From 0d52471ee18c10c5b58dde64bd72fe0958e2fec6 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Dec 17 2012 10:49:56 +0000 Subject: Additional rules for svirt_t --- diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 0706dc0..2f29e17 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -58,6 +58,21 @@ index 313d837..ef3c532 100644 @echo "Success." ######################################## +diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context +index d387b42..150f281 100644 +--- a/config/appconfig-mcs/virtual_domain_context ++++ b/config/appconfig-mcs/virtual_domain_context +@@ -1 +1,2 @@ + system_u:system_r:svirt_t:s0 ++system_u:system_r:svirt_tcg_t:s0 +diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context +index c049e10..150f281 100644 +--- a/config/appconfig-standard/virtual_domain_context ++++ b/config/appconfig-standard/virtual_domain_context +@@ -1 +1,2 @@ +-system_u:system_r:svirt_t ++system_u:system_r:svirt_t:s0 ++system_u:system_r:svirt_tcg_t:s0 diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8 new file mode 100644 index 0000000..62a48d7 @@ -117684,7 +117699,7 @@ index 8796ca3..cb02728 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..d042988 100644 +index e1e814d..37f3b90 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -118302,7 +118317,7 @@ index e1e814d..d042988 100644 ') ######################################## -@@ -4126,6 +4493,127 @@ interface(`files_read_world_readable_sockets',` +@@ -4126,6 +4493,133 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
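Review bot: The new second line `system_u:system_r:svirt_tcg_t:s0` in both `virtual_domain_context` hunks is order-sensitive: as far as I recall, libvirt takes the first line of this file as the default dynamic guest domain and an optional second line as the alternative domain for TCG guests, so the `svirt_t` line must stay first and the `svirt_tcg_t` line second (confirm against libvirt's SELinux driver). Since these context files carry no comments, that constraint belongs in the commit message or in a comment next to the `svirt_tcg_t` declaration in virt.te. The `appconfig-standard` hunk also changes the existing line from `system_u:system_r:svirt_t` to `system_u:system_r:svirt_t:s0`; stating that fix in the description would keep it from being read as a stray edit.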
@@ -118362,12 +118377,18 @@ index e1e814d..d042988 100644 + + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables") + filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config") + filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") +') @@ -118430,7 +118451,7 @@ index e1e814d..d042988 100644 ######################################## ## ## Allow the specified type to associate -@@ -4148,6 +4636,26 @@ interface(`files_associate_tmp',` +@@ -4148,6 +4642,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -118457,7 +118478,7 @@ index e1e814d..d042988 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4161,6 +4669,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4161,6 +4675,7 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -118465,7 +118486,7 @@ index e1e814d..d042988 100644 allow $1 tmp_t:dir getattr; ') -@@ -4171,7 +4680,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4171,7 +4686,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## 
@@ -118474,7 +118495,7 @@ index e1e814d..d042988 100644 ## ## # -@@ -4198,6 +4707,7 @@ interface(`files_search_tmp',` +@@ -4198,6 +4713,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -118482,7 +118503,7 @@ index e1e814d..d042988 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4234,6 +4744,7 @@ interface(`files_list_tmp',` +@@ -4234,6 +4750,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -118490,7 +118511,7 @@ index e1e814d..d042988 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4243,7 +4754,7 @@ interface(`files_list_tmp',` +@@ -4243,7 +4760,7 @@ interface(`files_list_tmp',` ## ## ## @@ -118499,7 +118520,7 @@ index e1e814d..d042988 100644 ## ## # -@@ -4255,6 +4766,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4255,6 +4772,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -118525,7 +118546,7 @@ index e1e814d..d042988 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4270,6 +4800,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4270,6 +4806,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -118533,7 +118554,7 @@ index e1e814d..d042988 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4311,6 +4842,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4311,6 +4848,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -118566,7 +118587,7 @@ index e1e814d..d042988 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4365,6 +4922,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4365,6 +4928,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -118609,7 +118630,7 @@ index e1e814d..d042988 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4383,6 +4976,42 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4383,6 +4982,42 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## 
@@ -118652,7 +118673,7 @@ index e1e814d..d042988 100644 ## List all tmp directories. ## ## -@@ -4428,7 +5057,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4428,7 +5063,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -118661,7 +118682,7 @@ index e1e814d..d042988 100644 ## ## # -@@ -4488,7 +5117,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4488,7 +5123,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -118670,7 +118691,7 @@ index e1e814d..d042988 100644 ## ## # -@@ -4573,6 +5202,16 @@ interface(`files_purge_tmp',` +@@ -4573,6 +5208,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -118687,7 +118708,7 @@ index e1e814d..d042988 100644 ') ######################################## -@@ -5150,12 +5789,30 @@ interface(`files_list_var',` +@@ -5150,12 +5795,30 @@ interface(`files_list_var',` ######################################## ## @@ -118721,7 +118742,7 @@ index e1e814d..d042988 100644 ## ## # -@@ -5505,6 +6162,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5505,6 +6168,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -118747,7 +118768,7 @@ index e1e814d..d042988 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5550,7 +6226,7 @@ interface(`files_manage_mounttab',` +@@ -5550,7 +6232,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -118756,7 +118777,7 @@ index e1e814d..d042988 100644 ## ## ## -@@ -5558,12 +6234,13 @@ interface(`files_manage_mounttab',` +@@ -5558,12 +6240,13 @@ interface(`files_manage_mounttab',` ## ## # 
@@ -118772,7 +118793,7 @@ index e1e814d..d042988 100644 ') ######################################## -@@ -5581,6 +6258,7 @@ interface(`files_search_locks',` +@@ -5581,6 +6264,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -118780,7 +118801,7 @@ index e1e814d..d042988 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5607,7 +6285,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5607,7 +6291,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -118808,7 +118829,7 @@ index e1e814d..d042988 100644 ## ## ## -@@ -5615,13 +6312,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5615,13 +6318,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -118825,7 +118846,7 @@ index e1e814d..d042988 100644 ') ######################################## -@@ -5640,7 +6336,7 @@ interface(`files_rw_lock_dirs',` +@@ -5640,7 +6342,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -118834,7 +118855,7 @@ index e1e814d..d042988 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5673,7 +6369,6 @@ interface(`files_create_lock_dirs',` +@@ -5673,7 +6375,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -118842,7 +118863,7 @@ index e1e814d..d042988 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5701,8 +6396,7 @@ interface(`files_getattr_generic_locks',` +@@ -5701,8 +6402,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -118852,7 +118873,7 @@ index e1e814d..d042988 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5718,13 +6412,12 @@ interface(`files_getattr_generic_locks',` +@@ -5718,13 +6418,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -118870,7 +118891,7 @@ index e1e814d..d042988 100644 ') ######################################## -@@ -5743,8 +6436,7 @@ interface(`files_manage_generic_locks',` +@@ -5743,8 +6442,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -118880,7 +118901,7 @@ index e1e814d..d042988 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5786,8 +6478,7 @@ interface(`files_read_all_locks',` +@@ -5786,8 +6484,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -118890,7 +118911,7 @@ index e1e814d..d042988 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5809,8 +6500,7 @@ interface(`files_manage_all_locks',` +@@ -5809,8 +6506,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -118900,7 +118921,7 @@ index e1e814d..d042988 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5847,8 +6537,7 @@ interface(`files_lock_filetrans',` +@@ -5847,8 +6543,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -118910,7 +118931,7 @@ index e1e814d..d042988 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5911,6 +6600,43 @@ interface(`files_search_pids',` +@@ -5911,6 +6606,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -118954,7 +118975,7 @@ index e1e814d..d042988 100644 ######################################## ## ## Do not audit attempts to search -@@ -5933,6 +6659,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5933,6 +6665,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## 
@@ -118980,7 +119001,7 @@ index e1e814d..d042988 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6048,7 +6793,6 @@ interface(`files_pid_filetrans',` +@@ -6048,7 +6799,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -118988,7 +119009,7 @@ index e1e814d..d042988 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6157,30 +6901,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6157,30 +6907,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -119023,7 +119044,7 @@ index e1e814d..d042988 100644 ## ## ## -@@ -6188,43 +6927,35 @@ interface(`files_read_all_pids',` +@@ -6188,43 +6933,35 @@ interface(`files_read_all_pids',` ## ## # @@ -119074,7 +119095,7 @@ index e1e814d..d042988 100644 ## ## ## -@@ -6232,21 +6963,17 @@ interface(`files_delete_all_pids',` +@@ -6232,21 +6969,17 @@ interface(`files_delete_all_pids',` ## ## # @@ -119099,7 +119120,7 @@ index e1e814d..d042988 100644 ## ## ## -@@ -6254,56 +6981,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -6254,56 +6987,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -119175,7 +119196,7 @@ index e1e814d..d042988 100644 ## ## ## -@@ -6311,18 +7041,17 @@ interface(`files_list_spool',` +@@ -6311,18 +7047,17 @@ interface(`files_list_spool',` ## ## # @@ -119198,7 +119219,7 @@ index e1e814d..d042988 100644 ## ## ## -@@ -6330,19 +7059,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6330,19 +7065,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -119223,7 +119244,7 @@ index e1e814d..d042988 100644 ## ## ## -@@ -6350,55 +7078,62 @@ interface(`files_read_generic_spool',` +@@ -6350,55 +7084,62 @@ interface(`files_read_generic_spool',` ## ## # @@ -119310,7 +119331,7 @@ index e1e814d..d042988 100644 ## ## ## -@@ -6406,25 +7141,283 @@ interface(`files_spool_filetrans',` +@@ -6406,25 +7147,283 @@ interface(`files_spool_filetrans',` ## ## # 
@@ -119609,7 +119630,7 @@ index e1e814d..d042988 100644 # is remounted for polyinstantiation aware programs (like gdm) allow $1 polyparent:dir { getattr mounton }; -@@ -6467,3 +7460,457 @@ interface(`files_unconfined',` +@@ -6467,3 +7466,457 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -126870,7 +126891,7 @@ index 4318f73..e4d0b31 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 078bcd7..613a47e 100644 +index 078bcd7..022c7db 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -1,9 +1,23 @@ @@ -126897,8 +126918,11 @@ index 078bcd7..613a47e 100644 /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) -@@ -14,3 +28,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +@@ -12,5 +26,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) + /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) ++/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) +/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) @@ -140959,7 +140983,7 @@ index 41a1853..af08353 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index ed363e1..3407878 100644 +index ed363e1..808e49e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0) 
@@ -141161,7 +141185,7 @@ index ed363e1..3407878 100644 +optional_policy(` + networkmanager_domtrans(dhcpc_t) + networkmanager_read_pid_files(dhcpc_t) -+ networkmanager_read_lib_files(dhcpc_t) ++ networkmanager_manage_lib(dhcpc_t) +') + +optional_policy(` diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index efe0c0b..e670e6d 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -14623,7 +14623,7 @@ index 0000000..33656de + sysnet_domtrans_ifconfig(ctdbd_t) +') diff --git a/cups.fc b/cups.fc -index 848bb92..108b23c 100644 +index 848bb92..600efa5 100644 --- a/cups.fc +++ b/cups.fc @@ -19,7 +19,10 @@ @@ -14637,7 +14637,7 @@ index 848bb92..108b23c 100644 /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -52,18 +55,31 @@ +@@ -52,18 +55,32 @@ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -14669,6 +14669,7 @@ index 848bb92..108b23c 100644 + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + ++/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if index 305ddf4..f3cd95f 100644 @@ -23051,7 +23052,7 @@ index 7ff9d6d..b1c97f2 100644 allow $1 glance_api_t:process signal_perms; ps_process_pattern($1, glance_api_t) diff --git a/glance.te b/glance.te -index 4afb81f..58a8c1c 100644 +index 4afb81f..efff577 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.0) 
@@ -23064,17 +23065,20 @@ index 4afb81f..58a8c1c 100644 init_daemon_domain(glance_registry_t, glance_registry_exec_t) type glance_registry_initrc_exec_t; -@@ -17,8 +16,7 @@ init_script_file(glance_registry_initrc_exec_t) +@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t) type glance_registry_tmp_t; files_tmp_file(glance_registry_tmp_t) -type glance_api_t, glance_domain; -type glance_api_exec_t; ++type glance_registry_tmpfs_t; ++files_tmpfs_file(glance_registry_tmpfs_t) ++ +glance_basic_types_template(glance_api) init_daemon_domain(glance_api_t, glance_api_exec_t) type glance_api_initrc_exec_t; -@@ -54,16 +52,18 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -54,16 +55,18 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -23096,8 +23100,14 @@ index 4afb81f..58a8c1c 100644 optional_policy(` sysnet_dns_name_resolve(glance_domain) -@@ -80,6 +80,14 @@ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) +@@ -78,8 +81,20 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm + manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) + files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) ++manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t) ++manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t) ++fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file }) ++ corenet_tcp_bind_generic_node(glance_registry_t) corenet_tcp_bind_glance_registry_port(glance_registry_t) +corenet_tcp_connect_mysqld_port(glance_registry_t) 
@@ -23111,7 +23121,7 @@ index 4afb81f..58a8c1c 100644 ######################################## # -@@ -94,11 +102,15 @@ can_exec(glance_api_t, glance_tmp_t) +@@ -94,11 +109,15 @@ can_exec(glance_api_t, glance_tmp_t) corecmd_exec_shell(glance_api_t) corenet_tcp_bind_generic_node(glance_api_t) @@ -23474,10 +23484,10 @@ index 00a19e3..5a2dbfd 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..6d054a2 100644 +index f5afe78..2a96043 100644 --- a/gnome.if +++ b/gnome.if -@@ -1,44 +1,1047 @@ +@@ -1,44 +1,1048 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -23762,6 +23772,7 @@ index f5afe78..6d054a2 100644 + allow $1 gnome_home_type:dir manage_dir_perms; + allow $1 gnome_home_type:file manage_file_perms; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; ++ allow $1 gnome_home_type:sock_file manage_sock_file_perms; + userdom_search_user_home_dirs($1) +') + @@ -24543,7 +24554,7 @@ index f5afe78..6d054a2 100644 ## ## ## -@@ -46,37 +1049,91 @@ interface(`gnome_role',` +@@ -46,37 +1050,91 @@ interface(`gnome_role',` ## ## # @@ -24646,7 +24657,7 @@ index f5afe78..6d054a2 100644 ## ## ## -@@ -84,37 +1141,107 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +1142,107 @@ template(`gnome_read_gconf_config',` ## ## # @@ -24765,7 +24776,7 @@ index f5afe78..6d054a2 100644 ## ## ## -@@ -122,17 +1249,36 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1250,36 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -24806,7 +24817,7 @@ index f5afe78..6d054a2 100644 ## ## ## -@@ -140,51 +1286,279 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1287,279 @@ interface(`gnome_domtrans_gconfd',` ## ## # 
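Review bot: `fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })` in the glance.te hunk is missing the space after the comma that the neighbouring `files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })` call has; write it as `fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t, { dir file })`. Only `glance_registry_t` receives a tmpfs type here while `glance_api_t` gets none; if that is deliberate, a one-line comment above the new `type glance_registry_tmpfs_t;` declaration saying what the registry places on tmpfs would save the next reader from guessing. The hunk that declares the type ends on the previous line of this page.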
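Review bot: The added `allow $1 gnome_home_type:sock_file manage_sock_file_perms;` in gnome.if widens an interface whose `<summary>` lies outside this hunk; the summary should be updated to say that socket files under the GNOME home content are now managed as well, since callers read the interface documentation rather than its body. The enclosing interface starts outside the hunk, so its name is not visible here.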
@@ -38393,7 +38404,7 @@ index 386543b..8fe1d63 100644 /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 2324d9e..7ccb55f 100644 +index 2324d9e..7c9fca9 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',` @@ -38494,7 +38505,7 @@ index 2324d9e..7ccb55f 100644 ######################################## ## ## Read NetworkManager PID files. -@@ -191,3 +255,90 @@ interface(`networkmanager_read_pid_files',` +@@ -191,3 +255,110 @@ interface(`networkmanager_read_pid_files',` files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -38546,6 +38557,26 @@ index 2324d9e..7ccb55f 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') + ++####################################### ++## ++## Allow the specified domain to manage ++## to Network Manager lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_manage_lib',` ++ gen_require(` ++ type NetworkManager_log_t; ++ ') ++ ++ manage_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) ++') ++ ++ +######################################## +## +## Transition to networkmanager named content @@ -70829,7 +70860,7 @@ index 6f0736b..d91242a 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..ce27313 100644 +index 947bbc6..0b607f1 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0) @@ -71074,7 +71105,7 @@ index 947bbc6..ce27313 100644 corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) -@@ -131,67 +223,65 @@ corenet_udp_bind_all_ports(svirt_t) +@@ -131,67 +223,69 @@ corenet_udp_bind_all_ports(svirt_t) corenet_tcp_bind_all_ports(svirt_t) corenet_tcp_connect_all_ports(svirt_t) 
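Review bot: The new `networkmanager_manage_lib` interface in the last networkmanager.if hunk grants `manage_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)` although its summary says it manages NetworkManager lib files, so a caller receives write access to the daemon's logs instead of its lib directory. The `gen_require` and the pattern should name the lib type that `networkmanager_read_lib_files` already uses (presumably `NetworkManager_var_lib_t`; confirm in networkmanager.te), i.e. `type NetworkManager_var_lib_t;` and `manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)`. This matters because the sysnetwork.te hunk earlier on this page replaces `networkmanager_read_lib_files(dhcpc_t)` with `networkmanager_manage_lib(dhcpc_t)`, so as written the DHCP client domain would be able to modify or truncate NetworkManager's logs while still lacking write access to the lib files it apparently needs. The summary text `manage to Network Manager lib files` should also read `manage NetworkManager lib files`, and the doubled blank line after the closing `')` can go.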
@@ -71102,27 +71133,29 @@ index 947bbc6..ce27313 100644 -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(svirt_t) - fs_manage_cifs_files(svirt_t) --') -- ++optional_policy(` ++ xen_rw_image_files(svirt_t) + ') + -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(svirt_t) --') -- ++optional_policy(` ++ nscd_use(svirt_t) + ') + -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(svirt_t) - fs_manage_dos_dirs(svirt_t) - fs_manage_dos_files(svirt_t) -') -- - optional_policy(` - xen_rw_image_files(svirt_t) - ') - +####################################### +# +# svirt_prot_exec local policy +# -+ + +-optional_policy(` +- xen_rw_image_files(svirt_t) +-') +allow svirt_tcg_t self:process { execmem execstack }; +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) @@ -71131,7 +71164,7 @@ index 947bbc6..ce27313 100644 +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) -+ + ######################################## # # virtd local policy @@ -71183,7 +71216,7 @@ index 947bbc6..ce27313 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +292,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +296,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) 
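Review bot: The new section header `# svirt_prot_exec local policy` in virt.te does not match the domain the rules under it are written for, `svirt_tcg_t`; it should read `# svirt_tcg local policy`. The line `allow svirt_tcg_t self:process { execmem execstack };` is what distinguishes this domain from `svirt_t` and deserves a why-comment, e.g. `# TCG guests presumably need writable+executable memory for the JIT; kept off svirt_t so KVM guests run without execmem` (confirm the rationale). The same hunk removes the `virt_use_samba`, `virt_use_sysfs` and `virt_use_usb` tunable blocks from `svirt_t`; later hunks show tunables such as `virt_use_comm` and `virt_use_fusefs` being added under `virt_domain`, but whether these three are re-added there is not visible on this page, so check that the removal is a move and not a silent drop of those tunables. The declaration of `svirt_tcg_t`, and whether it carries the `virt_domain` attribute, is outside this hunk.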
@@ -71218,7 +71251,7 @@ index 947bbc6..ce27313 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +324,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +328,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -71242,7 +71275,7 @@ index 947bbc6..ce27313 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +352,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +356,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -71276,7 +71309,7 @@ index 947bbc6..ce27313 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +384,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +388,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -71295,7 +71328,7 @@ index 947bbc6..ce27313 100644 mcs_process_set_categories(virtd_t) -@@ -284,7 +410,8 @@ term_use_ptmx(virtd_t) +@@ -284,7 +414,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -71305,7 +71338,7 @@ index 947bbc6..ce27313 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +420,33 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +424,33 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -71339,7 +71372,7 @@ index 947bbc6..ce27313 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +465,10 @@ optional_policy(` +@@ -322,6 +469,10 @@ optional_policy(` ') optional_policy(` 
@@ -71350,7 +71383,7 @@ index 947bbc6..ce27313 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +482,34 @@ optional_policy(` +@@ -335,19 +486,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -71386,7 +71419,7 @@ index 947bbc6..ce27313 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +524,12 @@ optional_policy(` +@@ -362,6 +528,12 @@ optional_policy(` ') optional_policy(` @@ -71399,7 +71432,7 @@ index 947bbc6..ce27313 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +537,11 @@ optional_policy(` +@@ -369,11 +541,11 @@ optional_policy(` ') optional_policy(` @@ -71416,7 +71449,7 @@ index 947bbc6..ce27313 100644 ') optional_policy(` -@@ -384,6 +552,7 @@ optional_policy(` +@@ -384,6 +556,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -71424,7 +71457,7 @@ index 947bbc6..ce27313 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -402,35 +571,85 @@ optional_policy(` +@@ -402,35 +575,85 @@ optional_policy(` # # virtual domains common policy # @@ -71519,7 +71552,7 @@ index 947bbc6..ce27313 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,34 +657,601 @@ dev_write_sound(virt_domain) +@@ -438,34 +661,601 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -71587,7 +71620,7 @@ index 947bbc6..ce27313 100644 +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) - ') ++') + +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) @@ -71985,7 +72018,7 @@ index 947bbc6..ce27313 100644 +optional_policy(` + apache_exec_modules(svirt_lxc_domain) + apache_read_sys_content(svirt_lxc_domain) -+') + ') + +virt_lxc_domain_template(svirt_lxc_net) + 
@@ -72959,7 +72992,7 @@ index fc0adf8..cf479f3 100644 # Manual transition from userhelper optional_policy(` diff --git a/wm.if b/wm.if -index b3efef7..c1be6ab 100644 +index b3efef7..177cf16 100644 --- a/wm.if +++ b/wm.if @@ -31,17 +31,14 @@ template(`wm_role_template',` @@ -72982,7 +73015,7 @@ index b3efef7..c1be6ab 100644 allow $1_wm_t $3:unix_stream_socket connectto; allow $3 $1_wm_t:unix_stream_socket connectto; allow $3 $1_wm_t:process { signal sigchld signull }; -@@ -50,42 +47,18 @@ template(`wm_role_template',` +@@ -50,19 +47,19 @@ template(`wm_role_template',` allow $1_wm_t $3:dbus send_msg; allow $3 $1_wm_t:dbus send_msg; @@ -73002,17 +73035,19 @@ index b3efef7..c1be6ab 100644 - - files_read_etc_files($1_wm_t) - files_read_usr_files($1_wm_t) -- ++ auth_use_nsswitch($1_wm_t) + - fs_getattr_tmpfs($1_wm_t) -- -- mls_file_read_all_levels($1_wm_t) -- mls_file_write_all_levels($1_wm_t) -- mls_xwin_read_all_levels($1_wm_t) -- mls_xwin_write_all_levels($1_wm_t) -- mls_fd_use_all_levels($1_wm_t) -- - auth_use_nsswitch($1_wm_t) ++ kernel_read_system_state($1_wm_t) + + mls_file_read_all_levels($1_wm_t) + mls_file_write_all_levels($1_wm_t) +@@ -70,22 +67,6 @@ template(`wm_role_template',` + mls_xwin_write_all_levels($1_wm_t) + mls_fd_use_all_levels($1_wm_t) +- auth_use_nsswitch($1_wm_t) +- - application_signull($1_wm_t) - - miscfiles_read_fonts($1_wm_t) @@ -73031,7 +73066,7 @@ index b3efef7..c1be6ab 100644 xserver_role($2, $1_wm_t) xserver_manage_core_devices($1_wm_t) diff --git a/wm.te b/wm.te -index 19d447e..9c0a1c2 100644 +index 19d447e..996a3d4 100644 --- a/wm.te +++ b/wm.te @@ -1,5 +1,7 @@ @@ -73042,7 +73077,7 @@ index 19d447e..9c0a1c2 100644 ######################################## # # Declarations -@@ -7,3 +9,42 @@ policy_module(wm, 1.2.0) +@@ -7,3 +9,34 @@ policy_module(wm, 1.2.0) type wm_exec_t; corecmd_executable_file(wm_exec_t) 
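Review bot: The wm.if hunk keeps the `mls_file_read_all_levels($1_wm_t)` through `mls_fd_use_all_levels($1_wm_t)` block inside `wm_role_template` and adds `kernel_read_system_state($1_wm_t)` there, while the wm.te hunk below drops the same calls from the `wm_domain` attribute, and nothing says why these cannot live on the attribute like the other rules that were moved. If the reason is that the `mls_*` interfaces apply a `typeattribute`, which can only be given to a type and not to the `wm_domain` attribute (presumably; confirm against the mls interfaces), a one-line comment such as `# mls_* rules must be applied per type; wm_domain is an attribute` above the block would stop the next cleanup from moving them again. The template `wm_role_template` starts and ends outside this hunk.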
@@ -73052,8 +73087,6 @@ index 19d447e..9c0a1c2 100644 +allow wm_domain self:shm create_shm_perms; +allow wm_domain self:unix_dgram_socket create_socket_perms; + -+kernel_read_system_state(wm_domain) -+ +dev_read_urand(wm_domain) + +files_read_etc_files(wm_domain) @@ -73061,12 +73094,6 @@ index 19d447e..9c0a1c2 100644 + +fs_getattr_tmpfs(wm_domain) + -+mls_file_read_all_levels(wm_domain) -+mls_file_write_all_levels(wm_domain) -+mls_xwin_read_all_levels(wm_domain) -+mls_xwin_write_all_levels(wm_domain) -+mls_fd_use_all_levels(wm_domain) -+ +application_signull(wm_domain) + +miscfiles_read_fonts(wm_domain)