From 184f70428bdc913d40b7001a7be88536be935dfe Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 08 2012 12:54:14 +0000 Subject: - Allow collectd to read virt config - Allow collectd setsched - Add support for /usr/sbin/mdm* - Fix java binaries labels when installed under /usr/lib/jvm/java - Add labeling for /var/run/mdm - Allow apps that can read net_conf_t files read symlinks - Allow all domains that can search or read tmp_t, able to read a tmp_t link - Dontaudit mozilla_plugin looking at xdm_tmp_t - Looks like collectd needs to change it scheduling priority - Allow uux_t to access nsswitch data - New labeling for samba, pid dirs moved to subdirs of samba - Allow nova_api to use nsswitch - Allow mozilla_plugin to execute files labeled as lib_t - Label content under HOME_DIR/zimbrauserdata as mozilla_home date - abrt is fooled into reading mozilla_plugin content, we want to dontaudit - Allow mozilla_plugin to connect to ircd ports since a plugin might be a irc chat window - Allow winbind to create content in smbd_var_run_t directories - Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it - Support libvirt plugin for collectd --- diff --git a/policy-F16.patch b/policy-F16.patch index 221a418..6034671 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -62658,7 +62658,7 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..968fdbe 100644 +index 441cf22..b599f68 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto; 
@@ -62941,18 +62941,6 @@ index 441cf22..968fdbe 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -531,6 +547,11 @@ optional_policy(` - ') - - optional_policy(` -+ rpc_list_nfs_state_data(useradd_t) -+ rpc_read_nfs_state_data(useradd_t) -+') -+ -+optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(useradd_t) - ') diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index ebf4b26..b58c822 100644 --- a/policy/modules/admin/vpn.te @@ -66828,10 +66816,10 @@ index dff0f12..ecab36d 100644 init_dbus_chat_script(mono_t) diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc -index 93ac529..6e03a8c 100644 +index 93ac529..82f8e65 100644 --- a/policy/modules/apps/mozilla.fc +++ b/policy/modules/apps/mozilla.fc -@@ -1,8 +1,16 @@ +@@ -1,8 +1,17 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -66845,10 +66833,11 @@ index 93ac529..6e03a8c 100644 +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /bin -@@ -14,16 +22,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +@@ -14,16 +23,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) @@ -67137,7 +67126,7 @@ index fbb5c5a..ce9aee0 100644 ') + 
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..c5f9431 100644 +index 2e9318b..3a09bbc 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3) @@ -67185,7 +67174,7 @@ index 2e9318b..c5f9431 100644 type mozilla_tmp_t; files_tmp_file(mozilla_tmp_t) ubac_constrained(mozilla_tmp_t) -@@ -111,7 +128,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t) +@@ -111,12 +128,15 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) corenet_tcp_sendrecv_squid_port(mozilla_t) @@ -67195,16 +67184,24 @@ index 2e9318b..c5f9431 100644 corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) corenet_tcp_connect_http_cache_port(mozilla_t) -@@ -156,6 +175,8 @@ fs_rw_tmpfs_files(mozilla_t) + corenet_tcp_connect_squid_port(mozilla_t) + corenet_tcp_connect_ftp_port(mozilla_t) ++corenet_tcp_connect_ircd_port(mozilla_plugin_t) + corenet_tcp_connect_ipp_port(mozilla_t) + corenet_tcp_connect_generic_port(mozilla_t) + corenet_tcp_connect_soundd_port(mozilla_t) +@@ -156,6 +176,10 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) +auth_use_nsswitch(mozilla_t) + ++libs_exec_lib_files(mozilla_plugin_t) ++ logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -@@ -165,27 +186,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) +@@ -165,27 +189,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) @@ -67238,7 +67235,7 @@ index 2e9318b..c5f9431 100644 # Uploads, local html tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -@@ -262,6 +277,7 @@ optional_policy(` +@@ -262,6 +280,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) 
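Review bot: `libs_exec_lib_files(mozilla_plugin_t)` in this hunk lets the plugin domain execute every file labeled lib_t, which is a broad grant for a sandboxed plugin that already has corecmd_exec_bin and can_exec on mozilla_exec_t, and neither the rule nor the commit description names the plugin that needs it. If the need is real, record it at the rule, e.g. `# plugins shipping helpers under lib_t paths; see commit 184f7042`, and consider gating it behind a boolean rather than granting it unconditionally. Both this line and `corenet_tcp_connect_ircd_port(mozilla_plugin_t)` are inserted among the mozilla_t rules rather than under the `# mozilla_plugin local policy` header further down, which makes the plugin's privilege set harder to audit; move them there. The mozilla_t section these lines land in starts and ends outside the hunk.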
@@ -67246,7 +67243,7 @@ index 2e9318b..c5f9431 100644 ') optional_policy(` -@@ -278,10 +294,6 @@ optional_policy(` +@@ -278,10 +297,6 @@ optional_policy(` ') optional_policy(` @@ -67257,7 +67254,7 @@ index 2e9318b..c5f9431 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -296,25 +308,34 @@ optional_policy(` +@@ -296,25 +311,34 @@ optional_policy(` # mozilla_plugin local policy # @@ -67300,7 +67297,7 @@ index 2e9318b..c5f9431 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -322,6 +343,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug +@@ -322,6 +346,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -67311,7 +67308,7 @@ index 2e9318b..c5f9431 100644 can_exec(mozilla_plugin_t, mozilla_exec_t) kernel_read_kernel_sysctls(mozilla_plugin_t) -@@ -331,22 +356,31 @@ kernel_request_load_module(mozilla_plugin_t) +@@ -331,22 +359,31 @@ kernel_request_load_module(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -67349,7 +67346,7 @@ index 2e9318b..c5f9431 100644 dev_read_video_dev(mozilla_plugin_t) dev_write_video_dev(mozilla_plugin_t) dev_read_sysfs(mozilla_plugin_t) -@@ -355,6 +389,7 @@ dev_write_sound(mozilla_plugin_t) +@@ -355,6 +392,7 @@ dev_write_sound(mozilla_plugin_t) # for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) dev_dontaudit_rw_dri(mozilla_plugin_t) 
@@ -67357,7 +67354,7 @@ index 2e9318b..c5f9431 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -362,11 +397,14 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -362,11 +400,14 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -67372,7 +67369,7 @@ index 2e9318b..c5f9431 100644 application_dontaudit_signull(mozilla_plugin_t) auth_use_nsswitch(mozilla_plugin_t) -@@ -383,35 +421,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t) +@@ -383,35 +424,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t) term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) @@ -67419,7 +67416,7 @@ index 2e9318b..c5f9431 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -421,11 +450,19 @@ optional_policy(` +@@ -421,11 +453,19 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -67439,7 +67436,7 @@ index 2e9318b..c5f9431 100644 ') optional_policy(` -@@ -438,18 +475,103 @@ optional_policy(` +@@ -438,18 +478,105 @@ optional_policy(` ') optional_policy(` @@ -67460,13 +67457,15 @@ index 2e9318b..c5f9431 100644 + +optional_policy(` + rtkit_scheduled(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ udev_read_db(mozilla_plugin_t) ') optional_policy(` ++ udev_read_db(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) ++ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) xserver_read_xdm_pid(mozilla_plugin_t) xserver_stream_connect(mozilla_plugin_t) xserver_use_user_fonts(mozilla_plugin_t) @@ -71295,10 +71294,10 @@ index 0000000..9127cec +') diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..5a84da4 +index 0000000..04711c6 
--- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,104 @@ +@@ -0,0 +1,103 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -71361,7 +71360,6 @@ index 0000000..5a84da4 +dev_read_sysfs(thumb_t) +dev_read_urand(thumb_t) +dev_dontaudit_rw_dri(thumb_t) -+dev_rw_xserver_misc(thumb_t) + +domain_use_interactive_fds(thumb_t) + @@ -72120,7 +72118,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..f55e193 100644 +index 3fae11a..4172347 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -72209,7 +72207,7 @@ index 3fae11a..f55e193 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,67 +184,93 @@ ifdef(`distro_gentoo',` +@@ -179,67 +184,94 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -72244,6 +72242,7 @@ index 3fae11a..f55e193 100644 /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0) +/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -72348,7 +72347,7 @@ index 3fae11a..f55e193 100644 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -247,11 +278,18 @@ ifdef(`distro_gentoo',` +@@ -247,11 +279,18 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
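Review bot: The new `/usr/lib/jvm/java(.*/)bin(/.*)` entry in the corecommands.fc hunk differs from every neighbouring rule in that its groups are not optional, so it does not match the `bin` directory entry itself and requires a slash somewhere after `java`; that is harmless only because the generic `/usr/lib(.*/)?bin(/.*)?` rule below catches the directory. For consistency and so the rule reads like the rest of the file, I would write it as `/usr/lib/jvm/java(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)`. If the non-optional form was deliberate (to avoid overriding some other jvm labeling), a one-line comment saying so would stop the next maintainer from "fixing" it.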
@@ -72368,7 +72367,7 @@ index 3fae11a..f55e193 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -267,6 +305,10 @@ ifdef(`distro_gentoo',` +@@ -267,6 +306,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -72379,7 +72378,7 @@ index 3fae11a..f55e193 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -286,15 +328,19 @@ ifdef(`distro_gentoo',` +@@ -286,15 +329,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -72400,7 +72399,7 @@ index 3fae11a..f55e193 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -306,10 +352,12 @@ ifdef(`distro_redhat', ` +@@ -306,10 +353,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) 
@@ -72415,7 +72414,7 @@ index 3fae11a..f55e193 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +367,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +368,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -72427,7 +72426,7 @@ index 3fae11a..f55e193 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,20 +413,21 @@ ifdef(`distro_redhat', ` +@@ -363,20 +414,21 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -72453,7 +72452,7 @@ index 3fae11a..f55e193 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +436,13 @@ ifdef(`distro_suse', ` +@@ -385,3 +437,13 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -76776,7 +76775,7 @@ index c19518a..7ace2f2 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..95fcd54 100644 +index ff006ea..dfb7ed0 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ 
@@ -77438,7 +77437,15 @@ index ff006ea..95fcd54 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -3945,7 +4357,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3935,6 +4347,7 @@ interface(`files_getattr_tmp_dirs',` + type tmp_t; + ') + ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; + ') + +@@ -3945,7 +4358,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -77447,7 +77454,23 @@ index ff006ea..95fcd54 100644 ## ## # -@@ -4017,7 +4429,7 @@ interface(`files_list_tmp',` +@@ -3972,6 +4385,7 @@ interface(`files_search_tmp',` + type tmp_t; + ') + ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; + ') + +@@ -4008,6 +4422,7 @@ interface(`files_list_tmp',` + type tmp_t; + ') + ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; + ') + +@@ -4017,7 +4432,7 @@ interface(`files_list_tmp',` ## ## ## @@ -77456,7 +77479,7 @@ index ff006ea..95fcd54 100644 ## ## # -@@ -4029,6 +4441,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4444,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -77475,13 +77498,22 @@ index ff006ea..95fcd54 100644 + type tmp_t; + ') + ++ files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; +') + ######################################## ## ## Remove entries from the tmp directory. -@@ -4085,6 +4515,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4044,6 +4478,7 @@ interface(`files_delete_tmp_dir_entry',` + type tmp_t; + ') + ++ files_search_tmp($1) + allow $1 tmp_t:dir del_entry_dir_perms; + ') + +@@ -4085,6 +4520,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -77514,7 +77546,7 @@ index ff006ea..95fcd54 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4139,6 +4595,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4139,6 +4600,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## 
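Review bot: The `read_lnk_files_pattern($1, tmp_t, tmp_t)` added to `files_getattr_tmp_dirs` in this hunk grants more than the interface name and its header (`Get the attributes of the tmp directory (/tmp)`) promise: that pattern also allows search on tmp_t, so every caller that only wanted getattr now gets directory search plus symlink read on /tmp. The same addition to `files_search_tmp` and `files_list_tmp` matches the commit's stated intent, but none of the three interface descriptions are updated; I would amend them, e.g. `## Search the tmp directory (/tmp) and read symlinks in it.` for files_search_tmp, and for files_getattr_tmp_dirs either drop the pattern or state the added search and lnk_file access in its description so callers audited against the docs are not surprised. Because `files_rw_generic_tmp_dirs` and `files_delete_tmp_dir_entry` now call `files_search_tmp($1)`, they inherit the symlink read as well and deserve a line in their descriptions too.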
@@ -77557,7 +77589,7 @@ index ff006ea..95fcd54 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4202,7 +4694,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4202,7 +4699,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -77566,7 +77598,7 @@ index ff006ea..95fcd54 100644 ## ## # -@@ -4262,7 +4754,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4759,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -77575,7 +77607,7 @@ index ff006ea..95fcd54 100644 ## ## # -@@ -4318,7 +4810,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4815,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -77584,7 +77616,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -4342,6 +4834,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4839,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -77601,7 +77633,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -4681,7 +5183,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +5188,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -77610,7 +77642,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -4914,6 +5416,24 @@ interface(`files_list_var',` +@@ -4914,6 +5421,24 @@ interface(`files_list_var',` ######################################## ## @@ -77635,7 +77667,7 @@ index ff006ea..95fcd54 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5084,7 +5604,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5609,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -77644,7 +77676,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -5219,7 +5739,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5744,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
@@ -77653,7 +77685,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -5259,6 +5779,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5259,6 +5784,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -77679,7 +77711,7 @@ index ff006ea..95fcd54 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5304,6 +5843,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5848,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -77705,7 +77737,7 @@ index ff006ea..95fcd54 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5875,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5880,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -77714,7 +77746,7 @@ index ff006ea..95fcd54 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5896,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5901,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -77730,7 +77762,7 @@ index ff006ea..95fcd54 100644 ## ## ## -@@ -5349,12 +5911,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5916,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -77763,7 +77795,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -5373,6 +5953,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5958,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -77771,7 +77803,7 @@ index ff006ea..95fcd54 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5966,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5971,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## 
@@ -77779,7 +77811,7 @@ index ff006ea..95fcd54 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5992,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5997,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -77788,7 +77820,7 @@ index ff006ea..95fcd54 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +6008,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +6013,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -77805,7 +77837,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -5452,7 +6032,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +6037,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -77814,7 +77846,7 @@ index ff006ea..95fcd54 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +6073,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +6078,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -77823,7 +77855,7 @@ index ff006ea..95fcd54 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +6095,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +6100,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -77832,7 +77864,7 @@ index ff006ea..95fcd54 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +6127,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +6132,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') 
@@ -77843,7 +77875,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -5608,6 +6188,43 @@ interface(`files_search_pids',` +@@ -5608,6 +6193,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -77887,7 +77919,7 @@ index ff006ea..95fcd54 100644 ######################################## ## ## Do not audit attempts to search -@@ -5629,6 +6246,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5629,6 +6251,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -77913,7 +77945,7 @@ index ff006ea..95fcd54 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -5736,7 +6372,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6377,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -77922,7 +77954,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -5815,29 +6451,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,29 +6456,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -77956,18 +77988,16 @@ index ff006ea..95fcd54 100644 ## ## ## -@@ -5845,12 +6477,182 @@ interface(`files_read_all_pids',` +@@ -5845,7 +6482,177 @@ interface(`files_read_all_pids',` ## ## # -interface(`files_mounton_all_poly_members',` +interface(`files_delete_all_pid_sockets',` - gen_require(` -- attribute polymember; ++ gen_require(` + attribute pidfile; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ + allow $1 pidfile:sock_file delete_sock_file_perms; +') + 
@@ -78134,15 +78164,10 @@ index ff006ea..95fcd54 100644 +## +# +interface(`files_mounton_all_poly_members',` -+ gen_require(` -+ attribute polymember; -+ ') -+ -+ allow $1 polymember:dir mounton; - ') - - ######################################## -@@ -5900,6 +6702,90 @@ interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute polymember; + ') +@@ -5900,6 +6707,90 @@ interface(`files_delete_all_pid_dirs',` ######################################## ## @@ -78233,7 +78258,7 @@ index ff006ea..95fcd54 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6042,7 +6928,7 @@ interface(`files_spool_filetrans',` +@@ -6042,7 +6933,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -78242,7 +78267,7 @@ index ff006ea..95fcd54 100644 ') ######################################## -@@ -6117,3 +7003,332 @@ interface(`files_unconfined',` +@@ -6117,3 +7008,332 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -84514,7 +84539,7 @@ index 0b827c5..ac79ca6 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..c872f94 100644 +index 30861ec..9ea7f1f 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0) @@ -84679,7 +84704,7 @@ index 30861ec..c872f94 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +197,26 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +197,30 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) 
@@ -84699,20 +84724,23 @@ index 30861ec..c872f94 100644 +tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) +') - - optional_policy(` -- dbus_system_domain(abrt_t, abrt_exec_t) ++ ++optional_policy(` + apache_list_modules(abrt_t) + apache_read_modules(abrt_t) ++') + + optional_policy(` + dbus_system_domain(abrt_t, abrt_exec_t) ') optional_policy(` - nis_use_ypbind(abrt_t) -+ dbus_system_domain(abrt_t, abrt_exec_t) ++ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t) ') optional_policy(` -@@ -167,6 +237,7 @@ optional_policy(` +@@ -167,6 +241,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -84720,7 +84748,7 @@ index 30861ec..c872f94 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +249,35 @@ optional_policy(` +@@ -178,12 +253,35 @@ optional_policy(` ') optional_policy(` @@ -84757,7 +84785,7 @@ index 30861ec..c872f94 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +294,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +298,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -84786,7 +84814,7 @@ index 30861ec..c872f94 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +317,146 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +321,146 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) 
@@ -84804,7 +84832,7 @@ index 30861ec..c872f94 100644 + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; -+') + ') + +####################################### +# @@ -84919,7 +84947,7 @@ index 30861ec..c872f94 100644 + +optional_policy(` + unconfined_domain(abrt_watch_log_t) - ') ++') + +####################################### +# @@ -93563,7 +93591,7 @@ index 0000000..40415f8 + diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te new file mode 100644 -index 0000000..e7ca6fc +index 0000000..04ff5c1 --- /dev/null +++ b/policy/modules/services/collectd.te @@ -0,0 +1,88 @@ @@ -93603,8 +93631,8 @@ index 0000000..e7ca6fc +# collectd local policy +# + -+allow collectd_t self:capability ipc_lock; -+allow collectd_t self:process { signal fork }; ++allow collectd_t self:capability { ipc_lock sys_nice }; ++allow collectd_t self:process { getsched setsched signal fork }; + +allow collectd_t self:fifo_file rw_fifo_file_perms; +allow collectd_t self:packet_socket create_socket_perms; @@ -104192,10 +104220,10 @@ index 0000000..ebe1dde +') diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te new file mode 100644 -index 0000000..57e0566 +index 0000000..842165a --- /dev/null +++ b/policy/modules/services/glance.te -@@ -0,0 +1,112 @@ +@@ -0,0 +1,117 @@ +policy_module(glance, 1.0.0) + +######################################## @@ -104255,12 +104283,17 @@ index 0000000..57e0566 +kernel_read_system_state(glance_domain) + +corecmd_exec_bin(glance_domain) ++corecmd_exec_shell(glance_domain) + +dev_read_urand(glance_domain) + +files_read_etc_files(glance_domain) +files_read_usr_files(glance_domain) + ++auth_read_passwd(glance_domain) ++ ++libs_exec_ldconfig(glance_domain) ++ +miscfiles_read_localization(glance_domain) + +optional_policy(` 
@@ -104278,6 +104311,7 @@ index 0000000..57e0566 + +corenet_tcp_bind_generic_node(glance_registry_t) +corenet_tcp_bind_glance_registry_port(glance_registry_t) ++corenet_tcp_connect_all_ephemeral_ports(glance_registry_t) + +logging_send_syslog_msg(glance_registry_t) + @@ -104300,14 +104334,13 @@ index 0000000..57e0566 + +corenet_tcp_bind_generic_node(glance_api_t) +corenet_tcp_bind_glance_port(glance_api_t) ++corenet_tcp_bind_hplip_port(glance_api_t) +corenet_tcp_connect_glance_registry_port(glance_api_t) +corenet_tcp_connect_all_ephemeral_ports(glance_api_t) + +dev_read_urand(glance_api_t) + +fs_getattr_xattr_fs(glance_api_t) -+ -+libs_exec_ldconfig(glance_api_t) diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc index 462de63..5df751b 100644 --- a/policy/modules/services/gnomeclock.fc @@ -113896,7 +113929,7 @@ index 0000000..0d11800 +') diff --git a/policy/modules/services/nova.te b/policy/modules/services/nova.te new file mode 100644 -index 0000000..b0d25bb +index 0000000..415b098 --- /dev/null +++ b/policy/modules/services/nova.te @@ -0,0 +1,328 @@ @@ -114043,7 +114076,7 @@ index 0000000..b0d25bb + +allow nova_cert_t self:udp_socket create_socket_perms; + -+auth_read_passwd(nova_cert_t) ++auth_use_nsswitch(nova_cert_t) + +miscfiles_read_certs(nova_cert_t) + @@ -115824,7 +115857,7 @@ index d883214..d6afa87 100644 init_labeled_script_domtrans($1, openvpn_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index 8b550f4..6075d39 100644 +index 8b550f4..cae4941 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0) 
@@ -115869,25 +115902,21 @@ index 8b550f4..6075d39 100644 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; can_exec(openvpn_t, openvpn_etc_t) -@@ -58,9 +60,15 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) +@@ -58,9 +60,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) --allow openvpn_t openvpn_var_log_t:file manage_file_perms; --logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) + + allow openvpn_t openvpn_var_log_t:file manage_file_perms; + logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) -+manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -+logging_log_filetrans(openvpn_t, openvpn_var_log_t, { dir file }) -+ +manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) -@@ -68,6 +76,7 @@ kernel_read_kernel_sysctls(openvpn_t) +@@ -68,6 +74,7 @@ kernel_read_kernel_sysctls(openvpn_t) kernel_read_net_sysctls(openvpn_t) kernel_read_network_state(openvpn_t) kernel_read_system_state(openvpn_t) @@ -115895,7 +115924,7 @@ index 8b550f4..6075d39 100644 corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) -@@ -87,6 +96,7 @@ corenet_udp_bind_openvpn_port(openvpn_t) +@@ -87,6 +94,7 @@ corenet_udp_bind_openvpn_port(openvpn_t) corenet_tcp_bind_http_port(openvpn_t) corenet_tcp_connect_openvpn_port(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) 
@@ -115903,7 +115932,7 @@ index 8b550f4..6075d39 100644 corenet_tcp_connect_http_cache_port(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t) corenet_sendrecv_openvpn_server_packets(openvpn_t) -@@ -100,33 +110,40 @@ dev_read_urand(openvpn_t) +@@ -100,33 +108,40 @@ dev_read_urand(openvpn_t) files_read_etc_files(openvpn_t) files_read_etc_runtime_files(openvpn_t) @@ -115952,7 +115981,7 @@ index 8b550f4..6075d39 100644 optional_policy(` daemontools_service_domain(openvpn_t, openvpn_exec_t) -@@ -138,3 +155,7 @@ optional_policy(` +@@ -138,3 +153,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') @@ -124468,7 +124497,7 @@ index 0000000..6572600 +') diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 -index 0000000..d45cfe5 +index 0000000..cff25a9 --- /dev/null +++ b/policy/modules/services/rhsmcertd.te @@ -0,0 +1,69 @@ @@ -124520,7 +124549,7 @@ index 0000000..d45cfe5 + +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) -+files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) ++files_pid_filetrans(rhsmcertd_var_run_t, rhsmcertd_var_run_t, { file dir }) + +kernel_read_network_state(rhsmcertd_t) +kernel_read_system_state(rhsmcertd_t) @@ -125181,7 +125210,7 @@ index 5c70c0c..b0c22f7 100644 /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if -index cda37bb..fa20a5d 100644 +index cda37bb..b3469d6 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -32,7 +32,11 @@ interface(`rpc_stub',` 
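Review bot: The rewritten `files_pid_filetrans(rhsmcertd_var_run_t, rhsmcertd_var_run_t, { file dir })` in the rhsmcertd.te hunk passes the file type where the interface expects the source domain; the line it replaces had this right. With the file type as subject, the generated allow and type_transition rules never apply to rhsmcertd_t, so pid files and directories the daemon creates under /var/run would presumably keep the parent's generic label instead of rhsmcertd_var_run_t, and the manage rules two lines above would not cover them. Restore `files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })`.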
@@ -125317,42 +125346,23 @@ index cda37bb..fa20a5d 100644 ') ######################################## -@@ -375,7 +451,26 @@ interface(`rpc_search_nfs_state_data',` +@@ -375,7 +451,7 @@ interface(`rpc_search_nfs_state_data',` ') files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; + allow $1 var_lib_nfs_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List NFS state data in /var/lib/nfs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpc_list_nfs_state_data',` -+ gen_require(` -+ type var_lib_nfs_t; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 var_lib_nfs_t:dir list_dir_perms; ') ######################################## -@@ -414,4 +509,5 @@ interface(`rpc_manage_nfs_state_data',` +@@ -414,4 +490,5 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..6ca60ac 100644 +index b1468ed..f30c62e 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -125400,12 +125410,7 @@ index b1468ed..6ca60ac 100644 type nfsd_rw_t; files_type(nfsd_rw_t) -@@ -58,13 +64,14 @@ files_mountpoint(var_lib_nfs_t) - # RPC local policy - # - --allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; -+allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; +@@ -62,9 +68,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; @@ -126046,7 +126051,7 @@ index a07b2f4..36b4903 100644 + +userdom_getattr_user_terminals(rwho_t) diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc -index 69a6074..5c02dec 100644 +index 69a6074..3d65472 100644 
--- a/policy/modules/services/samba.fc +++ b/policy/modules/services/samba.fc @@ -14,6 +14,8 @@ @@ -126058,17 +126063,22 @@ index 69a6074..5c02dec 100644 /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) -@@ -36,6 +38,9 @@ +@@ -36,6 +38,10 @@ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) +/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) ++/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) + +/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -@@ -51,3 +56,7 @@ +@@ -48,6 +54,11 @@ + /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) + ++/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) @@ -126077,13 +126087,32 @@ index 69a6074..5c02dec 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if -index 82cb169..0ed7e14 100644 +index 82cb169..9642fe3 100644 --- a/policy/modules/services/samba.if 
+++ b/policy/modules/services/samba.if -@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',` +@@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',` ######################################## ## ++## Search the samba pid directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`samba_search_pid',` ++ gen_require(` ++ type smbd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 smbd_var_run_t:dir search_dir_perms; ++') ++ ++######################################## ++## +## Connect to nmbd. +## +## @@ -126097,7 +126126,7 @@ index 82cb169..0ed7e14 100644 + type nmbd_t, nmbd_var_run_t; + ') + -+ files_search_pids($1) ++ samba_search_pid($1) + stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) +') + @@ -126106,7 +126135,7 @@ index 82cb169..0ed7e14 100644 ## Execute samba server in the samba domain. ## ## -@@ -60,6 +79,29 @@ interface(`samba_initrc_domtrans',` +@@ -60,6 +98,29 @@ interface(`samba_initrc_domtrans',` ######################################## ## @@ -126136,7 +126165,7 @@ index 82cb169..0ed7e14 100644 ## Execute samba net in the samba_net domain. ## ## -@@ -79,6 +121,25 @@ interface(`samba_domtrans_net',` +@@ -79,6 +140,25 @@ interface(`samba_domtrans_net',` ######################################## ## @@ -126162,7 +126191,7 @@ index 82cb169..0ed7e14 100644 ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## -@@ -103,6 +164,51 @@ interface(`samba_run_net',` +@@ -103,6 +183,51 @@ interface(`samba_run_net',` role $2 types samba_net_t; ') 
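Review bot: The new `samba_search_pid` interface grants access (`allow $1 smbd_var_run_t:dir search_dir_perms;`) but its parameter is documented as `Domain to not audit.`, which is the wording reserved for dontaudit interfaces. Change the parameter summary to `## Domain allowed access.` so the generated interface documentation matches what the interface does. The replacement of `files_search_pids($1)` by `samba_search_pid($1)` in samba_stream_connect_nmbd further down the hunk is consistent with the new interface.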
@@ -126214,61 +126243,19 @@ index 82cb169..0ed7e14 100644 ######################################## ## ## Execute smbmount in the smbmount domain. -@@ -327,7 +433,6 @@ interface(`samba_search_var',` - type samba_var_t; - ') - -- files_search_var($1) - files_search_var_lib($1) - allow $1 samba_var_t:dir search_dir_perms; - ') -@@ -348,7 +453,6 @@ interface(`samba_read_var_files',` - type samba_var_t; - ') - -- files_search_var($1) - files_search_var_lib($1) - read_files_pattern($1, samba_var_t, samba_var_t) - ') -@@ -388,7 +492,6 @@ interface(`samba_rw_var_files',` - type samba_var_t; - ') - -- files_search_var($1) - files_search_var_lib($1) - rw_files_pattern($1, samba_var_t, samba_var_t) - ') -@@ -409,9 +512,9 @@ interface(`samba_manage_var_files',` +@@ -409,9 +534,10 @@ interface(`samba_manage_var_files',` type samba_var_t; ') - files_search_var($1) ++ files_search_var_lib($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) + manage_lnk_files_pattern($1, samba_var_t, samba_var_t) ') ######################################## -@@ -419,15 +522,14 @@ interface(`samba_manage_var_files',` - ## Execute a domain transition to run smbcontrol. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`samba_domtrans_smbcontrol',` - gen_require(` -- type smbcontrol_t; -- type smbcontrol_exec_t; -+ type smbcontrol_t, smbcontrol_exec_t; - ') - - domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -@@ -564,6 +666,7 @@ interface(`samba_domtrans_winbind_helper',` +@@ -564,6 +690,7 @@ interface(`samba_domtrans_winbind_helper',` ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) 
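Review bot: In the `samba_manage_var_files` part of this hunk the added `+ files_search_var_lib($1)` sits directly above the existing `files_search_var_lib($1)` context line, so the interface now calls it twice. The removed `files_search_var($1)` is being replaced by a call that was already present; drop the added line and keep only the `manage_lnk_files_pattern($1, samba_var_t, samba_var_t)` addition. Note that the hunk also stops removing `files_search_var($1)` from samba_search_var, samba_read_var_files and samba_rw_var_files, which leaves samba_manage_var_files the only one of the four without it; presumably intended, but worth confirming.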
@@ -126276,7 +126263,28 @@ index 82cb169..0ed7e14 100644 ') ######################################## -@@ -644,6 +747,37 @@ interface(`samba_stream_connect_winbind',` +@@ -607,7 +734,7 @@ interface(`samba_read_winbind_pid',` + type winbind_var_run_t; + ') + +- files_search_pids($1) ++ samba_search_pid($1) + allow $1 winbind_var_run_t:file read_file_perms; + ') + +@@ -626,9 +753,10 @@ interface(`samba_stream_connect_winbind',` + type samba_var_t, winbind_t, winbind_var_run_t; + ') + +- files_search_pids($1) ++ samba_search_pid($1) + allow $1 samba_var_t:dir search_dir_perms; + stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) ++ samba_read_config($1) + + ifndef(`distro_redhat',` + gen_require(` +@@ -644,6 +772,37 @@ interface(`samba_stream_connect_winbind',` ######################################## ## @@ -126314,7 +126322,7 @@ index 82cb169..0ed7e14 100644 ## All of the rules required to administrate ## an samba environment ## -@@ -661,33 +795,33 @@ interface(`samba_stream_connect_winbind',` +@@ -661,33 +820,33 @@ interface(`samba_stream_connect_winbind',` # interface(`samba_admin',` gen_require(` @@ -126369,17 +126377,7 @@ index 82cb169..0ed7e14 100644 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) -@@ -709,9 +843,6 @@ interface(`samba_admin',` - admin_pattern($1, samba_var_t) - files_list_var($1) - -- admin_pattern($1, smbd_spool_t) -- files_list_spool($1) -- - admin_pattern($1, smbd_var_run_t) - files_list_pids($1) - -@@ -727,4 +858,9 @@ interface(`samba_admin',` +@@ -727,4 +886,9 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -126390,10 +126388,24 @@ index 82cb169..0ed7e14 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..ef60f40 100644 +index e30bb63..110ed47 100644 --- a/policy/modules/services/samba.te 
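Review bot: Adding `samba_read_config($1)` to `samba_stream_connect_winbind` widens the grant for every caller rather than the domains that hit a denial: anything that connects to the winbind socket now also reads samba_etc_t. If, as in refpolicy, auth_use_nsswitch calls this interface under optional_policy, that covers most nsswitch-using daemons. If the winbind client library genuinely needs smb.conf, record that above the line, e.g. `# libwbclient reads smb.conf`, otherwise move the call into the specific domains that need it.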
+++ b/policy/modules/services/samba.te -@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false) +@@ -1,4 +1,4 @@ +-policy_module(samba, 1.13.0) ++policy_module(samba, 1.14.1) + + ################################# + # +@@ -25,13 +25,21 @@ gen_tunable(samba_create_home_dirs, false) + ##

+ ## Allow samba to act as the domain controller, add users, + ## groups and change passwords. +-## ++## + ##

+ ## + gen_tunable(samba_domain_controller, false) ## ##

@@ -126428,15 +126440,7 @@ index e30bb63..ef60f40 100644 type winbind_var_run_t; files_pid_file(winbind_var_run_t) -@@ -181,7 +189,6 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) - manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) - manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) - manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) -- - kernel_read_proc_symlinks(samba_net_t) - kernel_read_system_state(samba_net_t) - -@@ -215,22 +222,30 @@ miscfiles_read_localization(samba_net_t) +@@ -215,22 +223,31 @@ miscfiles_read_localization(samba_net_t) samba_read_var_files(samba_net_t) 
@@ -126465,21 +126469,20 @@ index e30bb63..ef60f40 100644 # smbd Local policy # -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; ++ +allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -248,7 +263,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - +@@ -249,6 +266,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow smbd_t nmbd_t:process { signal signull }; -+allow winbind_t smbd_var_run_t:dir search_dir_perms; allow smbd_t nmbd_var_run_t:file rw_file_perms; +stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -@@ -263,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) +@@ -263,12 +281,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) @@ -126494,7 +126497,7 @@ index e30bb63..ef60f40 100644 allow smbd_t smbcontrol_t:process { signal signull }; -@@ -279,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) +@@ -279,7 +298,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) 
@@ -126503,7 +126506,7 @@ index e30bb63..ef60f40 100644 allow smbd_t swat_t:process signal; -@@ -316,6 +334,7 @@ corenet_tcp_connect_smbd_port(smbd_t) +@@ -316,6 +335,7 @@ corenet_tcp_connect_smbd_port(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) @@ -126511,7 +126514,7 @@ index e30bb63..ef60f40 100644 dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) # For redhat bug 566984 -@@ -323,15 +342,18 @@ dev_getattr_all_blk_files(smbd_t) +@@ -323,15 +343,18 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) @@ -126530,7 +126533,7 @@ index e30bb63..ef60f40 100644 domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -343,6 +365,7 @@ files_read_usr_files(smbd_t) +@@ -343,6 +366,7 @@ files_read_usr_files(smbd_t) files_search_spool(smbd_t) # smbd seems to getattr all mountpoints files_dontaudit_getattr_all_dirs(smbd_t) @@ -126538,7 +126541,7 @@ index e30bb63..ef60f40 100644 # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -354,6 +377,8 @@ logging_send_syslog_msg(smbd_t) +@@ -354,6 +378,8 @@ logging_send_syslog_msg(smbd_t) miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) @@ -126547,7 +126550,7 @@ index e30bb63..ef60f40 100644 userdom_use_unpriv_users_fds(smbd_t) userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) -@@ -372,6 +397,11 @@ tunable_policy(`allow_smbd_anon_write',` +@@ -372,6 +398,11 @@ tunable_policy(`allow_smbd_anon_write',` miscfiles_manage_public_files(smbd_t) ') @@ -126559,7 +126562,7 @@ index e30bb63..ef60f40 100644 tunable_policy(`samba_domain_controller',` gen_require(` class passwd passwd; -@@ -385,12 +415,7 @@ tunable_policy(`samba_domain_controller',` +@@ -385,12 +416,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` 
@@ -126573,7 +126576,7 @@ index e30bb63..ef60f40 100644 ') # Support Samba sharing of NFS mount points -@@ -410,6 +435,10 @@ tunable_policy(`samba_share_fusefs',` +@@ -410,6 +436,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -126584,7 +126587,7 @@ index e30bb63..ef60f40 100644 optional_policy(` cups_read_rw_config(smbd_t) -@@ -422,6 +451,11 @@ optional_policy(` +@@ -422,6 +452,11 @@ optional_policy(` ') optional_policy(` @@ -126596,14 +126599,15 @@ index e30bb63..ef60f40 100644 lpd_exec_lpr(smbd_t) ') -@@ -445,26 +479,25 @@ optional_policy(` +@@ -445,26 +480,26 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) - userdom_home_filetrans_user_home_dir(smbd_t) ') -+userdom_home_filetrans_user_home_dir(smbd_t) ++userdom_home_filetrans_user_home_dir(smbd_t) ++ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) - auth_read_all_dirs_except_shadow(smbd_t) 
@@ -126630,19 +126634,29 @@ index e30bb63..ef60f40 100644 ######################################## # # nmbd Local policy -@@ -484,8 +517,10 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) ++manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) +manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) +files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file }) ++filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir) read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -555,18 +590,21 @@ optional_policy(` +@@ -497,8 +535,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) + + allow nmbd_t smbcontrol_t:process signal; + +-allow nmbd_t smbd_var_run_t:dir rw_dir_perms; +- + kernel_getattr_core_if(nmbd_t) + kernel_getattr_message_if(nmbd_t) + kernel_read_kernel_sysctls(nmbd_t) +@@ -555,18 +591,21 @@ optional_policy(` # smbcontrol local policy # @@ -126668,7 +126682,7 @@ index e30bb63..ef60f40 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -574,11 +612,21 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -574,11 +613,21 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -126691,7 +126705,7 @@ index e30bb63..ef60f40 100644 ######################################## # -@@ -644,19 +692,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +693,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) 
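Review bot: `filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)` is an unnamed transition, so every directory nmbd creates directly inside an smbd_var_run_t directory becomes nmbd_var_run_t, while the new samba.fc entry only labels `/var/run/samba/nmbd(/.*)?`. A named transition keeps the two in step, `filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir, "nmbd")`, and the patch already uses the name argument elsewhere (`files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")` in virt.if). The same applies to `filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)` in the winbind hunk further down, where `"winbindd"` would match its fc entry.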
@@ -126716,7 +126730,7 @@ index e30bb63..ef60f40 100644 ######################################## # # SWAT Local policy -@@ -677,7 +727,8 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +728,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -126726,7 +126740,7 @@ index e30bb63..ef60f40 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +743,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +744,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -126741,7 +126755,7 @@ index e30bb63..ef60f40 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +763,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +764,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -126749,7 +126763,7 @@ index e30bb63..ef60f40 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -752,8 +806,12 @@ logging_send_syslog_msg(swat_t) +@@ -752,8 +807,12 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) 
@@ -126762,17 +126776,16 @@ index e30bb63..ef60f40 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -783,7 +841,8 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -783,7 +842,7 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; -allow winbind_t nmbd_var_run_t:file read_file_perms; -+allow winbind_t smbd_var_run_t:dir search_dir_perms; +read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,15 +865,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +865,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) 
@@ -126784,17 +126797,20 @@ index e30bb63..ef60f40 100644 +userdom_manage_user_tmp_files(winbind_t) +userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) -+manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) ++manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -files_pid_filetrans(winbind_t, winbind_var_run_t, file) -+files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir }) ++files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir }) ++filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) ++# /run/samba/krb5cc_samba ++manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) +kernel_read_network_state(winbind_t) kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +893,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +896,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -126802,7 +126818,7 @@ index e30bb63..ef60f40 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -850,10 +911,14 @@ domain_use_interactive_fds(winbind_t) +@@ -850,10 +914,14 @@ domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) files_read_usr_symlinks(winbind_t) 
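Review bot: `manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)` grants winbind create, write and unlink on every smbd_var_run_t file, which per samba.fc is all of smbd's tdb and pid files under /var/run/samba, while the comment above it names only `/run/samba/krb5cc_samba`. If the credential cache is the only file winbind writes there, a narrower rule is preferable: a named transition onto winbind's own type, `filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, file, "krb5cc_samba")`, together with a matching fc entry would let this line shrink to winbind_var_run_t. Either way the comment should say what the rule is for, e.g. `# winbind creates and refreshes /run/samba/krb5cc_samba`.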
@@ -126817,29 +126833,29 @@ index e30bb63..ef60f40 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -863,6 +928,12 @@ userdom_manage_user_home_content_pipes(winbind_t) - userdom_manage_user_home_content_sockets(winbind_t) +@@ -864,6 +932,11 @@ userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) -+ -+optional_policy(` + optional_policy(` + ctdbd_stream_connect(winbind_t) + ctdbd_manage_lib_files(winbind_t) +') + - optional_policy(` ++optional_policy(` kerberos_use(winbind_t) ') -@@ -904,7 +975,7 @@ logging_send_syslog_msg(winbind_helper_t) + +@@ -904,7 +977,8 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) -userdom_use_user_terminals(winbind_helper_t) +userdom_use_inherited_user_terminals(winbind_helper_t) ++ optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,19 +993,34 @@ optional_policy(` +@@ -922,19 +996,34 @@ optional_policy(` # optional_policy(` @@ -126862,14 +126878,14 @@ index e30bb63..ef60f40 100644 + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_inherited_user_terminals(samba_unconfined_net_t) +') - ++ +type samba_unconfined_script_t; +type samba_unconfined_script_exec_t; +domain_type(samba_unconfined_script_t) +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) +corecmd_shell_entry_type(samba_unconfined_script_t) +role system_r types samba_unconfined_script_t; -+ + +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +allow smbd_t samba_unconfined_script_exec_t:file ioctl; + @@ -127756,7 +127772,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..e010142 100644 +index 086cd5f..4e69f51 100644 
--- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -127860,7 +127876,7 @@ index 086cd5f..e010142 100644 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -151,7 +173,11 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -151,7 +173,12 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) @@ -127869,10 +127885,11 @@ index 086cd5f..e010142 100644 + seutil_domtrans_setfiles(setroubleshoot_fixit_t) +seutil_domtrans_setsebool(setroubleshoot_fixit_t) ++seutil_read_module_store(setroubleshoot_fixit_t) files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +190,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +191,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -131941,7 +131958,7 @@ index ebc5414..8f8ac45 100644 logging_list_logs($1) admin_pattern($1, uucpd_log_t) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index d4349e9..f14d337 100644 +index d4349e9..2f0887d 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -24,7 +24,7 @@ type uucpd_ro_t; @@ -131962,7 +131979,16 @@ index d4349e9..f14d337 100644 uucp_append_log(uux_t) uucp_manage_spool(uux_t) -@@ -145,5 +147,5 @@ optional_policy(` +@@ -134,6 +136,8 @@ files_read_etc_files(uux_t) + + fs_rw_anon_inodefs_files(uux_t) + ++auth_use_nsswitch(uux_t) ++ + logging_send_syslog_msg(uux_t) + + miscfiles_read_localization(uux_t) +@@ -145,5 +149,5 @@ optional_policy(` ') optional_policy(` @@ -133408,7 +133434,7 @@ index 7c5d8d8..85b7d8b 100644 + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ') 
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..96f86b2 100644 +index 3eca020..cf6ce6e 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0) @@ -133836,9 +133862,9 @@ index 3eca020..96f86b2 100644 logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) - -+selinux_validate_context(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -133905,20 +133931,7 @@ index 3eca020..96f86b2 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -353,6 +544,12 @@ optional_policy(` - ') - - optional_policy(` -+ # Run mount in the mount_t domain. -+ mount_domtrans(virtd_t) -+ mount_signal(virtd_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(virtd_t) - policykit_domtrans_auth(virtd_t) - policykit_domtrans_resolve(virtd_t) -@@ -360,11 +557,11 @@ optional_policy(` +@@ -360,11 +551,11 @@ optional_policy(` ') optional_policy(` @@ -133935,7 +133948,7 @@ index 3eca020..96f86b2 100644 ') optional_policy(` -@@ -394,20 +591,36 @@ optional_policy(` +@@ -394,20 +585,36 @@ optional_policy(` # virtual domains common policy # @@ -133975,7 +133988,7 @@ index 3eca020..96f86b2 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +625,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -133989,7 +134002,7 @@ index 3eca020..96f86b2 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +644,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +638,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -134002,7 +134015,7 @@ index 3eca020..96f86b2 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +657,428 @@ files_search_all(virt_domain) +@@ -440,25 +651,428 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -134010,12 +134023,12 @@ index 3eca020..96f86b2 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -134721,7 +134734,7 @@ index aa6e5a8..42a0efb 100644 ######################################## ##

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 4966c94..587ddea 100644 +index 4966c94..e3b85b6 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,34 @@ @@ -134790,7 +134803,7 @@ index 4966c94..587ddea 100644 # # /opt # -@@ -48,28 +71,35 @@ ifdef(`distro_redhat',` +@@ -48,28 +71,31 @@ ifdef(`distro_redhat',` # /tmp # @@ -134808,16 +134821,11 @@ index 4966c94..587ddea 100644 # /usr # --/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/sbin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/sbin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/sbin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/sbin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) 
@@ -134834,13 +134842,14 @@ index 4966c94..587ddea 100644 /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -@@ -90,17 +120,45 @@ ifdef(`distro_debian', ` +@@ -90,17 +116,45 @@ ifdef(`distro_debian', ` /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/lib/[mxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + 
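Review bot: The added `/var/lib/[mxkw]dm(/.*)?` overlaps the retained `/var/lib/[gxkw]dm(/.*)?` directly above it for xdm, kdm and wdm; both map to xdm_var_lib_t, so nothing breaks, but the file now carries two entries for the same paths. Fold the new display manager into the existing class, `/var/lib/[gmxkw]dm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)`, and drop the second line.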
@@ -134848,24 +134857,23 @@ index 4966c94..587ddea 100644 -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) -+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) -+/var/log/(l)?xdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) -+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) ++/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) + -+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/slim(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -139233,7 +139241,7 @@ index 73554ec..a0bd29b 100644 + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index b7a5f00..27ad087 100644 +index b7a5f00..b2a6592 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,22 +5,42 @@ policy_module(authlogin, 2.2.1) @@ -139249,7 +139257,7 @@ index b7a5f00..27ad087 100644 + +## +##
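Review bot: The rotation suffix is inconsistent on the new log entries: `/var/log/[mkwx]dm\.log.*` matches rotated copies, but `/var/log/lxdm\.log --` and `/var/log/slim\.log --` do not, so `lxdm.log.1` or `slim.log-20120608` would fall back to the generic /var/log label and the display manager may be denied appending to, or logrotate denied handling, its own rotated logs; `/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)` and `/var/log/slim\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)` would match the `[mkwx]dm` line (the removed slim entry had the `.*`). Separately, this hunk moves the gdm directory, slim and (l)xdm logs from `xdm_log_t` to `xserver_log_t`, the same type the Xorg server's own logs use; if `xdm_log_t` is still declared and given rules in xserver.te (not visible here), those rules become inert, and every domain allowed to write xserver_log_t now also reaches display-manager logs, so confirm xdm_t has the corresponding manage/filetrans rules on xserver_log_t or drop the unused type in the same change.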

-+## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server ++## Allow users to login using a sssd server +##

+##
+gen_tunable(authlogin_nsswitch_use_ldap, false) @@ -143399,22 +143407,20 @@ index 0e3c2a9..40adf5a 100644 +') + diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index a0b379d..362176f 100644 +index a0b379d..95bf920 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te -@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) - type local_login_lock_t; - files_lock_file(local_login_lock_t) +@@ -17,6 +17,9 @@ type local_login_tmp_t; + files_tmp_file(local_login_tmp_t) + files_poly_parent(local_login_tmp_t) --type local_login_tmp_t; --files_tmp_file(local_login_tmp_t) --files_poly_parent(local_login_tmp_t) +type local_login_home_t; +userdom_user_home_content(local_login_home_t) - ++ type sulogin_t; type sulogin_exec_t; -@@ -32,9 +31,8 @@ role system_r types sulogin_t; + domain_obj_id_change_exemption(sulogin_t) +@@ -32,9 +35,8 @@ role system_r types sulogin_t; # Local login local policy # 
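Review bot: The reworded description `## Allow users to login using a sssd server` no longer matches the boolean it documents, `gen_tunable(authlogin_nsswitch_use_ldap, false)`, whose name promises something about direct LDAP use; an administrator reading `semanage boolean -l` would not connect the two. The tunable_policy body this boolean gates is outside the hunk, so I cannot say which wording is right, but the description should name the access the boolean actually enables, e.g. `## Allow login programs to resolve user and group entries directly from LDAP instead of through sssd`, or the tunable should be renamed to match the sssd wording. Whichever is chosen, the `<desc>` text and the name are the only two things a user sees, so they need to agree.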
@@ -143426,18 +143432,16 @@ index a0b379d..362176f 100644 allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; -@@ -51,9 +49,7 @@ allow local_login_t self:key { search write link }; +@@ -51,6 +53,8 @@ allow local_login_t self:key { search write link }; allow local_login_t local_login_lock_t:file manage_file_perms; files_lock_filetrans(local_login_t, local_login_lock_t, file) --allow local_login_t local_login_tmp_t:dir manage_dir_perms; --allow local_login_t local_login_tmp_t:file manage_file_perms; --files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) +allow local_login_t local_login_home_t:file read_file_perms; - - kernel_read_system_state(local_login_t) - kernel_read_kernel_sysctls(local_login_t) -@@ -73,6 +69,8 @@ dev_getattr_power_mgmt_dev(local_login_t) ++ + allow local_login_t local_login_tmp_t:dir manage_dir_perms; + allow local_login_t local_login_tmp_t:file manage_file_perms; + files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) +@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t) dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) @@ -143446,7 +143450,7 @@ index a0b379d..362176f 100644 dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -120,11 +118,13 @@ term_setattr_unallocated_ttys(local_login_t) +@@ -120,11 +126,13 @@ term_setattr_unallocated_ttys(local_login_t) auth_rw_login_records(local_login_t) auth_rw_faillog(local_login_t) @@ -143461,7 +143465,7 @@ index a0b379d..362176f 100644 miscfiles_read_localization(local_login_t) -@@ -146,14 +146,14 @@ tunable_policy(`console_login',` +@@ -146,14 +154,12 @@ tunable_policy(`console_login',` term_relabel_console(local_login_t) ') 
@@ -143470,8 +143474,6 @@ index a0b379d..362176f 100644 - fs_read_nfs_symlinks(local_login_t) -') +userdom_home_reader(local_login_t) -+userdom_manage_tmp_files(local_login_t) -+userdom_tmp_filetrans_user_tmp(local_login_t, file) -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(local_login_t) @@ -143483,7 +143485,7 @@ index a0b379d..362176f 100644 ') optional_policy(` -@@ -177,14 +177,6 @@ optional_policy(` +@@ -177,14 +183,6 @@ optional_policy(` ') optional_policy(` @@ -143498,7 +143500,7 @@ index a0b379d..362176f 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,6 +207,7 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,6 +213,7 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; @@ -143506,7 +143508,7 @@ index a0b379d..362176f 100644 kernel_read_system_state(sulogin_t) fs_search_auto_mountpoints(sulogin_t) -@@ -223,13 +216,17 @@ fs_rw_tmpfs_chr_files(sulogin_t) +@@ -223,13 +222,17 @@ fs_rw_tmpfs_chr_files(sulogin_t) files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dirs(sulogin_t) @@ -143524,7 +143526,7 @@ index a0b379d..362176f 100644 seutil_read_config(sulogin_t) seutil_read_default_contexts(sulogin_t) -@@ -238,14 +235,24 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -238,14 +241,24 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -143551,7 +143553,7 @@ index a0b379d..362176f 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +263,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -147057,7 +147059,7 @@ index 694fd94..ff9af99 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) 
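Review bot: Dropping `userdom_manage_tmp_files(local_login_t)` and `userdom_tmp_filetrans_user_tmp(local_login_t, file)` here is paired with deleting the `userdom_manage_tmp_files` interface from userdomain.if later in this commit, so any other module in the F16 patch that still calls that interface would fail the build with an undefined-macro error; a grep across the patch for the interface name before merging would settle that. With the calls gone, local_login_t falls back to the restored upstream `files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })` in the hunk above, so what it creates in /tmp is labelled local_login_tmp_t rather than user_tmp_t; that looks like the intended tightening, but anything in the login path that expected to read those files as user_tmp_t would need re-checking. The enclosing tunable/optional blocks of this file continue outside the hunk.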
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index ff80d0a..b8c1b90 100644 +index ff80d0a..419fc29 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -49,10 +49,6 @@ interface(`sysnet_run_dhcpc',` @@ -147185,7 +147187,15 @@ index ff80d0a..b8c1b90 100644 ## Read network config files. ##
## -@@ -405,7 +494,7 @@ interface(`sysnet_etc_filetrans_config',` +@@ -329,6 +418,7 @@ interface(`sysnet_read_config',` + + ifdef(`distro_redhat',` + allow $1 net_conf_t:dir list_dir_perms; ++ allow $1 net_conf_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, net_conf_t, net_conf_t) + ') + ') +@@ -405,7 +495,7 @@ interface(`sysnet_etc_filetrans_config',` type net_conf_t; ') @@ -147194,7 +147204,7 @@ index ff80d0a..b8c1b90 100644 ') ####################################### -@@ -426,6 +515,7 @@ interface(`sysnet_manage_config',` +@@ -426,6 +516,7 @@ interface(`sysnet_manage_config',` allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_redhat',` @@ -147202,7 +147212,7 @@ index ff80d0a..b8c1b90 100644 manage_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -464,6 +554,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -464,6 +555,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -147210,7 +147220,7 @@ index ff80d0a..b8c1b90 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -554,6 +645,45 @@ interface(`sysnet_signal_ifconfig',` +@@ -554,6 +646,45 @@ interface(`sysnet_signal_ifconfig',` ######################################## ## @@ -147256,7 +147266,7 @@ index ff80d0a..b8c1b90 100644 ## Read the DHCP configuration files. ## ## -@@ -661,6 +791,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -661,6 +792,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -147265,7 +147275,7 @@ index ff80d0a..b8c1b90 100644 sysnet_read_config($1) optional_policy(` -@@ -698,6 +830,9 @@ interface(`sysnet_use_ldap',` +@@ -698,6 +831,9 @@ interface(`sysnet_use_ldap',` corenet_sendrecv_ldap_client_packets($1) sysnet_read_config($1) @@ -147275,7 +147285,7 @@ index ff80d0a..b8c1b90 100644 ') ######################################## -@@ -731,3 +866,73 @@ interface(`sysnet_use_portmap',` +@@ -731,3 +867,73 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') 
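Review bot: The added `allow $1 net_conf_t:lnk_file read_lnk_file_perms;` in sysnet_read_config is a raw allow placed directly next to `read_files_pattern($1, net_conf_t, net_conf_t)`; the matching pattern form `read_lnk_files_pattern($1, net_conf_t, net_conf_t)` keeps the interface's style consistent and carries the directory search that the pattern macros imply. Note also that the new rule sits inside the `ifdef(`distro_redhat',` block, so the symlink read described in the commit message ("Allow apps that can read net_conf_t files read symlinks") only reaches Red Hat builds, which is consistent with the file-read rule beside it but worth stating if it is deliberate. The start of sysnet_read_config is outside this hunk.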
@@ -150116,7 +150126,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..b0c7451 100644 +index 4b2878a..2fe0743 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -150431,33 +150441,7 @@ index 4b2878a..b0c7451 100644 ') ') -@@ -272,6 +317,25 @@ interface(`userdom_manage_home_role',` - ## - ## Manage user temporary files - ## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_manage_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file manage_file_perms; -+') -+ -+####################################### -+## -+## Manage user temporary files -+## - ## - ## - ## Role allowed access. -@@ -286,17 +350,64 @@ interface(`userdom_manage_home_role',` +@@ -286,17 +331,64 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -150527,7 +150511,7 @@ index 4b2878a..b0c7451 100644 ') ####################################### -@@ -316,6 +427,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +408,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -150535,7 +150519,7 @@ index 4b2878a..b0c7451 100644 files_search_tmp($1) ') -@@ -347,59 +459,62 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,59 +440,62 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -150630,7 +150614,7 @@ index 4b2878a..b0c7451 100644 ') ####################################### -@@ -430,6 +545,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +526,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) 
@@ -150638,7 +150622,7 @@ index 4b2878a..b0c7451 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -462,8 +578,8 @@ template(`userdom_change_password_template',` +@@ -462,8 +559,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -150649,7 +150633,7 @@ index 4b2878a..b0c7451 100644 ') ') -@@ -490,7 +606,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +587,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -150658,7 +150642,7 @@ index 4b2878a..b0c7451 100644 ############################## # -@@ -500,73 +616,83 @@ template(`userdom_common_user_template',` +@@ -500,73 +597,83 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -150680,27 +150664,27 @@ index 4b2878a..b0c7451 100644 + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) +- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -150724,10 +150708,10 @@ index 4b2878a..b0c7451 100644 + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) ++ ++ application_getattr_socket($1_usertype) - fs_rw_cgroup_files($1_t) -+ application_getattr_socket($1_usertype) -+ + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) @@ -150784,7 +150768,7 @@ index 4b2878a..b0c7451 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +700,113 @@ template(`userdom_common_user_template',` +@@ -574,67 +681,113 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -150843,51 +150827,51 @@ index 4b2878a..b0c7451 100644 + evolution_dbus_chat($1_usertype) + evolution_alarm_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ gnome_dbus_chat_gconfdefault($1_usertype) -+ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ kde_dbus_chat_backlighthelper($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpn_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ') - ') - - optional_policy(` -- inetd_use_fds($1_t) -- inetd_rw_tcp_sockets($1_t) -+ git_session_role($1_r, $1_usertype) ++ ++ optional_policy(` ++ vpn_dbus_chat($1_usertype) ++ ') + ') + + optional_policy(` -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ git_session_role($1_r, $1_usertype) + ') + + optional_policy(` ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) + ') + + optional_policy(` +- inetd_use_fds($1_t) +- inetd_rw_tcp_sockets($1_t) + inn_read_config($1_usertype) + inn_read_news_lib($1_usertype) + inn_read_news_spool($1_usertype) @@ -150919,7 +150903,7 @@ index 4b2878a..b0c7451 100644 ') optional_policy(` -@@ -650,40 +822,52 @@ template(`userdom_common_user_template',` +@@ -650,40 +803,52 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status 
@@ -150955,35 +150939,35 @@ index 4b2878a..b0c7451 100644 + + optional_policy(` + rpcbind_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ slrnpull_search_spool($1_usertype) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ slrnpull_search_spool($1_usertype) -+ ') -+ -+ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') -@@ -708,17 +892,33 @@ template(`userdom_common_user_template',` +@@ -708,17 +873,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -150996,15 +150980,17 @@ index 4b2878a..b0c7451 100644 + typeattribute $1_t login_userdomain; + + userdom_manage_home_role($1_r, $1_usertype) ++ ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) -+ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) 
@@ -151012,9 +150998,7 @@ index 4b2878a..b0c7451 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -151022,7 +151006,7 @@ index 4b2878a..b0c7451 100644 userdom_change_password_template($1) -@@ -727,81 +927,98 @@ template(`userdom_login_user_template', ` +@@ -727,81 +908,98 @@ template(`userdom_login_user_template', ` # User domain Local policy # @@ -151112,14 +151096,14 @@ index 4b2878a..b0c7451 100644 + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) - -- seutil_read_config($1_t) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) + ') -+ + +- seutil_read_config($1_t) + optional_policy(` + kerberos_use($1_usertype) + kerberos_filetrans_home_content($1_usertype) @@ -151156,7 +151140,7 @@ index 4b2878a..b0c7451 100644 ') ') -@@ -833,6 +1050,12 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1031,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -151169,7 +151153,7 @@ index 4b2878a..b0c7451 100644 ############################## # # Local policy -@@ -873,46 +1096,115 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -873,46 +1077,115 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -151298,7 +151282,7 @@ index 4b2878a..b0c7451 100644 ') ') -@@ -947,7 +1239,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1220,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. 
@@ -151307,7 +151291,7 @@ index 4b2878a..b0c7451 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1248,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1229,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -151325,7 +151309,7 @@ index 4b2878a..b0c7451 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1273,60 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1254,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -151368,11 +151352,9 @@ index 4b2878a..b0c7451 100644 + + optional_policy(` + gpg_role($1_r, $1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + gnomeclock_dbus_chat($1_t) + ') + @@ -151383,9 +151365,11 @@ index 4b2878a..b0c7451 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + wine_role_template($1, $1_r, $1_t) + ') + @@ -151395,7 +151379,7 @@ index 4b2878a..b0c7451 100644 ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1335,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1316,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -151406,7 +151390,7 @@ index 4b2878a..b0c7451 100644 ') ') -@@ -1039,7 +1373,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1354,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -151415,7 +151399,7 @@ index 4b2878a..b0c7451 100644 ') ############################## -@@ -1066,6 +1400,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1381,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -151423,7 +151407,7 @@ index 4b2878a..b0c7451 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1409,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1390,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -151433,7 +151417,7 @@ index 4b2878a..b0c7451 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1426,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1407,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -151441,7 +151425,7 @@ index 4b2878a..b0c7451 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1444,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1425,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -151455,7 +151439,7 @@ index 4b2878a..b0c7451 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1461,38 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1442,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -151498,7 +151482,7 @@ index 4b2878a..b0c7451 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1502,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1483,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -151507,7 +151491,7 @@ index 4b2878a..b0c7451 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1165,6 +1518,10 @@ template(`userdom_admin_user_template',` +@@ -1165,6 +1499,10 @@ template(`userdom_admin_user_template',` fs_read_noxattr_fs_files($1_t) ') @@ -151518,7 +151502,7 @@ index 4b2878a..b0c7451 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1210,6 +1567,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1548,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -151527,7 +151511,7 @@ index 4b2878a..b0c7451 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1581,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1562,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -151538,7 +151522,7 @@ index 4b2878a..b0c7451 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1594,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1575,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -151567,7 +151551,7 @@ index 4b2878a..b0c7451 100644 ') optional_policy(` -@@ -1251,12 +1622,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1603,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') 
@@ -151583,7 +151567,7 @@ index 4b2878a..b0c7451 100644 ') optional_policy(` -@@ -1279,25 +1650,74 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1631,103 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -151616,42 +151600,71 @@ index 4b2878a..b0c7451 100644 # -interface(`userdom_attach_admin_tun_iface',` +interface(`userdom_user_tmp_content',` -+ gen_require(` + gen_require(` +- attribute admindomain; + attribute user_tmp_type; -+ ') -+ + ') + +- allow $1 admindomain:tun_socket relabelfrom; +- allow $1 self:tun_socket relabelto; + typeattribute $1 user_tmp_type; + + files_tmp_file($1) + ubac_constrained($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Set the attributes of a user pty. +## Make the specified type usable in a +## generic tmpfs_t directory. -+## + ## +-## +## -+## + ## +-## Domain allowed access. +## Type to be used as a file in the +## generic temporary directory. -+## -+## -+# + ## + ## + # +-interface(`userdom_setattr_user_ptys',` +interface(`userdom_user_tmpfs_content',` -+ gen_require(` + gen_require(` +- type user_devpts_t; + attribute user_tmpfs_type; -+ ') -+ + ') + +- allow $1 user_devpts_t:chr_file setattr_chr_file_perms; + typeattribute $1 user_tmpfs_type; + + files_tmpfs_file($1) + ubac_constrained($1) + ') + + ######################################## + ## +-## Create a user pty. ++## Allow domain to attach to TUN devices created by administrative users. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_attach_admin_tun_iface',` ++ gen_require(` ++ attribute admindomain; ++ ') ++ ++ allow $1 admindomain:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; +') + +######################################## +## -+## Allow domain to attach to TUN devices created by administrative users. ++## Set the attributes of a user pty. +## +## +## 
@@ -151659,11 +151672,21 @@ index 4b2878a..b0c7451 100644 +## +## +# -+interface(`userdom_attach_admin_tun_iface',` - gen_require(` - attribute admindomain; - ') -@@ -1395,11 +1815,31 @@ interface(`userdom_search_user_home_dirs',` ++interface(`userdom_setattr_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ allow $1 user_devpts_t:chr_file setattr_chr_file_perms; ++') ++ ++######################################## ++## ++## Create a user pty. + ## + ## + ## +@@ -1395,11 +1796,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -151695,7 +151718,7 @@ index 4b2878a..b0c7451 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1441,6 +1881,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1862,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -151710,7 +151733,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -1456,9 +1904,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1885,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -151722,7 +151745,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -1515,6 +1965,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1946,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -151765,7 +151788,7 @@ index 4b2878a..b0c7451 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2075,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2056,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; 
@@ -151774,7 +151797,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -1603,10 +2091,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2072,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -151789,7 +151812,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -1649,6 +2139,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2120,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -151833,7 +151856,7 @@ index 4b2878a..b0c7451 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2195,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2176,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -151859,7 +151882,7 @@ index 4b2878a..b0c7451 100644 ## Mmap user home files. ## ## -@@ -1698,14 +2244,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1698,14 +2225,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -151897,7 +151920,7 @@ index 4b2878a..b0c7451 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2284,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2265,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -151915,7 +151938,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -1779,6 +2350,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2331,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## 
@@ -151976,7 +151999,7 @@ index 4b2878a..b0c7451 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2435,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2416,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -151986,7 +152009,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -1827,20 +2451,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2432,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -152011,7 +152034,7 @@ index 4b2878a..b0c7451 100644 ######################################## ## -@@ -1941,6 +2559,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2540,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -152036,7 +152059,7 @@ index 4b2878a..b0c7451 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2644,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2625,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -152045,7 +152068,7 @@ index 4b2878a..b0c7451 100644 files_search_home($1) ') -@@ -2039,7 +2675,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2656,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') @@ -152054,7 +152077,7 @@ index 4b2878a..b0c7451 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2158,11 +2794,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2158,11 +2775,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` 
@@ -152069,7 +152092,7 @@ index 4b2878a..b0c7451 100644 files_search_tmp($1) ') -@@ -2182,7 +2818,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2799,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -152078,7 +152101,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -2390,7 +3026,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +3007,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -152087,7 +152110,7 @@ index 4b2878a..b0c7451 100644 files_search_tmp($1) ') -@@ -2419,6 +3055,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +3036,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') @@ -152113,7 +152136,7 @@ index 4b2878a..b0c7451 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3090,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3071,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -152129,7 +152152,7 @@ index 4b2878a..b0c7451 100644 ## ## ## -@@ -2462,7 +3118,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3099,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -152138,7 +152161,7 @@ index 4b2878a..b0c7451 100644 ## ## ## -@@ -2470,14 +3126,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3107,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -152173,7 +152196,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -2572,7 +3244,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3225,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
@@ -152182,24 +152205,21 @@ index 4b2878a..b0c7451 100644 ## ## ## -@@ -2580,32 +3252,62 @@ interface(`userdom_use_user_ttys',` +@@ -2580,7 +3233,25 @@ interface(`userdom_use_user_ttys',` ## ## # -interface(`userdom_use_user_ptys',` +interface(`userdom_use_inherited_user_ttys',` - gen_require(` -- type user_devpts_t; ++ gen_require(` + type user_tty_device_t; - ') - -- allow $1 user_devpts_t:chr_file rw_term_perms; ++ ') ++ + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; - ') - - ######################################## - ## --## Read and write a user TTYs and PTYs. ++') ++ ++######################################## ++## +## Read and write a user domain pty. +## +## @@ -152209,15 +152229,14 @@ index 4b2878a..b0c7451 100644 +## +# +interface(`userdom_use_user_ptys',` -+ gen_require(` -+ type user_devpts_t; -+ ') -+ -+ allow $1 user_devpts_t:chr_file rw_term_perms; -+') -+ -+######################################## -+## + gen_require(` + type user_devpts_t; + ') +@@ -2590,22 +3261,34 @@ interface(`userdom_use_user_ptys',` + + ######################################## + ## +-## Read and write a user TTYs and PTYs. +## Read and write a inherited user domain pty. +## +## @@ -152256,7 +152275,7 @@ index 4b2878a..b0c7451 100644 ## ## ## -@@ -2614,14 +3316,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3297,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -152294,7 +152313,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -2640,8 +3361,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2640,8 +3342,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -152324,7 +152343,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -2713,69 +3453,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,69 +3434,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
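Review bot: The rewritten inner hunk headers `+@@ -2580,7 +3233,25 @@` and `+@@ -2590,22 +3261,34 @@` (outer hunks @@ -152182 and @@ -152209) leave a three-line gap between them (old 2587-2589, new 3258-3260) that `diff -u` would have folded into one hunk, so this split looks hand-edited rather than regenerated. The counts do reconcile (7+3+22 = 32 old, 25+3+34 = 62 new, matching the removed `@@ -2580,32 +3252,62 @@`), so `patch` should accept it, but hand-maintained counts inside a patch-of-patch are fragile; regenerating the userdom.if hunk from the tree, or at least confirming with `patch --dry-run`, would be safer than editing the headers in place. As far as the visible lines show, the granted permissions do not change: `userdom_use_inherited_user_ttys` (only `rw_inherited_term_perms` on `user_tty_device_t`) becomes a pure insertion ahead of `userdom_use_user_ptys`, whose original `allow $1 user_devpts_t:chr_file rw_term_perms;` is now kept as context instead of being deleted and re-added.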
@@ -152425,7 +152444,7 @@ index 4b2878a..b0c7451 100644 ## ## ## -@@ -2783,12 +3522,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2783,12 +3503,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -152440,7 +152459,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -2852,7 +3591,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3572,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -152449,7 +152468,7 @@ index 4b2878a..b0c7451 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3607,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3588,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -152483,7 +152502,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -2972,7 +3695,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3676,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -152492,7 +152511,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -3027,7 +3750,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3731,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -152539,7 +152558,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -3045,7 +3806,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3787,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -152548,7 +152567,7 @@ index 4b2878a..b0c7451 100644 ') ######################################## -@@ -3064,6 +3825,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3806,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) 
@@ -152556,7 +152575,7 @@ index 4b2878a..b0c7451 100644 kernel_search_proc($1) ') -@@ -3140,6 +3902,42 @@ interface(`userdom_signal_all_users',` +@@ -3140,6 +3883,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -152599,7 +152618,7 @@ index 4b2878a..b0c7451 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3160,6 +3958,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3939,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -152624,7 +152643,7 @@ index 4b2878a..b0c7451 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +4010,1292 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3991,1292 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 8add07d..99ce12a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 128%{?dist} +Release: 129%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -479,6 +479,27 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jun 8 2012 Miroslav Grepl 3.10.0-129 +- Allow collectd to read virt config +- Allow collectd setsched +- Add support for /usr/sbin/mdm* +- Fix java binaries labels when installed under /usr/lib/jvm/java +- Add labeling for /var/run/mdm +- Allow apps that can read net_conf_t files read symlinks +- Allow all domains that can search or read tmp_t, able to read a tmp_t link +- Dontaudit mozilla_plugin looking at xdm_tmp_t +- Looks like collectd needs to change it scheduling priority +- Allow uux_t to access nsswitch data +- New labeling for samba, pid dirs moved to subdirs of samba +- Allow nova_api to use nsswitch +- Allow mozilla_plugin to execute files labeled as lib_t +- Label content under HOME_DIR/zimbrauserdata as mozilla_home date +- abrt is fooled into reading mozilla_plugin content, we want to dontaudit +- Allow mozilla_plugin to connect to ircd ports since a plugin might be a irc chat window +- Allow winbind to create content in smbd_var_run_t directories +- Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it +- Support libvirt plugin for collectd + * Wed May 30 2012 Miroslav Grepl 3.10.0-128 - Fix description of authlogin_nsswitch_use_ldap - Fix transition rule for rhsmcertd_t needed for RHEL7