From 0fdab306d68f60db10775949d01a024ce1da608c Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jun 09 2014 14:13:54 +0000 Subject: * Mon Jun 09 2014 Lukas Vrabec 3.12.1-167 - Allow keystone to connect to additional ports to make OpenStack work - Allow thumb_t to connect to the xserver port when you are running it via an ssh tunnel - Allow certmonger to manage all certs - rhsmcertd seems to need these accesses. - Add cups_execmem boolean - Allow cups to execute its rw_etc_t files, for Brother printers - Need these privs in order to watch video - Allow locate to list directories without labels - Allow staff_t to communicate and run docker - Add fixes to make munin and munin-cgi work. Allow munin-cgi to create files/dirs in /tmp, list munin conf dir - Allow bitlbee to use tcp/7778 port - /etc/cron.daily/logrotate to execute fail2ban-client. - Allow keepalived to connect to SNMP port. Support to do SNMP stuff - Allow also fowner cap for varnishd - Allow keepalived to execute bin_t/shell_exec_t - Fix bitlbee policy - Fix rabbitmq.te - Fix labels on rabbitmq_var_run_t on file/dir creation - Allow neutron to create sock files - Allow postfix domains to getattr on all file systems - Add fixes for squid which is configured to run with more than one worker. - Allow certmonger to manage all certs - Fix *_ecryptfs_home_dirs booleans - Fix typos in userdomain.if and libraries.te - Allow ldconfig_t to read/write inherited user tmp pipes - Use proper calling in ssh.te for userdom_home_manager attribute - Fix decl for cockpit port --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 9a9a2d9..5d6dbed 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -3362,10 +3362,10 @@ index 1dc7a85..c6f4da0 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..b516b43 100644 +index 7590165..85186a9 100644 --- a/policy/modules/apps/seunshare.te 
+++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,62 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0) # Declarations # @@ -3425,17 +3425,20 @@ index 7590165..b516b43 100644 - fs_dontaudit_rw_anon_inodefs_files(seunshare_t) + fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) + fs_dontaudit_list_inotifyfs(seunshare_domain) -+ -+ optional_policy(` -+ gnome_dontaudit_rw_inherited_config(seunshare_domain) -+ ') optional_policy(` - mozilla_dontaudit_manage_user_home_files(seunshare_t) ++ gnome_dontaudit_rw_inherited_config(seunshare_domain) + ') ++ ++ optional_policy(` + mozilla_dontaudit_manage_user_home_files(seunshare_domain) + mozilla_plugin_dontaudit_leaks(seunshare_domain) - ') - ') ++ ') ++') ++optional_policy(` ++ rsync_exec(seunshare_domain) ++') + +tunable_policy(`use_nfs_home_dirs',` + fs_mounton_nfs(seunshare_domain) @@ -3447,7 +3450,7 @@ index 7590165..b516b43 100644 + +tunable_policy(`use_fusefs_home_dirs',` + fs_mounton_fusefs(seunshare_domain) -+') + ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 644d4d7..ad789c2 100644 --- a/policy/modules/kernel/corecommands.fc @@ -5634,7 +5637,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..77dedae 100644 +index 4edc40d..421e8b1 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) 
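Review bot: The new `rsync_exec(seunshare_domain)` block carries no comment saying why the sandbox launcher must run rsync inside its own domain instead of transitioning, and seunshare_domain is a powerful place to run it: the same file lets that domain mount on NFS and fusefs home directories under the use_*_home_dirs tunables. Presumably rsync is used to copy home-directory content into the sandbox, but nothing in the hunk shows that; a one-line comment such as `# seunshare runs rsync itself to populate the sandbox home; stays in seunshare_domain, no transition` above the new `optional_policy` would make the grant auditable. The block closed by the `++')` immediately above the new lines begins before this hunk.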
@@ -5708,7 +5711,7 @@ index 4edc40d..77dedae 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -84,54 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -84,54 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) @@ -5727,6 +5730,7 @@ index 4edc40d..77dedae 100644 network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) ++network_port(cockpit, udp,1001,s0) +network_port(collectd, udp,25826,s0) network_port(chronyd, udp,323,s0) network_port(clamd, tcp,3310,s0) @@ -5785,7 +5789,7 @@ index 4edc40d..77dedae 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -139,45 +176,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5852,7 +5856,7 @@ index 4edc40d..77dedae 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,26 +229,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
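Review bot: `network_port(cockpit, udp,1001,s0)` declares the cockpit port for UDP only, but cockpit-ws is an HTTP/WebSocket service that listens on TCP, so any domain given the generated `corenet_*_cockpit_port` interfaces would still be unable to bind or connect to the actual listener; unless a UDP use is intended, the line should read `network_port(cockpit, tcp,1001,s0)`. The changelog entry "Fix decl for cockip port" suggests this line is meant to be the fix, so the protocol is worth confirming against the running service before the portcon ships. Since 1001 is below 1024, also note that the new type carries the reserved-port semantics of the `network_port` macro, which is not visible in this hunk.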
@@ -5893,7 +5897,7 @@ index 4edc40d..77dedae 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -214,64 +268,73 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,64 +269,73 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5978,7 +5982,7 @@ index 4edc40d..77dedae 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -285,19 +348,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -285,19 +349,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6005,7 +6009,7 @@ index 4edc40d..77dedae 100644 ######################################## # -@@ -330,6 +397,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +398,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -6014,7 +6018,7 @@ index 4edc40d..77dedae 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +411,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +412,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -20460,7 +20464,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..5247b99 100644 +index 5da7870..147eab1 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te 
@@ -8,12 +8,71 @@ policy_module(staff, 2.3.1) @@ -20535,7 +20539,7 @@ index 5da7870..5247b99 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +82,114 @@ optional_policy(` +@@ -23,11 +82,119 @@ optional_policy(` ') optional_policy(` @@ -20564,6 +20568,11 @@ index 5da7870..5247b99 100644 optional_policy(` - git_role(staff_r, staff_t) ++ docker_stream_connect(staff_t) ++ docker_exec(staff_t) ++') ++ ++optional_policy(` + dnsmasq_read_pid_files(staff_t) +') + @@ -20651,7 +20660,7 @@ index 5da7870..5247b99 100644 ') optional_policy(` -@@ -35,15 +197,31 @@ optional_policy(` +@@ -35,15 +202,31 @@ optional_policy(` ') optional_policy(` @@ -20685,7 +20694,7 @@ index 5da7870..5247b99 100644 ') optional_policy(` -@@ -52,11 +230,61 @@ optional_policy(` +@@ -52,11 +235,61 @@ optional_policy(` ') optional_policy(` @@ -20747,7 +20756,7 @@ index 5da7870..5247b99 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +293,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +298,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20758,7 +20767,7 @@ index 5da7870..5247b99 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +302,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +307,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -20769,7 +20778,7 @@ index 5da7870..5247b99 100644 ') optional_policy(` -@@ -101,10 +321,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +326,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20780,7 +20789,7 @@ index 5da7870..5247b99 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +341,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +346,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20791,7 +20800,7 @@ index 5da7870..5247b99 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +353,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +358,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
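Review bot: `docker_stream_connect(staff_t)` and `docker_exec(staff_t)` are granted unconditionally, and write access to the Docker control socket is root-equivalent on the host (a container can be started with host mounts or extra privileges), so this removes the staff_t/unconfined distinction for any staff user who also passes DAC on the socket. Unless every staff user is meant to administer Docker, these two lines belong behind a boolean, e.g. `tunable_policy(`staff_use_docker',` … ')` with a matching `gen_tunable` and description, so the exposure is opt-in per host. If the rules are to stay unconditional, at least add a comment above them stating that staff_t is intended to drive Docker. The docker_* interfaces are defined outside this hunk, so whether `docker_exec` involves a transition is not visible here.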
@@ -20802,7 +20811,7 @@ index 5da7870..5247b99 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +384,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +389,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -24003,7 +24012,7 @@ index fe0c682..e8dcfa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..5a9d307 100644 +index 5fc0391..9f1c453 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3) @@ -24489,9 +24498,11 @@ index 5fc0391..5a9d307 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +501,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -322,7 +500,14 @@ auth_use_nsswitch(ssh_keygen_t) + logging_send_syslog_msg(ssh_keygen_t) ++userdom_home_manager(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +userdom_use_user_terminals(ssh_keygen_t) + @@ -24502,7 +24513,7 @@ index 5fc0391..5a9d307 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +515,140 @@ optional_policy(` +@@ -331,3 +516,141 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -24643,6 +24654,7 @@ index 5fc0391..5a9d307 100644 + xserver_use_xdm_fds(ssh_agent_type) + xserver_rw_xdm_pipes(ssh_agent_type) +') ++ diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index d1f64a0..7acda6c 100644 --- a/policy/modules/services/xserver.fc @@ -31605,7 +31617,7 @@ index 24e7804..2863546 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..98967f5 100644 +index dd3be8d..04c271c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
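Review bot: `userdom_home_manager(ssh_keygen_t)` gives the host-key generator a broad home-directory attribute, and nothing in the hunk records which denial it was added to satisfy; the adjacent rules only dontaudit user fds and allow user terminals. If the purpose is to let ssh-keygen, when it is entered as ssh_keygen_t from a user session, write keys under the home directory through the use_*_home_dirs tunables, a comment should say so, e.g. `# ssh-keygen writes into $HOME when run from a user session; home_manager covers the NFS/CIFS/fusefs tunables`, and a narrower interface should be preferred if plain user home content access is all it needs. The changelog calls this "proper calling" of the attribute, which suggests an earlier form of the grant existed; the interface itself lives in userdomain.if outside this hunk, so its exact permissions are not visible here.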
@@ -31767,7 +31779,7 @@ index dd3be8d..98967f5 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +201,22 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -31777,6 +31789,10 @@ index dd3be8d..98967f5 100644 corecmd_exec_bin(init_t) -dev_read_sysfs(init_t) ++corenet_all_recvfrom_netlabel(init_t) ++corenet_tcp_bind_all_ports(init_t) ++corenet_udp_bind_all_ports(init_t) ++ +dev_rw_sysfs(init_t) +dev_read_urand(init_t) +dev_read_raw_memory(init_t) @@ -31787,7 +31803,7 @@ index dd3be8d..98967f5 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +220,22 @@ domain_signal_all_domains(init_t) +@@ -139,14 +224,22 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -31810,7 +31826,7 @@ index dd3be8d..98967f5 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +245,53 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +249,53 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -31854,11 +31870,11 @@ index dd3be8d..98967f5 100644 seutil_read_config(init_t) +seutil_read_module_store(init_t) - --miscfiles_read_localization(init_t) ++ +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) -+ + +-miscfiles_read_localization(init_t) +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) @@ -31867,7 +31883,7 @@ index dd3be8d..98967f5 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +300,232 @@ ifdef(`distro_gentoo',` +@@ -186,29 +304,232 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
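Review bot: `corenet_tcp_bind_all_ports(init_t)` and `corenet_udp_bind_all_ports(init_t)` let the init domain listen on every labeled port, including reserved ones, and neither the hunk nor the changelog gives a reason. Presumably this is for systemd socket units, which bind the listening socket in init and hand it to the activated service; that should be recorded so the grant is not widened further later, e.g. `# systemd socket activation: init binds listening sockets on behalf of services`. If that is the reason, `corenet_all_recvfrom_netlabel(init_t)` deserves its own justification, since it is not obvious from here that init reads application traffic on those sockets. The init_t rule block continues before and after this hunk.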
@@ -31898,15 +31914,14 @@ index dd3be8d..98967f5 100644 + +optional_policy(` + chronyd_read_keys(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + kdump_read_crash(init_t) + kdump_read_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) +') @@ -32074,13 +32089,14 @@ index dd3be8d..98967f5 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + consolekit_manage_log(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -32088,18 +32104,18 @@ index dd3be8d..98967f5 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + networkmanager_stream_connect(init_t) +') + @@ -32109,7 +32125,7 @@ index dd3be8d..98967f5 100644 ') optional_policy(` -@@ -216,7 +533,30 @@ optional_policy(` +@@ -216,7 +537,30 @@ optional_policy(` ') optional_policy(` @@ -32140,7 +32156,7 @@ index dd3be8d..98967f5 100644 ') ######################################## -@@ -225,8 +565,9 @@ optional_policy(` +@@ -225,8 +569,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -32152,7 +32168,7 @@ index dd3be8d..98967f5 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +602,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -32169,7 +32185,7 @@ index dd3be8d..98967f5 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +627,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -32212,7 +32228,7 @@ index dd3be8d..98967f5 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +664,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -32224,7 +32240,7 @@ index dd3be8d..98967f5 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +672,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +676,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -32235,7 +32251,7 @@ index dd3be8d..98967f5 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +683,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +687,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -32245,7 +32261,7 @@ index dd3be8d..98967f5 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +692,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +696,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -32253,7 +32269,7 @@ index dd3be8d..98967f5 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +703,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -32261,7 +32277,7 @@ index dd3be8d..98967f5 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +707,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +711,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -32279,7 +32295,7 @@ index dd3be8d..98967f5 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +725,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +729,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -32293,7 +32309,7 @@ index dd3be8d..98967f5 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +740,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +744,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -32307,7 +32323,7 @@ index dd3be8d..98967f5 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +753,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +757,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -32315,7 +32331,7 @@ index dd3be8d..98967f5 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +765,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +769,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -32323,7 +32339,7 @@ index dd3be8d..98967f5 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +784,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +788,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -32347,7 +32363,7 @@ index dd3be8d..98967f5 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +817,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +821,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -32355,7 +32371,7 @@ index dd3be8d..98967f5 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +851,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +855,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -32366,7 +32382,7 @@ index dd3be8d..98967f5 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +875,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +879,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -32375,7 +32391,7 @@ index dd3be8d..98967f5 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +890,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +894,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -32383,7 +32399,7 @@ index dd3be8d..98967f5 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +911,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +915,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -32391,7 +32407,7 @@ index dd3be8d..98967f5 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +921,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +925,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -32436,7 +32452,7 @@ index dd3be8d..98967f5 100644 ') optional_policy(` -@@ -558,14 +966,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +970,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -32468,7 +32484,7 @@ index dd3be8d..98967f5 100644 ') ') -@@ -576,6 +1001,39 @@ ifdef(`distro_suse',` +@@ -576,6 +1005,39 @@ ifdef(`distro_suse',` ') ') @@ -32508,7 +32524,7 @@ index dd3be8d..98967f5 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1046,8 @@ optional_policy(` +@@ -588,6 +1050,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -32517,7 +32533,7 @@ index dd3be8d..98967f5 100644 ') optional_policy(` -@@ -609,6 +1069,7 @@ optional_policy(` +@@ -609,6 +1073,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -32525,7 +32541,7 @@ index dd3be8d..98967f5 100644 ') optional_policy(` -@@ -625,6 +1086,17 @@ optional_policy(` +@@ -625,6 +1090,17 @@ optional_policy(` ') optional_policy(` 
@@ -32543,7 +32559,7 @@ index dd3be8d..98967f5 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1113,13 @@ optional_policy(` +@@ -641,9 +1117,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -32557,7 +32573,7 @@ index dd3be8d..98967f5 100644 ') optional_policy(` -@@ -656,15 +1132,11 @@ optional_policy(` +@@ -656,15 +1136,11 @@ optional_policy(` ') optional_policy(` @@ -32575,7 +32591,7 @@ index dd3be8d..98967f5 100644 ') optional_policy(` -@@ -685,6 +1157,15 @@ optional_policy(` +@@ -685,6 +1161,15 @@ optional_policy(` ') optional_policy(` @@ -32591,7 +32607,7 @@ index dd3be8d..98967f5 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1206,7 @@ optional_policy(` +@@ -725,6 +1210,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -32599,7 +32615,7 @@ index dd3be8d..98967f5 100644 ') optional_policy(` -@@ -742,7 +1224,13 @@ optional_policy(` +@@ -742,7 +1228,13 @@ optional_policy(` ') optional_policy(` @@ -32614,7 +32630,7 @@ index dd3be8d..98967f5 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1253,10 @@ optional_policy(` +@@ -765,6 +1257,10 @@ optional_policy(` ') optional_policy(` @@ -32625,7 +32641,7 @@ index dd3be8d..98967f5 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1266,20 @@ optional_policy(` +@@ -774,10 +1270,20 @@ optional_policy(` ') optional_policy(` @@ -32646,7 +32662,7 @@ index dd3be8d..98967f5 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1288,10 @@ optional_policy(` +@@ -786,6 +1292,10 @@ optional_policy(` ') optional_policy(` @@ -32657,7 +32673,7 @@ index dd3be8d..98967f5 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1313,6 @@ optional_policy(` +@@ -807,8 +1317,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -32666,7 +32682,7 @@ index dd3be8d..98967f5 100644 ') optional_policy(` -@@ -817,6 +1321,10 @@ optional_policy(` +@@ -817,6 +1325,10 @@ optional_policy(` ') optional_policy(` @@ -32677,7 +32693,7 @@ index dd3be8d..98967f5 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1334,12 @@ optional_policy(` +@@ -826,10 +1338,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -32690,7 +32706,7 @@ index dd3be8d..98967f5 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1366,35 @@ optional_policy(` +@@ -856,12 +1370,35 @@ optional_policy(` ') optional_policy(` @@ -32727,7 +32743,7 @@ index dd3be8d..98967f5 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1404,18 @@ optional_policy(` +@@ -871,6 +1408,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -32746,7 +32762,7 @@ index dd3be8d..98967f5 100644 ') optional_policy(` -@@ -886,6 +1431,10 @@ optional_policy(` +@@ -886,6 +1435,10 @@ optional_policy(` ') optional_policy(` @@ -32757,7 +32773,7 @@ index dd3be8d..98967f5 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1445,218 @@ optional_policy(` +@@ -896,3 +1449,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -34246,7 +34262,7 @@ index 808ba93..57a68da 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 23a645e..52a8540 100644 +index 23a645e..5a985c8 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -34310,7 +34326,7 @@ index 23a645e..52a8540 100644 userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` -@@ -103,6 +109,12 @@ ifdef(`distro_ubuntu',` +@@ -103,6 +109,13 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -34319,11 +34335,12 @@ index 23a645e..52a8540 100644 +userdom_manage_user_home_content_files(ldconfig_t) +userdom_manage_user_tmp_files(ldconfig_t) +userdom_manage_user_tmp_symlinks(ldconfig_t) ++userdom_rw_inherited_user_tmp_pipes(ldconfig_t) + ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',` +@@ -114,6 +127,11 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -34335,7 +34352,7 @@ index 23a645e..52a8540 100644 optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +148,14 @@ optional_policy(` +@@ -131,6 +149,14 @@ optional_policy(` ') optional_policy(` @@ -34350,7 +34367,7 @@ index 23a645e..52a8540 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +166,3 @@ optional_policy(` +@@ -141,6 +167,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -36287,10 +36304,38 @@ index 9fe8e01..83acb32 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc3..416ac0f 100644 +index fc28bc3..faa2281 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if -@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` +@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` + + ######################################## + ## ++## Read all SSL certificates. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`miscfiles_manage_all_certs',` ++ gen_require(` ++ attribute cert_type; ++ ') ++ ++ allow $1 cert_type:dir list_dir_perms; ++ manage_files_pattern($1, cert_type, cert_type) ++ manage_lnk_files_pattern($1, cert_type, cert_type) ++') ++ ++######################################## ++## + ## Read generic SSL certificates. + ## + ## +@@ -106,6 +127,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` ######################################## ## 
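Review bot: The header comment on the new `miscfiles_manage_all_certs` interface says "Read all SSL certificates.", but the body grants `manage_files_pattern` and `manage_lnk_files_pattern` on every `cert_type`, i.e. create, write, rename and delete of all certificate files and links; the text was copied from `miscfiles_read_all_certs` just above and should read `## Create, read, write, and delete all SSL certificates.`. This matters because the changelog uses the interface to give certmonger write access over every cert_type, and anyone auditing the generated policy will rely on that description. The explicit `allow $1 cert_type:dir list_dir_perms;` appears to be subsumed by the directory permissions the manage pattern already grants, so it is harmless but could be dropped for clarity.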
@@ -36315,7 +36360,7 @@ index fc28bc3..416ac0f 100644 ## Manage generic SSL certificates. ## ## -@@ -156,6 +174,26 @@ interface(`miscfiles_manage_cert_dirs',` +@@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',` ######################################## ## @@ -36342,7 +36387,7 @@ index fc28bc3..416ac0f 100644 ## Manage SSL certificates. ## ## -@@ -434,6 +472,7 @@ interface(`miscfiles_rw_localization',` +@@ -434,6 +493,7 @@ interface(`miscfiles_rw_localization',` files_search_usr($1) allow $1 locale_t:dir list_dir_perms; rw_files_pattern($1, locale_t, locale_t) @@ -36350,7 +36395,7 @@ index fc28bc3..416ac0f 100644 ') ######################################## -@@ -453,6 +492,7 @@ interface(`miscfiles_relabel_localization',` +@@ -453,6 +513,7 @@ interface(`miscfiles_relabel_localization',` files_search_usr($1) relabel_files_pattern($1, locale_t, locale_t) @@ -36358,7 +36403,7 @@ index fc28bc3..416ac0f 100644 ') ######################################## -@@ -470,7 +510,6 @@ interface(`miscfiles_legacy_read_localization',` +@@ -470,7 +531,6 @@ interface(`miscfiles_legacy_read_localization',` type locale_t; ') @@ -36366,7 +36411,7 @@ index fc28bc3..416ac0f 100644 allow $1 locale_t:file execute; ') -@@ -531,6 +570,10 @@ interface(`miscfiles_read_man_pages',` +@@ -531,6 +591,10 @@ interface(`miscfiles_read_man_pages',` allow $1 { man_cache_t man_t }:dir list_dir_perms; read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) @@ -36377,7 +36422,7 @@ index fc28bc3..416ac0f 100644 ') ######################################## -@@ -554,6 +597,29 @@ interface(`miscfiles_delete_man_pages',` +@@ -554,6 +618,29 @@ interface(`miscfiles_delete_man_pages',` delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) 
@@ -36407,7 +36452,7 @@ index fc28bc3..416ac0f 100644 ') ######################################## -@@ -622,6 +688,30 @@ interface(`miscfiles_manage_man_cache',` +@@ -622,6 +709,30 @@ interface(`miscfiles_manage_man_cache',` ######################################## ## @@ -36438,7 +36483,7 @@ index fc28bc3..416ac0f 100644 ## Read public files used for file ## transfer services. ## -@@ -784,8 +874,11 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -784,8 +895,11 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') @@ -36452,7 +36497,7 @@ index fc28bc3..416ac0f 100644 ') ######################################## -@@ -809,3 +902,61 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +923,61 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -43806,7 +43851,7 @@ index db75976..4ca3a28 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..a7657fa 100644 +index 3c5dba7..79030dd 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -46064,7 +46109,35 @@ index 3c5dba7..a7657fa 100644 ## temporary symbolic links. ## ## -@@ -2664,6 +3333,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2569,6 +3238,27 @@ interface(`userdom_manage_user_tmp_symlinks',` + ## + ## + # ++interface(`userdom_rw_inherited_user_tmp_pipes',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ files_search_tmp($1) ++') ++ ++ ++######################################## ++## ++## Create, read, write, and delete user ++## temporary named pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# + interface(`userdom_manage_user_tmp_pipes',` + gen_require(` + type user_tmp_t; +@@ -2664,6 +3354,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -46090,7 +46163,7 @@ index 3c5dba7..a7657fa 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3368,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3389,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -46106,7 +46179,7 @@ index 3c5dba7..a7657fa 100644 ## ## ## -@@ -2707,7 +3396,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3417,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -46115,7 +46188,7 @@ index 3c5dba7..a7657fa 100644 ## ## ## -@@ -2715,14 +3404,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3425,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -46150,7 +46223,7 @@ index 3c5dba7..a7657fa 100644 ') ######################################## -@@ -2817,6 +3522,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3543,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
@@ -46175,7 +46248,7 @@ index 3c5dba7..a7657fa 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3558,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3579,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -46218,7 +46291,7 @@ index 3c5dba7..a7657fa 100644 ## ## ## -@@ -2859,14 +3594,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3615,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -46256,7 +46329,7 @@ index 3c5dba7..a7657fa 100644 ') ######################################## -@@ -2885,8 +3639,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3660,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -46286,7 +46359,7 @@ index 3c5dba7..a7657fa 100644 ') ######################################## -@@ -2958,69 +3731,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3752,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -46387,7 +46460,7 @@ index 3c5dba7..a7657fa 100644 ## ## ## -@@ -3028,12 +3800,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3821,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -46402,7 +46475,7 @@ index 3c5dba7..a7657fa 100644 ') ######################################## -@@ -3097,7 +3869,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3890,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -46411,7 +46484,7 @@ index 3c5dba7..a7657fa 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3885,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,16 +3906,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -46422,11 +46495,54 @@ index 3c5dba7..a7657fa 100644 files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Send signull to unprivileged user domains. ++## Send general signals to unprivileged user domains. + ## + ## + ## +@@ -3130,17 +3925,17 @@ interface(`userdom_search_user_home_content',` + ## + ## + # +-interface(`userdom_signull_unpriv_users',` ++interface(`userdom_signal_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + +- allow $1 unpriv_userdomain:process signull; ++ allow $1 unpriv_userdomain:process signal; + ') + + ######################################## + ## +-## Send general signals to unprivileged user domains. ++## Inherit the file descriptors from unprivileged user domains. + ## + ## + ## +@@ -3148,30 +3943,12 @@ interface(`userdom_signull_unpriv_users',` + ## + ## + # +-interface(`userdom_signal_unpriv_users',` ++interface(`userdom_use_unpriv_users_fds',` + gen_require(` + attribute unpriv_userdomain; + ') + +- allow $1 unpriv_userdomain:process signal; -') - -######################################## -## --## Send signull to unprivileged user domains. +-## Inherit the file descriptors from unprivileged user domains. -## -## -## 
@@ -46434,18 +46550,17 @@ index 3c5dba7..a7657fa 100644 -## -## -# --interface(`userdom_signull_unpriv_users',` +-interface(`userdom_use_unpriv_users_fds',` - gen_require(` - attribute unpriv_userdomain; - ') - -- allow $1 unpriv_userdomain:process signull; -+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; -+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; +- allow $1 unpriv_userdomain:fd use; ++ allow $1 unpriv_userdomain:fd use; ') ######################################## -@@ -3217,7 +3973,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3994,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -46472,7 +46587,7 @@ index 3c5dba7..a7657fa 100644 ') ######################################## -@@ -3272,7 +4046,83 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +4067,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -46557,7 +46672,7 @@ index 3c5dba7..a7657fa 100644 ') ######################################## -@@ -3290,7 +4140,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4161,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -46566,7 +46681,7 @@ index 3c5dba7..a7657fa 100644 ') ######################################## -@@ -3309,6 +4159,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4180,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -46574,7 +46689,7 @@ index 3c5dba7..a7657fa 100644 kernel_search_proc($1) ') -@@ -3385,6 +4236,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4257,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -46617,7 +46732,7 @@ index 3c5dba7..a7657fa 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4292,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4313,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -46642,7 +46757,7 @@ index 3c5dba7..a7657fa 100644 ## Create keys for all user domains. ## ## -@@ -3423,6 +4328,24 @@ interface(`userdom_create_all_users_keys',` +@@ -3423,6 +4349,24 @@ interface(`userdom_create_all_users_keys',` ######################################## ## @@ -46667,7 +46782,7 @@ index 3c5dba7..a7657fa 100644 ## Send a dbus message to all user domains. ## ## -@@ -3438,4 +4361,1661 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4382,1661 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -46817,7 +46932,7 @@ index 3c5dba7..a7657fa 100644 + + dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir list_dir_perms; -+') + ') + +######################################## +## @@ -46855,7 +46970,7 @@ index 3c5dba7..a7657fa 100644 + + allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir search_dir_perms; - ') ++') + +######################################## +## @@ -48330,7 +48445,7 @@ index 3c5dba7..a7657fa 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..0730c10 100644 +index e2b538b..4027ca7 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5) 
@@ -48419,7 +48534,7 @@ index e2b538b..0730c10 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,382 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -48528,6 +48643,7 @@ index e2b538b..0730c10 100644 + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(userdom_home_reader_certs_type) ++ fs_read_ecryptfs_symlinks(userdom_home_reader_certs_type) +') + +tunable_policy(`use_nfs_home_dirs',` @@ -48545,6 +48661,7 @@ index e2b538b..0730c10 100644 + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(userdom_home_reader_type) ++ fs_read_ecryptfs_symlinks(userdom_home_reader_type) +') + +tunable_policy(`use_nfs_home_dirs',` @@ -48569,7 +48686,9 @@ index e2b538b..0730c10 100644 +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_dirs(userdom_home_manager_type) + fs_manage_ecryptfs_files(userdom_home_manager_type) ++ fs_manage_ecryptfs_symlinks(userdom_home_manager_type) +') ++ +# vi /etc/mtab can cause an avc trying to relabel to self. +dontaudit userdomain self:file relabelto; + diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index ce16f17..f6fedab 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -9079,7 +9079,7 @@ index e73fb79..2badfc0 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index ac8c91e..80ecd7e 100644 +index ac8c91e..48a96b7 100644 --- a/bitlbee.te +++ b/bitlbee.te @@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) 
@@ -9097,15 +9097,17 @@ index ac8c91e..80ecd7e 100644 allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; allow bitlbee_t bitlbee_conf_t:file read_file_perms; -@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms; +@@ -45,7 +48,9 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms; manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) +read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) ++logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file }) manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) -@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) + manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) +@@ -59,8 +64,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) @@ -9115,7 +9117,17 @@ index ac8c91e..80ecd7e 100644 corenet_all_recvfrom_unlabeled(bitlbee_t) corenet_all_recvfrom_netlabel(bitlbee_t) -@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) +@@ -98,7 +103,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t) + + corenet_sendrecv_ircd_server_packets(bitlbee_t) + corenet_tcp_bind_ircd_port(bitlbee_t) ++corenet_tcp_bind_interwise_port(bitlbee_t) + corenet_sendrecv_ircd_client_packets(bitlbee_t) ++corenet_tcp_connect_interwise_port(bitlbee_t) + corenet_tcp_connect_ircd_port(bitlbee_t) + corenet_tcp_sendrecv_ircd_port(bitlbee_t) + +@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) @@ -10922,7 +10934,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') 
diff --git a/certmonger.te b/certmonger.te -index 2354e21..b2b0a2f 100644 +index 2354e21..9a5e1fd 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -10986,17 +10998,17 @@ index 2354e21..b2b0a2f 100644 fs_search_cgroup_dirs(certmonger_t) -@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t) +@@ -70,16 +84,17 @@ init_getattr_all_script_files(certmonger_t) logging_send_syslog_msg(certmonger_t) -miscfiles_read_localization(certmonger_t) - miscfiles_manage_generic_cert_files(certmonger_t) - -+systemd_exec_systemctl(certmonger_t) +-miscfiles_manage_generic_cert_files(certmonger_t) ++miscfiles_manage_all_certs(certmonger_t) + ++systemd_exec_systemctl(certmonger_t) + userdom_search_user_home_content(certmonger_t) -+userdom_manage_home_certs(certmonger_t) optional_policy(` - apache_initrc_domtrans(certmonger_t) @@ -11007,7 +11019,7 @@ index 2354e21..b2b0a2f 100644 ') optional_policy(` -@@ -92,11 +108,51 @@ optional_policy(` +@@ -92,11 +107,51 @@ optional_policy(` ') optional_policy(` @@ -13028,7 +13040,7 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 2a71346..3a38b11 100644 +index 2a71346..7755558 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) @@ -13089,7 +13101,7 @@ index 2a71346..3a38b11 100644 ') optional_policy(` -@@ -179,12 +183,22 @@ optional_policy(` +@@ -179,12 +183,26 @@ optional_policy(` optional_policy(` dhcpd_domtrans(cobblerd_t) dhcpd_initrc_domtrans(cobblerd_t) @@ -13104,6 +13116,10 @@ index 2a71346..3a38b11 100644 +') + +optional_policy(` ++ gnome_dontaudit_search_config(cobblerd_t) ++') ++ ++optional_policy(` + libs_exec_ldconfig(cobblerd_t) +') + 
@@ -13112,7 +13128,7 @@ index 2a71346..3a38b11 100644 ') optional_policy(` -@@ -192,13 +206,13 @@ optional_policy(` +@@ -192,13 +210,13 @@ optional_policy(` ') optional_policy(` @@ -18588,14 +18604,21 @@ index 06da9a0..c18145d 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..f3aaaed 100644 +index 9f34c2e..e694e2f 100644 --- a/cups.te +++ b/cups.te -@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) +@@ -5,19 +5,31 @@ policy_module(cups, 1.15.9) # Declarations # -type cupsd_config_t; ++## ++##

++## Allow cups execmem/execstack ++##

++##
++gen_tunable(cups_execmem, false) ++ +attribute cups_domain; + +type cupsd_config_t, cups_domain; @@ -18618,7 +18641,7 @@ index 9f34c2e..f3aaaed 100644 files_config_file(cupsd_etc_t) type cupsd_initrc_exec_t; -@@ -33,13 +38,15 @@ type cupsd_lock_t; +@@ -33,13 +45,15 @@ type cupsd_lock_t; files_lock_file(cupsd_lock_t) type cupsd_log_t; @@ -18638,7 +18661,7 @@ index 9f34c2e..f3aaaed 100644 type cupsd_lpd_tmp_t; files_tmp_file(cupsd_lpd_tmp_t) -@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t) +@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t) type cupsd_lpd_var_run_t; files_pid_file(cupsd_lpd_var_run_t) @@ -18647,7 +18670,7 @@ index 9f34c2e..f3aaaed 100644 type cups_pdf_exec_t; cups_backend(cups_pdf_t, cups_pdf_exec_t) -@@ -55,29 +62,17 @@ type cups_pdf_tmp_t; +@@ -55,29 +69,17 @@ type cups_pdf_tmp_t; files_tmp_file(cups_pdf_tmp_t) type cupsd_tmp_t; @@ -18681,7 +18704,7 @@ index 9f34c2e..f3aaaed 100644 type ptal_t; type ptal_exec_t; -@@ -97,21 +92,49 @@ ifdef(`enable_mls',` +@@ -97,21 +99,49 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) ') @@ -18735,7 +18758,7 @@ index 9f34c2e..f3aaaed 100644 allow cupsd_t self:appletalk_socket create_socket_perms; allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) 
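Review bot: The description of the new `cups_execmem` boolean, `Allow cups execmem/execstack`, only names the permissions; since enabling it (default `false`) grants both `execmem` and `execstack` to `cupsd_t`, the text should say what an administrator is switching on, e.g. `## Allow cupsd to map writable memory as executable (execmem) and to run with an executable stack (execstack).`, so that the trade-off is visible in setsebool/semanage listings. The `desc`/`p` wrapper lines of the block show up as empty lines in this view (L27, L29), presumably stripped by rendering; verify the block still follows the standard tunable layout in the patch.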
@@ -18746,10 +18769,11 @@ index 9f34c2e..f3aaaed 100644 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) +cups_filetrans_named_content(cupsd_t) ++can_exec(cupsd_t, cupsd_rw_etc_t) allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; -@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms; +@@ -133,28 +166,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms; files_lock_filetrans(cupsd_t, cupsd_lock_t, file) manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) @@ -18784,7 +18808,7 @@ index 9f34c2e..f3aaaed 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) @@ -18796,7 +18820,7 @@ index 9f34c2e..f3aaaed 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -189,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -18821,7 +18845,7 @@ index 9f34c2e..f3aaaed 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -206,7 +243,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) 
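Review bot: `can_exec(cupsd_t, cupsd_rw_etc_t)` lets cupsd execute files of a type it can also create and modify — the surrounding context lines `filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)` and `files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })` put cupsd-created files into that very type — so the daemon's writable-config set and its executable set are no longer disjoint. If this is needed only for particular drivers (the commit message cites Brother printers), consider gating it behind a tunable the way this same commit gates `execmem` with `cups_execmem`, or labelling the driver helpers with a dedicated executable type instead of widening `cupsd_rw_etc_t`. At minimum add a comment naming the reason, e.g. `# for Brother printer drivers`, so the next reader does not take the write+exec overlap for an oversight.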
@@ -18829,7 +18853,7 @@ index 9f34c2e..f3aaaed 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,17 +243,19 @@ files_read_world_readable_files(cupsd_t) +@@ -215,17 +251,19 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -18851,7 +18875,7 @@ index 9f34c2e..f3aaaed 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) -@@ -235,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -18860,7 +18884,7 @@ index 9f34c2e..f3aaaed 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -18886,8 +18910,15 @@ index 9f34c2e..f3aaaed 100644 +userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) ++tunable_policy(`cups_execmem',` ++ allow cupsd_t self:process { execmem execstack }; ++') ++ ++ optional_policy(` -@@ -275,6 +307,8 @@ optional_policy(` + apm_domtrans_client(cupsd_t) + ') +@@ -275,6 +320,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -18896,7 +18927,7 @@ index 9f34c2e..f3aaaed 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +319,10 @@ optional_policy(` +@@ -285,8 +332,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -18907,7 +18938,7 @@ index 9f34c2e..f3aaaed 100644 ') ') -@@ -299,8 +335,8 @@ optional_policy(` +@@ -299,8 +348,8 @@ optional_policy(` ') optional_policy(` 
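Review bot: The new `tunable_policy(`cups_execmem',` block appears to be followed by two added empty lines (`++`, `++`) before the existing `optional_policy(` context line, where the file otherwise separates blocks with one; drop one of them. A one-line comment above the block stating why cupsd needs `execmem execstack` under this boolean would also help, since the rule is the only place the boolean takes effect.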
@@ -18917,7 +18948,7 @@ index 9f34c2e..f3aaaed 100644 ') optional_policy(` -@@ -309,7 +345,6 @@ optional_policy(` +@@ -309,7 +358,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -18925,7 +18956,7 @@ index 9f34c2e..f3aaaed 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +372,11 @@ optional_policy(` +@@ -337,7 +385,11 @@ optional_policy(` ') optional_policy(` @@ -18938,7 +18969,7 @@ index 9f34c2e..f3aaaed 100644 ') ######################################## -@@ -345,12 +384,11 @@ optional_policy(` +@@ -345,12 +397,11 @@ optional_policy(` # Configuration daemon local policy # @@ -18954,7 +18985,7 @@ index 9f34c2e..f3aaaed 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -18975,7 +19006,7 @@ index 9f34c2e..f3aaaed 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -18996,7 +19027,7 @@ index 9f34c2e..f3aaaed 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) 
@@ -19008,7 +19039,7 @@ index 9f34c2e..f3aaaed 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +475,12 @@ optional_policy(` +@@ -452,9 +488,12 @@ optional_policy(` ') optional_policy(` @@ -19022,7 +19053,7 @@ index 9f34c2e..f3aaaed 100644 ') optional_policy(` -@@ -490,10 +516,6 @@ optional_policy(` +@@ -490,10 +529,6 @@ optional_policy(` # Lpd local policy # @@ -19033,7 +19064,7 @@ index 9f34c2e..f3aaaed 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +533,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +546,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -19067,7 +19098,7 @@ index 9f34c2e..f3aaaed 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +560,6 @@ optional_policy(` +@@ -546,7 +573,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -19075,7 +19106,7 @@ index 9f34c2e..f3aaaed 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +575,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +588,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -19104,13 +19135,11 @@ index 9f34c2e..f3aaaed 100644 - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') -+userdom_home_manager(cups_pdf_t) - - optional_policy(` +- +-optional_policy(` - lpd_manage_spool(cups_pdf_t) -+ gnome_read_config(cups_pdf_t) - ') - +-') +- -######################################## -# -# HPLIP local policy 
@@ -19199,15 +19228,17 @@ index 9f34c2e..f3aaaed 100644 -userdom_dontaudit_use_unpriv_user_fds(hplip_t) -userdom_dontaudit_search_user_home_dirs(hplip_t) -userdom_dontaudit_search_user_home_content(hplip_t) -- --optional_policy(` ++userdom_home_manager(cups_pdf_t) + + optional_policy(` - dbus_system_bus_client(hplip_t) - - optional_policy(` - userdom_dbus_send_all_users(hplip_t) - ') --') -- ++ gnome_read_config(cups_pdf_t) + ') + -optional_policy(` - lpd_read_config(hplip_t) - lpd_manage_spool(hplip_t) @@ -19227,7 +19258,7 @@ index 9f34c2e..f3aaaed 100644 ######################################## # -@@ -731,7 +619,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +632,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -19235,7 +19266,7 @@ index 9f34c2e..f3aaaed 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +628,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +641,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -19249,7 +19280,7 @@ index 9f34c2e..f3aaaed 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +640,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +653,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -19258,7 +19289,7 @@ index 9f34c2e..f3aaaed 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -769,3 +652,4 @@ optional_policy(` +@@ -769,3 +665,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -23542,10 +23573,10 @@ index 0000000..1c4ac02 +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..66fe66d +index 0000000..683dfdc --- /dev/null 
+++ b/docker.if -@@ -0,0 +1,344 @@ +@@ -0,0 +1,363 @@ + +## The open-source application container engine. + @@ -23570,6 +23601,25 @@ index 0000000..66fe66d + +######################################## +## ++## Execute docker in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`docker_exec',` ++ gen_require(` ++ type docker_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, docker_exec_t) ++') ++ ++######################################## ++## +## Search docker lib directories. +## +## @@ -36641,10 +36691,10 @@ index 0000000..0d61849 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..535f79b +index 0000000..2c08717 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,47 @@ +@@ -0,0 +1,55 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -36680,6 +36730,11 @@ index 0000000..535f79b +kernel_read_system_state(keepalived_t) +kernel_read_network_state(keepalived_t) + ++corecmd_exec_bin(keepalived_t) ++corecmd_exec_shell(keepalived_t) ++ ++corenet_tcp_connect_snmp_port(keepalived_t) ++ +auth_use_nsswitch(keepalived_t) + +corenet_tcp_connect_connlcli_port(keepalived_t) @@ -36692,6 +36747,9 @@ index 0000000..535f79b + +logging_send_syslog_msg(keepalived_t) + ++optional_policy(` ++ snmp_read_snmp_var_lib_files(keepalived_t) ++') diff --git a/kerberos.fc b/kerberos.fc index 4fe75fd..b029c28 100644 --- a/kerberos.fc @@ -38175,7 +38233,7 @@ index d3e7fc9..f20248c 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 3494d9b..e1fd252 100644 +index 3494d9b..477d7b6 100644 --- a/keystone.te +++ b/keystone.te @@ -21,10 +21,14 @@ files_type(keystone_var_lib_t) 
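Review bot: The parameter description of the new `docker_exec` interface says `Domain allowed to transition.`, but the body only does `corecmd_search_bin($1)` and `can_exec($1, docker_exec_t)` — docker runs in the caller's domain and no transition is defined. Change the line to `## Domain allowed access.`, the wording used for the same kind of parameter in the userdomain.if hunks of this patch, so callers do not expect a domain transition the rules do not provide.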
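Review bot: In keepalived.te the new `corenet_tcp_connect_snmp_port(keepalived_t)` is placed between the `corecmd_exec_*` lines and `auth_use_nsswitch(keepalived_t)`, while the existing `corenet_tcp_connect_connlcli_port(keepalived_t)` sits after `auth_use_nsswitch`; keep the two `corenet_tcp_connect_*` calls together so the network grants of the domain can be read in one place. The `corecmd_exec_bin`/`corecmd_exec_shell` pair deserves a short comment naming what keepalived runs (the notify/check scripts, presumably), since together they let the daemon run any binary on the system.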
@@ -38193,12 +38251,15 @@ index 3494d9b..e1fd252 100644 allow keystone_t self:fifo_file rw_fifo_file_perms; allow keystone_t self:unix_stream_socket { accept listen }; -@@ -57,20 +61,33 @@ corenet_all_recvfrom_netlabel(keystone_t) +@@ -57,20 +61,36 @@ corenet_all_recvfrom_netlabel(keystone_t) corenet_tcp_sendrecv_generic_if(keystone_t) corenet_tcp_sendrecv_generic_node(keystone_t) corenet_tcp_bind_generic_node(keystone_t) +corenet_tcp_connect_mysqld_port(keystone_t) +corenet_tcp_connect_ldap_port(keystone_t) ++corenet_tcp_connect_keystone_port(keystone_t) ++corenet_tcp_connect_amqp_port(keystone_t) ++corenet_tcp_connect_osapi_compute_port(keystone_t) corenet_sendrecv_commplex_main_server_packets(keystone_t) corenet_tcp_bind_commplex_main_port(keystone_t) @@ -39857,7 +39918,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..17ea89c 100644 +index 7bab8e5..5fef0a4 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,26 @@ @@ -40072,7 +40133,7 @@ index 7bab8e5..17ea89c 100644 ') optional_policy(` -@@ -170,6 +203,10 @@ optional_policy(` +@@ -170,6 +203,11 @@ optional_policy(` ') optional_policy(` @@ -40080,10 +40141,11 @@ index 7bab8e5..17ea89c 100644 +') + +optional_policy(` ++ fail2ban_domtrans_client(logrotate_t) fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +215,7 @@ optional_policy(` +@@ -178,7 +216,7 @@ optional_policy(` ') optional_policy(` @@ -40092,7 +40154,7 @@ index 7bab8e5..17ea89c 100644 ') optional_policy(` -@@ -198,21 +235,26 @@ optional_policy(` +@@ -198,21 +236,26 @@ optional_policy(` ') optional_policy(` @@ -40123,7 +40185,7 @@ index 7bab8e5..17ea89c 100644 ') optional_policy(` -@@ -228,10 +270,21 @@ optional_policy(` +@@ -228,10 +271,21 @@ optional_policy(` ') optional_policy(` @@ -40145,7 +40207,7 @@ index 7bab8e5..17ea89c 100644 su_exec(logrotate_t) ') -@@ -241,13 +294,11 @@ optional_policy(` +@@ -241,13 +295,11 @@ optional_policy(` ####################################### # 
@@ -44424,7 +44486,7 @@ index 6ffaba2..ab66d2f 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..cafb2b0 100644 +index 6194b80..7490fe3 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -44710,7 +44772,7 @@ index 6194b80..cafb2b0 100644 ## ## ## -@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',` +@@ -265,140 +173,156 @@ interface(`mozilla_exec_user_plugin_home_files',` ## # interface(`mozilla_execmod_user_home_files',` @@ -44814,7 +44876,8 @@ index 6194b80..cafb2b0 100644 + allow $1 mozilla_plugin_t:shm rw_shm_perms; + + ps_process_pattern($1, mozilla_plugin_t) -+ allow $1 mozilla_plugin_t:process signal_perms; ++ ps_process_pattern(mozilla_plugin_t, $1) ++ allow $1 mozilla_plugin_t:process { signal_perms noatsecure }; + + list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) @@ -44926,7 +44989,7 @@ index 6194b80..cafb2b0 100644 ') ######################################## -@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +348,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -44936,7 +44999,7 @@ index 6194b80..cafb2b0 100644 ## ## ## -@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +356,144 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -45110,7 +45173,7 @@ index 6194b80..cafb2b0 100644 ## ## ## -@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +501,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -45135,7 +45198,7 @@ index 6194b80..cafb2b0 100644 ##
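Review bot: The added `allow $1 mozilla_plugin_t:process { signal_perms noatsecure };` grants `noatsecure`, which disables secure-execution mode on the transition into mozilla_plugin_t (the dynamic loader then no longer sanitises the inherited environment), and the hunk gives no reason for it; add a comment above the line, e.g. `# noatsecure: <reason the plugin needs the caller's environment preserved across the transition>`. The reverse `ps_process_pattern(mozilla_plugin_t, $1)` is also new and lets the plugin read the caller's /proc state; if only the existing forward direction was intended, drop it, otherwise say why the plugin needs it. The enclosing interface starts outside the hunk.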
## ## -@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +520,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -48779,7 +48842,7 @@ index b744fe3..17e2514 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..e53abbb 100644 +index 97370e4..dac7323 100644 --- a/munin.te +++ b/munin.te @@ -37,44 +37,47 @@ munin_plugin_template(disk) @@ -49015,7 +49078,7 @@ index 97370e4..e53abbb 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -413,3 +430,31 @@ optional_policy(` +@@ -413,3 +430,32 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -49033,12 +49096,13 @@ index 97370e4..e53abbb 100644 + +manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t) +manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t) ++files_tmp_filetrans(httpd_munin_script_t, httpd_munin_script_tmp_t, { dir file }) + +read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) ++list_dirs_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) +read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) + -+read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) -+append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) ++manage_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) + +files_search_var_lib(httpd_munin_script_t) + @@ -66112,7 +66176,7 @@ index 2e23946..d8a163f 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..cd766c0 100644 +index 191a66f..c6cf897 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ 
@@ -66294,8 +66358,9 @@ index 191a66f..cd766c0 100644 -######################################## -# -# Common postfix user domain local policy --# -- ++# Postfix master process local policy + # + -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) @@ -66303,9 +66368,8 @@ index 191a66f..cd766c0 100644 -######################################## -# -# Master local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; @@ -66911,7 +66975,7 @@ index 191a66f..cd766c0 100644 ') optional_policy(` -@@ -720,29 +658,30 @@ optional_policy(` +@@ -720,28 +658,28 @@ optional_policy(` ######################################## # @@ -66939,18 +67003,17 @@ index 191a66f..cd766c0 100644 - corecmd_exec_bin(postfix_smtpd_t) +-fs_getattr_all_dirs(postfix_smtpd_t) +-fs_getattr_all_fs(postfix_smtpd_t) +# for OpenSSL certificates -+ -+# postfix checks the size of all mounted file systems - fs_getattr_all_dirs(postfix_smtpd_t) - fs_getattr_all_fs(postfix_smtpd_t) -mta_read_aliases(postfix_smtpd_t) -- ++# postfix checks the size of all mounted file systems ++fs_getattr_all_dirs(postfix_smtpd_t) + optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) - dovecot_stream_connect(postfix_smtpd_t) -@@ -754,6 +693,7 @@ optional_policy(` +@@ -754,6 +692,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -66958,7 +67021,7 @@ index 191a66f..cd766c0 100644 ') optional_policy(` -@@ -764,31 +704,99 @@ optional_policy(` +@@ -764,31 +703,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') 
@@ -67035,7 +67098,7 @@ index 191a66f..cd766c0 100644 +dev_read_urand(postfix_domain) + +fs_search_auto_mountpoints(postfix_domain) -+fs_getattr_xattr_fs(postfix_domain) ++fs_getattr_all_fs(postfix_domain) +fs_rw_anon_inodefs_files(postfix_domain) + +term_dontaudit_use_console(postfix_domain) @@ -73856,10 +73919,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..a7b42e6 100644 +index 769d1fd..5c8b3c0 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,144 @@ +@@ -1,96 +1,145 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) @@ -73938,6 +74001,7 @@ index 769d1fd..a7b42e6 100644 -logging_log_filetrans(quantum_t, quantum_log_t, dir) +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) ++manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) @@ -74506,7 +74570,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..9fb98a1 100644 +index 3698b51..12f5c46 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -74519,7 +74583,7 @@ index 3698b51..9fb98a1 100644 type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t) +@@ -30,64 +33,107 @@ files_pid_file(rabbitmq_var_run_t) # Beam local policy # 
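Review bot: `manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)` in the `@@ -73938,6 +74001,7 @@` hunk grants socket-file management, but the transition rule directly below it, `files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)`, still names only `dir`; a socket created straight under /var/lib rather than inside a directory already labelled neutron_var_lib_t would get the generic label and the new rule would not apply to it. If that is where the socket lands, the line should become `files_var_lib_filetrans(neutron_t, neutron_var_lib_t, { dir sock_file })`; if it is always created below the labelled directory, a short comment saying so saves the next reader the question. The neutron_t block continues past the hunk.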
@@ -74528,14 +74592,17 @@ index 3698b51..9fb98a1 100644 allow rabbitmq_beam_t self:process { setsched signal signull }; allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_beam_t self:tcp_socket { accept listen }; -@@ -38,56 +43,94 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) + + manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) ++files_var_lib_filetrans(rabbitmq_beam_t, rabbitmq_var_lib_t, { dir file }) manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++logging_log_filetrans(rabbitmq_beam_t, rabbitmq_var_log_t, { dir file }) + +manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) +manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) @@ -74543,9 +74610,10 @@ index 3698b51..9fb98a1 100644 manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) - -+ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t) ++files_pid_filetrans(rabbitmq_beam_t, rabbitmq_var_run_t, { dir file }) + ++ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t) + can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) 
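Review bot: The new `files_var_lib_filetrans(rabbitmq_beam_t, rabbitmq_var_lib_t, { dir file })` and `logging_log_filetrans(rabbitmq_beam_t, rabbitmq_var_log_t, { dir file })` in this hunk, and `files_pid_filetrans(rabbitmq_beam_t, rabbitmq_var_run_t, { dir file })` in the following `@@ -74543,9 +74610,10 @@` hunk, give every type rabbitmq_beam_t manages a name transition except rabbitmq_var_lock_t, whose `manage_dirs_pattern`/`manage_files_pattern` lines sit between them with no `files_lock_filetrans`. If the beam process creates its lock file directly in /var/lock it will carry the generic lock label and fall outside the rules added here; `files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, { dir file })` would close that gap, or a comment can record that the lock file is only created under an already-labelled directory. The rabbitmq_beam_t section continues past the hunk.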
@@ -74633,7 +74701,7 @@ index 3698b51..9fb98a1 100644 corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) -@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +145,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -79800,10 +79868,20 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 1cedd70..87038e7 100644 +index 1cedd70..7dc8f6e 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te -@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) +@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) + type rhsmcertd_lock_t; + files_lock_file(rhsmcertd_lock_t) + ++type rhsmcertd_tmp_t; ++files_tmp_file(rhsmcertd_tmp_t) ++ + type rhsmcertd_var_lib_t; + files_type(rhsmcertd_var_lib_t) + +@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t) # allow rhsmcertd_t self:capability sys_nice; @@ -79821,7 +79899,15 @@ index 1cedd70..87038e7 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -51,22 +50,48 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) + ++manage_dirs_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t) ++manage_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t) ++files_tmp_filetrans(rhsmcertd_t, rhsmcertd_tmp_t, { dir file }) ++ + manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) + manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) + +@@ -51,22 +57,51 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) 
@@ -79844,13 +79930,16 @@ index 1cedd70..87038e7 100644 -files_read_usr_files(rhsmcertd_t) +files_manage_generic_locks(rhsmcertd_t) +files_manage_system_conf_files(rhsmcertd_t) ++files_create_boot_flag(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) -+ -+init_read_state(rhsmcertd_t) -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) ++libs_exec_ldconfig(rhsmcertd_t) ++ ++init_read_state(rhsmcertd_t) ++ +logging_send_syslog_msg(rhsmcertd_t) + +miscfiles_manage_cert_files(rhsmcertd_t) @@ -90298,7 +90387,7 @@ index 7880d1f..8804935 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te -index ba26427..669d253 100644 +index ba26427..5149419 100644 --- a/slocate.te +++ b/slocate.te @@ -18,7 +18,7 @@ files_type(locate_var_lib_t) @@ -90310,7 +90399,15 @@ index ba26427..669d253 100644 allow locate_t self:fifo_file rw_fifo_file_perms; allow locate_t self:unix_stream_socket create_socket_perms; -@@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t) +@@ -35,6 +35,7 @@ dev_getattr_all_blk_files(locate_t) + dev_getattr_all_chr_files(locate_t) + + files_list_all(locate_t) ++files_list_isid_type_dirs(locate_t) + files_dontaudit_read_all_symlinks(locate_t) + files_getattr_all_files(locate_t) + files_getattr_all_pipes(locate_t) +@@ -53,7 +54,6 @@ fs_read_noxattr_fs_symlinks(locate_t) auth_use_nsswitch(locate_t) @@ -90318,7 +90415,7 @@ index ba26427..669d253 100644 ifdef(`enable_mls',` files_dontaudit_getattr_all_dirs(locate_t) -@@ -62,3 +61,8 @@ ifdef(`enable_mls',` +@@ -62,3 +62,8 @@ ifdef(`enable_mls',` optional_policy(` cron_system_entry(locate_t, locate_exec_t) ') @@ -97335,10 +97432,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..0e30ce2 +index 0000000..7f7e7ff --- /dev/null +++ b/thumb.te -@@ -0,0 +1,157 @@ +@@ -0,0 +1,159 @@ +policy_module(thumb, 1.0.0) + +######################################## 
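Review bot: `files_create_boot_flag(rhsmcertd_t)` and `libs_exec_ldconfig(rhsmcertd_t)` are added without any comment, and the changelog entry only says the daemon "seems to need these accesses". Creating a boot flag is a write into the root directory that changes what happens at the next boot (the refpolicy interface is the one documented for flags such as /.autorelabel), so the reason belongs next to the rule, e.g. `# creates <flag file> in / when <condition> -- see <bug id>` above the line, with the real file and trigger filled in; the same applies to why a certificate daemon needs to execute ldconfig. If either access is only hit on a rare path, a narrower interface or a dontaudit may be preferable, but that cannot be judged from the hunk alone. The rhsmcertd_t block continues outside the hunk.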
@@ -97409,6 +97506,8 @@ index 0000000..0e30ce2 +corecmd_exec_bin(thumb_t) +corecmd_exec_shell(thumb_t) + ++corenet_tcp_connect_xserver_port(thumb_t) ++ +dev_read_sysfs(thumb_t) +dev_read_urand(thumb_t) +dev_dontaudit_rw_dri(thumb_t) @@ -99817,7 +99916,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..a58e2dd 100644 +index 9d4d8cb..8cade37 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; @@ -99842,22 +99941,22 @@ index 9d4d8cb..a58e2dd 100644 # -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; -+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown }; ++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner }; dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; allow varnishd_t self:fifo_file rw_fifo_file_perms; allow varnishd_t self:tcp_socket { accept listen }; -@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t) +@@ -103,15 +103,13 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t) dev_read_urand(varnishd_t) -files_read_usr_files(varnishd_t) - +- fs_getattr_all_fs(varnishd_t) -@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t) + auth_use_nsswitch(varnishd_t) logging_send_syslog_msg(varnishd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 0511c76..8b33711 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 166%{?dist} +Release: 167%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
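Review bot: `corenet_tcp_connect_xserver_port(thumb_t)` is granted unconditionally, although the changelog scopes the need to running the thumbnailer through an ssh tunnel. thumb_t is the domain that parses untrusted image and media files, so a permanent outbound TCP connect to the X server port widens what a compromised thumbnailer can reach on every system, not only tunnelled ones; wrapping the line in a `tunable_policy(`<boolean_name>`, ...)` block, with the boolean declared through `gen_tunable` and defaulting to false, keeps the default policy tight, or at minimum a comment `# only needed when DISPLAY points at an ssh-forwarded X port` should record why the rule exists. The thumb_t block continues outside the hunk.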
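Review bot: In the varnishd `@@ -99842,22 +99941,22 @@` hunk, adding `fowner` to `allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner };` comes with no comment saying which operation needs it; CAP_FOWNER lets the daemon bypass owner checks (chmod, utime, ACL changes, unlink in sticky directories) on any file it already has type access to, so the reason should be recorded inline, e.g. `# fowner: <operation> on <path> -- see <bug id>` above the allow line. If it is only needed together with the existing `chown` for fixing up its own working directory, saying so makes the pair easy to audit later. The varnishd_t block continues outside the hunk.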
@@ -579,6 +579,35 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jun 09 2014 Lukas Vrabec 3.12.1-167 +- Allow keystone to connect to additional ports to make OpenStack working +- Allow thumb_t to connect to the xserver port when you are runnin it via an ssh tunnel +- Allow certmonger to manage all certs +- rhsmcertd seems to need these accesses. +- Add cups_execmem boolean +- Allow cups to execute its rw_etc_t files, for brothers printers +- Need these privs inorder to watch videon +- Allow locate to list directories without labels +- Allow staff_t to communicate and run docker +- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dir +- Allow bitlbee to use tcp/7778 port +- /etc/cron.daily/logrotate to execute fail2ban-client. +- Allow keepalives to connect to SNMP port. Support to do SNMP stuff +- Allow also fowner cap for varnishd +- Allow keepalived to execute bin_t/shell_exec_t +- Fix bitlbee policy +- Fix rabbitmq.te +- Fix labels on rabbitmq_var_run_t on file/dir creation +- Allow neutron to create sock files +- Allow postfix domains to getattr on all file systems +- Add fixes for squid which is configured to run with more than one worker. +- Allow certmonger to manage all certs +- Fix *_ecryptfs_home_dirs booleans +- Fix typoes in userdomain.if and libraries.te +- Allow ldconfig_t to read/write inherited user tmp pipes +- Use proper calling in ssh.te for userdom_home_manager attribute +- Fix decl for cockip port + * Wed May 21 2014 Miroslav Grepl 3.12.1-166 - Allow cockpit to bind to its port - Add fixes for squid which is configured to run with more than one worker.