_run_t) +######################################## +## +## Allow the domain to read cups state files in /proc. @@ -15024,64 +15149,197 @@ index 305ddf4..a682e21 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index e5a8924..ac29949 100644 +index e5a8924..2baae57 100644 --- a/cups.te 
+++ b/cups.te -@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) - type cupsd_t; +@@ -1,22 +1,28 @@ +-policy_module(cups, 1.15.0) ++policy_module(cups, 1.15.9) + + ######################################## + # + # Declarations + # + +-type cupsd_config_t; ++attribute cups_domain; ++ ++type cupsd_config_t, cups_domain; + type cupsd_config_exec_t; + init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) + + type cupsd_config_var_run_t; + files_pid_file(cupsd_config_var_run_t) + +-type cupsd_t; ++type cupsd_t, cups_domain; type cupsd_exec_t; ++typealias cupsd_t alias hplip_t; ++typealias cupsd_exec_t alias hplip_exec_t; init_daemon_domain(cupsd_t, cupsd_exec_t) +mls_trusted_object(cupsd_t) type cupsd_etc_t; ++typealias cupsd_etc_t alias hplip_etc_t; files_config_file(cupsd_etc_t) -@@ -60,6 +61,9 @@ type cupsd_var_run_t; + + type cupsd_initrc_exec_t; +@@ -32,9 +38,13 @@ type cupsd_lock_t; + files_lock_file(cupsd_lock_t) + + type cupsd_log_t; ++typealias cupsd_log_t alias hplip_var_log_t; + logging_log_file(cupsd_log_t) + +-type cupsd_lpd_t; ++type cupsd_var_lib_t alias hplip_var_lib_t; ++files_type(cupsd_var_lib_t) ++ ++type cupsd_lpd_t, cups_domain; + type cupsd_lpd_exec_t; + domain_type(cupsd_lpd_t) + domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) +@@ -46,7 +56,7 @@ files_tmp_file(cupsd_lpd_tmp_t) + type cupsd_lpd_var_run_t; + files_pid_file(cupsd_lpd_var_run_t) + +-type cups_pdf_t; ++type cups_pdf_t, cups_domain; + type cups_pdf_exec_t; + cups_backend(cups_pdf_t, cups_pdf_exec_t) + +@@ -54,29 +64,16 @@ type cups_pdf_tmp_t; + files_tmp_file(cups_pdf_tmp_t) + + type cupsd_tmp_t; ++typealias cupsd_tmp_t alias hplip_tmp_t; + files_tmp_file(cupsd_tmp_t) + + type cupsd_var_run_t; ++typealias cupsd_var_run_t alias hplip_var_run_t; files_pid_file(cupsd_var_run_t) mls_trusted_object(cupsd_var_run_t) +-type hplip_t; +-type hplip_exec_t; +-init_daemon_domain(hplip_t, hplip_exec_t) +-# For CUPS to run as a backend +-cups_backend(hplip_t, hplip_exec_t) +- +-type 
hplip_etc_t; +-files_config_file(hplip_etc_t) +- +-type hplip_tmp_t; +-files_tmp_file(hplip_tmp_t) +- +-type hplip_var_lib_t; +-files_type(hplip_var_lib_t) +- +-type hplip_var_run_t; +-files_pid_file(hplip_var_run_t) +type cupsd_unit_file_t; +systemd_unit_file(cupsd_unit_file_t) -+ - type hplip_t; - type hplip_exec_t; - init_daemon_domain(hplip_t, hplip_exec_t) -@@ -75,6 +79,9 @@ files_tmp_file(hplip_tmp_t) - type hplip_var_lib_t; - files_type(hplip_var_lib_t) -+type hplip_var_log_t; -+logging_log_file(hplip_var_log_t) + type ptal_t; + type ptal_exec_t; +@@ -96,77 +93,103 @@ ifdef(`enable_mls',` + init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) + ') + ++####################################### ++# ++# Cups general local policy ++# ++ ++allow cups_domain self:capability { setuid setgid }; ++allow cups_domain self:process signal_perms; ++allow cups_domain self:fifo_file rw_fifo_file_perms; ++allow cups_domain self:tcp_socket { accept listen }; ++ ++kernel_read_kernel_sysctls(cups_domain) ++kernel_read_network_state(cups_domain) ++ ++corecmd_exec_bin(cups_domain) ++corecmd_exec_shell(cups_domain) + - type hplip_var_run_t; - files_pid_file(hplip_var_run_t) ++dev_read_urand(cups_domain) ++dev_read_rand(cups_domain) ++dev_read_sysfs(cups_domain) ++ ++fs_getattr_all_fs(cups_domain) ++ ++miscfiles_read_fonts(cups_domain) ++miscfiles_setattr_fonts_cache_dirs(cups_domain) ++ ++optional_policy(` ++ lpd_manage_spool(cups_domain) ++') ++ + ######################################## + # + # Cups local policy + # -@@ -104,6 +111,7 @@ ifdef(`enable_mls',` - # /usr/lib/cups/backend/serial needs sys_admin(?!) - allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; +-# /usr/lib/cups/backend/serial needs sys_admin(?!) 
+-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; ++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -+allow cupsd_t self:capability2 { block_suspend }; - allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; - allow cupsd_t self:fifo_file rw_fifo_file_perms; - allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -123,6 +131,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) - files_search_etc(cupsd_t) +-allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; +-allow cupsd_t self:fifo_file rw_fifo_file_perms; +-allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow cupsd_t self:unix_dgram_socket create_socket_perms; ++allow cupsd_t self:capability2 block_suspend; ++allow cupsd_t self:process { getpgid setpgid setsched }; ++allow cupsd_t self:unix_stream_socket { accept connectto listen }; + allow cupsd_t self:netlink_selinux_socket create_socket_perms; + allow cupsd_t self:shm create_shm_perms; + allow cupsd_t self:sem create_sem_perms; +-allow cupsd_t self:tcp_socket create_stream_socket_perms; +-allow cupsd_t self:udp_socket create_socket_perms; + allow cupsd_t self:appletalk_socket create_socket_perms; +-# generic socket here until appletalk socket is available in kernels +-allow cupsd_t self:socket create_socket_perms; + +-allow cupsd_t cupsd_etc_t:{ dir file } setattr; ++allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; ++allow cupsd_t cupsd_etc_t:file setattr_file_perms; + read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) + read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +-files_search_etc(cupsd_t) manage_files_pattern(cupsd_t, 
cupsd_interface_t, cupsd_interface_t) +can_exec(cupsd_t, cupsd_interface_t) manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -@@ -137,6 +146,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; + filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) + files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) + +-# allow cups to execute its backend scripts +-can_exec(cupsd_t, cupsd_exec_t) + allow cupsd_t cupsd_exec_t:dir search_dir_perms; + allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; + allow cupsd_t cupsd_lock_t:file manage_file_perms; files_lock_filetrans(cupsd_t, cupsd_lock_t, file) +-manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-allow cupsd_t cupsd_log_t:dir setattr; +manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - allow cupsd_t cupsd_log_t:dir setattr; ++append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) ++create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) ++read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) ++setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) -@@ -146,11 +156,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + ++manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) ++manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) ++ + manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) - files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) +-files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) ++files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) -allow cupsd_t cupsd_var_run_t:dir setattr; +allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; 
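Review bot: The new `cups_domain` rules give `setuid`/`setgid` and `corecmd_exec_shell` to every type carrying the attribute, which in this hunk is `cupsd_t`, `cupsd_config_t`, `cupsd_lpd_t` and `cups_pdf_t`. No line removed in this hunk took those capabilities from `cupsd_lpd_t` or `cups_pdf_t`, so the attribute appears to widen them rather than merely deduplicate; whether they held them elsewhere cannot be seen from here. Keeping the capability rule per domain, e.g. `allow { cupsd_t cupsd_config_t } self:capability { setuid setgid };`, would limit the shared block to the unprivileged rules. The hunk also drops the comment `# /usr/lib/cups/backend/serial needs sys_admin(?!)` while keeping `sys_admin` (and a repeated `dac_override`) in the `cupsd_t` capability set; the rationale should stay next to the rule.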
@@ -15090,19 +15348,23 @@ index e5a8924..ac29949 100644 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file }) -+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file }) +- +-allow cupsd_t hplip_t:process { signal sigkill }; ++files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file }) - allow cupsd_t hplip_t:process { signal sigkill }; +-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) ++allow cupsd_t cupsd_unit_file_t:file read_file_perms; -@@ -159,14 +170,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) - allow cupsd_t hplip_var_run_t:file read_file_perms; +-allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -allow cupsd_t ptal_var_run_t : sock_file setattr; +allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; ++ ++can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) - kernel_read_network_state(cupsd_t) +-kernel_read_network_state(cupsd_t) kernel_read_all_sysctls(cupsd_t) kernel_request_load_module(cupsd_t) 
@@ -15110,38 +15372,135 @@ index e5a8924..ac29949 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -211,6 +221,7 @@ mls_rangetrans_target(cupsd_t) - mls_socket_write_all_levels(cupsd_t) - mls_fd_use_all_levels(cupsd_t) - -+term_use_usb_ttys(cupsd_t) - term_use_unallocated_ttys(cupsd_t) - term_search_ptys(cupsd_t) - -@@ -220,11 +231,12 @@ corecmd_exec_bin(cupsd_t) - +@@ -178,6 +201,9 @@ corenet_tcp_sendrecv_all_ports(cupsd_t) + corenet_udp_sendrecv_all_ports(cupsd_t) + corenet_tcp_bind_generic_node(cupsd_t) + corenet_udp_bind_generic_node(cupsd_t) ++ ++corenet_sendrecv_all_server_packets(cupsd_t) ++corenet_sendrecv_all_client_packets(cupsd_t) + corenet_tcp_bind_ipp_port(cupsd_t) + corenet_udp_bind_ipp_port(cupsd_t) + corenet_udp_bind_howl_port(cupsd_t) +@@ -185,60 +211,61 @@ corenet_tcp_bind_reserved_port(cupsd_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) + corenet_tcp_bind_all_rpc_ports(cupsd_t) + corenet_tcp_connect_all_ports(cupsd_t) ++ + corenet_sendrecv_hplip_client_packets(cupsd_t) ++corenet_receive_hplip_server_packets(cupsd_t) ++corenet_tcp_bind_hplip_port(cupsd_t) ++corenet_tcp_connect_hplip_port(cupsd_t) ++corenet_tcp_bind_glance_port(cupsd_t) ++corenet_tcp_connect_glance_port(cupsd_t) ++ + corenet_sendrecv_ipp_client_packets(cupsd_t) +-corenet_sendrecv_ipp_server_packets(cupsd_t) ++corenet_tcp_connect_ipp_port(cupsd_t) ++ ++corenet_sendrecv_howl_server_packets(cupsd_t) ++corenet_udp_bind_howl_port(cupsd_t) + + dev_rw_printer(cupsd_t) +-dev_read_urand(cupsd_t) +-dev_read_sysfs(cupsd_t) +-dev_rw_input_dev(cupsd_t) #447878 ++dev_rw_input_dev(cupsd_t) + dev_rw_generic_usb_dev(cupsd_t) + dev_rw_usbfs(cupsd_t) + dev_getattr_printer_dev(cupsd_t) + + domain_read_all_domains_state(cupsd_t) +- +-fs_getattr_all_fs(cupsd_t) +-fs_search_auto_mountpoints(cupsd_t) +-fs_search_fusefs(cupsd_t) +-fs_read_anon_inodefs_files(cupsd_t) +- +-mls_file_downgrade(cupsd_t) 
+-mls_file_write_all_levels(cupsd_t) +-mls_file_read_all_levels(cupsd_t) +-mls_rangetrans_target(cupsd_t) +-mls_socket_write_all_levels(cupsd_t) +-mls_fd_use_all_levels(cupsd_t) +- +-term_use_unallocated_ttys(cupsd_t) +-term_search_ptys(cupsd_t) +- +-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +-corecmd_exec_shell(cupsd_t) +-corecmd_exec_bin(cupsd_t) +- domain_use_interactive_fds(cupsd_t) +files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) -files_read_etc_files(cupsd_t) files_read_etc_runtime_files(cupsd_t) - # read python modules - files_read_usr_files(cupsd_t) +-# read python modules +-files_read_usr_files(cupsd_t) +files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) files_list_world_readable(cupsd_t) -@@ -258,7 +270,6 @@ libs_exec_lib_files(cupsd_t) + files_read_world_readable_files(cupsd_t) + files_read_world_readable_symlinks(cupsd_t) +-# Satisfy readahead + files_read_var_files(cupsd_t) + files_read_var_symlinks(cupsd_t) ++files_dontaudit_getattr_all_tmp_files(cupsd_t) ++files_dontaudit_list_home(cupsd_t) + # for /etc/printcap + files_dontaudit_write_etc_files(cupsd_t) +-# smbspool seems to be iterating through all existing tmp files. 
+-# redhat bug #214953 +-# cjp: this might be a broken behavior +-files_dontaudit_getattr_all_tmp_files(cupsd_t) ++files_dontaudit_write_usr_dirs(cupsd_t) ++ ++fs_search_auto_mountpoints(cupsd_t) ++fs_search_fusefs(cupsd_t) ++fs_read_anon_inodefs_files(cupsd_t) ++fs_rw_anon_inodefs_files(cupsd_t) ++ ++mls_fd_use_all_levels(cupsd_t) ++mls_file_downgrade(cupsd_t) ++mls_file_write_all_levels(cupsd_t) ++mls_file_read_all_levels(cupsd_t) ++mls_rangetrans_target(cupsd_t) ++mls_socket_write_all_levels(cupsd_t) ++ ++term_search_ptys(cupsd_t) ++term_use_unallocated_ttys(cupsd_t) ++term_use_ptmx(cupsd_t) + + selinux_compute_access_vector(cupsd_t) + selinux_validate_context(cupsd_t) +@@ -251,30 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t) + auth_rw_faillog(cupsd_t) + auth_use_nsswitch(cupsd_t) + +-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* +-libs_read_lib_files(cupsd_t) + libs_exec_lib_files(cupsd_t) + logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) -miscfiles_read_localization(cupsd_t) - # invoking ghostscript needs to read fonts - miscfiles_read_fonts(cupsd_t) - miscfiles_setattr_fonts_cache_dirs(cupsd_t) -@@ -269,12 +280,7 @@ sysnet_exec_ifconfig(cupsd_t) - files_dontaudit_list_home(cupsd_t) +-# invoking ghostscript needs to read fonts +-miscfiles_read_fonts(cupsd_t) +-miscfiles_setattr_fonts_cache_dirs(cupsd_t) +- + seutil_read_config(cupsd_t) ++ + sysnet_exec_ifconfig(cupsd_t) ++sysnet_dns_name_resolve(cupsd_t) + +-files_dontaudit_list_home(cupsd_t) ++userdom_dontaudit_use_unpriv_user_fds(cupsd_t) ++userdom_dontaudit_search_user_home_dirs(cupsd_t) ++userdom_dontaudit_search_user_home_content(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) - 
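Review bot: `corenet_sendrecv_all_server_packets(cupsd_t)` and `corenet_sendrecv_all_client_packets(cupsd_t)` are added beside the per-port `hplip`, `ipp` and `howl` packet rules, which makes those rules redundant and lets `cupsd_t` send and receive packets carrying any client or server packet label. If the blanket rules are really needed the specific ones can go; otherwise drop the two `all_*` lines and keep the explicit ports. The same hunk adds `corenet_udp_bind_howl_port(cupsd_t)`, `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` although unchanged lines appear to carry them already. The new `corenet_tcp_bind_glance_port`/`corenet_tcp_connect_glance_port` lines have no comment saying why a print daemon needs that port.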
@@ -15150,11 +15509,10 @@ index e5a8924..ac29949 100644 -lpd_read_config(cupsd_t) -lpd_exec_lpr(cupsd_t) -lpd_relabel_spool(cupsd_t) -+userdom_search_admin_dir(cupsd_t) optional_policy(` apm_domtrans_client(cupsd_t) -@@ -287,6 +293,8 @@ optional_policy(` +@@ -287,6 +305,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -15163,7 +15521,7 @@ index e5a8924..ac29949 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -297,8 +305,10 @@ optional_policy(` +@@ -297,8 +317,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -15174,7 +15532,7 @@ index e5a8924..ac29949 100644 ') ') -@@ -311,10 +321,23 @@ optional_policy(` +@@ -311,17 +333,28 @@ optional_policy(` ') optional_policy(` @@ -15187,10 +15545,8 @@ index e5a8924..ac29949 100644 ') optional_policy(` -+ # Write to /var/spool/cups. -+ lpd_manage_spool(cupsd_t) -+ lpd_read_config(cupsd_t) + lpd_exec_lpr(cupsd_t) ++ lpd_read_config(cupsd_t) + lpd_relabel_spool(cupsd_t) +') + @@ -15198,16 +15554,15 @@ index e5a8924..ac29949 100644 mta_send_mail(cupsd_t) ') -@@ -322,6 +345,8 @@ optional_policy(` - # cups execs smbtool which reads samba_etc_t files + optional_policy(` +- # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -+ # needed by smbspool + samba_stream_connect_nmbd(cupsd_t) ') optional_policy(` -@@ -336,12 +361,16 @@ optional_policy(` +@@ -336,18 +369,18 @@ optional_policy(` udev_read_db(cupsd_t) ') 
@@ -15217,15 +15572,33 @@ index e5a8924..ac29949 100644 + ######################################## # - # Cups configuration daemon local policy +-# Cups configuration daemon local policy ++# Configuration daemon local policy # --allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; -+allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config }; + allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; - allow cupsd_config_t self:process { getsched signal_perms }; - allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -371,8 +400,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +-allow cupsd_config_t self:process { getsched signal_perms }; +-allow cupsd_config_t self:fifo_file rw_fifo_file_perms; +-allow cupsd_config_t self:unix_stream_socket create_socket_perms; +-allow cupsd_config_t self:unix_dgram_socket create_socket_perms; +-allow cupsd_config_t self:tcp_socket create_stream_socket_perms; ++allow cupsd_config_t self:process { getsched }; + + allow cupsd_config_t cupsd_t:process signal; + ps_process_pattern(cupsd_config_t, cupsd_t) +@@ -360,9 +393,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) + manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) + files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file) + +-can_exec(cupsd_config_t, cupsd_config_exec_t) +- +-allow cupsd_config_t cupsd_log_t:file rw_file_perms; ++allow cupsd_config_t cupsd_log_t:file { append_file_perms read_file_perms }; + + manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) + manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -371,70 +402,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; 
@@ -15234,9 +15607,14 @@ index e5a8924..ac29949 100644 -files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) +files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) - domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) +-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) ++read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) + +-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) ++stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) ++ ++can_exec(cupsd_config_t, cupsd_config_exec_t) -@@ -381,7 +411,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) kernel_read_system_state(cupsd_config_t) kernel_read_all_sysctls(cupsd_config_t) 
@@ -15244,177 +15622,304 @@ index e5a8924..ac29949 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -407,7 +436,6 @@ domain_use_interactive_fds(cupsd_config_t) + corenet_tcp_sendrecv_all_ports(cupsd_config_t) +-corenet_tcp_connect_all_ports(cupsd_config_t) ++ + corenet_sendrecv_all_client_packets(cupsd_config_t) ++corenet_tcp_connect_all_ports(cupsd_config_t) + +-dev_read_sysfs(cupsd_config_t) +-dev_read_urand(cupsd_config_t) +-dev_read_rand(cupsd_config_t) + dev_rw_generic_usb_dev(cupsd_config_t) + ++files_read_etc_runtime_files(cupsd_config_t) ++files_read_var_symlinks(cupsd_config_t) + files_search_all_mountpoints(cupsd_config_t) + +-fs_getattr_all_fs(cupsd_config_t) + fs_search_auto_mountpoints(cupsd_config_t) + +-corecmd_exec_bin(cupsd_config_t) +-corecmd_exec_shell(cupsd_config_t) +- + domain_use_interactive_fds(cupsd_config_t) +-# killall causes the following domain_dontaudit_search_all_domains_state(cupsd_config_t) - files_read_usr_files(cupsd_config_t) +-files_read_usr_files(cupsd_config_t) -files_read_etc_files(cupsd_config_t) - files_read_etc_runtime_files(cupsd_config_t) - files_read_var_symlinks(cupsd_config_t) +-files_read_etc_runtime_files(cupsd_config_t) +-files_read_var_symlinks(cupsd_config_t) +- +-# Alternatives asks for this + init_getattr_all_script_files(cupsd_config_t) -@@ -418,18 +446,15 @@ auth_use_nsswitch(cupsd_config_t) + auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) -miscfiles_read_localization(cupsd_config_t) - miscfiles_read_hwdata(cupsd_config_t) - +-miscfiles_read_hwdata(cupsd_config_t) +- -seutil_dontaudit_search_config(cupsd_config_t) - userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) -+userdom_rw_user_tmp_files(cupsd_config_t) -+userdom_read_user_tmp_symlinks(cupsd_config_t) - - cups_stream_connect(cupsd_config_t) - +- 
+-cups_stream_connect(cupsd_config_t) +- -lpd_read_config(cupsd_config_t) - - ifdef(`distro_redhat',` - optional_policy(` - rpm_read_db(cupsd_config_t) -@@ -453,6 +478,10 @@ optional_policy(` - ') +-ifdef(`distro_redhat',` +- optional_policy(` +- rpm_read_db(cupsd_config_t) +- ') +-') ++userdom_read_all_users_state(cupsd_config_t) ++userdom_read_user_tmp_symlinks(cupsd_config_t) ++userdom_rw_user_tmp_files(cupsd_config_t) optional_policy(` -+ gnome_dontaudit_search_config(cupsd_config_t) + term_use_generic_ptys(cupsd_config_t) +@@ -450,12 +460,19 @@ optional_policy(` + optional_policy(` + hal_dbus_chat(cupsd_config_t) + ') ++ ++ optional_policy(` ++ policykit_dbus_chat(cupsd_config_t) ++ ') +') + +optional_policy(` ++ gnome_dontaudit_search_config(cupsd_config_t) + ') + + optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) - hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +496,10 @@ optional_policy(` +- hal_dontaudit_use_fds(hplip_t) ') optional_policy(` +@@ -467,8 +484,7 @@ optional_policy(` + ') + + optional_policy(` +- policykit_dbus_chat(cupsd_config_t) +- userdom_read_all_users_state(cupsd_config_t) + lpd_read_config(cupsd_config_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(cupsd_config_t) - userdom_read_all_users_state(cupsd_config_t) ') -@@ -526,7 +559,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) + + optional_policy(` +@@ -489,231 +505,84 @@ optional_policy(` + + ######################################## + # +-# Cups lpd support ++# Lpd local policy + # + +-allow cupsd_lpd_t self:process signal_perms; +-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; +-allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms; +-allow cupsd_lpd_t self:udp_socket create_socket_perms; +- +-# for identd +-# cjp: this should probably only be inetd_child rules? 
+ allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +-allow cupsd_lpd_t self:capability { setuid setgid }; +-files_search_home(cupsd_lpd_t) +-optional_policy(` +- kerberos_use(cupsd_lpd_t) +-') +-#end for identd + +-allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms; +-read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) +-read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) +- +-allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms; +-read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) +-read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) ++allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; ++allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:file read_file_perms; ++allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) + manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) +-files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir }) ++files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { dir file }) + + manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t) + files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file) + ++stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) ++ + kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) - kernel_read_network_state(cupsd_lpd_t) +-kernel_read_network_state(cupsd_lpd_t) -corenet_all_recvfrom_unlabeled(cupsd_lpd_t) corenet_all_recvfrom_netlabel(cupsd_lpd_t) corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) - corenet_udp_sendrecv_generic_if(cupsd_lpd_t) -@@ -537,19 +569,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) - corenet_tcp_bind_generic_node(cupsd_lpd_t) - corenet_udp_bind_generic_node(cupsd_lpd_t) - corenet_tcp_connect_ipp_port(cupsd_lpd_t) +-corenet_udp_sendrecv_generic_if(cupsd_lpd_t) + corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) 
+-corenet_udp_sendrecv_generic_node(cupsd_lpd_t) +-corenet_tcp_sendrecv_all_ports(cupsd_lpd_t) +-corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +-corenet_tcp_bind_generic_node(cupsd_lpd_t) +-corenet_udp_bind_generic_node(cupsd_lpd_t) +-corenet_tcp_connect_ipp_port(cupsd_lpd_t) +- +-dev_read_urand(cupsd_lpd_t) +-dev_read_rand(cupsd_lpd_t) + +-fs_getattr_xattr_fs(cupsd_lpd_t) ++corenet_sendrecv_ipp_client_packets(cupsd_lpd_t) ++corenet_tcp_connect_ipp_port(cupsd_lpd_t) +corenet_tcp_connect_printer_port(cupsd_lpd_t) - - dev_read_urand(cupsd_lpd_t) - dev_read_rand(cupsd_lpd_t) - - fs_getattr_xattr_fs(cupsd_lpd_t) ++corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) -files_read_etc_files(cupsd_lpd_t) ++files_search_home(cupsd_lpd_t) auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) -miscfiles_read_localization(cupsd_lpd_t) - miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) +-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) +- +-cups_stream_connect(cupsd_lpd_t) +- + optional_policy(` + inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) + ') - cups_stream_connect(cupsd_lpd_t) -@@ -577,33 +608,32 @@ fs_rw_anon_inodefs_files(cups_pdf_t) + ######################################## + # +-# cups_pdf local policy ++# Pdf local policy + # - kernel_read_system_state(cups_pdf_t) + allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; +-allow cups_pdf_t self:fifo_file rw_file_perms; + allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; --files_read_etc_files(cups_pdf_t) - files_read_usr_files(cups_pdf_t) +-manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) ++append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) ++create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) ++setattr_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -+fs_getattr_xattr_fs(cups_pdf_t) -+ - corecmd_exec_shell(cups_pdf_t) - corecmd_exec_bin(cups_pdf_t) + manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) + 
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) +-files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) ++files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { dir file }) + fs_rw_anon_inodefs_files(cups_pdf_t) ++fs_search_auto_mountpoints(cups_pdf_t) + + kernel_read_system_state(cups_pdf_t) + +-files_read_etc_files(cups_pdf_t) +-files_read_usr_files(cups_pdf_t) +- +-corecmd_exec_shell(cups_pdf_t) +-corecmd_exec_bin(cups_pdf_t) +- auth_use_nsswitch(cups_pdf_t) -miscfiles_read_localization(cups_pdf_t) - miscfiles_read_fonts(cups_pdf_t) -+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) - - userdom_home_filetrans_user_home_dir(cups_pdf_t) -+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir }) +-miscfiles_read_fonts(cups_pdf_t) +- +-userdom_home_filetrans_user_home_dir(cups_pdf_t) userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t) -+userdom_dontaudit_search_admin_dir(cups_pdf_t) - --lpd_manage_spool(cups_pdf_t) - +-lpd_manage_spool(cups_pdf_t) - --tunable_policy(`use_nfs_home_dirs',` ++userdom_home_filetrans_user_home_dir(cups_pdf_t) + + tunable_policy(`use_nfs_home_dirs',` - fs_search_auto_mountpoints(cups_pdf_t) -- fs_manage_nfs_dirs(cups_pdf_t) -- fs_manage_nfs_files(cups_pdf_t) -+optional_policy(` -+ lpd_manage_spool(cups_pdf_t) + fs_manage_nfs_dirs(cups_pdf_t) + fs_manage_nfs_files(cups_pdf_t) ') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -+userdom_home_manager(cups_pdf_t) -+ -+optional_policy(` -+ gnome_read_config(cups_pdf_t) - ') - - ######################################## -@@ -635,9 +665,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) - read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) - files_search_etc(hplip_t) - -+allow hplip_t cupsd_unit_file_t:file read_file_perms; -+ - manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) - manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, 
hplip_var_lib_t) - -+manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) -+manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) -+manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) -+logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file }) -+ - manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) - files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) - -@@ -647,7 +684,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file) - kernel_read_system_state(hplip_t) - kernel_read_kernel_sysctls(hplip_t) - +-') +- +-######################################## +-# +-# HPLIP local policy +-# +- +-# Needed for USB Scanneer and xsane +-allow hplip_t self:capability { dac_override dac_read_search net_raw }; +-dontaudit hplip_t self:capability sys_tty_config; +-allow hplip_t self:fifo_file rw_fifo_file_perms; +-allow hplip_t self:process signal_perms; +-allow hplip_t self:unix_dgram_socket create_socket_perms; +-allow hplip_t self:unix_stream_socket create_socket_perms; +-allow hplip_t self:netlink_route_socket r_netlink_socket_perms; +-allow hplip_t self:tcp_socket create_stream_socket_perms; +-allow hplip_t self:udp_socket create_socket_perms; +-allow hplip_t self:rawip_socket create_socket_perms; +- +-allow hplip_t cupsd_etc_t:dir search_dir_perms; +-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) +- +-cups_stream_connect(hplip_t) +- +-allow hplip_t hplip_etc_t:dir list_dir_perms; +-read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) +-read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) +-files_search_etc(hplip_t) +- +-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +- +-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) +-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) +- 
+-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) +-files_pid_filetrans(hplip_t, hplip_var_run_t, file) +- +-kernel_read_system_state(hplip_t) +-kernel_read_kernel_sysctls(hplip_t) +- -corenet_all_recvfrom_unlabeled(hplip_t) -+# for python -+corecmd_exec_bin(hplip_t) -+ - corenet_all_recvfrom_netlabel(hplip_t) - corenet_tcp_sendrecv_generic_if(hplip_t) - corenet_udp_sendrecv_generic_if(hplip_t) -@@ -661,10 +700,10 @@ corenet_tcp_bind_generic_node(hplip_t) - corenet_udp_bind_generic_node(hplip_t) - corenet_tcp_bind_hplip_port(hplip_t) - corenet_tcp_connect_hplip_port(hplip_t) +-corenet_all_recvfrom_netlabel(hplip_t) +-corenet_tcp_sendrecv_generic_if(hplip_t) +-corenet_udp_sendrecv_generic_if(hplip_t) +-corenet_raw_sendrecv_generic_if(hplip_t) +-corenet_tcp_sendrecv_generic_node(hplip_t) +-corenet_udp_sendrecv_generic_node(hplip_t) +-corenet_raw_sendrecv_generic_node(hplip_t) +-corenet_tcp_sendrecv_all_ports(hplip_t) +-corenet_udp_sendrecv_all_ports(hplip_t) +-corenet_tcp_bind_generic_node(hplip_t) +-corenet_udp_bind_generic_node(hplip_t) +-corenet_tcp_bind_hplip_port(hplip_t) +-corenet_tcp_connect_hplip_port(hplip_t) -corenet_tcp_connect_ipp_port(hplip_t) -corenet_sendrecv_hplip_client_packets(hplip_t) -corenet_receive_hplip_server_packets(hplip_t) -+corenet_tcp_bind_glance_port(hplip_t) -+corenet_tcp_connect_glance_port(hplip_t) - corenet_udp_bind_howl_port(hplip_t) -+corenet_tcp_connect_ipp_port(hplip_t) - - dev_read_sysfs(hplip_t) - dev_rw_printer(hplip_t) -@@ -673,31 +712,34 @@ dev_read_rand(hplip_t) - dev_rw_generic_usb_dev(hplip_t) - dev_rw_usbfs(hplip_t) - +-corenet_udp_bind_howl_port(hplip_t) +- +-dev_read_sysfs(hplip_t) +-dev_rw_printer(hplip_t) +-dev_read_urand(hplip_t) +-dev_read_rand(hplip_t) +-dev_rw_generic_usb_dev(hplip_t) +-dev_rw_usbfs(hplip_t) +- -fs_getattr_all_fs(hplip_t) -fs_search_auto_mountpoints(hplip_t) -fs_rw_anon_inodefs_files(hplip_t) 
@@ -15422,42 +15927,62 @@ index e5a8924..ac29949 100644 -# for python -corecmd_exec_bin(hplip_t) - - domain_use_interactive_fds(hplip_t) - - files_read_etc_files(hplip_t) - files_read_etc_runtime_files(hplip_t) - files_read_usr_files(hplip_t) -+files_dontaudit_write_usr_dirs(hplip_t) - +-domain_use_interactive_fds(hplip_t) +- +-files_read_etc_files(hplip_t) +-files_read_etc_runtime_files(hplip_t) +-files_read_usr_files(hplip_t) +- -logging_send_syslog_msg(hplip_t) -+fs_getattr_all_fs(hplip_t) -+fs_search_auto_mountpoints(hplip_t) -+fs_rw_anon_inodefs_files(hplip_t) - +- -miscfiles_read_localization(hplip_t) -+term_use_ptmx(hplip_t) -+ -+auth_read_passwd(hplip_t) -+ -+logging_send_syslog_msg(hplip_t) - - sysnet_read_config(hplip_t) - - userdom_dontaudit_use_unpriv_user_fds(hplip_t) - userdom_dontaudit_search_user_home_dirs(hplip_t) - userdom_dontaudit_search_user_home_content(hplip_t) -+userdom_dbus_send_all_users(hplip_t) - +- +-sysnet_read_config(hplip_t) +- +-userdom_dontaudit_use_unpriv_user_fds(hplip_t) +-userdom_dontaudit_search_user_home_dirs(hplip_t) +-userdom_dontaudit_search_user_home_content(hplip_t) +- -lpd_read_config(hplip_t) -lpd_manage_spool(hplip_t) -+optional_policy(` -+ lpd_read_config(hplip_t) -+ lpd_manage_spool(hplip_t) -+') ++userdom_home_manager(cups_pdf_t) optional_policy(` - dbus_system_bus_client(hplip_t) -@@ -743,7 +785,6 @@ kernel_read_kernel_sysctls(ptal_t) +- dbus_system_bus_client(hplip_t) ++ gnome_read_config(cups_pdf_t) + ') + +-optional_policy(` +- seutil_sigchld_newrole(hplip_t) +-') +- +-optional_policy(` +- snmp_read_snmp_var_lib_files(hplip_t) +-') +- +-optional_policy(` +- udev_read_db(hplip_t) +-') + + ######################################## + # +@@ -723,14 +592,12 @@ optional_policy(` + allow ptal_t self:capability { chown sys_rawio }; + dontaudit ptal_t self:capability sys_tty_config; + allow ptal_t self:fifo_file rw_fifo_file_perms; +-allow ptal_t self:unix_dgram_socket create_socket_perms; +-allow ptal_t 
self:unix_stream_socket create_stream_socket_perms; ++allow ptal_t self:unix_stream_socket { accept listen }; + allow ptal_t self:tcp_socket create_stream_socket_perms; + + allow ptal_t ptal_etc_t:dir list_dir_perms; + read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) + read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) +-files_search_etc(ptal_t) + + manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) + manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +@@ -743,29 +610,26 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -15465,20 +15990,34 @@ index e5a8924..ac29949 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -760,13 +801,10 @@ fs_search_auto_mountpoints(ptal_t) +-corenet_tcp_sendrecv_all_ports(ptal_t) + corenet_tcp_bind_generic_node(ptal_t) ++ ++corenet_sendrecv_ptal_server_packets(ptal_t) + corenet_tcp_bind_ptal_port(ptal_t) ++corenet_tcp_sendrecv_ptal_port(ptal_t) + +-dev_read_sysfs(ptal_t) + dev_read_usbfs(ptal_t) + dev_rw_printer(ptal_t) +-fs_getattr_all_fs(ptal_t) +-fs_search_auto_mountpoints(ptal_t) +- domain_use_interactive_fds(ptal_t) -files_read_etc_files(ptal_t) files_read_etc_runtime_files(ptal_t) - logging_send_syslog_msg(ptal_t) +-logging_send_syslog_msg(ptal_t) ++fs_getattr_all_fs(ptal_t) ++fs_search_auto_mountpoints(ptal_t) -miscfiles_read_localization(ptal_t) -- ++logging_send_syslog_msg(ptal_t) + sysnet_read_config(ptal_t) - userdom_dontaudit_use_unpriv_user_fds(ptal_t) diff --git a/cvs.if b/cvs.if index c43ff4c..5da88b5 100644 --- a/cvs.if @@ -21160,10 +21699,10 @@ index 0000000..33508c1 + diff --git a/fcoemon.te b/fcoemon.te new file mode 100644 -index 0000000..724ca0d +index 0000000..cb04d99 --- /dev/null +++ b/fcoemon.te -@@ -0,0 +1,44 @@ +@@ -0,0 +1,46 @@ +policy_module(fcoemon, 1.0.0) + +######################################## 
@@ -21185,13 +21724,15 @@ index 0000000..724ca0d + +# dac_override +# /var/rnn/fcm/fcm_clif socket is owned by root -+allow fcoemon_t self:capability { net_admin dac_override }; ++allow fcoemon_t self:capability { net_admin net_raw dac_override }; +allow fcoemon_t self:capability { kill }; + +allow fcoemon_t self:fifo_file rw_fifo_file_perms; +allow fcoemon_t self:unix_stream_socket create_stream_socket_perms; +allow fcoemon_t self:netlink_socket create_socket_perms; +allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms; ++allow fcoemon_t self:packet_socket create_socket_perms; ++allow fcoemon_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) +manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) @@ -21200,7 +21741,7 @@ index 0000000..724ca0d + +files_read_etc_files(fcoemon_t) + -+dev_read_sysfs(fcoemon_t) ++dev_rw_sysfs(fcoemon_t) + +logging_send_syslog_msg(fcoemon_t) + @@ -23643,12 +24184,35 @@ index 0000000..e15bbb0 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..b0039ff +index 0000000..3685c24 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,104 @@ +@@ -0,0 +1,127 @@ +policy_module(glusterd, 1.0.0) + ++## ++##
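Review bot: The added `net_raw` capability and the new `packet_socket` and `udp_socket` rules for fcoemon_t carry no rationale, while the neighbouring `dac_override` has a comment explaining why it is needed. Raw packet access is the kind of grant a later audit will want justified, so I would add a line such as `# net_raw, packet_socket: <reason taken from the denial that prompted this>` above the capability rule. The next hunk (`@@ -21200,7 +21741,7 @@`) has the same gap: `dev_rw_sysfs(fcoemon_t)` replaces `dev_read_sysfs(fcoemon_t)`, which as far as I can tell opens sysfs for writing in general rather than only the attributes fcoemon touches. A comment naming those attributes would show whether a narrower rule is possible.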

    ++## Allow glusterfsd to modify public files used for public file ++## transfer services. Files/Directories must be labeled ++## public_content_rw_t. ++##

    ++##
    ++gen_tunable(gluster_anon_write, false) ++ ++## ++##

    ++## Allow glusterfsd to share any file/directory read only. ++##

    ++##
    ++gen_tunable(gluster_export_all_ro, false) ++ ++## ++##

    ++## Allow glusterfsd to share any file/directory read/write. ++##

    ++##
    ++gen_tunable(gluster_export_all_rw, true) ++ +######################################## +# +# Declarations @@ -26008,7 +26572,7 @@ index 6d50300..951b790 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 72a113e..9711129 100644 +index 72a113e..8221a4b 100644 --- a/gpg.te +++ b/gpg.te @@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0) @@ -26252,7 +26816,13 @@ index 72a113e..9711129 100644 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -@@ -223,43 +257,34 @@ corecmd_read_bin_symlinks(gpg_agent_t) +@@ -219,47 +253,40 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + # allow gpg to connect to the gpg agent + stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + ++kernel_read_system_state(gpg_agent_t) ++ + corecmd_read_bin_symlinks(gpg_agent_t) corecmd_search_bin(gpg_agent_t) corecmd_exec_shell(gpg_agent_t) @@ -26301,7 +26871,7 @@ index 72a113e..9711129 100644 optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -294,10 +319,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) +@@ -294,10 +321,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) # read /proc/meminfo kernel_read_system_state(gpg_pinentry_t) @@ -26313,7 +26883,7 @@ index 72a113e..9711129 100644 corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) corenet_tcp_bind_generic_node(gpg_pinentry_t) corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) -@@ -310,7 +335,6 @@ dev_read_rand(gpg_pinentry_t) +@@ -310,7 +337,6 @@ dev_read_rand(gpg_pinentry_t) files_read_usr_files(gpg_pinentry_t) # read /etc/X11/qtrc 
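Review bot: `gen_tunable(gluster_export_all_rw, true)` enables the broadest of the three new booleans by default, while `gluster_anon_write` and `gluster_export_all_ro` both default to false. Going by its own description, every install would then let glusterfsd share any file or directory read/write until an administrator switches it off. The rules the tunable guards are further down in glusterd.te, outside this hunk, so the exact scope should be confirmed there. If the default is deliberate for compatibility, a comment above the tunable should say so; otherwise I would ship `gen_tunable(gluster_export_all_rw, false)` and let sites opt in.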
@@ -26321,7 +26891,7 @@ index 72a113e..9711129 100644 fs_dontaudit_list_inotifyfs(gpg_pinentry_t) fs_getattr_tmpfs(gpg_pinentry_t) -@@ -320,18 +344,19 @@ auth_use_nsswitch(gpg_pinentry_t) +@@ -320,18 +346,19 @@ auth_use_nsswitch(gpg_pinentry_t) logging_send_syslog_msg(gpg_pinentry_t) miscfiles_read_fonts(gpg_pinentry_t) @@ -26347,7 +26917,7 @@ index 72a113e..9711129 100644 ') optional_policy(` -@@ -340,6 +365,12 @@ optional_policy(` +@@ -340,6 +367,12 @@ optional_policy(` ') optional_policy(` @@ -26360,7 +26930,7 @@ index 72a113e..9711129 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -349,4 +380,27 @@ optional_policy(` +@@ -349,4 +382,27 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -28223,10 +28793,10 @@ index 9878499..01673a4 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index 53e53ca..c1ce1b7 100644 +index 53e53ca..1f2daae 100644 --- a/jabber.te +++ b/jabber.te -@@ -1,94 +1,146 @@ +@@ -1,94 +1,147 @@ -policy_module(jabber, 1.9.0) +policy_module(jabber, 1.8.0) @@ -28351,6 +28921,7 @@ index 53e53ca..c1ce1b7 100644 -sysnet_read_config(jabberd_t) +corenet_tcp_bind_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_router_port(jabberd_t) ++corenet_tcp_connect_jabber_interserver_port(jabberd_t) userdom_dontaudit_use_unpriv_user_fds(jabberd_t) userdom_dontaudit_search_user_home_dirs(jabberd_t) @@ -29404,7 +29975,7 @@ index d6af9b0..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 0c52f60..acb89ac 100644 +index 0c52f60..6454b8f 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0) @@ -29474,7 +30045,7 @@ index 0c52f60..acb89ac 100644 + +optional_policy(` + bootloader_exec(kdumpgui_t) -+ bootloader_rw_config(kdumpgui_t) ++ bootloader_manage_config(kdumpgui_t) +') optional_policy(` 
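Review bot: In the kdumpgui.te hunk (`@@ -29474,7 +30045,7 @@`), replacing `bootloader_rw_config(kdumpgui_t)` with `bootloader_manage_config(kdumpgui_t)` widens kdumpgui_t from read/write to full manage on bootloader_etc_t. The new interface is a bare `manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)`, so the domain can now also create, rename and unlink the bootloader configuration. Nothing in the hunk says why. If the need is an atomic replace (write a temporary file, then rename it), a comment such as `# manage, not rw: <why create/unlink on bootloader_etc_t is required>` inside the `optional_policy` block would record that for the next reviewer.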
@@ -29821,7 +30392,7 @@ index 604f67b..138e1e2 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") +') diff --git a/kerberos.te b/kerberos.te -index 6a95faf..6127834 100644 +index 6a95faf..9ed7d30 100644 --- a/kerberos.te +++ b/kerberos.te @@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0) @@ -29920,8 +30491,12 @@ index 6a95faf..6127834 100644 domain_use_interactive_fds(kadmind_t) -@@ -149,8 +157,9 @@ selinux_validate_context(kadmind_t) +@@ -147,10 +155,13 @@ files_read_var_files(kadmind_t) + + selinux_validate_context(kadmind_t) ++auth_read_passwd(kadmind_t) ++ logging_send_syslog_msg(kadmind_t) -miscfiles_read_localization(kadmind_t) @@ -29931,7 +30506,7 @@ index 6a95faf..6127834 100644 seutil_read_file_contexts(kadmind_t) sysnet_read_config(kadmind_t) -@@ -164,10 +173,18 @@ optional_policy(` +@@ -164,10 +175,18 @@ optional_policy(` ') optional_policy(` @@ -29950,7 +30525,7 @@ index 6a95faf..6127834 100644 seutil_sigchld_newrole(kadmind_t) ') -@@ -182,6 +199,7 @@ optional_policy(` +@@ -182,6 +201,7 @@ optional_policy(` # Use capabilities. Surplus capabilities may be allowed. allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; @@ -29958,7 +30533,7 @@ index 6a95faf..6127834 100644 dontaudit krb5kdc_t self:capability sys_tty_config; allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; -@@ -197,13 +215,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) +@@ -197,13 +217,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) dontaudit krb5kdc_t krb5kdc_conf_t:file write; @@ -29974,7 +30549,7 @@ index 6a95faf..6127834 100644 manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -@@ -221,7 +238,6 @@ kernel_search_network_sysctl(krb5kdc_t) +@@ -221,7 +240,6 @@ kernel_search_network_sysctl(krb5kdc_t) corecmd_exec_bin(krb5kdc_t) 
@@ -29982,7 +30557,7 @@ index 6a95faf..6127834 100644 corenet_all_recvfrom_netlabel(krb5kdc_t) corenet_tcp_sendrecv_generic_if(krb5kdc_t) corenet_udp_sendrecv_generic_if(krb5kdc_t) -@@ -242,6 +258,7 @@ dev_read_urand(krb5kdc_t) +@@ -242,6 +260,7 @@ dev_read_urand(krb5kdc_t) fs_getattr_all_fs(krb5kdc_t) fs_search_auto_mountpoints(krb5kdc_t) @@ -29990,8 +30565,12 @@ index 6a95faf..6127834 100644 domain_use_interactive_fds(krb5kdc_t) -@@ -253,7 +270,7 @@ selinux_validate_context(krb5kdc_t) +@@ -251,9 +270,11 @@ files_read_var_files(krb5kdc_t) + selinux_validate_context(krb5kdc_t) + ++auth_read_passwd(krb5kdc_t) ++ logging_send_syslog_msg(krb5kdc_t) -miscfiles_read_localization(krb5kdc_t) @@ -29999,7 +30578,7 @@ index 6a95faf..6127834 100644 seutil_read_file_contexts(krb5kdc_t) -@@ -268,6 +285,10 @@ optional_policy(` +@@ -268,6 +289,10 @@ optional_policy(` ') optional_policy(` @@ -30010,7 +30589,7 @@ index 6a95faf..6127834 100644 nis_use_ypbind(krb5kdc_t) ') -@@ -276,6 +297,10 @@ optional_policy(` +@@ -276,6 +301,10 @@ optional_policy(` ') optional_policy(` @@ -30021,7 +30600,7 @@ index 6a95faf..6127834 100644 udev_read_db(krb5kdc_t) ') -@@ -308,7 +333,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -308,7 +337,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) @@ -30029,7 +30608,7 @@ index 6a95faf..6127834 100644 corenet_tcp_sendrecv_generic_if(kpropd_t) corenet_tcp_sendrecv_generic_node(kpropd_t) corenet_tcp_sendrecv_all_ports(kpropd_t) -@@ -324,8 +348,6 @@ selinux_validate_context(kpropd_t) +@@ -324,8 +352,6 @@ selinux_validate_context(kpropd_t) logging_send_syslog_msg(kpropd_t) @@ -31972,7 +32551,7 @@ index 572b5db..1e55f43 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.te b/logrotate.te -index 7090dae..14b3dd7 100644 +index 7090dae..e80b2eb 100644 --- a/logrotate.te +++ b/logrotate.te @@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t) 
@@ -31995,7 +32574,7 @@ index 7090dae..14b3dd7 100644 allow logrotate_t self:fifo_file rw_fifo_file_perms; allow logrotate_t self:unix_dgram_socket create_socket_perms; allow logrotate_t self:unix_stream_socket create_stream_socket_perms; -@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) +@@ -61,20 +61,23 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) # for /var/lib/logrotate.status and /var/lib/logcheck create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) @@ -32003,7 +32582,16 @@ index 7090dae..14b3dd7 100644 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) kernel_read_system_state(logrotate_t) -@@ -75,6 +76,7 @@ fs_list_inotifyfs(logrotate_t) + kernel_read_kernel_sysctls(logrotate_t) + + dev_read_urand(logrotate_t) ++dev_read_sysfs(logrotate_t) + + fs_search_auto_mountpoints(logrotate_t) +-fs_getattr_xattr_fs(logrotate_t) ++fs_getattr_all_fs(logrotate_t) + fs_list_inotifyfs(logrotate_t) + mls_file_read_all_levels(logrotate_t) mls_file_write_all_levels(logrotate_t) mls_file_upgrade(logrotate_t) @@ -32011,7 +32599,7 @@ index 7090dae..14b3dd7 100644 selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) -@@ -85,6 +87,7 @@ auth_use_nsswitch(logrotate_t) +@@ -85,6 +88,7 @@ auth_use_nsswitch(logrotate_t) # Run helper programs. corecmd_exec_bin(logrotate_t) corecmd_exec_shell(logrotate_t) @@ -32019,7 +32607,7 @@ index 7090dae..14b3dd7 100644 domain_signal_all_domains(logrotate_t) domain_use_interactive_fds(logrotate_t) -@@ -93,7 +96,6 @@ domain_getattr_all_entry_files(logrotate_t) +@@ -93,7 +97,6 @@ domain_getattr_all_entry_files(logrotate_t) domain_read_all_domains_state(logrotate_t) files_read_usr_files(logrotate_t) 
@@ -32027,7 +32615,7 @@ index 7090dae..14b3dd7 100644 files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) files_search_all(logrotate_t) -@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t) +@@ -102,6 +105,7 @@ files_read_var_lib_files(logrotate_t) files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) @@ -32035,7 +32623,7 @@ index 7090dae..14b3dd7 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -112,21 +115,23 @@ logging_send_audit_msgs(logrotate_t) +@@ -112,21 +116,23 @@ logging_send_audit_msgs(logrotate_t) # cjp: why is this needed? logging_exec_all_logs(logrotate_t) @@ -32068,7 +32656,7 @@ index 7090dae..14b3dd7 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +143,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +144,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -32077,7 +32665,7 @@ index 7090dae..14b3dd7 100644 ') optional_policy(` -@@ -154,6 +159,10 @@ optional_policy(` +@@ -154,6 +160,10 @@ optional_policy(` ') optional_policy(` @@ -32088,7 +32676,7 @@ index 7090dae..14b3dd7 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +171,20 @@ optional_policy(` +@@ -162,10 +172,20 @@ optional_policy(` ') optional_policy(` @@ -32109,7 +32697,7 @@ index 7090dae..14b3dd7 100644 cups_domtrans(logrotate_t) ') -@@ -178,6 +197,10 @@ optional_policy(` +@@ -178,6 +198,10 @@ optional_policy(` ') optional_policy(` @@ -32120,7 +32708,7 @@ index 7090dae..14b3dd7 100644 icecast_signal(logrotate_t) ') -@@ -194,15 +217,23 @@ optional_policy(` +@@ -194,15 +218,23 @@ optional_policy(` ') optional_policy(` @@ -32144,7 +32732,7 @@ index 7090dae..14b3dd7 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -217,6 +248,15 @@ optional_policy(` +@@ -217,6 +249,15 @@ optional_policy(` ') optional_policy(` 
@@ -32160,7 +32748,7 @@ index 7090dae..14b3dd7 100644 squid_domtrans(logrotate_t) ') -@@ -228,3 +268,14 @@ optional_policy(` +@@ -228,3 +269,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -33341,10 +33929,10 @@ index 0000000..4a4e899 +') diff --git a/mandb.te b/mandb.te new file mode 100644 -index 0000000..cc1c704 +index 0000000..dbeac05 --- /dev/null +++ b/mandb.te -@@ -0,0 +1,41 @@ +@@ -0,0 +1,43 @@ +policy_module(mandb, 1.0.0) + +######################################## @@ -33386,6 +33974,8 @@ index 0000000..cc1c704 +domain_use_interactive_fds(mandb_t) + +files_read_etc_files(mandb_t) ++ ++miscfiles_setattr_man_pages(mandb_t) diff --git a/mcelog.fc b/mcelog.fc index 56c43c0..409bbfc 100644 --- a/mcelog.fc @@ -33833,7 +34423,7 @@ index 1ec5a6c..64ac6f0 100644 /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/milter.if b/milter.if -index ee72cbe..bdf319a 100644 +index ee72cbe..8735916 100644 --- a/milter.if +++ b/milter.if @@ -24,9 +24,13 @@ template(`milter_template',` @@ -33851,7 +34441,7 @@ index ee72cbe..bdf319a 100644 # Allow communication with MTA over a TCP socket allow $1_milter_t self:tcp_socket create_stream_socket_perms; -@@ -36,12 +40,13 @@ template(`milter_template',` +@@ -36,12 +40,15 @@ template(`milter_template',` # Create other data files and directories in the data directory manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) @@ -33863,10 +34453,12 @@ index ee72cbe..bdf319a 100644 files_read_etc_files($1_milter_t) - miscfiles_read_localization($1_milter_t) ++ dev_read_rand($1_milter_t) ++ dev_read_urand($1_milter_t) logging_send_syslog_msg($1_milter_t) ') -@@ -61,6 +66,7 @@ interface(`milter_stream_connect_all',` +@@ -61,6 +68,7 @@ interface(`milter_stream_connect_all',` attribute milter_data_type, milter_domains; ') 
@@ -33874,7 +34466,7 @@ index ee72cbe..bdf319a 100644 getattr_dirs_pattern($1, milter_data_type, milter_data_type) stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) ') -@@ -86,6 +92,24 @@ interface(`milter_getattr_all_sockets',` +@@ -86,6 +94,24 @@ interface(`milter_getattr_all_sockets',` ######################################## ## @@ -33899,7 +34491,7 @@ index ee72cbe..bdf319a 100644 ## Manage spamassassin milter state ## ## -@@ -104,3 +128,22 @@ interface(`milter_manage_spamass_state',` +@@ -104,3 +130,22 @@ interface(`milter_manage_spamass_state',` manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ') @@ -35672,20 +36264,97 @@ index d4fcb75..b788245 100644 + userdom_execmod_user_home_files(mozilla_plugin_t) ') diff --git a/mpd.fc b/mpd.fc -index ddc14d6..c74bf3d 100644 +index ddc14d6..5c34d21 100644 --- a/mpd.fc +++ b/mpd.fc -@@ -6,3 +6,5 @@ +@@ -6,3 +6,7 @@ /var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) /var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) + -+/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) ++/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) ++ ++/var/run/mpd(/.*)? gen_context(system_u:object_r:mpd_var_run_t,s0) diff --git a/mpd.if b/mpd.if -index d72276f..cb8c563 100644 +index d72276f..695854e 100644 --- a/mpd.if 
+++ b/mpd.if -@@ -244,8 +244,11 @@ interface(`mpd_admin',` +@@ -222,8 +222,72 @@ interface(`mpd_manage_lib_dirs',` + + ######################################## + ## +-## All of the rules required to administrate +-## an mpd environment ++## Connect to mpd over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_stream_connect',` ++ gen_require(` ++ type mpd_t, mpd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t) ++') ++ ++####################################### ++## ++## Create, read, write, and delete ++## mpd user data content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_manage_user_data_content',` ++ gen_require(` ++ type mpd_user_data_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 mpd_user_data_t:dir manage_dir_perms; ++ allow $1 mpd_user_data_t:file manage_file_perms; ++ allow $1 mpd_user_data_t:lnk_file manage_lnk_file_perms; ++') ++ ++####################################### ++## ++## Create, read, write, and delete ++## mpd user data content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++interface(`mpd_relabel_user_data_content',` ++ gen_require(` ++ type mpd_user_data_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 mpd_user_data_t:dir relabel_dir_perms; ++ allow $1 mpd_user_data_t:file relabel_file_perms; ++ allow $1 mpd_user_data_t:lnk_file relabel_lnk_file_perms; ++') ++ ++######################################## ++## ++## All of the rules required to ++## administrate an mpd environment. + ## + ## + ## +@@ -244,8 +308,11 @@ interface(`mpd_admin',` type mpd_tmpfs_t; ') @@ -35699,10 +36368,23 @@ index d72276f..cb8c563 100644 mpd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/mpd.te b/mpd.te -index 7f68872..d92aaa8 100644 +index 7f68872..5e3afd2 100644 --- a/mpd.te 
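Review bot: The doc block added above `mpd_relabel_user_data_content` repeats the summary of `mpd_manage_user_data_content` ("Create, read, write, and delete mpd user data content."), but the interface body grants `relabel_dir_perms`, `relabel_file_perms` and `relabel_lnk_file_perms` on `mpd_user_data_t`. Relabeling is a different privilege from managing content, so a policy author choosing between the two interfaces from the generated documentation would be misled about what is being handed out. I would change the summary to `## Relabel mpd user data content.` and remove the blank line between the closing `#` and `interface(`, so the block matches the other interfaces added in this hunk.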
+++ b/mpd.te -@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +@@ -31,6 +31,12 @@ files_tmpfs_file(mpd_tmpfs_t) + type mpd_var_lib_t; + files_type(mpd_var_lib_t) + ++type mpd_user_data_t; ++userdom_user_home_content(mpd_user_data_t) # customizable ++ ++type mpd_var_run_t; ++files_pid_file(mpd_var_run_t) ++ + ######################################## + # + # mpd local policy +@@ -44,6 +50,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow mpd_t self:tcp_socket create_stream_socket_perms; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -35712,7 +36394,7 @@ index 7f68872..d92aaa8 100644 manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) -@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t) +@@ -51,6 +60,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t) read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) 
@@ -35723,7 +36405,20 @@ index 7f68872..d92aaa8 100644 manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -@@ -72,7 +79,6 @@ kernel_read_kernel_sysctls(mpd_t) +@@ -65,14 +78,18 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) + manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) + files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) + +-# needed by pulseaudio ++manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file }) ++ + kernel_getattr_proc(mpd_t) + kernel_read_system_state(mpd_t) + kernel_read_kernel_sysctls(mpd_t) corecmd_exec_bin(mpd_t) @@ -35731,7 +36426,7 @@ index 7f68872..d92aaa8 100644 corenet_all_recvfrom_netlabel(mpd_t) corenet_tcp_sendrecv_generic_if(mpd_t) corenet_tcp_sendrecv_generic_node(mpd_t) -@@ -87,6 +93,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t) +@@ -87,6 +104,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t) corenet_sendrecv_pulseaudio_client_packets(mpd_t) corenet_sendrecv_soundd_client_packets(mpd_t) @@ -35739,7 +36434,7 @@ index 7f68872..d92aaa8 100644 dev_read_sound(mpd_t) dev_write_sound(mpd_t) dev_read_sysfs(mpd_t) -@@ -101,7 +108,9 @@ auth_use_nsswitch(mpd_t) +@@ -101,7 +119,9 @@ auth_use_nsswitch(mpd_t) logging_send_syslog_msg(mpd_t) @@ -35750,7 +36445,7 @@ index 7f68872..d92aaa8 100644 optional_policy(` alsa_read_rw_config(mpd_t) -@@ -122,5 +131,20 @@ optional_policy(` +@@ -122,5 +142,20 @@ optional_policy(` ') optional_policy(` @@ -37485,19 +38180,25 @@ index c358d8f..1cc176c 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) 
diff --git a/munin.te b/munin.te -index f17583b..fea9b77 100644 +index f17583b..f076c38 100644 --- a/munin.te +++ b/munin.te -@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) +@@ -1,10 +1,13 @@ +-policy_module(munin, 1.8.0) ++policy_module(munin, 1.8.10) + + ######################################## + # # Declarations # +attribute munin_plugin_domain; ++attribute munin_plugin_tmp_content; + type munin_t alias lrrd_t; type munin_exec_t alias lrrd_exec_t; init_daemon_domain(munin_t, munin_exec_t) -@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t) +@@ -24,40 +27,77 @@ files_tmp_file(munin_tmp_t) type munin_var_lib_t alias lrrd_var_lib_t; files_type(munin_var_lib_t) 
@@ -37507,18 +38208,51 @@ index f17583b..fea9b77 100644 type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) -@@ -31,16 +36,20 @@ munin_plugin_template(disk) - + munin_plugin_template(disk) +- munin_plugin_template(mail) - +- +munin_plugin_template(selinux) -+ munin_plugin_template(services) - +- munin_plugin_template(system) - +munin_plugin_template(unconfined) + ++type httpd_munin_script_tmp_t; ++files_tmp_file(httpd_munin_script_tmp_t) ++ ++################################ ++# ++# Common munin plugin local policy ++# ++ ++allow munin_plugin_domain self:process signal_perms; ++allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; ++ ++allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; ++ ++read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) ++ ++allow munin_plugin_domain munin_exec_t:file read_file_perms; ++ ++allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; ++ ++manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) ++ ++corenet_tcp_sendrecv_generic_if(munin_plugin_domain) ++corenet_tcp_sendrecv_generic_node(munin_plugin_domain) ++ ++corecmd_exec_bin(munin_plugin_domain) ++corecmd_exec_shell(munin_plugin_domain) ++ ++files_search_var_lib(munin_plugin_domain) ++ ++fs_getattr_all_fs(munin_plugin_domain) ++ ++optional_policy(` ++ nscd_use(munin_plugin_domain) ++') + ######################################## # # Local policy 
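Review bot: The common plugin block added here calls `nscd_use(munin_plugin_domain)`, while the mail plugin section later in the same file keeps `nscd_socket_use(mail_munin_plugin_t)`. Confirm that `nscd_use` is defined in this policy tree, or use `nscd_socket_use(munin_plugin_domain)` to match the rest of the file; an interface name that does not expand is easy to miss inside `optional_policy`. Separately, `allow munin_plugin_domain self:process signal_perms;` is wider than the `signal` permission that the earlier version of this block granted to the same attribute. If the plugins do not need the extra permissions, keep `signal` so the attribute-wide grant stays narrow.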
@@ -37528,38 +38262,93 @@ index f17583b..fea9b77 100644 +allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio }; dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; - allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -71,9 +80,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +-allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; +-allow munin_t self:tcp_socket create_stream_socket_perms; +-allow munin_t self:udp_socket create_socket_perms; ++allow munin_t self:unix_stream_socket { accept connectto listen }; ++allow munin_t self:unix_dgram_socket sendto; ++allow munin_t self:tcp_socket { accept listen }; + allow munin_t self:fifo_file manage_fifo_file_perms; + +-allow munin_t munin_etc_t:dir list_dir_perms; +-read_files_pattern(munin_t, munin_etc_t, munin_etc_t) +-read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) +-files_search_etc(munin_t) ++allow munin_t munin_plugin_domain:process signal_perms; + +-can_exec(munin_t, munin_exec_t) ++allow munin_t munin_etc_t:dir list_dir_perms; ++allow munin_t munin_etc_t:file read_file_perms; ++allow munin_t munin_etc_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) +-manage_files_pattern(munin_t, munin_log_t, munin_log_t) ++append_files_pattern(munin_t, munin_log_t, munin_log_t) ++create_files_pattern(munin_t, munin_log_t, munin_log_t) ++setattr_files_pattern(munin_t, munin_log_t, munin_log_t) + logging_log_filetrans(munin_t, munin_log_t, { file dir }) + + manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) +@@ -65,15 +105,18 @@ manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) + manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) + files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file }) + +-# Allow access to the 
munin databases + manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) + manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) - files_search_var_lib(munin_t) +-files_search_var_lib(munin_t) ++rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) ++ +manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -files_pid_filetrans(munin_t, munin_var_run_t, file) -+files_pid_filetrans(munin_t, munin_var_run_t, { file dir }) ++files_pid_filetrans(munin_t, munin_var_run_t, { dir file }) + -+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) ++can_exec(munin_t, munin_exec_t) kernel_read_system_state(munin_t) kernel_read_network_state(munin_t) -@@ -82,7 +94,6 @@ kernel_read_all_sysctls(munin_t) +@@ -82,18 +125,20 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) -corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) - corenet_udp_sendrecv_generic_if(munin_t) -@@ -101,7 +112,6 @@ dev_read_urand(munin_t) +-corenet_udp_sendrecv_generic_if(munin_t) + corenet_tcp_sendrecv_generic_node(munin_t) +-corenet_udp_sendrecv_generic_node(munin_t) +-corenet_tcp_sendrecv_all_ports(munin_t) +-corenet_udp_sendrecv_all_ports(munin_t) + corenet_tcp_bind_generic_node(munin_t) ++ ++corenet_sendrecv_munin_server_packets(munin_t) + corenet_tcp_bind_munin_port(munin_t) ++corenet_sendrecv_munin_client_packets(munin_t) + corenet_tcp_connect_munin_port(munin_t) ++corenet_tcp_sendrecv_munin_port(munin_t) ++ ++corenet_sendrecv_http_client_packets(munin_t) + corenet_tcp_connect_http_port(munin_t) ++corenet_tcp_sendrecv_http_port(munin_t) + + dev_read_sysfs(munin_t) + dev_read_urand(munin_t) +@@ -101,9 +146,7 @@ dev_read_urand(munin_t) 
domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) -files_read_etc_files(munin_t) files_read_etc_runtime_files(munin_t) - files_read_usr_files(munin_t) +-files_read_usr_files(munin_t) files_list_spool(munin_t) -@@ -115,7 +125,7 @@ logging_send_syslog_msg(munin_t) + + fs_getattr_all_fs(munin_t) +@@ -115,20 +158,13 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) 
@@ -37568,55 +38357,61 @@ index f17583b..fea9b77 100644 sysnet_exec_ifconfig(munin_t) -@@ -128,6 +138,11 @@ optional_policy(` - manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - apache_search_sys_content(munin_t) -+ -+ read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) -+ read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) -+ -+ files_search_var_lib(httpd_munin_script_t) - ') + userdom_dontaudit_use_unpriv_user_fds(munin_t) + userdom_dontaudit_search_user_home_dirs(munin_t) + +-optional_policy(` +- apache_content_template(munin) +- +- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +- apache_search_sys_content(munin_t) +-') optional_policy(` -@@ -145,6 +160,7 @@ optional_policy(` + cron_system_entry(munin_t, munin_exec_t) +@@ -143,9 +179,10 @@ optional_policy(` + ') + optional_policy(` - mta_read_config(munin_t) - mta_send_mail(munin_t) + mta_list_queue(munin_t) + mta_read_config(munin_t) +- mta_send_mail(munin_t) mta_read_queue(munin_t) ++ mta_send_mail(munin_t) ') -@@ -155,10 +171,13 @@ optional_policy(` + optional_policy(` +@@ -155,6 +192,8 @@ optional_policy(` optional_policy(` netutils_domtrans_ping(munin_t) -+ netutils_signal_ping(munin_t) + netutils_kill_ping(munin_t) ++ netutils_signal_ping(munin_t) ') optional_policy(` - postfix_list_spool(munin_t) -+ postfix_getattr_spool_files(munin_t) - ') +@@ -179,26 +218,29 @@ optional_policy(` - optional_policy(` -@@ -182,6 +201,7 @@ optional_policy(` - # local policy for disk plugins + ################################### + # +-# local policy for disk plugins ++# Disk local policy # +allow disk_munin_plugin_t self:capability { sys_admin sys_rawio }; allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, 
munin_var_lib_t) -@@ -190,15 +210,18 @@ corecmd_exec_shell(disk_munin_plugin_t) +-corecmd_exec_shell(disk_munin_plugin_t) +- ++corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) ++corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) -files_read_etc_files(disk_munin_plugin_t) files_read_etc_runtime_files(disk_munin_plugin_t) -+files_read_usr_files(disk_munin_plugin_t) -fs_getattr_all_fs(disk_munin_plugin_t) - @@ -37633,7 +38428,13 @@ index f17583b..fea9b77 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -217,34 +240,56 @@ optional_policy(` +@@ -212,56 +254,81 @@ optional_policy(` + + #################################### + # +-# local policy for mail plugins ++# Mail local policy + # allow mail_munin_plugin_t self:capability dac_override; @@ -37654,17 +38455,17 @@ index f17583b..fea9b77 100644 +optional_policy(` + exim_read_log(mail_munin_plugin_t) +') - --mta_read_config(mail_munin_plugin_t) --mta_send_mail(mail_munin_plugin_t) --mta_read_queue(mail_munin_plugin_t) ++ +optional_policy(` + mta_read_config(mail_munin_plugin_t) + mta_send_mail(mail_munin_plugin_t) + mta_list_queue(mail_munin_plugin_t) + mta_read_queue(mail_munin_plugin_t) +') -+ + +-mta_read_config(mail_munin_plugin_t) +-mta_send_mail(mail_munin_plugin_t) +-mta_read_queue(mail_munin_plugin_t) +optional_policy(` + nscd_socket_use(mail_munin_plugin_t) +') @@ -37681,14 +38482,15 @@ index f17583b..fea9b77 100644 +################################## +# -+# local policy for selinux plugins ++# Selinux local policy +# + +selinux_get_enforce_mode(selinux_munin_plugin_t) + ################################### # - # local policy for service plugins +-# local policy for service plugins ++# Service local policy # +allow services_munin_plugin_t self:shm create_sem_perms; 
@@ -37696,7 +38498,12 @@ index f17583b..fea9b77 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +300,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) + ++corenet_sendrecv_all_client_packets(services_munin_plugin_t) + corenet_tcp_connect_all_ports(services_munin_plugin_t) + corenet_tcp_connect_http_port(services_munin_plugin_t) ++corenet_tcp_sendrecv_all_ports(services_munin_plugin_t) + dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -37707,11 +38514,15 @@ index f17583b..fea9b77 100644 sysnet_read_config(services_munin_plugin_t) optional_policy(` ++ bind_read_config(munin_services_plugin_t) ++') ++ ++optional_policy(` + cups_read_config(services_munin_plugin_t) cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +321,14 @@ optional_policy(` +@@ -279,6 +346,14 @@ optional_policy(` ') optional_policy(` @@ -37726,7 +38537,7 @@ index f17583b..fea9b77 100644 postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +336,18 @@ optional_policy(` +@@ -286,30 +361,79 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') 
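Review bot: The `optional_policy` block placed here passes `munin_services_plugin_t` to `bind_read_config`, but every other rule in this section names the domain `services_munin_plugin_t`, the same `<name>_munin_plugin_t` pattern used for the disk, mail and system plugins. As written, the rule does not give the services plugin read access to the BIND configuration. Depending on how the toolchain treats the unknown identifier, the block may be dropped without any error or may fail to build. The line should read `bind_read_config(services_munin_plugin_t)`.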
@@ -37738,30 +38549,35 @@ index f17583b..fea9b77 100644 + varnishd_read_lib_files(services_munin_plugin_t) +') + -+optional_policy(` -+ bind_read_config(munin_services_plugin_t) -+') -+ ################################## # - # local policy for system plugins -@@ -295,12 +357,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +-# local policy for system plugins ++# System local policy + # + + allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) --kernel_read_network_state(system_munin_plugin_t) --kernel_read_all_sysctls(system_munin_plugin_t) -+# needed by munin_* plugins +read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) ++ + kernel_read_network_state(system_munin_plugin_t) + kernel_read_all_sysctls(system_munin_plugin_t) -corecmd_exec_shell(system_munin_plugin_t) - -fs_getattr_all_fs(system_munin_plugin_t) -+kernel_read_network_state(system_munin_plugin_t) - +- dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +373,47 @@ init_read_utmp(system_munin_plugin_t) + + domain_read_all_domains_state(system_munin_plugin_t) + +-# needed by users plugin + init_read_utmp(system_munin_plugin_t) + ++logging_search_logs(system_munin_plugin_t) ++ sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) 
@@ -37774,40 +38590,38 @@ index f17583b..fea9b77 100644 + +####################################### +# -+# Unconfined plugin policy ++# Unconfined plugin local policy +# + +optional_policy(` + unconfined_domain(unconfined_munin_plugin_t) +') + -+################################ ++ ++####################################### +# -+# local policy for munin plugin domains ++# Munin CGI script local policy +# + -+allow munin_plugin_domain self:process signal; ++apache_content_template(munin) + -+allow munin_plugin_domain munin_exec_t:file read_file_perms; -+allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; ++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + -+# creates plugin state files -+manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) ++manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t) ++manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t) + -+read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) ++read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) ++read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) + -+corecmd_exec_bin(munin_plugin_domain) -+corecmd_exec_shell(munin_plugin_domain) ++allow httpd_munin_script_t munin_log_t:file read_file_perms; + -+files_search_var_lib(munin_plugin_domain) -+files_read_usr_files(munin_plugin_domain) ++files_search_var_lib(httpd_munin_script_t) + -+fs_getattr_all_fs(munin_plugin_domain) -+ -+auth_read_passwd(munin_plugin_domain) ++auth_read_passwd(httpd_munin_script_t) + +optional_policy(` -+ nscd_socket_use(munin_plugin_domain) ++ apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc index 716d666..43f60de 100644 @@ -47840,7 +48654,7 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') 
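Review bot: `httpd_munin_script_t` is given manage rights on `httpd_munin_script_tmp_t`, but no type transition for that type is visible in this hunk, so temporary files the CGI script creates would presumably keep the generic tmp label and the two manage patterns would never apply. If this is not handled elsewhere, add `files_tmp_filetrans(httpd_munin_script_t, httpd_munin_script_tmp_t, { dir file })` after them. Also, `apache_content_template(munin)` and the rules on `httpd_munin_script_t` now sit outside `optional_policy`, whereas the removed version kept them inside it. That makes the apache module a hard dependency of munin, so a comment stating that this is intended would help.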
diff --git a/policykit.te b/policykit.te -index 44db896..946bfb5 100644 +index 44db896..6e3b3fd 100644 --- a/policykit.te +++ b/policykit.te @@ -1,51 +1,67 @@ @@ -47924,7 +48738,7 @@ index 44db896..946bfb5 100644 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) policykit_domtrans_resolve(policykit_t) -@@ -56,56 +72,115 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,56 +72,116 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -48030,6 +48844,7 @@ index 44db896..946bfb5 100644 + +fs_getattr_all_fs(policykit_auth_t) +fs_search_tmpfs(policykit_auth_t) ++fs_dontaudit_append_ecryptfs_files(policykit_auth_t) +auth_rw_var_auth(policykit_auth_t) auth_use_nsswitch(policykit_auth_t) @@ -48051,7 +48866,7 @@ index 44db896..946bfb5 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +193,26 @@ optional_policy(` +@@ -118,14 +194,26 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -48080,7 +48895,7 @@ index 44db896..946bfb5 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -142,22 +229,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -142,22 +230,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -48108,7 +48923,7 @@ index 44db896..946bfb5 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,9 +254,8 @@ optional_policy(` +@@ -167,9 +255,8 @@ optional_policy(` # polkit_resolve local policy # 
@@ -48120,7 +48935,7 @@ index 44db896..946bfb5 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -182,17 +268,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t +@@ -182,17 +269,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t can_exec(policykit_resolve_t, policykit_resolve_exec_t) corecmd_search_bin(policykit_resolve_t) @@ -51538,7 +52353,7 @@ index 84f23dc..0e7d875 100644 /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) diff --git a/pulseaudio.if b/pulseaudio.if -index f40c64d..8a82574 100644 +index f40c64d..191600b 100644 --- a/pulseaudio.if +++ b/pulseaudio.if @@ -35,6 +35,9 @@ interface(`pulseaudio_role',` @@ -51566,7 +52381,7 @@ index f40c64d..8a82574 100644 ') ######################################## -@@ -257,4 +262,87 @@ interface(`pulseaudio_manage_home_files',` +@@ -257,4 +262,106 @@ interface(`pulseaudio_manage_home_files',` userdom_search_user_home_dirs($1) manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) @@ -51653,12 +52468,40 @@ index f40c64d..8a82574 100644 + + kernel_search_proc($1) + ps_process_pattern($1, pulseaudio_t) ++') ++ ++###################################### ++## ++## Make the specified tmpfs file type ++## pulseaudio tmpfs content. ++## ++## ++## ++## File type to make pulseaudio tmpfs content. ++## ++## ++# ++interface(`pulseaudio_tmpfs_content',` ++ gen_require(` ++ attribute pulseaudio_tmpfsfile; ++ ') ++ ++ typeattribute $1 pulseaudio_tmpfsfile; ') diff --git a/pulseaudio.te b/pulseaudio.te -index 901ac9b..bef43f7 100644 +index 901ac9b..68f1fb6 100644 --- a/pulseaudio.te 
+++ b/pulseaudio.te -@@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -5,6 +5,8 @@ policy_module(pulseaudio, 1.5.0) + # Declarations + # + ++attribute pulseaudio_tmpfsfile; ++ + type pulseaudio_t; + type pulseaudio_exec_t; + init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) +@@ -41,7 +43,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) @@ -51672,7 +52515,7 @@ index 901ac9b..bef43f7 100644 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -@@ -51,7 +57,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) +@@ -51,7 +59,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) @@ -51681,7 +52524,7 @@ index 901ac9b..bef43f7 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -61,7 +67,6 @@ kernel_read_kernel_sysctls(pulseaudio_t) +@@ -61,7 +69,6 @@ kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) @@ -51689,7 +52532,7 @@ index 901ac9b..bef43f7 100644 corenet_all_recvfrom_netlabel(pulseaudio_t) corenet_tcp_bind_pulseaudio_port(pulseaudio_t) corenet_tcp_bind_soundd_port(pulseaudio_t) -@@ -70,32 +75,49 @@ corenet_tcp_sendrecv_generic_node(pulseaudio_t) +@@ -70,32 +77,49 @@ corenet_tcp_sendrecv_generic_node(pulseaudio_t) corenet_udp_bind_sap_port(pulseaudio_t) corenet_udp_sendrecv_generic_if(pulseaudio_t) corenet_udp_sendrecv_generic_node(pulseaudio_t) 
@@ -51726,7 +52569,11 @@ index 901ac9b..bef43f7 100644 + fs_manage_nfs_named_sockets(pulseaudio_t) + fs_manage_nfs_named_pipes(pulseaudio_t) +') -+ + +-# cjp: this seems excessive. need to confirm +-userdom_manage_user_home_content_files(pulseaudio_t) +-userdom_manage_user_tmp_files(pulseaudio_t) +-userdom_manage_user_tmpfs_files(pulseaudio_t) +tunable_policy(`use_samba_home_dirs',` + fs_mount_cifs(pulseaudio_t) + fs_mounton_cifs(pulseaudio_t) @@ -51736,18 +52583,14 @@ index 901ac9b..bef43f7 100644 + fs_manage_cifs_named_sockets(pulseaudio_t) + fs_manage_cifs_named_pipes(pulseaudio_t) +') - --# cjp: this seems excessive. need to confirm --userdom_manage_user_home_content_files(pulseaudio_t) --userdom_manage_user_tmp_files(pulseaudio_t) --userdom_manage_user_tmpfs_files(pulseaudio_t) ++ +optional_policy(` + alsa_read_rw_config(pulseaudio_t) +') optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -125,16 +147,37 @@ optional_policy(` +@@ -125,16 +149,37 @@ optional_policy(` ') optional_policy(` @@ -51785,7 +52628,7 @@ index 901ac9b..bef43f7 100644 udev_read_state(pulseaudio_t) udev_read_db(pulseaudio_t) ') -@@ -146,3 +189,7 @@ optional_policy(` +@@ -146,3 +191,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -53997,10 +54840,10 @@ index 0000000..010b2be +') diff --git a/quantum.te b/quantum.te new file mode 100644 -index 0000000..6e15504 +index 0000000..992837f --- /dev/null +++ b/quantum.te -@@ -0,0 +1,80 @@ +@@ -0,0 +1,81 @@ +policy_module(quantum, 1.0.0) + +######################################## @@ -54057,6 +54900,7 @@ index 0000000..6e15504 +corenet_tcp_bind_generic_node(quantum_t) +corenet_tcp_bind_quantum_port(quantum_t) +corenet_tcp_connect_mysqld_port(quantum_t) ++corenet_tcp_connect_amqp_port(quantum_t) + +dev_read_urand(quantum_t) +dev_list_sysfs(quantum_t) @@ -58701,10 +59545,10 @@ index a63e9ee..e4a0c9b 100644 + nis_use_ypbind(rpcbind_t) +') 
diff --git a/rpm.fc b/rpm.fc -index b2a0b6a..3916381 100644 +index b2a0b6a..d8a9750 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -2,10 +2,12 @@ +@@ -2,10 +2,13 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) @@ -58713,11 +59557,12 @@ index b2a0b6a..3916381 100644 /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -20,12 +22,18 @@ +@@ -20,12 +23,18 @@ /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` @@ -58736,7 +59581,7 @@ index b2a0b6a..3916381 100644 ') /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -@@ -35,10 +43,12 @@ ifdef(`distro_redhat', ` +@@ -35,10 +44,12 @@ ifdef(`distro_redhat', ` /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) @@ -59373,7 +60218,7 @@ index ffb9605..4bb7119 100644 - -miscfiles_read_localization(rssh_chroot_helper_t) diff --git a/rsync.fc b/rsync.fc -index 479615b..2d77839 100644 +index 479615b..d92f567 100644 --- a/rsync.fc +++ b/rsync.fc @@ -2,6 +2,6 @@ @@ -59381,7 +60226,7 @@ index 479615b..2d77839 100644 /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) -/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) -+/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0) ++/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0) /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) 
diff --git a/rsync.if b/rsync.if @@ -60130,7 +60975,7 @@ index 82cb169..4f6fe4a 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 905883f..4293f70 100644 +index 905883f..57f516b 100644 --- a/samba.te +++ b/samba.te @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0) @@ -60445,11 +61290,13 @@ index 905883f..4293f70 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -501,11 +534,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) +@@ -500,12 +533,15 @@ read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) + manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) - manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) ++manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t) +manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) + manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) +manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) +files_var_filetrans(nmbd_t, samba_var_t, dir, "samba") @@ -60461,7 +61308,7 @@ index 905883f..4293f70 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) -@@ -513,7 +548,6 @@ kernel_read_network_state(nmbd_t) +@@ -513,7 +549,6 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -60469,7 +61316,7 @@ index 905883f..4293f70 100644 corenet_all_recvfrom_netlabel(nmbd_t) corenet_tcp_sendrecv_generic_if(nmbd_t) corenet_udp_sendrecv_generic_if(nmbd_t) -@@ -527,8 +561,10 @@ corenet_sendrecv_nmbd_server_packets(nmbd_t) +@@ -527,8 +562,10 @@ corenet_sendrecv_nmbd_server_packets(nmbd_t) corenet_sendrecv_nmbd_client_packets(nmbd_t) corenet_tcp_connect_smbd_port(nmbd_t) 
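Review bot: The new rsync.fc entry `/var/log/rsync.*` is considerably wider than the `/var/log/rsync\.log.*` line it replaces. The dot is no longer escaped and the `--` file-type field is gone, so any object of any class under /var/log whose path starts with `rsync` is labeled `rsync_log_t`. If the goal is to cover a log directory as well as rotated log files, two explicit entries are tighter: keep `/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)` and add a separate `/var/log/rsync(/.*)?` entry for the directory.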
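Review bot: As far as the collapsed markers can be read, the nmbd section of samba.te ends up with `manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)` twice, once as an added line and once as the pre-existing context line directly below it. The duplicate does not change the compiled policy, but it makes the grant list harder to audit. I would drop the added copy and keep only the new `manage_dirs_pattern`, `manage_lnk_files_pattern` and `manage_sock_files_pattern` lines for `samba_var_t`.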
@@ -60481,7 +61328,7 @@ index 905883f..4293f70 100644 fs_getattr_all_fs(nmbd_t) fs_search_auto_mountpoints(nmbd_t) -@@ -536,7 +572,6 @@ fs_search_auto_mountpoints(nmbd_t) +@@ -536,7 +573,6 @@ fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) files_read_usr_files(nmbd_t) @@ -60489,7 +61336,7 @@ index 905883f..4293f70 100644 files_list_var_lib(nmbd_t) auth_use_nsswitch(nmbd_t) -@@ -544,12 +579,14 @@ auth_use_nsswitch(nmbd_t) +@@ -544,12 +580,14 @@ auth_use_nsswitch(nmbd_t) logging_search_logs(nmbd_t) logging_send_syslog_msg(nmbd_t) @@ -60506,7 +61353,7 @@ index 905883f..4293f70 100644 seutil_sigchld_newrole(nmbd_t) ') -@@ -562,18 +599,21 @@ optional_policy(` +@@ -562,18 +600,21 @@ optional_policy(` # smbcontrol local policy # @@ -60532,7 +61379,7 @@ index 905883f..4293f70 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -581,11 +621,19 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -581,11 +622,19 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -60555,7 +61402,7 @@ index 905883f..4293f70 100644 ######################################## # -@@ -604,18 +652,20 @@ allow smbmount_t samba_etc_t:file read_file_perms; +@@ -604,18 +653,20 @@ allow smbmount_t samba_etc_t:file read_file_perms; can_exec(smbmount_t, smbmount_exec_t) @@ -60578,7 +61425,7 @@ index 905883f..4293f70 100644 corenet_all_recvfrom_netlabel(smbmount_t) corenet_tcp_sendrecv_generic_if(smbmount_t) corenet_raw_sendrecv_generic_if(smbmount_t) -@@ -645,31 +695,32 @@ files_list_mnt(smbmount_t) +@@ -645,31 +696,32 @@ files_list_mnt(smbmount_t) files_mounton_mnt(smbmount_t) files_manage_etc_runtime_files(smbmount_t) files_etc_filetrans_etc_runtime(smbmount_t, file) 
@@ -60616,7 +61463,7 @@ index 905883f..4293f70 100644 allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -684,7 +735,8 @@ samba_domtrans_nmbd(swat_t) +@@ -684,7 +736,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -60626,7 +61473,7 @@ index 905883f..4293f70 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -698,13 +750,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -698,13 +751,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) @@ -60644,7 +61491,7 @@ index 905883f..4293f70 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -717,6 +773,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -717,6 +774,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -60652,7 +61499,7 @@ index 905883f..4293f70 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -726,7 +783,6 @@ kernel_read_network_state(swat_t) +@@ -726,7 +784,6 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -60660,7 +61507,7 @@ index 905883f..4293f70 100644 corenet_all_recvfrom_netlabel(swat_t) corenet_tcp_sendrecv_generic_if(swat_t) corenet_udp_sendrecv_generic_if(swat_t) -@@ -744,7 +800,6 @@ corenet_sendrecv_ipp_client_packets(swat_t) +@@ -744,7 +801,6 @@ corenet_sendrecv_ipp_client_packets(swat_t) dev_read_urand(swat_t) files_list_var_lib(swat_t) 
@@ -60668,7 +61515,7 @@ index 905883f..4293f70 100644 files_search_home(swat_t) files_read_usr_files(swat_t) fs_getattr_xattr_fs(swat_t) -@@ -759,7 +814,10 @@ logging_send_syslog_msg(swat_t) +@@ -759,7 +815,10 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -60680,7 +61527,7 @@ index 905883f..4293f70 100644 optional_policy(` cups_read_rw_config(swat_t) -@@ -790,7 +848,8 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -790,7 +849,8 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; @@ -60690,7 +61537,7 @@ index 905883f..4293f70 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,6 +865,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) +@@ -806,6 +866,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) manage_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) @@ -60699,7 +61546,7 @@ index 905883f..4293f70 100644 files_list_var_lib(winbind_t) rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) -@@ -813,21 +874,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -813,21 +875,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -60733,7 +61580,7 @@ index 905883f..4293f70 100644 corenet_all_recvfrom_netlabel(winbind_t) corenet_tcp_sendrecv_generic_if(winbind_t) corenet_udp_sendrecv_generic_if(winbind_t) -@@ -840,12 +906,15 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -840,12 +907,15 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) 
@@ -60749,7 +61596,7 @@ index 905883f..4293f70 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -855,12 +924,14 @@ auth_manage_cache(winbind_t) +@@ -855,12 +925,14 @@ auth_manage_cache(winbind_t) domain_use_interactive_fds(winbind_t) @@ -60766,7 +61613,7 @@ index 905883f..4293f70 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -871,6 +942,15 @@ userdom_manage_user_home_content_sockets(winbind_t) +@@ -871,6 +943,15 @@ userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` @@ -60782,7 +61629,7 @@ index 905883f..4293f70 100644 kerberos_use(winbind_t) ') -@@ -909,9 +989,7 @@ auth_use_nsswitch(winbind_helper_t) +@@ -909,9 +990,7 @@ auth_use_nsswitch(winbind_helper_t) logging_send_syslog_msg(winbind_helper_t) @@ -60793,7 +61640,7 @@ index 905883f..4293f70 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -929,19 +1007,34 @@ optional_policy(` +@@ -929,19 +1008,34 @@ optional_policy(` # optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 11590e0..e8f551b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 81%{?dist} +Release: 82%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -521,6 +521,38 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Feb 28 2013 Miroslav Grepl 3.11.1-82
+- Allow logrotate to read /sys
+- Allow mandb to setattr on man dirs
+- label /usr/bin/yum-builddep as rpm_exec_t
+- Remove init_daemon_run_dir from CUPS policy
+- Backport cups+hplip merge from rawhide
+- Allow munin CGI scritp to search munin logs
+- Allow quantum to connect to amqp port
+- Allow jabberd to connect to jabber_interserver_port_t
+- Fix authconfig.py labeling
+- Fix fcoemon policy
+- Allow kdumpgui to manage bootloader_config
+- Allow httpd_collectd_script to read /etc/passwd
+- Allow milter domains to read /dev/random
+- Allow nmbd_t to create samba_var_t directories
+- Allow logrotote to getattr on all file sytems
+- fcoemon wants also net_raw cap. We have net_admin cap.
+- Allow gpg-agent to access fips_enabled file
+- Allow collectd to read utmp
+- Backport munin policy from rawhide
+- Allow kadmind to read /etc/passwd
+- Dontaudit append .xsession-errors file on ecryptfs for policykit-auth
+- Allow chrome_nacl to execute /dev/zero
+- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelperas bin_t
+- Add fs_dontaudit_append_fusefs_files() interface
+- Allow systemd domains to talk to kernel_t using unix_dgram_socket
+- Add miscfiles_setattr_man_pages()
+- Add manage interface to be used bu kdumpgui
+- Localectl needs to be able to send dbus signals to users
+- Hostname needs to send syslog messages
+- Add stream support for mpd, accessible from users
+
 * Fri Feb 22 2013 Miroslav Grepl 3.11.1-81
 - Fix systemd_dbus_chat_timedated interface
 - Allow userdomains to dbus chat with systemd-hostnamed