From 18e1158edab7608229606714d71ac86bdbba08a2 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 20 2013 06:24:04 +0000 Subject: - Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t - Add virt_transition_userdomain boolean decl - Allow httpd_t to sendto unix_dgram sockets on its children - Allow nova domains to execute ifconfig - bluetooth wants to create fifo_files in /tmp - exim needs to be able to manage mailman data - Allow sysstat to getattr on all file systems - Looks like bluetoothd has moved - Allow collectd to send ping packets - Allow svirt_lxc domains to getpgid - Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff - Allow frpintd_t to read /dev/urandom - Allow asterisk_t to create sock_file in /var/run - Allow usbmuxd to use netlink_kobject - sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_s - More cleanup of svirt_lxc policy - virtd_lxc_t now talks to dbus - Dontaudit leaked ptmx_t - Allow processes to use inherited fifo files - Allow openvpn_t to connect to squid ports - Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cer - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files - Allow user roles to connect to the journal socket - xauth_t should be allowed to create xauth_home_t - selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak - Allow xdm_t to create symlinks in log direcotries - Allow login programs to read afs config --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 551beda..d5daf33 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch 
@@ -8430,7 +8430,7 @@ index 6a1e4d1..c691385 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..29e6b5c 100644 +index cf04cb5..602ad63 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8559,7 +8559,7 @@ index cf04cb5..29e6b5c 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +230,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +230,296 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8836,6 +8836,7 @@ index cf04cb5..29e6b5c 100644 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; + +optional_policy(` ++ rpm_rw_script_inherited_pipes(domain) + rpm_use_fds(domain) + rpm_read_pipes(domain) + rpm_search_log(domain) @@ -20166,7 +20167,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..3448145 100644 +index 5fc0391..dac68b3 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20179,15 +20180,15 @@ index 5fc0391..3448145 100644 +##

+## allow host key based authentication +##

- ## --gen_tunable(allow_ssh_keysign, false) ++## +gen_tunable(ssh_keysign, false) + +## +##

+## Allow ssh logins as sysadm_r:sysadm_t +##

-+##
+ ## +-gen_tunable(allow_ssh_keysign, false) +gen_tunable(ssh_sysadm_login, false) ## @@ -20323,8 +20324,12 @@ index 5fc0391..3448145 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -156,38 +177,42 @@ logging_read_generic_logs(ssh_t) +@@ -154,40 +175,46 @@ files_read_var_files(ssh_t) + logging_send_syslog_msg(ssh_t) + logging_read_generic_logs(ssh_t) ++term_use_ptmx(ssh_t) ++ auth_use_nsswitch(ssh_t) -miscfiles_read_localization(ssh_t) @@ -20385,7 +20390,7 @@ index 5fc0391..3448145 100644 ') optional_policy(` -@@ -195,6 +220,7 @@ optional_policy(` +@@ -195,6 +222,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -20393,7 +20398,7 @@ index 5fc0391..3448145 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +232,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +234,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -20401,7 +20406,7 @@ index 5fc0391..3448145 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +250,54 @@ optional_policy(` +@@ -223,33 +252,54 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -20465,7 +20470,7 @@ index 5fc0391..3448145 100644 ') optional_policy(` -@@ -257,11 +305,24 @@ optional_policy(` +@@ -257,11 +307,24 @@ optional_policy(` ') optional_policy(` @@ -20491,7 +20496,7 @@ index 5fc0391..3448145 100644 ') optional_policy(` -@@ -269,6 +330,10 @@ optional_policy(` +@@ -269,6 +332,10 @@ optional_policy(` ') optional_policy(` @@ -20502,7 +20507,7 @@ index 5fc0391..3448145 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +344,69 @@ optional_policy(` +@@ -279,13 +346,69 @@ optional_policy(` ') optional_policy(` 
@@ -20572,7 +20577,7 @@ index 5fc0391..3448145 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +415,26 @@ optional_policy(` +@@ -294,19 +417,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -20600,7 +20605,7 @@ index 5fc0391..3448145 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +451,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +453,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20613,7 +20618,7 @@ index 5fc0391..3448145 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +465,138 @@ optional_policy(` +@@ -331,3 +467,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -22490,7 +22495,7 @@ index 6bf0ecc..188613e 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..7d6fc31 100644 +index 2696452..509319f 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -22740,7 +22745,7 @@ index 2696452..7d6fc31 100644 ') ######################################## -@@ -247,48 +321,83 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,48 +321,88 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # 
@@ -22803,6 +22808,11 @@ index 2696452..7d6fc31 100644 +userdom_use_inherited_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth") xserver_rw_xdm_tmp_files(xauth_t) @@ -22835,7 +22845,7 @@ index 2696452..7d6fc31 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +408,107 @@ optional_policy(` +@@ -299,64 +413,107 @@ optional_policy(` # XDM Local policy # @@ -22953,7 +22963,7 @@ index 2696452..7d6fc31 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +517,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +522,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -22985,7 +22995,7 @@ index 2696452..7d6fc31 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +549,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +554,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) 
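Review bot: The new `userdom_user_home_dir_filetrans` rules for xauth_t cover `.Xauthority`, its `-l`/`-c` lock files, `.xauth` and `.Xauth`, but not the temporary file xauth writes and then renames into place; as far as I recall xauth writes `<name>-n` before the rename, in which case the final `.Xauthority` would keep the temp file's default home label instead of xauth_home_t, so confirm against xauth's write path before merging. If that is so, one more line `userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n")` closes the gap. A short comment above the group, `# xauth creates .Xauthority plus its -c/-l lock files directly in $HOME`, would record why these exact names are listed.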
@@ -23038,7 +23048,7 @@ index 2696452..7d6fc31 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +601,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +606,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23067,7 +23077,7 @@ index 2696452..7d6fc31 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +631,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +636,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23114,7 +23124,7 @@ index 2696452..7d6fc31 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +676,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +681,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23265,7 +23275,7 @@ index 2696452..7d6fc31 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +827,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +832,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23292,7 +23302,7 @@ index 2696452..7d6fc31 100644 ') optional_policy(` -@@ -514,12 +854,72 @@ optional_policy(` +@@ -514,12 +859,72 @@ optional_policy(` ') optional_policy(` @@ -23365,7 +23375,7 @@ index 2696452..7d6fc31 100644 hostname_exec(xdm_t) ') -@@ -537,28 +937,78 @@ optional_policy(` +@@ -537,28 +942,78 @@ optional_policy(` ') optional_policy(` @@ -23453,7 +23463,7 @@ index 2696452..7d6fc31 100644 ') optional_policy(` -@@ -570,6 +1020,14 @@ optional_policy(` +@@ -570,6 +1025,14 @@ optional_policy(` ') optional_policy(` 
@@ -23468,7 +23478,7 @@ index 2696452..7d6fc31 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1052,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23481,7 +23491,7 @@ index 2696452..7d6fc31 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1069,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23497,7 +23507,7 @@ index 2696452..7d6fc31 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1085,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23508,7 +23518,7 @@ index 2696452..7d6fc31 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1100,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -23530,7 +23540,7 @@ index 2696452..7d6fc31 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1120,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23544,7 +23554,7 @@ index 2696452..7d6fc31 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1146,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23576,7 +23586,7 @@ index 2696452..7d6fc31 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1178,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23594,7 +23604,7 @@ index 2696452..7d6fc31 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1201,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1206,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23618,7 +23628,7 @@ index 2696452..7d6fc31 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23627,7 +23637,7 @@ index 2696452..7d6fc31 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1264,44 @@ optional_policy(` +@@ -775,16 +1269,44 @@ optional_policy(` ') optional_policy(` 
@@ -23673,7 +23683,7 @@ index 2696452..7d6fc31 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1310,10 @@ optional_policy(` +@@ -793,6 +1315,10 @@ optional_policy(` ') optional_policy(` @@ -23684,7 +23694,7 @@ index 2696452..7d6fc31 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23698,7 +23708,7 @@ index 2696452..7d6fc31 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23707,7 +23717,7 @@ index 2696452..7d6fc31 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1353,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1358,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23742,7 +23752,7 @@ index 2696452..7d6fc31 100644 ') optional_policy(` -@@ -902,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -23751,7 +23761,7 @@ index 2696452..7d6fc31 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1472,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23783,7 +23793,7 @@ index 2696452..7d6fc31 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -28785,7 +28795,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..b63b6d3 100644 +index 9e54bf9..4bf2a53 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -28897,7 +28907,7 @@ index 9e54bf9..b63b6d3 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -206,10 +219,11 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) +@@ -206,14 +219,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) 
@@ -28911,6 +28921,11 @@ index 9e54bf9..b63b6d3 100644 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; +-files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) ++files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file }) + + # _realsetup needs to be able to cat /var/run/pluto.pid, + # run ps on that pid, and delete the file @@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -30623,7 +30638,7 @@ index 4e94884..9b82ed0 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..692b00d 100644 +index 39ea221..bb695cf 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -30839,7 +30854,7 @@ index 39ea221..692b00d 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,22 +426,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,22 +426,34 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) 
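Review bot: The widened `files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file })` labels every directory ipsec_mgmt_t creates directly under /run as ipsec_var_run_t, not only the /run/pluto directory the commit message names. The surrounding `_realsetup` comment suggests this is a script domain, so a name-qualified rule for the directory is the tighter form: keep the sock_file transition and add `files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, dir, "pluto")`. Whether ipsec_mgmt_t creates any other /run directories is not visible here, so this is a scoping suggestion rather than a reported mislabel.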
@@ -30869,12 +30884,15 @@ index 39ea221..692b00d 100644 +ifdef(`hide_broken_symptoms',` + kernel_rw_unix_dgram_sockets(syslogd_t) +') ++ ++corecmd_exec_bin(syslogd_t) ++corecmd_exec_shell(syslogd_t) -corenet_all_recvfrom_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) -@@ -427,9 +476,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +479,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -30902,7 +30920,7 @@ index 39ea221..692b00d 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +508,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +511,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -30922,7 +30940,7 @@ index 39ea221..692b00d 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +532,10 @@ init_use_fds(syslogd_t) +@@ -461,11 +535,10 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -30936,7 +30954,7 @@ index 39ea221..692b00d 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +572,36 @@ optional_policy(` +@@ -502,15 +575,36 @@ optional_policy(` ') optional_policy(` @@ -30973,7 +30991,7 @@ index 39ea221..692b00d 100644 ') optional_policy(` -@@ -521,3 +612,26 @@ optional_policy(` +@@ -521,3 +615,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -31546,7 +31564,7 @@ index 9fe8e01..83acb32 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') 
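Review bot: `corecmd_exec_bin(syslogd_t)` and `corecmd_exec_shell(syslogd_t)` let the syslog daemon, a domain that parses untrusted local and remote log input, execute any bin_t binary and the shell in its own domain without a transition, which is a large widening of syslogd_t for what the commit describes only as "run shell and bin_t commands". The two rules carry no comment naming the feature that needs them; presumably an output module that spawns external programs, so a line such as `# <module name> spawns external programs from syslogd_t` above them would record the justification. If the need is specific to an optional output module, gating both rules in a `tunable_policy` boolean (a constructed name like `syslogd_can_exec` would do) keeps default installs on the narrower domain.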
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc3..2960ed7 100644 +index fc28bc3..79f454f 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` @@ -31574,7 +31592,33 @@ index fc28bc3..2960ed7 100644 ## Manage generic SSL certificates. ## ## -@@ -434,6 +452,7 @@ interface(`miscfiles_rw_localization',` +@@ -169,6 +187,25 @@ interface(`miscfiles_manage_cert_files',` + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.') + ') + ++####################################### ++## ++## Do not audit attempts to access check cert dirs/files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`miscfiles_dontaudit_access_check_cert',` ++ gen_require(` ++ type cert_t; ++ ') ++ ++ dontaudit $1 cert_t:file audit_access; ++ dontaudit $1 cert_t:dir audit_access; ++') ++ + ######################################## + ## + ## Read fonts. +@@ -434,6 +471,7 @@ interface(`miscfiles_rw_localization',` files_search_usr($1) allow $1 locale_t:dir list_dir_perms; rw_files_pattern($1, locale_t, locale_t) @@ -31582,7 +31626,7 @@ index fc28bc3..2960ed7 100644 ') ######################################## -@@ -453,6 +472,7 @@ interface(`miscfiles_relabel_localization',` +@@ -453,6 +491,7 @@ interface(`miscfiles_relabel_localization',` files_search_usr($1) relabel_files_pattern($1, locale_t, locale_t) @@ -31590,7 +31634,7 @@ index fc28bc3..2960ed7 100644 ') ######################################## -@@ -470,7 +490,6 @@ interface(`miscfiles_legacy_read_localization',` +@@ -470,7 +509,6 @@ interface(`miscfiles_legacy_read_localization',` type locale_t; ') 
@@ -31598,7 +31642,7 @@ index fc28bc3..2960ed7 100644 allow $1 locale_t:file execute; ') -@@ -531,6 +550,10 @@ interface(`miscfiles_read_man_pages',` +@@ -531,6 +569,10 @@ interface(`miscfiles_read_man_pages',` allow $1 { man_cache_t man_t }:dir list_dir_perms; read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) @@ -31609,7 +31653,7 @@ index fc28bc3..2960ed7 100644 ') ######################################## -@@ -554,6 +577,29 @@ interface(`miscfiles_delete_man_pages',` +@@ -554,6 +596,29 @@ interface(`miscfiles_delete_man_pages',` delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) @@ -31639,7 +31683,7 @@ index fc28bc3..2960ed7 100644 ') ######################################## -@@ -622,6 +668,30 @@ interface(`miscfiles_manage_man_cache',` +@@ -622,6 +687,30 @@ interface(`miscfiles_manage_man_cache',` ######################################## ## @@ -31670,7 +31714,7 @@ index fc28bc3..2960ed7 100644 ## Read public files used for file ## transfer services. ## -@@ -784,8 +854,11 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -784,8 +873,11 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') @@ -31684,7 +31728,7 @@ index fc28bc3..2960ed7 100644 ') ######################################## -@@ -809,3 +882,61 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +901,61 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -32503,7 +32547,7 @@ index 4584457..e432df3 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..fa545e7 100644 +index 6a50270..e16b72d 100644 --- a/policy/modules/system/mount.te 
+++ b/policy/modules/system/mount.te @@ -5,40 +5,58 @@ policy_module(mount, 1.15.1) @@ -32588,7 +32632,7 @@ index 6a50270..fa545e7 100644 +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount") ++files_pid_filetrans(mount_t,mount_var_run_t,{ dir file }) +files_var_filetrans(mount_t,mount_var_run_t,dir) +dev_filetrans(mount_t, mount_var_run_t, dir) + @@ -33058,7 +33102,7 @@ index d43f3b1..f958391 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..1029e3b 100644 +index 3822072..bddf002 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` @@ -33543,7 +33587,7 @@ index 3822072..1029e3b 100644 ') ####################################### -@@ -1137,3 +1488,98 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1488,99 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -33575,6 +33619,7 @@ index 3822072..1029e3b 100644 + mls_file_read_all_levels($1) + + selinux_get_enforce_mode($1) ++ selinux_set_enforce_mode($1) + + seutil_manage_bin_policy($1) + @@ -34853,7 +34898,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..a5086e8 100644 +index b7686d5..7a9577f 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) 
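Review bot: Replacing `files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount")` with `files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })` drops the name qualifier, so every directory or file mount_t creates directly under /run is now labeled mount_var_run_t rather than only /run/mount. If mount_t also creates runtime entries meant for other domains (not visible here), those would now be mislabeled for their consumers; since a named rule coexists with a generic one, keeping the original `"mount"` line alongside the new unnamed rule makes the intent explicit and leaves a place for a comment such as `# mount also creates unnamed dirs/files under /run; see commit`. The nested `-index`/`+index` lines show this is a re-rolled patch, so the original reason for the named transition should be rechecked.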
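Review bot: The added `selinux_set_enforce_mode($1)` grants whatever domain calls this interface the ability to switch the system out of enforcing mode, the most consequential permission an SELinux domain can hold, and nothing in this hunk updates the interface's summary block to say so. The enclosing interface starts outside the hunk, so its name and doc comment are not visible here. Its summary should state that callers gain setenforce and that it is intended only for SELinux administration domains, e.g. `## Also grants setenforce; restrict to SELinux administration domains.`, and existing callers of the interface should be reviewed against that.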
@@ -35080,7 +35125,7 @@ index b7686d5..a5086e8 100644 vmware_append_log(dhcpc_t) ') -@@ -259,12 +306,21 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +306,23 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -35090,6 +35135,8 @@ index b7686d5..a5086e8 100644 +allow ifconfig_t self:netlink_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; ++allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms }; ++ allow ifconfig_t self:tcp_socket { create ioctl }; +can_exec(ifconfig_t, ifconfig_exec_t) @@ -35102,7 +35149,7 @@ index b7686d5..a5086e8 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +330,29 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +332,29 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -35132,7 +35179,7 @@ index b7686d5..a5086e8 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +365,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +367,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -35160,7 +35207,7 @@ index b7686d5..a5086e8 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +389,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +391,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -35183,7 +35230,7 @@ index b7686d5..a5086e8 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +415,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +417,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` 
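Review bot: `allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms };` only covers tun sockets ifconfig_t itself created, so if the commit's "Allow ip to relabel tun_sockets" case involves a tun device handed over from another domain (e.g. a VPN daemon), this self rule will not satisfy it; that situation is not visible here, so confirm which domain owns the socket being relabeled. The rule also has no comment explaining why ip needs relabel on its own tun sockets; a line such as `# ip tuntap relabels the tun_socket it creates before handing it off` above it would record the purpose.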
@@ -35197,7 +35244,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -339,7 +428,15 @@ optional_policy(` +@@ -339,7 +430,15 @@ optional_policy(` ') optional_policy(` @@ -35214,7 +35261,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -360,3 +457,13 @@ optional_policy(` +@@ -360,3 +459,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -38617,7 +38664,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..29b497d 100644 +index 3c5dba7..fbcee33 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39179,7 +39226,7 @@ index 3c5dba7..29b497d 100644 ############################## # -@@ -501,41 +632,51 @@ template(`userdom_common_user_template',` +@@ -501,41 +632,52 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -39202,6 +39249,7 @@ index 3c5dba7..29b497d 100644 - kernel_read_device_sysctls($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) ++ kernel_stream_connect($1_usertype) - corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) @@ -39254,7 +39302,7 @@ index 3c5dba7..29b497d 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +687,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +688,120 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject 
@@ -39413,7 +39461,7 @@ index 3c5dba7..29b497d 100644 ') optional_policy(` -@@ -642,23 +810,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +811,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -39442,7 +39490,7 @@ index 3c5dba7..29b497d 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +837,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +838,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -39451,7 +39499,7 @@ index 3c5dba7..29b497d 100644 ') optional_policy(` -@@ -680,9 +846,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +847,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -39464,7 +39512,7 @@ index 3c5dba7..29b497d 100644 ') ') -@@ -693,32 +859,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +860,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -39511,7 +39559,7 @@ index 3c5dba7..29b497d 100644 ') ') -@@ -743,17 +912,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +913,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -39549,7 +39597,7 @@ index 3c5dba7..29b497d 100644 userdom_change_password_template($1) -@@ -761,82 +946,99 @@ template(`userdom_login_user_template', ` +@@ -761,82 +947,99 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -39685,7 +39733,7 @@ index 3c5dba7..29b497d 100644 ') ') -@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
@@ -39698,7 +39746,7 @@ index 3c5dba7..29b497d 100644 ############################## # # Local policy -@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -39809,7 +39857,7 @@ index 3c5dba7..29b497d 100644 ') optional_policy(` -@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -39840,7 +39888,7 @@ index 3c5dba7..29b497d 100644 ') ####################################### -@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -39878,7 +39926,7 @@ index 3c5dba7..29b497d 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1308,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -39949,7 +39997,7 @@ index 3c5dba7..29b497d 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -39960,7 +40008,7 @@ index 3c5dba7..29b497d 100644 ') ') -@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -39969,7 +40017,7 @@ index 3c5dba7..29b497d 100644 ') ############################## -@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; 
@@ -39977,7 +40025,7 @@ index 3c5dba7..29b497d 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -39987,7 +40035,7 @@ index 3c5dba7..29b497d 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -39995,7 +40043,7 @@ index 3c5dba7..29b497d 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40010,7 +40058,7 @@ index 3c5dba7..29b497d 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -40053,7 +40101,7 @@ index 3c5dba7..29b497d 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -40062,7 +40110,7 @@ index 3c5dba7..29b497d 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -40081,7 +40129,7 @@ index 3c5dba7..29b497d 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40090,7 +40138,7 @@ index 3c5dba7..29b497d 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40102,7 +40150,7 @@ index 3c5dba7..29b497d 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -40145,7 +40193,7 @@ index 3c5dba7..29b497d 100644 ') optional_policy(` -@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40164,7 +40212,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## 
@@ -40216,7 +40264,7 @@ index 3c5dba7..29b497d 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -40248,7 +40296,7 @@ index 3c5dba7..29b497d 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -40263,7 +40311,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40275,7 +40323,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -40318,7 +40366,7 @@ index 3c5dba7..29b497d 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40327,7 +40375,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -40342,7 +40390,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -1772,7 +2246,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2247,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -40369,7 +40417,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -1782,49 +2274,67 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,49 +2275,67 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -40449,7 +40497,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -1848,6 +2358,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2359,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -40475,7 +40523,7 @@ index 3c5dba7..29b497d 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2407,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2408,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -40513,7 +40561,7 @@ index 3c5dba7..29b497d 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2447,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2448,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -40531,7 +40579,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -1941,7 +2495,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2496,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## 
@@ -40558,7 +40606,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -1951,17 +2523,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2524,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -40579,7 +40627,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -1969,12 +2539,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2540,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -40630,7 +40678,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -2010,8 +2616,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2617,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -40640,7 +40688,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -2027,20 +2632,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2633,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -40665,7 +40713,7 @@ index 3c5dba7..29b497d 100644 ######################################## ## -@@ -2123,7 +2722,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2723,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -40674,7 +40722,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -2131,19 +2730,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2731,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -40698,7 +40746,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -2151,12 +2748,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2749,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # 
@@ -40714,7 +40762,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -2393,11 +2990,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2991,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -40729,7 +40777,7 @@ index 3c5dba7..29b497d 100644 files_search_tmp($1) ') -@@ -2417,7 +3014,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3015,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -40738,7 +40786,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -2664,6 +3261,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3262,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -40764,7 +40812,7 @@ index 3c5dba7..29b497d 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3296,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3297,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -40780,7 +40828,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -2707,7 +3324,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3325,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -40789,7 +40837,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -2715,14 +3332,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3333,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -40824,7 +40872,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -2817,6 +3450,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3451,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
@@ -40849,7 +40897,7 @@ index 3c5dba7..29b497d 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3486,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3487,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -40892,7 +40940,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -2859,14 +3522,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3523,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -40930,7 +40978,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -2885,8 +3567,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3568,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -40960,7 +41008,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -2958,69 +3659,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3660,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41061,7 +41109,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -3028,12 +3728,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3729,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -41076,7 +41124,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -3097,7 +3797,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3798,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -41085,7 +41133,7 @@ index 3c5dba7..29b497d 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3813,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3814,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -41119,7 +41167,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -3217,7 +3901,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3902,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41146,7 +41194,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -3272,7 +3974,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3975,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41212,7 +41260,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -3290,7 +4049,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4050,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41221,7 +41269,7 @@ index 3c5dba7..29b497d 100644 ') ######################################## -@@ -3309,6 +4068,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4069,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -41229,7 +41277,7 @@ index 3c5dba7..29b497d 100644 kernel_search_proc($1) ') -@@ -3385,6 +4145,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4146,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -41272,7 +41320,7 @@ index 3c5dba7..29b497d 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,7 +4201,7 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,7 +4202,7 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -41281,7 +41329,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -3413,17 +4209,17 @@ interface(`userdom_sigchld_all_users',` +@@ -3413,17 +4210,17 @@ interface(`userdom_sigchld_all_users',` ## ## # 
@@ -41302,7 +41350,7 @@ index 3c5dba7..29b497d 100644 ## ## ## -@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',` +@@ -3431,11 +4228,1516 @@ interface(`userdom_create_all_users_keys',` ## ## # diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 6e928a5..4ddf547 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -3239,7 +3239,7 @@ index 550a69e..53e5708 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 83e899c..c5be77c 100644 +index 83e899c..fac6fe5 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3255,7 +3255,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -13,118 +13,100 @@ +@@ -13,118 +13,101 @@ # template(`apache_content_template',` gen_require(` @@ -3410,6 +3410,7 @@ index 83e899c..c5be77c 100644 - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) ++ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto; ') ') @@ -3420,7 +3421,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -133,47 +115,61 @@ template(`apache_content_template',` +@@ -133,47 +116,61 @@ template(`apache_content_template',` ## ## ## @@ -3511,7 +3512,7 @@ index 83e899c..c5be77c 100644 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') -@@ -184,7 +180,7 @@ interface(`apache_role',` +@@ -184,7 +181,7 @@ interface(`apache_role',` ######################################## ## @@ -3520,7 +3521,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -204,7 +200,7 @@ interface(`apache_read_user_scripts',` +@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',` ######################################## ## 
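Review bot: The added `allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;` carries no comment, while the `domtrans_pattern` line just above it is explained by `# apache runs the script:`; because the rule sits inside `apache_content_template`, it is instantiated for every content type built from the template, not only the one that motivated it. A one-line why-comment is needed, something like `# httpd_t sends datagrams to sockets owned by its script children` — whether that is an inherited socket or one the script binds is not visible here and should be confirmed by the author. The template's start and end lie outside this hunk.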
@@ -3529,7 +3530,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -224,7 +220,7 @@ interface(`apache_read_user_content',` +@@ -224,7 +221,7 @@ interface(`apache_read_user_content',` ######################################## ## @@ -3538,7 +3539,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -241,27 +237,47 @@ interface(`apache_domtrans',` +@@ -241,27 +238,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -3593,7 +3594,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -279,7 +295,7 @@ interface(`apache_signal',` +@@ -279,7 +296,7 @@ interface(`apache_signal',` ######################################## ## @@ -3602,7 +3603,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -297,7 +313,7 @@ interface(`apache_signull',` +@@ -297,7 +314,7 @@ interface(`apache_signull',` ######################################## ## @@ -3611,7 +3612,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -315,8 +331,7 @@ interface(`apache_sigchld',` +@@ -315,8 +332,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -3621,7 +3622,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -334,8 +349,8 @@ interface(`apache_use_fds',` +@@ -334,8 +350,8 @@ interface(`apache_use_fds',` ######################################## ## @@ -3632,7 +3633,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -348,13 +363,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -3649,7 +3650,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -372,8 +387,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` ######################################## ## @@ -3660,7 +3661,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -391,8 +406,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## 
@@ -3670,7 +3671,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -417,7 +431,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -3680,7 +3681,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -435,7 +450,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -3690,7 +3691,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -453,7 +469,8 @@ interface(`apache_list_cache',` +@@ -453,7 +470,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -3700,7 +3701,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -471,7 +488,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -3710,7 +3711,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -489,7 +507,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -3720,7 +3721,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -507,49 +526,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -3783,7 +3784,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -570,8 +591,8 @@ interface(`apache_manage_config',` +@@ -570,8 +592,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -3794,7 +3795,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -608,16 +629,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -3836,7 +3837,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -639,7 +682,8 @@ interface(`apache_read_log',` +@@ -639,7 +683,8 @@ interface(`apache_read_log',` ######################################## ## 
@@ -3846,7 +3847,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -657,10 +701,29 @@ interface(`apache_append_log',` +@@ -657,10 +702,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3878,7 +3879,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -678,8 +741,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -3889,7 +3890,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -698,47 +761,49 @@ interface(`apache_manage_log',` +@@ -698,47 +762,49 @@ interface(`apache_manage_log',` read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3952,7 +3953,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -752,11 +817,13 @@ interface(`apache_list_modules',` +@@ -752,11 +818,13 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -3967,7 +3968,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -776,46 +843,63 @@ interface(`apache_exec_modules',` +@@ -776,46 +844,63 @@ interface(`apache_exec_modules',` ######################################## ## @@ -4048,7 +4049,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -829,13 +913,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4065,7 +4066,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -844,6 +929,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4073,7 +4074,7 @@ index 83e899c..c5be77c 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +941,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') 
@@ -4180,7 +4181,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -888,10 +1040,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4199,7 +4200,7 @@ index 83e899c..c5be77c 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1060,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4211,7 +4212,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -941,7 +1099,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4220,7 +4221,7 @@ index 83e899c..c5be77c 100644 ## to the specified role. ## ## -@@ -954,6 +1112,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4228,7 +4229,7 @@ index 83e899c..c5be77c 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1125,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4238,7 +4239,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -979,12 +1139,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4254,7 +4255,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1002,7 +1163,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4263,7 +4264,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1015,13 +1176,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') 
@@ -4278,7 +4279,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1041,7 +1201,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4287,7 +4288,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1059,8 +1219,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4297,7 +4298,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1070,13 +1229,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` @@ -4323,7 +4324,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1094,7 +1262,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4333,7 +4334,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1111,10 +1280,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4365,7 +4366,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1127,7 +1315,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4374,7 +4375,7 @@ index 83e899c..c5be77c 100644 ') ######################################## -@@ -1136,6 +1324,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4384,7 +4385,7 @@ index 83e899c..c5be77c 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1356,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4417,7 +4418,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1183,18 +1396,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4446,7 +4447,7 @@ index 83e899c..c5be77c 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1418,10 @@ interface(`apache_admin',` +@@ -1204,10 +1419,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4460,7 +4461,7 @@ index 83e899c..c5be77c 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1432,129 @@ interface(`apache_admin',` +@@ -1218,9 +1433,129 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -7154,6 +7155,19 @@ index 3590e2f..e1494bd 100644 ') optional_policy(` +diff --git a/apt.if b/apt.if +index e2414c4..970736b 100644 +--- a/apt.if ++++ b/apt.if +@@ -152,7 +152,7 @@ interface(`apt_read_cache',` + + files_search_var($1) + allow $1 apt_var_cache_t:dir list_dir_perms; +- dontaudit $1 apt_var_cache_t:dir write_dir_perms; ++ dontaudit $1 apt_var_cache_t:dir rw_dir_perms; + allow $1 apt_var_cache_t:file read_file_perms; + ') + diff --git a/apt.te b/apt.te index e2d8d52..d82403c 100644 --- a/apt.te @@ -7378,7 +7392,7 @@ index 7268a04..6ffd87d 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 5439f1c..0be374d 100644 +index 5439f1c..74c24a3 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; 
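Review bot: Changing the dontaudit in `apt_read_cache` from `write_dir_perms` to `rw_dir_perms` on `apt_var_cache_t:dir` appears to change nothing observable: if `rw_dir_perms` differs from `write_dir_perms` only by `read`, that permission is already granted by the `allow $1 apt_var_cache_t:dir list_dir_perms;` line directly above, so no additional denial is silenced. If the intent was to stop a specific AVC, the denied permission should be named in a comment, e.g. `# silences <permission seen in AVC> from <calling domain>`, otherwise the hunk is best dropped. The interface is named `_read_` yet hides write attempts on the cache directory; that is pre-existing, but a comment saying why such attempts are expected would help a reader.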
@@ -7400,7 +7414,7 @@ index 5439f1c..0be374d 100644 manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) - -+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file }) ++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file }) can_exec(asterisk_t, asterisk_exec_t) kernel_read_kernel_sysctls(asterisk_t) @@ -8360,7 +8374,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..d4fb2a4 100644 +index 076ffee..1672ca4 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -8393,7 +8407,18 @@ index 076ffee..d4fb2a4 100644 allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket { accept listen }; -@@ -110,7 +114,6 @@ kernel_read_network_state(named_t) +@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) + + can_exec(named_t, named_exec_t) + +-append_files_pattern(named_t, named_log_t, named_log_t) +-create_files_pattern(named_t, named_log_t, named_log_t) +-setattr_files_pattern(named_t, named_log_t, named_log_t) ++manage_files_pattern(named_t, named_log_t, named_log_t) + logging_log_filetrans(named_t, named_log_t, file) + + manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) +@@ -110,7 +112,6 @@ kernel_read_network_state(named_t) corecmd_search_bin(named_t) @@ -8401,7 +8426,7 @@ index 076ffee..d4fb2a4 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t) +@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t) dev_read_sysfs(named_t) dev_read_rand(named_t) dev_read_urand(named_t) 
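Review bot: `files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })` now names `fifo_file`, but a type transition only takes effect if the domain may also create that class on the target type, and the only creation rule visible in the hunk is `manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)`. Unless a `manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)` (or an equivalent create rule) exists outside the hunk, the fifo_file transition is dead and FIFO creation in the pid directory will still be denied. Adding that pattern next to the sock_file one, as the bluetooth.te hunk in this same commit does for `bluetooth_tmp_t`, would make the new rule effective. The surrounding asterisk_t local policy continues beyond the hunk.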
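Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on `named_log_t` with `manage_files_pattern(named_t, named_log_t, named_log_t)` drops the append-only property of named's log files: the daemon can now read, overwrite, truncate, rename and unlink its own logs, so a compromised named_t could erase the record of its activity. If the broadening is needed only for a specific operation (for example log rotation performed by named itself), add the narrowest pattern that covers it plus a comment such as `# named rotates its own logs (rename/unlink)` instead of the full manage set. If the full set really is required, a why-comment on the new line naming the denial that motivated it would help the next reviewer. The `@@ -110,7 +112,6 @@` part of the same hunk is only an offset change.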
@@ -8409,7 +8434,7 @@ index 076ffee..d4fb2a4 100644 domain_use_interactive_fds(named_t) -@@ -170,6 +174,15 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -8425,7 +8450,7 @@ index 076ffee..d4fb2a4 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -183,6 +196,7 @@ optional_policy(` +@@ -183,6 +194,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) @@ -8433,7 +8458,7 @@ index 076ffee..d4fb2a4 100644 ') optional_policy(` -@@ -209,7 +223,8 @@ optional_policy(` +@@ -209,7 +221,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -8443,7 +8468,7 @@ index 076ffee..d4fb2a4 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -223,10 +238,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -8455,7 +8480,7 @@ index 076ffee..d4fb2a4 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +265,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -8651,10 +8676,10 @@ index bc5c984..63a4b1d 100644 + xserver_read_state_xdm(blueman_t) +') diff --git a/bluetooth.fc b/bluetooth.fc -index 2b9c7f3..63e4860 100644 +index 2b9c7f3..0086b95 100644 --- a/bluetooth.fc +++ b/bluetooth.fc -@@ -5,10 +5,13 @@ +@@ -5,10 +5,14 @@ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) 
@@ -8665,6 +8690,7 @@ index 2b9c7f3..63e4860 100644 /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0) ++/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) @@ -8785,7 +8811,7 @@ index c723a0a..3e8a553 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 6f09d24..9c48d18 100644 +index 6f09d24..b1ec892 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) @@ -8798,7 +8824,17 @@ index 6f09d24..9c48d18 100644 ######################################## # # Local policy -@@ -90,14 +93,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) +@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) + + manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) + manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) +-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file }) ++manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) ++files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file }) + + manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) + manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) +@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) can_exec(bluetooth_t, bluetooth_helper_exec_t) 
@@ -8825,7 +8861,7 @@ index 6f09d24..9c48d18 100644 dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) -@@ -110,7 +123,6 @@ domain_use_interactive_fds(bluetooth_t) +@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t) domain_dontaudit_search_all_domains_state(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) @@ -8833,7 +8869,7 @@ index 6f09d24..9c48d18 100644 fs_getattr_all_fs(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t) -@@ -122,7 +134,6 @@ auth_use_nsswitch(bluetooth_t) +@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t) logging_send_syslog_msg(bluetooth_t) @@ -8841,7 +8877,7 @@ index 6f09d24..9c48d18 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -130,8 +141,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +@@ -130,8 +142,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) @@ -8854,7 +8890,7 @@ index 6f09d24..9c48d18 100644 optional_policy(` cups_dbus_chat(bluetooth_t) -@@ -199,7 +214,6 @@ dev_read_urand(bluetooth_helper_t) +@@ -199,7 +215,6 @@ dev_read_urand(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) files_read_etc_runtime_files(bluetooth_helper_t) @@ -9105,7 +9141,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..f177ca5 100644 +index 7c92aa1..d4b9ffa 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,13 @@ @@ -9297,7 +9333,7 @@ index 7c92aa1..f177ca5 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +141,65 @@ init_read_utmp(boinc_t) +@@ -130,55 +141,69 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -9308,10 +9344,11 @@ index 7c92aa1..f177ca5 100644 mta_send_mail(boinc_t) ') --optional_policy(` + optional_policy(` - sysnet_dns_name_resolve(boinc_t) --') -- ++ xserver_stream_connect(boinc_t) + ') + ######################################## # -# Project local policy 
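Review bot: `xserver_stream_connect(boinc_t)` lets the network-facing boinc daemon connect to the X server socket unconditionally, which is a route to screen and input access whenever a usable X cookie is reachable, and this change is not listed in the commit message. If it is only needed for the screensaver/graphics helper, consider gating it behind a tunable or attaching it to the graphics domain instead of the daemon, and say why it is there: `# boinc client connects to X for the screensaver graphics app`. The same hunk drops `sysnet_dns_name_resolve(boinc_t)`; presumably that is covered by another interface now, but it is worth confirming the daemon can still resolve project hosts.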
@@ -12421,7 +12458,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..b2709d1 100644 +index 6471fa8..dbb3f45 100644 --- a/collectd.te +++ b/collectd.te @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) @@ -12439,16 +12476,17 @@ index 6471fa8..b2709d1 100644 ######################################## # # Local policy -@@ -38,6 +44,8 @@ allow collectd_t self:process { getsched setsched signal }; +@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow collectd_t self:udp_socket create_socket_perms; ++allow collectd_t self:rawip_socket create_socket_perms; manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -46,23 +54,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) +@@ -46,23 +55,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) files_pid_filetrans(collectd_t, collectd_var_run_t, file) @@ -12481,7 +12519,7 @@ index 6471fa8..b2709d1 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +86,26 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` 
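Review bot: `allow collectd_t self:rawip_socket create_socket_perms;` is what a ping plugin needs, but a raw IP socket is not limited to ICMP and the kernel additionally requires CAP_NET_RAW, which this hunk does not grant; check that `allow collectd_t self:capability net_raw;` exists in the rest of collectd.te (not visible here), otherwise the new rule is dead. Because collectd is normally a passive metrics collector, consider placing the raw-socket rule under a tunable the same way `collectd_tcp_network_connect` guards outbound TCP in the block below, and note the purpose: `# ping plugin: raw ICMP sockets`.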
@@ -19057,6 +19095,19 @@ index 2c2e7e1..493ab48 100644 +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; +diff --git a/dcc.fc b/dcc.fc +index 62d3c4e..cef59a7 100644 +--- a/dcc.fc ++++ b/dcc.fc +@@ -10,6 +10,8 @@ + /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) + /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) + ++/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) ++ + /usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) + /usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) + /usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) diff --git a/dcc.if b/dcc.if index a5c21e0..4639421 100644 --- a/dcc.if @@ -19070,7 +19121,7 @@ index a5c21e0..4639421 100644 stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te -index 15d908f..147dd14 100644 +index 15d908f..cecb0da 100644 --- a/dcc.te +++ b/dcc.te @@ -45,7 +45,7 @@ type dcc_var_t; @@ -19104,7 +19155,16 @@ index 15d908f..147dd14 100644 ######################################## # -@@ -123,6 +126,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) +@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid }; + + allow dcc_client_t dcc_client_map_t:file rw_file_perms; + ++domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t) ++ + manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) +@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) kernel_read_system_state(dcc_client_t) 
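Review bot: The new `domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)` together with the `start-dccifd` label in dcc.fc lets a dcc client process launch the daemon domain, and if start-dccifd is a shell wrapper (the name suggests so) dccifd_t must be able to execute the shell, which this hunk does not add; check for `corecmd_exec_shell(dccifd_t)` in dcc.te. It is also worth recording why a client needs to enter the long-lived, network-facing daemon domain rather than only executing the wrapper: `# cdcc/dccproc may start dccifd via /usr/libexec/dcc/start-dccifd`. The dcc_client_t block continues outside this hunk.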
@@ -19117,7 +19177,7 @@ index 15d908f..147dd14 100644 files_read_etc_runtime_files(dcc_client_t) fs_getattr_all_fs(dcc_client_t) -@@ -131,12 +140,10 @@ auth_use_nsswitch(dcc_client_t) +@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t) logging_send_syslog_msg(dcc_client_t) @@ -19132,7 +19192,7 @@ index 15d908f..147dd14 100644 ') optional_policy(` -@@ -160,15 +167,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) +@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) kernel_read_system_state(dcc_dbclean_t) @@ -19154,7 +19214,7 @@ index 15d908f..147dd14 100644 ######################################## # -@@ -202,7 +212,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) +@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) kernel_read_system_state(dccd_t) kernel_read_kernel_sysctls(dccd_t) @@ -19162,7 +19222,7 @@ index 15d908f..147dd14 100644 corenet_all_recvfrom_netlabel(dccd_t) corenet_udp_sendrecv_generic_if(dccd_t) corenet_udp_sendrecv_generic_node(dccd_t) -@@ -227,8 +236,6 @@ auth_use_nsswitch(dccd_t) +@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t) logging_send_syslog_msg(dccd_t) @@ -19171,7 +19231,7 @@ index 15d908f..147dd14 100644 userdom_dontaudit_use_unpriv_user_fds(dccd_t) userdom_dontaudit_search_user_home_dirs(dccd_t) -@@ -269,6 +276,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) +@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) kernel_read_system_state(dccifd_t) kernel_read_kernel_sysctls(dccifd_t) @@ -19183,7 +19243,7 @@ index 15d908f..147dd14 100644 dev_read_sysfs(dccifd_t) domain_use_interactive_fds(dccifd_t) -@@ -282,8 +294,6 @@ auth_use_nsswitch(dccifd_t) +@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t) logging_send_syslog_msg(dccifd_t) 
@@ -19192,7 +19252,7 @@ index 15d908f..147dd14 100644 userdom_dontaudit_use_unpriv_user_fds(dccifd_t) userdom_dontaudit_search_user_home_dirs(dccifd_t) -@@ -324,6 +334,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) +@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) kernel_read_system_state(dccm_t) kernel_read_kernel_sysctls(dccm_t) @@ -19204,7 +19264,7 @@ index 15d908f..147dd14 100644 dev_read_sysfs(dccm_t) domain_use_interactive_fds(dccm_t) -@@ -337,8 +352,6 @@ auth_use_nsswitch(dccm_t) +@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t) logging_send_syslog_msg(dccm_t) @@ -22994,7 +23054,7 @@ index 6041113..ef3b449 100644 role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; diff --git a/exim.te b/exim.te -index 19325ce..5957aad 100644 +index 19325ce..b5c157f 100644 --- a/exim.te +++ b/exim.te @@ -49,7 +49,7 @@ type exim_log_t; @@ -23051,7 +23111,18 @@ index 19325ce..5957aad 100644 ') optional_policy(` -@@ -218,6 +216,7 @@ optional_policy(` +@@ -192,8 +190,9 @@ optional_policy(` + ') + + optional_policy(` +- mailman_read_data_files(exim_t) ++ mailman_manage_data_files(exim_t) + mailman_domtrans(exim_t) ++ mailman_read_log(exim_t) + ') + + optional_policy(` +@@ -218,6 +217,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -24148,7 +24219,7 @@ index c12c067..a415012 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index c81b6e8..fcb022d 100644 +index c81b6e8..34e1f1c 100644 --- a/fprintd.te +++ b/fprintd.te @@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t) @@ -24159,8 +24230,11 @@ index c81b6e8..fcb022d 100644 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t) +@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t) + + dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) ++dev_read_urand(fprintd_t) dev_rw_generic_usb_dev(fprintd_t) -files_read_usr_files(fprintd_t) 
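Review bot: `mailman_manage_data_files(exim_t)` turns a read-only grant into create/write/delete on mailman data, which presumably includes list configuration and membership state, so an exim compromise now reaches mailman state; the commit message only says exim "needs to manage mailman data" without naming the failing operation. If the real need is writing or appending to a subset of that data, a narrower interface would keep the blast radius, and either way the reason belongs above the line: `# exim writes into mailman data when delivering to lists`. `mailman_read_log(exim_t)` is unobjectionable. The exim optional_policy block continues outside this hunk.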
@@ -24174,7 +24248,7 @@ index c81b6e8..fcb022d 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +51,13 @@ optional_policy(` +@@ -54,8 +52,13 @@ optional_policy(` ') ') @@ -29774,7 +29848,7 @@ index ca07a87..6ea129c 100644 + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) diff --git a/iodine.if b/iodine.if -index a0bfbd0..6f5dbdf 100644 +index a0bfbd0..47f7c75 100644 --- a/iodine.if +++ b/iodine.if @@ -2,6 +2,30 @@ @@ -29796,7 +29870,7 @@ index a0bfbd0..6f5dbdf 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 iodined_unit_file_t:file read_file_perms; + allow $1 iodined_unit_file_t:service manage_service_perms; + @@ -31429,7 +31503,7 @@ index a49ae4e..913a0e3 100644 -/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) +/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..f6402dc 100644 +index 3a00b3a..9d8c551 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -31619,7 +31693,7 @@ index 3a00b3a..f6402dc 100644 + type kdump_t, kdump_etc_t; + type kdump_initrc_exec_t; + type kdump_unit_file_t; -+ type kdump_crash_t ++ type kdump_crash_t; ') - allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; @@ -35941,7 +36015,7 @@ index 108c0f1..a248501 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index 8eaf51b..3229e0f 100644 +index 8eaf51b..a057913 100644 --- a/mailman.te +++ b/mailman.te @@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4) @@ -35986,7 +36060,7 @@ index 8eaf51b..3229e0f 100644 ######################################## # # CGI local policy -@@ -115,8 +112,9 @@ optional_policy(` +@@ -115,20 +112,23 @@ optional_policy(` # Mail local policy # 
@@ -35998,7 +36072,12 @@ index 8eaf51b..3229e0f 100644 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -@@ -127,8 +125,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t) + files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) + ++can_exec(mailman_mail_t, mailman_mail_exec_t) ++ + corenet_sendrecv_innd_client_packets(mailman_mail_t) + corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_sendrecv_innd_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) @@ -36008,7 +36087,7 @@ index 8eaf51b..3229e0f 100644 dev_read_urand(mailman_mail_t) -@@ -142,6 +140,10 @@ optional_policy(` +@@ -142,6 +142,10 @@ optional_policy(` ') optional_policy(` @@ -36019,7 +36098,7 @@ index 8eaf51b..3229e0f 100644 cron_read_pipes(mailman_mail_t) ') -@@ -182,3 +184,9 @@ optional_policy(` +@@ -182,3 +186,9 @@ optional_policy(` optional_policy(` su_exec(mailman_queue_t) ') @@ -39143,7 +39222,7 @@ index 6194b80..3209b1c 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..2288b0e 100644 +index 6a306ee..2108bc7 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -39587,7 +39666,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -300,221 +324,183 @@ optional_policy(` +@@ -300,221 +324,184 @@ optional_policy(` ######################################## # @@ -39855,6 +39934,7 @@ index 6a306ee..2288b0e 100644 +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) +term_getattr_ptmx(mozilla_plugin_t) ++term_dontaudit_use_ptmx(mozilla_plugin_t) +userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t) +userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -39910,7 +39990,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -523,36 +509,44 @@ optional_policy(` +@@ -523,36 +510,44 @@ optional_policy(` ') optional_policy(` 
@@ -39925,13 +40005,6 @@ index 6a306ee..2288b0e 100644 + dbus_session_bus_client(mozilla_plugin_t) + dbus_connect_session_bus(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ gnome_manage_config(mozilla_plugin_t) -+ gnome_read_usr_config(mozilla_plugin_t) -+ gnome_filetrans_home_content(mozilla_plugin_t) -+ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') optional_policy(` @@ -39939,6 +40012,13 @@ index 6a306ee..2288b0e 100644 - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") ++ gnome_manage_config(mozilla_plugin_t) ++ gnome_read_usr_config(mozilla_plugin_t) ++ gnome_filetrans_home_content(mozilla_plugin_t) ++ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) ') @@ -39968,7 +40048,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -560,7 +554,7 @@ optional_policy(` +@@ -560,7 +555,7 @@ optional_policy(` ') optional_policy(` @@ -39977,7 +40057,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -568,108 +562,126 @@ optional_policy(` +@@ -568,108 +563,128 @@ optional_policy(` ') optional_policy(` 
@@ -40006,12 +40086,12 @@ index 6a306ee..2288b0e 100644 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) @@ -40083,6 +40163,8 @@ index 6a306ee..2288b0e 100644 fs_getattr_all_fs(mozilla_plugin_config_t) -fs_search_auto_mountpoints(mozilla_plugin_config_t) -fs_list_inotifyfs(mozilla_plugin_config_t) ++ ++term_dontaudit_use_ptmx(mozilla_plugin_config_t) auth_use_nsswitch(mozilla_plugin_config_t) @@ -46294,7 +46376,7 @@ index 0000000..cf8f660 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..fc9f771 +index 0000000..92134cc --- /dev/null +++ b/nova.te @@ -0,0 +1,328 @@ @@ -46368,6 +46450,7 @@ index 0000000..fc9f771 + +optional_policy(` + sysnet_read_config(nova_domain) ++ sysnet_exec_ifconfig(nova_domain) +') + +###################################### @@ -46545,7 +46628,7 @@ index 0000000..fc9f771 +') + +optional_policy(` -+ iptables_domtrans(nova_network_t) ++ iptables_domtrans(nova_network_t) +') + +optional_policy(` 
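Review bot: `sysnet_exec_ifconfig(nova_domain)` runs ifconfig/ip inside every nova domain rather than transitioning to ifconfig_t, so the net_admin capability and netlink socket permissions that ifconfig needs will presumably have to be granted on the whole nova_domain attribute too, which this hunk does not do and which would be a much broader grant. `sysnet_domtrans_ifconfig(nova_domain)` keeps those privileges inside ifconfig_t and is the usual choice for daemons that shell out to ifconfig, unless nova needs to capture the output in its own domain. The nova_domain block continues outside this hunk.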
@@ -46625,7 +46708,6 @@ index 0000000..fc9f771 +optional_policy(` + unconfined_domain(nova_volume_t) +') -+ diff --git a/nscd.fc b/nscd.fc index ba64485..429bd79 100644 --- a/nscd.fc @@ -48961,7 +49043,7 @@ index 379af96..41ff159 100644 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) diff --git a/nut.if b/nut.if -index 57c0161..54bd4d7 100644 +index 57c0161..5eb71a0 100644 --- a/nut.if +++ b/nut.if @@ -1,39 +1,24 @@ @@ -48973,7 +49055,7 @@ index 57c0161..54bd4d7 100644 ## -## All of the rules required to -## administrate an nut environment. -+## Execute swift server in the swift domain. ++## Execute nut services in the nut domain. ## ## -## @@ -49005,7 +49087,7 @@ index 57c0161..54bd4d7 100644 - allow $2 system_r; +interface(`nut_systemctl',` + gen_require(` -+ type nut_t; ++ attribute nut_domain; + type nut_unit_file_t; + ') @@ -49017,7 +49099,7 @@ index 57c0161..54bd4d7 100644 - files_search_pids($1) - admin_pattern($1, nut_var_run_t) -+ ps_process_pattern($1, swift_t) ++ ps_process_pattern($1, nut_domain) ') diff --git a/nut.te b/nut.te index 0c9deb7..76988d6 100644 @@ -51540,7 +51622,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..8a6fbc2 100644 +index 3270ff9..83daba9 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) 
@@ -51606,8 +51688,11 @@ index 3270ff9..8a6fbc2 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t) +@@ -103,13 +121,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) + corenet_sendrecv_http_server_packets(openvpn_t) + corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) ++corenet_tcp_connect_squid_port(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_sendrecv_http_port(openvpn_t) - @@ -51620,7 +51705,7 @@ index 3270ff9..8a6fbc2 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -121,18 +141,24 @@ fs_search_auto_mountpoints(openvpn_t) auth_use_pam(openvpn_t) @@ -51648,7 +51733,7 @@ index 3270ff9..8a6fbc2 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -155,3 +180,27 @@ optional_policy(` +@@ -155,3 +181,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -56760,6 +56845,18 @@ index 316d53a..79b5c4f 100644 -miscfiles_read_localization(polipo_daemon) +userdom_home_manager(polipo_session_t) +diff --git a/portage.if b/portage.if +index 67e8c12..18b89d7 100644 +--- a/portage.if ++++ b/portage.if +@@ -67,6 +67,7 @@ interface(`portage_compile_domain',` + class dbus send_msg; + type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; + type portage_tmpfs_t; ++ type portage_sandbox_t; + ') + + allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; diff --git a/portage.te b/portage.te index a95fc4a..b9b5418 100644 --- a/portage.te @@ -59992,7 +60089,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index c0f047a..6f22887 100644 +index c0f047a..e04bdd6 100644 --- a/prelink.te +++ b/prelink.te @@ -1,4 +1,4 @@ 
@@ -60165,7 +60262,7 @@ index c0f047a..6f22887 100644 kernel_read_system_state(prelink_cron_system_t) -@@ -184,8 +168,11 @@ optional_policy(` +@@ -184,23 +168,36 @@ optional_policy(` dev_list_sysfs(prelink_cron_system_t) dev_read_sysfs(prelink_cron_system_t) @@ -60178,7 +60275,11 @@ index c0f047a..6f22887 100644 auth_use_nsswitch(prelink_cron_system_t) -@@ -196,11 +183,20 @@ optional_policy(` + init_telinit(prelink_cron_system_t) + init_exec(prelink_cron_system_t) ++ init_reload_services(prelink_cron_system_t) + + libs_exec_ld_so(prelink_cron_system_t) logging_search_logs(prelink_cron_system_t) @@ -60884,7 +60985,7 @@ index 0000000..96a0d9f +/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0) diff --git a/prosody.if b/prosody.if new file mode 100644 -index 0000000..8867237 +index 0000000..f1e1209 --- /dev/null +++ b/prosody.if @@ -0,0 +1,239 @@ @@ -61022,7 +61123,7 @@ index 0000000..8867237 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 prosody_unit_file_t:file read_file_perms; + allow $1 prosody_unit_file_t:service manage_service_perms; + @@ -65938,7 +66039,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..7054723 100644 +index 3698b51..8c4ba04 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -65996,7 +66097,7 @@ index 3698b51..7054723 100644 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -68,20 +80,42 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) 
@@ -66017,6 +66118,8 @@ index 3698b51..7054723 100644 +fs_getattr_all_dirs(rabbitmq_beam_t) +fs_getattr_cgroup(rabbitmq_beam_t) + ++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) ++ +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) @@ -66043,7 +66146,7 @@ index 3698b51..7054723 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +133,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -72128,7 +72231,7 @@ index ebe91fc..6392cad 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..84f2fd7 100644 +index 0628d50..3031a82 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -72263,10 +72366,28 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -181,6 +186,42 @@ interface(`rpm_rw_pipes',` +@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',` ######################################## ## ++## Read and write an unnamed RPM script pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_rw_script_inherited_pipes',` ++ gen_require(` ++ type rpm_t; ++ ') ++ ++ allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## +## dontaudit read and write an leaked file descriptors +## +## @@ -72306,7 +72427,7 @@ index 0628d50..84f2fd7 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -224,7 +265,7 @@ interface(`rpm_dontaudit_dbus_chat',` +@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',` ######################################## ## ## Send and receive messages from 
@@ -72315,7 +72436,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -244,7 +285,7 @@ interface(`rpm_script_dbus_chat',` +@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',` ######################################## ## @@ -72324,7 +72445,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -263,7 +304,8 @@ interface(`rpm_search_log',` +@@ -263,7 +322,8 @@ interface(`rpm_search_log',` ##################################### ## @@ -72334,17 +72455,19 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -276,14 +318,30 @@ interface(`rpm_append_log',` +@@ -276,14 +336,30 @@ interface(`rpm_append_log',` type rpm_log_t; ') - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. +## Create, read, write, and delete the RPM log. +## +## @@ -72359,17 +72482,15 @@ index 0628d50..84f2fd7 100644 + ') + + read_files_pattern($1, rpm_log_t, rpm_log_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. ++') ++ ++######################################## ++## +## Create, read, write, and delete the RPM log. ## ## ## -@@ -302,7 +360,7 @@ interface(`rpm_manage_log',` +@@ -302,7 +378,7 @@ interface(`rpm_manage_log',` ######################################## ## @@ -72378,7 +72499,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -72389,7 +72510,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) 
@@ -72406,7 +72527,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -72424,7 +72545,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -72440,7 +72561,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -72449,7 +72570,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -420,8 +482,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +500,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -72459,7 +72580,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -72468,7 +72589,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -459,11 +520,12 @@ interface(`rpm_read_db',` +@@ -459,11 +538,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -72482,7 +72603,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -482,8 +544,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +562,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -72492,7 +72613,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -503,8 +564,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +582,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -72522,7 +72643,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -517,7 +598,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') 
@@ -72531,7 +72652,7 @@ index 0628d50..84f2fd7 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +624,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -72541,7 +72662,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -563,8 +643,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -72551,7 +72672,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -573,94 +652,72 @@ interface(`rpm_manage_pid_files',` +@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -72645,16 +72766,16 @@ index 0628d50..84f2fd7 100644 - allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rpm_t rpm_script_t }) -- ++ typeattribute $1 rpm_transition_domain; ++ allow $1 rpm_script_t:process transition; + - init_labeled_script_domtrans($1, rpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpm_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, rpm_file_t) -+ typeattribute $1 rpm_transition_domain; -+ allow $1 rpm_script_t:process transition; - +- - files_list_var($1) - admin_pattern($1, rpm_cache_t) - @@ -81068,10 +81189,27 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index 703efa3..de313d7 100644 +index 703efa3..7779402 100644 --- a/sosreport.te 
+++ b/sosreport.te -@@ -70,7 +70,6 @@ files_list_all(sosreport_t) +@@ -33,6 +33,7 @@ allow sosreport_t self:process { setsched signull }; + allow sosreport_t self:fifo_file rw_fifo_file_perms; + allow sosreport_t self:tcp_socket { accept listen }; + allow sosreport_t self:unix_stream_socket { accept listen }; ++allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) + manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +@@ -58,6 +59,8 @@ dev_read_rand(sosreport_t) + dev_read_urand(sosreport_t) + dev_read_raw_memory(sosreport_t) + dev_read_sysfs(sosreport_t) ++dev_getattr_all_chr_files(sosreport_t) ++dev_getattr_all_blk_files(sosreport_t) + + domain_getattr_all_domains(sosreport_t) + domain_read_all_domains_state(sosreport_t) +@@ -70,7 +73,6 @@ files_list_all(sosreport_t) files_read_config_files(sosreport_t) files_read_generic_tmp_files(sosreport_t) files_read_non_auth_files(sosreport_t) @@ -81079,10 +81217,18 @@ index 703efa3..de313d7 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -84,6 +83,10 @@ fs_list_inotifyfs(sosreport_t) +@@ -79,11 +81,18 @@ files_manage_etc_runtime_files(sosreport_t) + files_etc_filetrans_etc_runtime(sosreport_t, file) + + fs_getattr_all_fs(sosreport_t) ++fs_getattr_all_dirs(sosreport_t) + fs_list_inotifyfs(sosreport_t) + storage_dontaudit_read_fixed_disk(sosreport_t) storage_dontaudit_read_removable_device(sosreport_t) ++term_getattr_pty_fs(sosreport_t) ++ +# some config files do not have configfile attribute +# sosreport needs to read various files on system +files_read_non_security_files(sosreport_t) 
@@ -81090,7 +81236,7 @@ index 703efa3..de313d7 100644 auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) -@@ -93,9 +96,8 @@ libs_domtrans_ldconfig(sosreport_t) +@@ -93,9 +102,8 @@ libs_domtrans_ldconfig(sosreport_t) logging_read_all_logs(sosreport_t) logging_send_syslog_msg(sosreport_t) @@ -81101,7 +81247,7 @@ index 703efa3..de313d7 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -111,6 +113,11 @@ optional_policy(` +@@ -111,6 +119,11 @@ optional_policy(` ') optional_policy(` @@ -84016,7 +84162,7 @@ index c9824cb..1973f71 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index c8b80b2..f041061 100644 +index c8b80b2..c81d332 100644 --- a/sysstat.te +++ b/sysstat.te @@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co @@ -84038,8 +84184,12 @@ index c8b80b2..f041061 100644 corecmd_exec_bin(sysstat_t) dev_read_sysfs(sysstat_t) -@@ -49,8 +48,10 @@ files_read_etc_runtime_files(sysstat_t) - fs_getattr_xattr_fs(sysstat_t) +@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t) + files_search_var(sysstat_t) + files_read_etc_runtime_files(sysstat_t) + +-fs_getattr_xattr_fs(sysstat_t) ++fs_getattr_all_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) +storage_getattr_fixed_disk_dev(sysstat_t) @@ -84356,7 +84506,7 @@ index c7de0cf..9813503 100644 +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/telepathy.if b/telepathy.if -index 42946bc..3d30062 100644 +index 42946bc..741f2f4 100644 --- a/telepathy.if +++ b/telepathy.if @@ -2,45 +2,39 @@ 
@@ -84436,7 +84586,7 @@ index 42946bc..3d30062 100644 type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; -@@ -63,91 +62,79 @@ template(`telepathy_role_template',` +@@ -63,91 +62,84 @@ template(`telepathy_role_template',` type telepathy_mission_control_exec_t, telepathy_salut_exec_t; type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; type telepathy_msn_exec_t; @@ -84542,11 +84692,15 @@ index 42946bc..3d30062 100644 ## -## +## - ## Domain allowed access. - ## - ## - # --interface(`telepathy_gabble_dbus_chat',` ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`telepathy_gabble_stream_connect_to', ` + gen_require(` + type telepathy_gabble_t; @@ -84562,15 +84716,16 @@ index 42946bc..3d30062 100644 +## +## +## -+## Domain allowed access. -+## -+## -+# + ## Domain allowed access. + ## + ## + # +-interface(`telepathy_gabble_dbus_chat',` +interface(`telepathy_gabble_dbus_chat', ` gen_require(` type telepathy_gabble_t; class dbus send_msg; -@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',` +@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',` ######################################## ## @@ -84583,7 +84738,7 @@ index 42946bc..3d30062 100644 ## Domain allowed access. ## ## -@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',` +@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',` ') kernel_search_proc($1) @@ -84601,7 +84756,7 @@ index 42946bc..3d30062 100644 ## ## ## -@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',` +@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',` ## ## # 
@@ -84624,7 +84779,7 @@ index 42946bc..3d30062 100644 ## ## ## -@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',` +@@ -209,11 +197,138 @@ interface(`telepathy_msn_stream_connect',` ## ## # @@ -87789,7 +87944,7 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 8840be6..285680c 100644 +index 8840be6..d2c7596 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles; @@ -87809,7 +87964,15 @@ index 8840be6..285680c 100644 ######################################## # # Local policy -@@ -38,6 +42,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) +@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t) + allow usbmuxd_t self:capability { kill setgid setuid }; + allow usbmuxd_t self:process { signal signull }; + allow usbmuxd_t self:fifo_file rw_fifo_file_perms; ++allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) + manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) auth_use_nsswitch(usbmuxd_t) @@ -88909,10 +89072,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..898ce74 100644 +index c30da4c..b81eaa0 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,87 @@ +@@ -1,52 +1,86 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
@@ -88965,7 +89128,6 @@ index c30da4c..898ce74 100644 /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) -+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) @@ -88981,14 +89143,14 @@ index c30da4c..898ce74 100644 -/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +- +-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) --/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -- -/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) @@ -90727,10 +90889,10 @@ index 9dec06c..bdba959 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..2757963 100644 +index 1f22fba..4ed8171 100644 --- a/virt.te +++ b/virt.te -@@ -1,94 +1,97 @@ +@@ -1,94 +1,104 @@ -policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) 
@@ -90853,9 +91015,6 @@ index 1f22fba..2757963 100644 -attribute virt_tmpfs_type; - -attribute svirt_lxc_domain; -- --attribute_role virt_domain_roles; --roleattribute system_r virt_domain_roles; +## +##

+## Allow confined virtual guests to use usb devices @@ -90863,6 +91022,15 @@ index 1f22fba..2757963 100644 +## +gen_tunable(virt_use_usb, true) +-attribute_role virt_domain_roles; +-roleattribute system_r virt_domain_roles; ++## ++##

++## Allow virtual processes to run as userdomains ++##

++##
++gen_tunable(virt_transition_userdomain, false) + -attribute_role virt_bridgehelper_roles; -roleattribute system_r virt_bridgehelper_roles; +virt_domain_template(svirt) @@ -90880,7 +91048,7 @@ index 1f22fba..2757963 100644 type virt_cache_t alias svirt_cache_t; files_type(virt_cache_t) -@@ -105,27 +108,25 @@ userdom_user_home_content(virt_home_t) +@@ -105,27 +115,25 @@ userdom_user_home_content(virt_home_t) type svirt_home_t; userdom_user_home_content(svirt_home_t) @@ -90914,7 +91082,7 @@ index 1f22fba..2757963 100644 type virt_var_run_t; files_pid_file(virt_var_run_t) -@@ -139,9 +140,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) +@@ -139,9 +147,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) domain_obj_id_change_exemption(virtd_t) domain_subj_id_change_exemption(virtd_t) @@ -90932,7 +91100,7 @@ index 1f22fba..2757963 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -155,290 +164,134 @@ type virt_qmf_exec_t; +@@ -155,290 +171,134 @@ type virt_qmf_exec_t; init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) type virt_bridgehelper_t; @@ -91110,16 +91278,19 @@ index 1f22fba..2757963 100644 - fs_manage_fusefs_files(virt_domain) - fs_read_fusefs_symlinks(virt_domain) -') -- ++type virtd_lxc_t; ++type virtd_lxc_exec_t; ++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virt_domain) - fs_manage_nfs_files(virt_domain) - fs_manage_nfs_named_sockets(virt_domain) - fs_read_nfs_symlinks(virt_domain) -') -+type virtd_lxc_t; -+type virtd_lxc_exec_t; -+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) ++type virt_lxc_var_run_t; ++files_pid_file(virt_lxc_var_run_t) ++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(virt_domain) 
@@ -91127,10 +91298,7 @@ index 1f22fba..2757963 100644 - fs_manage_cifs_named_sockets(virt_domain) - fs_read_cifs_symlinks(virt_domain) -') -+type virt_lxc_var_run_t; -+files_pid_file(virt_lxc_var_run_t) -+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; - +- -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(virt_domain) -') @@ -91303,7 +91471,7 @@ index 1f22fba..2757963 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +301,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -91349,7 +91517,7 @@ index 1f22fba..2757963 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +335,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) 
@@ -91359,18 +91527,18 @@ index 1f22fba..2757963 100644 - -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +347,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -91378,7 +91546,7 @@ index 1f22fba..2757963 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +355,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -91406,7 +91574,7 @@ index 1f22fba..2757963 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +375,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -91435,7 +91603,7 @@ index 1f22fba..2757963 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +422,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -91455,20 +91623,20 @@ index 1f22fba..2757963 100644 selinux_validate_context(virtd_t) -@@ -613,18 +444,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +451,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) -userdom_read_all_users_state(virtd_t) -+systemd_dbus_chat_logind(virtd_t) -+systemd_write_inhibit_pipes(virtd_t) - +- -ifdef(`hide_broken_symptoms',` - dontaudit virtd_t self:capability { sys_module sys_ptrace }; -') -- ++systemd_dbus_chat_logind(virtd_t) ++systemd_write_inhibit_pipes(virtd_t) + -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -91492,7 +91660,7 @@ index 1f22fba..2757963 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +472,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +479,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -91501,17 +91669,19 @@ index 1f22fba..2757963 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +497,326 @@ optional_policy(` +@@ -658,95 +504,326 @@ optional_policy(` ') optional_policy(` - firewalld_dbus_chat(virtd_t) -+ hal_dbus_chat(virtd_t) +- ') +- +- optional_policy(` + hal_dbus_chat(virtd_t) ') optional_policy(` -- hal_dbus_chat(virtd_t) -+ networkmanager_dbus_chat(virtd_t) + networkmanager_dbus_chat(virtd_t) ') +') + @@ -91711,10 +91881,7 @@ index 1f22fba..2757963 100644 +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - -- optional_policy(` -- networkmanager_dbus_chat(virtd_t) -- ') ++ +sysnet_read_config(virt_domain) - optional_policy(` 
@@ -91874,7 +92041,7 @@ index 1f22fba..2757963 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +828,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +835,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -91885,27 +92052,27 @@ index 1f22fba..2757963 100644 -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") - -dontaudit virsh_t virt_var_lib_t:file read_file_perms; -- --allow virsh_t svirt_lxc_domain:process transition; +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +-allow virsh_t svirt_lxc_domain:process transition; ++dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + -can_exec(virsh_t, virsh_exec_t) - -virt_domtrans(virsh_t) -virt_manage_images(virsh_t) -virt_manage_config(virsh_t) -virt_stream_connect(virsh_t) -+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; - +- -kernel_read_crypto_sysctls(virsh_t) +kernel_write_proc_files(virsh_t) kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +848,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +855,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) 
@@ -91932,7 +92099,7 @@ index 1f22fba..2757963 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +868,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +875,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -91964,7 +92131,7 @@ index 1f22fba..2757963 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +901,20 @@ optional_policy(` +@@ -847,14 +908,20 @@ optional_policy(` ') optional_policy(` @@ -91986,7 +92153,7 @@ index 1f22fba..2757963 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +939,45 @@ optional_policy(` +@@ -879,34 +946,45 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -92041,7 +92208,7 @@ index 1f22fba..2757963 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +987,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +994,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -92059,7 +92226,7 @@ index 1f22fba..2757963 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +1009,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +1016,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) 
@@ -92070,7 +92237,7 @@ index 1f22fba..2757963 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1018,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1025,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -92078,7 +92245,7 @@ index 1f22fba..2757963 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1030,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1037,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -92086,48 +92253,53 @@ index 1f22fba..2757963 100644 + selinux_mount_fs(virtd_lxc_t) selinux_unmount_fs(virtd_lxc_t) --selinux_get_enforce_mode(virtd_lxc_t) --selinux_get_fs_mount(virtd_lxc_t) --selinux_validate_context(virtd_lxc_t) --selinux_compute_access_vector(virtd_lxc_t) --selinux_compute_create_context(virtd_lxc_t) --selinux_compute_relabel_context(virtd_lxc_t) --selinux_compute_user_contexts(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) ++ ++term_use_generic_ptys(virtd_lxc_t) ++term_use_ptmx(virtd_lxc_t) ++term_relabel_pty_fs(virtd_lxc_t) ++ ++auth_use_nsswitch(virtd_lxc_t) ++ ++logging_send_syslog_msg(virtd_lxc_t) ++ ++seutil_domtrans_setfiles(virtd_lxc_t) ++seutil_read_default_contexts(virtd_lxc_t) ++ + selinux_get_enforce_mode(virtd_lxc_t) + selinux_get_fs_mount(virtd_lxc_t) + selinux_validate_context(virtd_lxc_t) +@@ -965,29 +1062,33 @@ selinux_compute_create_context(virtd_lxc_t) + selinux_compute_relabel_context(virtd_lxc_t) + selinux_compute_user_contexts(virtd_lxc_t) - term_use_generic_ptys(virtd_lxc_t) - term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1044,39 @@ auth_use_nsswitch(virtd_lxc_t) +-term_use_generic_ptys(virtd_lxc_t) +-term_use_ptmx(virtd_lxc_t) +-term_relabel_pty_fs(virtd_lxc_t) ++sysnet_exec_ifconfig(virtd_lxc_t) - logging_send_syslog_msg(virtd_lxc_t) +-auth_use_nsswitch(virtd_lxc_t) ++userdom_read_admin_home_files(virtd_lxc_t) --miscfiles_read_localization(virtd_lxc_t) -- - seutil_domtrans_setfiles(virtd_lxc_t) --seutil_read_config(virtd_lxc_t) - seutil_read_default_contexts(virtd_lxc_t) +-logging_send_syslog_msg(virtd_lxc_t) ++optional_policy(` ++ dbus_system_bus_client(virtd_lxc_t) ++ init_dbus_chat(virtd_lxc_t) ++') --sysnet_domtrans_ifconfig(virtd_lxc_t) -+selinux_get_enforce_mode(virtd_lxc_t) -+selinux_get_fs_mount(virtd_lxc_t) -+selinux_validate_context(virtd_lxc_t) -+selinux_compute_access_vector(virtd_lxc_t) -+selinux_compute_create_context(virtd_lxc_t) -+selinux_compute_relabel_context(virtd_lxc_t) 
-+selinux_compute_user_contexts(virtd_lxc_t) -+ -+sysnet_exec_ifconfig(virtd_lxc_t) -+ -+userdom_read_admin_home_files(virtd_lxc_t) -+ +-miscfiles_read_localization(virtd_lxc_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) +-seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -92141,11 +92313,11 @@ index 1f22fba..2757963 100644 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +allow svirt_lxc_domain self:key manage_key_perms; -+allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit }; ++allow svirt_lxc_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1084,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1096,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; 
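Review bot: The new `allow svirt_lxc_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };` near the end of this hunk adds `getcap` as well as `getpgid`, but only getpgid is named in the commit message and changelog; if getcap is really needed the changelog entry should say so, otherwise drop it. The new `optional_policy(` block earlier in the hunk, `dbus_system_bus_client(virtd_lxc_t)` plus `init_dbus_chat(virtd_lxc_t)`, by its interface names lets the LXC helper exchange D-Bus messages with the init domain, yet carries no comment on what it is for; a one-liner such as `# libvirt lxc driver talks to systemd over the system bus` (assuming that is the reason — the commit only says it "now talks to dbus") would help the next reader. The remainder of the hunk only reorders existing virtd_lxc_t rules.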
@@ -92172,7 +92344,7 @@ index 1f22fba..2757963 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1102,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1114,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -92192,7 +92364,7 @@ index 1f22fba..2757963 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1121,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1133,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -92219,11 +92391,12 @@ index 1f22fba..2757963 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1146,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1158,94 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -miscfiles_read_localization(svirt_lxc_domain) ++miscfiles_dontaudit_access_check_cert(svirt_lxc_domain) miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) miscfiles_read_fonts(svirt_lxc_domain) +miscfiles_read_hwdata(svirt_lxc_domain) 
@@ -92238,12 +92411,12 @@ index 1f22fba..2757963 100644 + apache_exec_modules(svirt_lxc_domain) + apache_read_sys_content(svirt_lxc_domain) +') - --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +') -+ + +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` + ssh_use_ptys(svirt_lxc_net_t) +') @@ -92359,7 +92532,7 @@ index 1f22fba..2757963 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1245,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1258,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -92374,7 +92547,7 @@ index 1f22fba..2757963 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1263,8 @@ optional_policy(` +@@ -1183,9 +1276,8 @@ optional_policy(` ######################################## # @@ -92385,7 +92558,7 @@ index 1f22fba..2757963 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1277,115 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1290,120 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -92503,6 +92676,11 @@ index 1f22fba..2757963 100644 +role system_r types svirt_socket_t; +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; ++ ++tunable_policy(`virt_transition_userdomain',` ++ userdom_transition(virtd_t) ++ userdom_transition(virtd_lxc_t) ++') diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -92925,10 +93103,20 @@ index 9329eae..824e86f 100644 - seutil_use_newrole_fds(vpnc_t) -') 
diff --git a/watchdog.te b/watchdog.te -index 29f79e8..c58abd5 100644 +index 29f79e8..9e403ee 100644 --- a/watchdog.te +++ b/watchdog.te -@@ -63,7 +63,6 @@ domain_signull_all_domains(watchdog_t) +@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms; + allow watchdog_t self:tcp_socket { accept listen }; + + allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(watchdog_t, watchdog_log_t, file) ++manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) ++logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file}) + + manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) + files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) +@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t) domain_signal_all_domains(watchdog_t) domain_kill_all_domains(watchdog_t) @@ -92936,7 +93124,7 @@ index 29f79e8..c58abd5 100644 files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) -@@ -75,8 +74,6 @@ auth_append_login_records(watchdog_t) +@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t) logging_send_syslog_msg(watchdog_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index cbdeaac..ba44369 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 70%{?dist} +Release: 71%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
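Review bot: The two new watchdog.te lines `manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})` are formatted unlike every other call in the file (no space after the commas, no spaces inside the braces); write them as `manage_dirs_pattern(watchdog_t, watchdog_log_t, watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t, { dir file })`. Note also that the file rule kept just above restricts watchdog_t to append/create/setattr on its log files, whereas manage_dirs_pattern grants full management of the log directories (including rename and removal); if the daemon only needs to create and search its log directory, a narrower pattern would keep the two rules consistent. The watchdog change is not mentioned in the changelog entry for this release.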
@@ -539,6 +539,44 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Aug 20 2013 Miroslav Grepl 3.12.1-71 +- Allow boinc to connect to @/tmp/.X11-unix/X0 +- Allow beam.smp to connect to tcp/5984 +- Allow named to manage own log files +- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t +- Add virt_transition_userdomain boolean decl +- Allow httpd_t to sendto unix_dgram sockets on its children +- Allow nova domains to execute ifconfig +- bluetooth wants to create fifo_files in /tmp +- exim needs to be able to manage mailman data +- Allow sysstat to getattr on all file systems +- Looks like bluetoothd has moved +- Allow collectd to send ping packets +- Allow svirt_lxc domains to getpgid +- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff +- Allow frpintd_t to read /dev/urandom +- Allow asterisk_t to create sock_file in /var/run +- Allow usbmuxd to use netlink_kobject +- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket +- More cleanup of svirt_lxc policy +- virtd_lxc_t now talks to dbus +- Dontaudit leaked ptmx_t +- Allow processes to use inherited fifo files +- Allow openvpn_t to connect to squid ports +- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() +- Allow ssh_t to use /dev/ptmx +- Make sure /run/pluto dir is created with correct labeling +- Allow syslog to run shell and bin_t commands +- Allow ip to relabel tun_sockets +- Allow mount to create directories in files under /run +- Allow processes to use inherited fifo files +- Allow user roles to connect to the journal socket +- xauth_t should be allowed to create xauth_home_t +- selinux_set_enforce_mode needs to be used with type +- Add append to the dontaudit for unix_stream_socket of xdm_t leak +- Allow xdm_t to create symlinks in log direcotries +- Allow login programs to read afs config + * Thu Aug 8 2013 Miroslav Grepl 3.12.1-70 - Add 
label for /var/crash - Allow fenced to domtrans to sanclok_t