From 2d3bd4410330acd2d507351f44fdd748e6957f26 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 22 2013 10:08:40 +0000 Subject: - Allow sshd_t to read openshift content, needs backport to RHEL6.5 - Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t - Make sure kdump lock is created with correct label if kdumpctl is executed - gnome interface calls should always be made within an optional_block - Allow syslogd_t to connect to the syslog_tls port - Add labeling for /var/run/charon.ctl socket - Add kdump_filetrans_named_content() - Allow setpgid for fenced_t - Allow setpgid and r/w cluster tmpfs for fenced_t - gnome calls should always be within optional blocks - wicd.pid should be labeled as networkmanager_var_run_t - Allow sys_resource for lldpad --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4cc0f25..c23bf3e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8756,7 +8756,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..c8fc903 100644 +index cf04cb5..40f0157 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8893,7 +8893,7 @@ index cf04cb5..c8fc903 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,298 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,302 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; 
@@ -8910,6 +8910,10 @@ index cf04cb5..c8fc903 100644 +dev_config_null_dev_service(unconfined_domain_type) + +optional_policy(` ++ kdump_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + locallogin_filetrans_home_content(named_filetrans_domain) +') + @@ -20607,7 +20611,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..f06e006 100644 +index 5fc0391..1386603 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3) @@ -20981,7 +20985,7 @@ index 5fc0391..f06e006 100644 + openshift_manage_tmp_files(sshd_t) + openshift_manage_tmp_sockets(sshd_t) + openshift_mounton_tmp(sshd_t) -+ openshift_search_lib(sshd_t) ++ openshift_read_lib_files(sshd_t) +') + +optional_policy(` @@ -27927,7 +27931,7 @@ index 24e7804..76da5dd 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..4d15ea1 100644 +index dd3be8d..d9b6a37 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -28067,7 +28071,7 @@ index dd3be8d..4d15ea1 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +181,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -28079,6 +28083,7 @@ index dd3be8d..4d15ea1 100644 -dev_read_sysfs(init_t) +dev_rw_sysfs(init_t) +dev_read_urand(init_t) ++dev_read_raw_memory(init_t) # Early devtmpfs dev_rw_generic_chr_files(init_t) +dev_filetrans_all_named_dev(init_t) 
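Review bot: `++dev_read_raw_memory(init_t)` in the init.te hunk (`@@ -28079,6 +28083,7 @@`) gives init_t read access to the raw memory device type, one of the broadest read grants in the policy, and none of the bullets in the commit description covers it; the same applies to the new `sysnet_filetrans_config_fromdir` interface (sysnetwork.if), `init_dontaudit_read_utmp(httpd_t)` and the zoneminder additions in apache.te later in this diff. Add a why-comment above the line naming the consumer and the tracking bug, e.g. `# <init component that reads raw memory> (bug <id>)`, so the grant can be revisited later. If the access was only observed as a boot-time AVC, it is worth checking whether silencing it is sufficient before allowing it outright.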
@@ -28086,7 +28091,7 @@ index dd3be8d..4d15ea1 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -28107,7 +28112,7 @@ index dd3be8d..4d15ea1 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +222,51 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +223,51 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -28162,7 +28167,7 @@ index dd3be8d..4d15ea1 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +275,204 @@ ifdef(`distro_gentoo',` +@@ -186,29 +276,204 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28375,7 +28380,7 @@ index dd3be8d..4d15ea1 100644 ') optional_policy(` -@@ -216,7 +480,30 @@ optional_policy(` +@@ -216,7 +481,30 @@ optional_policy(` ') optional_policy(` @@ -28406,7 +28411,7 @@ index dd3be8d..4d15ea1 100644 ') ######################################## -@@ -225,8 +512,9 @@ optional_policy(` +@@ -225,8 +513,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28418,7 +28423,7 @@ index dd3be8d..4d15ea1 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +545,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +546,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -28435,7 +28440,7 @@ index dd3be8d..4d15ea1 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +570,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +571,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28478,7 +28483,7 @@ index dd3be8d..4d15ea1 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +607,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +608,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28490,7 +28495,7 @@ index dd3be8d..4d15ea1 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +619,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +620,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28501,7 +28506,7 @@ index dd3be8d..4d15ea1 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +630,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +631,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28511,7 +28516,7 @@ index dd3be8d..4d15ea1 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +639,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +640,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -28519,7 +28524,7 @@ index dd3be8d..4d15ea1 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +646,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +647,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28527,7 +28532,7 @@ index dd3be8d..4d15ea1 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +654,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +655,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28545,7 +28550,7 @@ index dd3be8d..4d15ea1 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +672,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +673,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28559,7 +28564,7 @@ index dd3be8d..4d15ea1 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +687,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +688,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28573,7 +28578,7 @@ index dd3be8d..4d15ea1 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +700,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +701,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -28581,7 +28586,7 @@ index dd3be8d..4d15ea1 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +712,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +713,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28589,7 +28594,7 @@ index dd3be8d..4d15ea1 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +731,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +732,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28613,7 +28618,7 @@ index dd3be8d..4d15ea1 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +764,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +765,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28621,7 +28626,7 @@ index dd3be8d..4d15ea1 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +798,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +799,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28632,7 +28637,7 @@ index dd3be8d..4d15ea1 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +822,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +823,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28641,7 +28646,7 @@ index dd3be8d..4d15ea1 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +837,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +838,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -28649,7 +28654,7 @@ index dd3be8d..4d15ea1 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +858,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +859,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28657,7 +28662,7 @@ index dd3be8d..4d15ea1 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +868,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +869,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28702,7 +28707,7 @@ index dd3be8d..4d15ea1 100644 ') optional_policy(` -@@ -558,14 +913,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +914,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28734,7 +28739,7 @@ index dd3be8d..4d15ea1 100644 ') ') -@@ -576,6 +948,39 @@ ifdef(`distro_suse',` +@@ -576,6 +949,39 @@ ifdef(`distro_suse',` ') ') @@ -28774,7 +28779,7 @@ index dd3be8d..4d15ea1 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +993,8 @@ optional_policy(` +@@ -588,6 +994,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28783,7 +28788,7 @@ index dd3be8d..4d15ea1 100644 ') optional_policy(` -@@ -609,6 +1016,7 @@ optional_policy(` +@@ -609,6 +1017,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28791,7 +28796,7 @@ index dd3be8d..4d15ea1 100644 ') optional_policy(` -@@ -625,6 +1033,17 @@ optional_policy(` +@@ -625,6 +1034,17 @@ optional_policy(` ') optional_policy(` @@ -28809,7 +28814,7 @@ index dd3be8d..4d15ea1 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1060,13 @@ optional_policy(` +@@ -641,9 +1061,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -28823,7 +28828,7 @@ index dd3be8d..4d15ea1 100644 ') optional_policy(` -@@ -656,15 +1079,11 @@ optional_policy(` +@@ -656,15 +1080,11 @@ optional_policy(` ') optional_policy(` @@ -28841,7 +28846,7 @@ index dd3be8d..4d15ea1 100644 ') optional_policy(` -@@ -685,6 +1104,15 @@ optional_policy(` +@@ -685,6 +1105,15 @@ optional_policy(` ') optional_policy(` @@ -28857,7 +28862,7 @@ index dd3be8d..4d15ea1 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1153,7 @@ optional_policy(` +@@ -725,6 +1154,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28865,7 +28870,7 @@ index dd3be8d..4d15ea1 100644 ') optional_policy(` -@@ -742,7 +1171,13 @@ optional_policy(` +@@ -742,7 +1172,13 @@ optional_policy(` ') optional_policy(` @@ -28880,7 +28885,7 @@ index dd3be8d..4d15ea1 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1200,10 @@ optional_policy(` +@@ -765,6 +1201,10 @@ optional_policy(` ') optional_policy(` @@ -28891,7 +28896,7 @@ index dd3be8d..4d15ea1 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1213,20 @@ optional_policy(` +@@ -774,10 +1214,20 @@ optional_policy(` ') optional_policy(` @@ -28912,7 +28917,7 @@ index dd3be8d..4d15ea1 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1235,10 @@ optional_policy(` +@@ -786,6 +1236,10 @@ optional_policy(` ') optional_policy(` @@ -28923,7 +28928,7 @@ index dd3be8d..4d15ea1 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1260,6 @@ optional_policy(` +@@ -807,8 +1261,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -28932,7 +28937,7 @@ index dd3be8d..4d15ea1 100644 ') optional_policy(` -@@ -817,6 +1268,10 @@ optional_policy(` +@@ -817,6 +1269,10 @@ optional_policy(` ') optional_policy(` 
@@ -28943,7 +28948,7 @@ index dd3be8d..4d15ea1 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1281,12 @@ optional_policy(` +@@ -826,10 +1282,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -28956,7 +28961,7 @@ index dd3be8d..4d15ea1 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1313,28 @@ optional_policy(` +@@ -856,12 +1314,28 @@ optional_policy(` ') optional_policy(` @@ -28986,7 +28991,7 @@ index dd3be8d..4d15ea1 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1344,18 @@ optional_policy(` +@@ -871,6 +1345,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29005,7 +29010,7 @@ index dd3be8d..4d15ea1 100644 ') optional_policy(` -@@ -886,6 +1371,10 @@ optional_policy(` +@@ -886,6 +1372,10 @@ optional_policy(` ') optional_policy(` @@ -29016,7 +29021,7 @@ index dd3be8d..4d15ea1 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1385,196 @@ optional_policy(` +@@ -896,3 +1386,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -29214,7 +29219,7 @@ index dd3be8d..4d15ea1 100644 + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..ae5a411 100644 +index 662e79b..a199ffd 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -1,14 +1,22 @@ @@ -29241,7 +29246,7 @@ index 662e79b..ae5a411 100644 /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,16 +34,22 @@ +@@ -26,16 +34,23 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) 
@@ -29259,6 +29264,7 @@ index 662e79b..ae5a411 100644 /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) ++/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) @@ -29951,7 +29957,7 @@ index 5dfa44b..cafb28e 100644 optional_policy(` diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..6e848de 100644 +index 73bb3c0..5b9420f 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -30017,7 +30023,12 @@ index 73bb3c0..6e848de 100644 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -@@ -129,6 +138,7 @@ ifdef(`distro_redhat',` +@@ -125,10 +134,12 @@ ifdef(`distro_redhat',` + /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/sasl2/libsasldb\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
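Review bot: The new `/usr/lib/sasl2/libsasldb\.so(\.[^/]*)*` entry in the libraries.fc hunk (`@@ -30017,7 +30023,12 @@`) labels the library textrel_shlib_t, which permits text relocations (execmod) on the mapping in every domain that loads it — a deliberate exception to the no-writable-executable-memory rule that should stay tied to the unfixed library build rather than become permanent. The description names `/usr/lib64/sasl2/libsasldb.so.3.0.0` while the entry uses `/usr/lib`; the neighbouring entries do the same, so presumably lib64 is covered by the build, but that is worth confirming. A short comment above the line, e.g. `# libsasldb is built with text relocations (bug <id>); drop when fixed`, would record why the exception exists.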
@@ -30025,7 +30036,7 @@ index 73bb3c0..6e848de 100644 /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -141,19 +151,21 @@ ifdef(`distro_redhat',` +@@ -141,19 +152,21 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30052,7 +30063,7 @@ index 73bb3c0..6e848de 100644 /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -182,11 +194,13 @@ ifdef(`distro_redhat',` +@@ -182,11 +195,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30066,7 +30077,7 @@ index 73bb3c0..6e848de 100644 /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -241,13 +255,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -241,13 +256,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -30082,7 +30093,7 @@ index 73bb3c0..6e848de 100644 # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +281,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -269,20 +282,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30113,7 +30124,7 @@ index 73bb3c0..6e848de 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +310,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +311,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -31322,7 +31333,7 @@ index 4e94884..9b82ed0 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..0c383ca 100644 +index 39ea221..616d6a8 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) 
@@ -31583,15 +31594,16 @@ index 39ea221..0c383ca 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -417,6 +470,7 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) +corenet_tcp_bind_syslog_tls_port(syslogd_t) ++corenet_tcp_connect_syslog_tls_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -427,9 +481,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -31619,7 +31631,7 @@ index 39ea221..0c383ca 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +513,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -31639,7 +31651,7 @@ index 39ea221..0c383ca 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +537,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +538,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -31654,7 +31666,7 @@ index 39ea221..0c383ca 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +578,40 @@ optional_policy(` +@@ -502,15 +579,40 @@ optional_policy(` ') optional_policy(` 
@@ -31695,7 +31707,7 @@ index 39ea221..0c383ca 100644 ') optional_policy(` -@@ -521,3 +622,26 @@ optional_policy(` +@@ -521,3 +623,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -35342,7 +35354,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..1f23aab 100644 +index 6944526..b82ccf1 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -35481,7 +35493,48 @@ index 6944526..1f23aab 100644 read_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -433,6 +529,7 @@ interface(`sysnet_manage_config',` +@@ -415,6 +511,40 @@ interface(`sysnet_etc_filetrans_config',` + files_etc_filetrans($1, net_conf_t, file, $2) + ') + ++######################################## ++## ++## Transition content to the type used for ++## the network config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the directory to which the object will be created. ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`sysnet_filetrans_config_fromdir',` ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ filetrans_pattern($1, $2, net_conf_t, $3, $4) ++') ++ + ####################################### + ## + ## Create, read, write, and delete network config files. +@@ -433,6 +563,7 @@ interface(`sysnet_manage_config',` allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_redhat',` 
@@ -35489,7 +35542,7 @@ index 6944526..1f23aab 100644 manage_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -471,6 +568,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -471,6 +602,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -35497,7 +35550,7 @@ index 6944526..1f23aab 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -580,6 +678,25 @@ interface(`sysnet_signull_ifconfig',` +@@ -580,6 +712,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## @@ -35523,7 +35576,7 @@ index 6944526..1f23aab 100644 ## Read the DHCP configuration files. ## ## -@@ -596,6 +713,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -596,6 +747,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) @@ -35531,7 +35584,7 @@ index 6944526..1f23aab 100644 ') ######################################## -@@ -681,8 +799,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -35540,7 +35593,7 @@ index 6944526..1f23aab 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -692,6 +808,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -35549,7 +35602,7 @@ index 6944526..1f23aab 100644 sysnet_read_config($1) optional_policy(` -@@ -720,8 +838,6 @@ interface(`sysnet_use_ldap',` +@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; 
@@ -35558,7 +35611,7 @@ index 6944526..1f23aab 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 +849,9 @@ interface(`sysnet_use_ldap',` +@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -35568,7 +35621,7 @@ index 6944526..1f23aab 100644 ') ######################################## -@@ -754,7 +873,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -35576,7 +35629,7 @@ index 6944526..1f23aab 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +884,74 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -36086,10 +36139,10 @@ index 0000000..e9f1096 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..f0fe449 +index 0000000..35b4178 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1394 @@ +@@ -0,0 +1,1400 @@ +## SELinux policy for systemd components + +###################################### @@ -37148,7 +37201,9 @@ index 0000000..f0fe449 + type systemd_home_t; + ') + -+ gnome_search_gconf_data_dir($1) ++ optional_policy(` ++ gnome_search_gconf_data_dir($1) ++ ') + read_files_pattern($1, systemd_home_t, systemd_home_t) + read_lnk_files_pattern($1, systemd_home_t, systemd_home_t) +') @@ -37168,7 +37223,9 @@ index 0000000..f0fe449 + type systemd_home_t; + ') + -+ gnome_search_gconf_data_dir($1) ++ optional_policy(` ++ gnome_search_gconf_data_dir($1) ++ ') + manage_dirs_pattern($1, systemd_home_t, systemd_home_t) + manage_files_pattern($1, systemd_home_t, systemd_home_t) + manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t) 
@@ -37191,7 +37248,9 @@ index 0000000..f0fe449 + type systemd_home_t; + ') + -+ gnome_data_filetrans($1, systemd_home_t, dir, "systemd") ++ optional_policy(` ++ gnome_data_filetrans($1, systemd_home_t, dir, "systemd") ++ ') +') + +######################################## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index a454f43..19aeacc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..19bd545 100644 +index 1a82e29..e84c56d 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -5395,7 +5395,7 @@ index 1a82e29..19bd545 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5508,6 +5508,8 @@ index 1a82e29..19bd545 100644 logging_send_syslog_msg(httpd_t) -miscfiles_read_localization(httpd_t) ++init_dontaudit_read_utmp(httpd_t) ++ miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) @@ -5626,7 +5628,7 @@ index 1a82e29..19bd545 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
@@ -5686,7 +5688,7 @@ index 1a82e29..19bd545 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +772,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5777,7 +5779,7 @@ index 1a82e29..19bd545 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +819,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5858,7 +5860,7 @@ index 1a82e29..19bd545 100644 ') optional_policy(` -@@ -743,14 +871,6 @@ optional_policy(` +@@ -743,14 +873,6 @@ optional_policy(` ccs_read_config(httpd_t) ') @@ -5873,7 +5875,7 @@ index 1a82e29..19bd545 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +885,23 @@ optional_policy(` +@@ -765,6 +887,23 @@ optional_policy(` ') optional_policy(` @@ -5897,7 +5899,7 @@ index 1a82e29..19bd545 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +918,46 @@ optional_policy(` +@@ -781,34 +920,46 @@ optional_policy(` ') optional_policy(` @@ -5955,7 +5957,7 @@ index 1a82e29..19bd545 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +965,18 @@ optional_policy(` +@@ -816,8 +967,18 @@ optional_policy(` ') optional_policy(` @@ -5974,7 +5976,7 @@ index 1a82e29..19bd545 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +985,7 @@ optional_policy(` +@@ -826,6 +987,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5982,7 +5984,7 @@ index 1a82e29..19bd545 100644 ') optional_policy(` -@@ -836,20 +996,39 @@ optional_policy(` +@@ -836,20 +998,39 @@ optional_policy(` ') optional_policy(` 
@@ -6028,7 +6030,7 @@ index 1a82e29..19bd545 100644 ') optional_policy(` -@@ -857,19 +1036,35 @@ optional_policy(` +@@ -857,19 +1038,35 @@ optional_policy(` ') optional_policy(` @@ -6064,7 +6066,7 @@ index 1a82e29..19bd545 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1072,170 @@ optional_policy(` +@@ -877,65 +1074,172 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6077,6 +6079,8 @@ index 1a82e29..19bd545 100644 +optional_policy(` + zoneminder_manage_lib_dirs(httpd_t) + zoneminder_manage_lib_files(httpd_t) ++ zoneminder_stream_connect(httpd_t) ++ zoneminder_exec(httpd_t) +') + ######################################## @@ -6257,7 +6261,7 @@ index 1a82e29..19bd545 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1244,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6412,7 +6416,7 @@ index 1a82e29..19bd545 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1328,104 @@ optional_policy(` +@@ -1077,172 +1332,104 @@ optional_policy(` ') ') @@ -6648,7 +6652,7 @@ index 1a82e29..19bd545 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1433,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1437,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6745,7 +6749,7 @@ index 1a82e29..19bd545 100644 ######################################## # -@@ -1315,8 +1508,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1512,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6762,7 +6766,7 @@ index 1a82e29..19bd545 100644 ') ######################################## -@@ -1324,49 +1524,38 @@ optional_policy(` +@@ -1324,49 +1528,38 @@ optional_policy(` # User content local policy # 
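Review bot: `zoneminder_exec(httpd_t)` executes the zoneminder binaries inside httpd_t instead of transitioning to zoneminder_t, so whatever those executables do runs with the web server's full permission set plus the lib-dir and lib-file management granted just above it; the zoneminder.if hunk later in this chunk shows an interface built on `domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)`, which would keep that code confined if a transition is acceptable. If in-domain execution is deliberate (for instance a CGI helper that must share httpd_t's sockets), a comment above the call such as `# zoneminder web helpers run in httpd_t on purpose; no transition` would spare the next reader from reopening the question. This addition is also not reflected in the changelog entry carried by this commit.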
@@ -6827,7 +6831,7 @@ index 1a82e29..19bd545 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1565,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1569,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -32133,7 +32137,7 @@ index a49ae4e..0c0e987 100644 + +/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..a60cc05 100644 +index 3a00b3a..21efcc4 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -32204,7 +32208,7 @@ index 3a00b3a..a60cc05 100644 ## ## ## -@@ -56,10 +100,68 @@ interface(`kdump_read_config',` +@@ -56,10 +100,67 @@ interface(`kdump_read_config',` allow $1 kdump_etc_t:file read_file_perms; ') @@ -32228,7 +32232,6 @@ index 3a00b3a..a60cc05 100644 + list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) +') + -+ +##################################### +## +## Read kdump crash files. @@ -32275,7 +32278,7 @@ index 3a00b3a..a60cc05 100644 ## ## ## -@@ -76,10 +178,51 @@ interface(`kdump_manage_config',` +@@ -76,10 +177,69 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') @@ -32320,6 +32323,24 @@ index 3a00b3a..a60cc05 100644 + manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) +') + ++####################################### ++## ++## Transition content labels to kdump named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_filetrans_named_content',` ++ gen_require(` ++ type kdump_lock_t; ++ ') ++ ++ files_lock_filetrans($1, kdump_lock_t, file, "kdump") ++') ++ ###################################### ## -## All of the rules required to @@ -32329,7 +32350,7 @@ index 3a00b3a..a60cc05 100644 ## ## ## -@@ -88,19 +231,24 @@ interface(`kdump_manage_config',` +@@ -88,19 +248,24 @@ interface(`kdump_manage_config',` ## ## ## 
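Review bot: `kdump_filetrans_named_content` installs a transition only for the `file` class on the name "kdump", while the kdump.fc context earlier in this chunk labels `/var/lock/kdump(/.*)?`, a pattern whose `(/.*)?` tail suggests the path may be a directory with entries beneath it; if kdumpctl creates /var/lock/kdump as a directory the transition never fires and the lock gets the generic lock label the commit message says it is trying to avoid. Confirming the object type against kdumpctl, or passing `{ dir file }` as the class, `files_lock_filetrans($1, kdump_lock_t, { dir file }, "kdump")`, would close that gap. The interface's summary line could also state the purpose more precisely than "Transition content labels", e.g. `## Create the kdump lock object with the kdump_lock_t label.`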
@@ -32359,7 +32380,7 @@ index 3a00b3a..a60cc05 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -110,6 +258,10 @@ interface(`kdump_admin',` +@@ -110,6 +275,10 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) @@ -35163,7 +35184,7 @@ index ee0c7cc..c54e3d2 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index d7d9b09..b93f460 100644 +index d7d9b09..562c288 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) @@ -35176,15 +35197,6 @@ index d7d9b09..b93f460 100644 type slapd_lock_t; files_lock_file(slapd_lock_t) -@@ -44,7 +47,7 @@ files_pid_file(slapd_var_run_t) - # Local policy - # - --allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; -+allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search sys_resource }; - dontaudit slapd_t self:capability sys_tty_config; - allow slapd_t self:process setsched; - allow slapd_t self:fifo_file rw_fifo_file_perms; @@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -35614,9 +35626,18 @@ index d18c960..fb5b674 100644 domain_system_change_exemption($1) role_transition $2 lldpad_initrc_exec_t system_r; diff --git a/lldpad.te b/lldpad.te -index 648def0..0b6281d 100644 +index 648def0..b17392a 100644 --- a/lldpad.te +++ b/lldpad.te +@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) + # Local policy + # + +-allow lldpad_t self:capability { net_admin net_raw }; ++allow lldpad_t self:capability { net_admin net_raw sys_resource }; + allow lldpad_t self:shm create_shm_perms; + allow lldpad_t self:fifo_file rw_fifo_file_perms; + allow lldpad_t self:unix_stream_socket { accept listen }; @@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t) dev_read_sysfs(lldpad_t) 
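Review bot: `sys_resource` is a broad capability (overriding resource limits and several kernel limits), and neither the hunk nor the changelog line "Allow sys_resource for lldpad" says which lldpad operation needs it. If it is only a setrlimit on its own limits at start-up, `allow lldpad_t self:process setrlimit;` may be enough, and if the daemon works without it a `dontaudit lldpad_t self:capability sys_resource;` keeps the policy tighter while quieting the log. Otherwise a one-line comment naming the triggering code path would help future audits of the lldpad_t capability set.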
@@ -39749,7 +39770,7 @@ index 6ffaba2..2c1c0e0 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..1e67988 100644 +index 6194b80..d54c5ba 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -40440,7 +40461,7 @@ index 6194b80..1e67988 100644 ## ## ## -@@ -530,45 +499,55 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +499,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -40517,7 +40538,9 @@ index 6194b80..1e67988 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS") + userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex") -+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla") ++ optional_policy(` ++ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla") ++ ') ') + diff --git a/mozilla.te b/mozilla.te @@ -46208,10 +46231,10 @@ index 56c0fbd..173a2c0 100644 userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index a1fb3c3..82f8ae6 100644 +index a1fb3c3..2b818b9 100644 --- a/networkmanager.fc +++ b/networkmanager.fc -@@ -1,43 +1,44 @@ +@@ -1,43 +1,45 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) 
@@ -46277,10 +46300,11 @@ index a1fb3c3..82f8ae6 100644 /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 0e8508c..f8893f8 100644 +index 0e8508c..ee2e3de 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -46557,7 +46581,7 @@ index 0e8508c..f8893f8 100644 ## ## ## -@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',` +@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',` ## ## # @@ -46705,6 +46729,7 @@ index 0e8508c..f8893f8 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf") @@ -49132,10 +49157,10 @@ index 0000000..22e6c96 +/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/nsplugin.if b/nsplugin.if new file mode 100644 -index 0000000..fce899a +index 0000000..16f4789 --- /dev/null +++ b/nsplugin.if -@@ -0,0 +1,472 @@ +@@ -0,0 +1,474 @@ + +## policy for nsplugin + 
@@ -49236,7 +49261,9 @@ index 0000000..fce899a + + # Connect to pulseaudit server + stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) -+ gnome_stream_connect(nsplugin_t, $2) ++ optional_policy(` ++ gnome_stream_connect(nsplugin_t, $2) ++ ') + + userdom_use_inherited_user_terminals(nsplugin_t) + userdom_use_inherited_user_terminals(nsplugin_config_t) @@ -61239,7 +61266,7 @@ index cd8b8b9..6c73980 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..7b8a7d1 100644 +index b2b5dba..9bc465c 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ @@ -61424,7 +61451,7 @@ index b2b5dba..7b8a7d1 100644 corecmd_exec_bin(pppd_t) corecmd_exec_shell(pppd_t) -@@ -147,36 +169,30 @@ files_exec_etc_files(pppd_t) +@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) @@ -61458,6 +61485,7 @@ index b2b5dba..7b8a7d1 100644 sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) ++sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf") -userdom_use_user_terminals(pppd_t) +userdom_use_inherited_user_terminals(pppd_t) @@ -61469,7 +61497,7 @@ index b2b5dba..7b8a7d1 100644 optional_policy(` ddclient_run(pppd_t, pppd_roles) -@@ -186,11 +202,13 @@ optional_policy(` +@@ -186,11 +203,13 @@ optional_policy(` l2tpd_dgram_send(pppd_t) l2tpd_rw_socket(pppd_t) l2tpd_stream_connect(pppd_t) @@ -61484,7 +61512,7 @@ index b2b5dba..7b8a7d1 100644 ') ') -@@ -218,16 +236,19 @@ optional_policy(` +@@ -218,16 +237,19 @@ optional_policy(` ######################################## # 
@@ -61507,7 +61535,7 @@ index b2b5dba..7b8a7d1 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +257,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -61564,7 +61592,7 @@ index b2b5dba..7b8a7d1 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -61579,7 +61607,7 @@ index b2b5dba..7b8a7d1 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +318,10 @@ optional_policy(` +@@ -299,6 +319,10 @@ optional_policy(` ') optional_policy(` @@ -71377,7 +71405,7 @@ index 56bc01f..b8d154e 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..6b7a0f6 100644 +index 2c2de9a..b978814 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -71703,7 +71731,7 @@ index 2c2de9a..6b7a0f6 100644 allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -@@ -98,6 +366,16 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +366,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) 
@@ -71720,11 +71748,12 @@ index 2c2de9a..6b7a0f6 100644 ####################################### # # fenced local policy -@@ -105,9 +383,13 @@ init_rw_script_tmp_files(dlm_controld_t) + # allow fenced_t self:capability { sys_rawio sys_resource }; - allow fenced_t self:process { getsched signal_perms }; +-allow fenced_t self:process { getsched signal_perms }; -allow fenced_t self:tcp_socket { accept listen }; ++allow fenced_t self:process { getsched setpgid signal_perms }; + +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; @@ -71766,16 +71795,17 @@ index 2c2de9a..6b7a0f6 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +461,7 @@ optional_policy(` +@@ -182,7 +461,8 @@ optional_policy(` ') optional_policy(` - corosync_exec(fenced_t) + rhcs_exec_cluster(fenced_t) ++ rhcs_rw_cluster_tmpfs(fenced_t) ') optional_policy(` -@@ -190,12 +469,12 @@ optional_policy(` +@@ -190,12 +470,12 @@ optional_policy(` ') optional_policy(` @@ -71791,7 +71821,7 @@ index 2c2de9a..6b7a0f6 100644 ') optional_policy(` -@@ -203,6 +482,13 @@ optional_policy(` +@@ -203,6 +483,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -71805,7 +71835,7 @@ index 2c2de9a..6b7a0f6 100644 ####################################### # # foghorn local policy -@@ -221,16 +507,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -71826,7 +71856,7 @@ index 2c2de9a..6b7a0f6 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +545,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) 
@@ -71835,7 +71865,7 @@ index 2c2de9a..6b7a0f6 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +565,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -71877,7 +71907,7 @@ index 2c2de9a..6b7a0f6 100644 ###################################### # # qdiskd local policy -@@ -321,6 +640,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -87123,7 +87153,7 @@ index c7de0cf..03fc880 100644 +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/telepathy.if b/telepathy.if -index 42946bc..741f2f4 100644 +index 42946bc..9f70e4c 100644 --- a/telepathy.if +++ b/telepathy.if @@ -2,45 +2,39 @@ @@ -87396,7 +87426,7 @@ index 42946bc..741f2f4 100644 ## ## ## -@@ -209,11 +197,138 @@ interface(`telepathy_msn_stream_connect',` +@@ -209,11 +197,140 @@ interface(`telepathy_msn_stream_connect',` ## ## # 
@@ -87510,13 +87540,15 @@ index 42946bc..741f2f4 100644 + userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control") + userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") + -+ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections") -+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble") -+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky") -+ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy") ++ optional_policy(` ++ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections") ++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble") ++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky") ++ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy") + -+ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger") -+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") ++ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger") ++ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") ++ ') +') + +###################################### @@ -88761,10 +88793,10 @@ index 0000000..5e3637e +') diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..ff282dc +index 0000000..39d17b7 --- /dev/null +++ b/thin.te -@@ -0,0 +1,114 @@ +@@ -0,0 +1,115 @@ +policy_module(thin, 1.0) + +######################################## @@ -88841,6 +88873,7 @@ index 0000000..ff282dc +# + +allow thin_t self:capability { setuid kill setgid dac_override }; ++allow thin_t self:capability2 block_suspend; + +allow thin_t self:netlink_route_socket r_netlink_socket_perms; +allow thin_t self:udp_socket create_socket_perms; @@ -88905,10 +88938,10 @@ index 0000000..92b6843 +/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) 
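Review bot: `allow thin_t self:capability2 block_suspend;` lets a web application server hold off system suspend, which is an unusual need for a daemon like thin and reads as a denial being silenced rather than a required permission. If the service runs correctly without it, `dontaudit thin_t self:capability2 block_suspend;` is the narrower fix; if it is genuinely needed, a comment stating which thin code path triggers it would justify the grant. This addition is also absent from the changelog entry in this commit.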
diff --git a/thumb.if b/thumb.if new file mode 100644 -index 0000000..8b2dfff +index 0000000..c1fd8b4 --- /dev/null +++ b/thumb.if -@@ -0,0 +1,130 @@ +@@ -0,0 +1,133 @@ + +## policy for thumb + @@ -89015,7 +89048,7 @@ index 0000000..8b2dfff + + allow $1 thumb_t:dbus send_msg; + allow thumb_t $1:dbus send_msg; -+ ps_process_pattern(thumb_t, $1) ++ ps_process_pattern(thumb_t, $1) +') + +######################################## @@ -89037,7 +89070,10 @@ index 0000000..8b2dfff + + userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails") + userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log") -+ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails") ++ ++ optional_policy(` ++ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails") ++ ') +') diff --git a/thumb.te b/thumb.te new file mode 100644 @@ -99337,10 +99373,10 @@ index 0000000..8c61505 +/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) diff --git a/zoneminder.if b/zoneminder.if new file mode 100644 -index 0000000..614a979 +index 0000000..d02a6f4 --- /dev/null +++ b/zoneminder.if -@@ -0,0 +1,354 @@ +@@ -0,0 +1,374 @@ +## policy for zoneminder + +######################################## @@ -99362,6 +99398,26 @@ index 0000000..614a979 + domtrans_pattern($1, zoneminder_exec_t, zoneminder_t) +') + ++######################################## ++## ++## Allow the specified domain to execute zoneminder ++## in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`zoneminder_exec',` ++ gen_require(` ++ type zoneminder_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, zoneminder_exec_t) ++') ++ + +######################################## +## diff --git a/selinux-policy.spec b/selinux-policy.spec index 7651965..cb66d04 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
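Review bot: The parameter documentation of the new `zoneminder_exec` interface says "Domain allowed to transition.", but the interface body is `can_exec($1, zoneminder_exec_t)` and performs no domain transition, so the doc was copied from the transition interface above it and describes the wrong contract. Replace it with `## Domain allowed access.` to match the summary "execute zoneminder in the caller domain". Callers reading only the XML summary would otherwise assume the executed code leaves their domain.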
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 91%{?dist} +Release: 92%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -572,6 +572,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Oct 22 2013 Miroslav Grepl 3.12.1-92 +- Allow sshd_t to read openshift content, needs backport to RHEL6.5 +- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t +- Make sur kdump lock is created with correct label if kdumpctl is executed +- gnome interface calls should always be made within an optional_block +- Allow syslogd_t to connect to the syslog_tls port +- Add labeling for /var/run/charon.ctl socket +- Add kdump_filetrans_named_content() +- Allo setpgid for fenced_t +- Allow setpgid and r/w cluster tmpfs for fenced_t +- gnome calls should always be within optional blocks +- wicd.pid should be labeled as networkmanager_var_run_t +- Allow sys_resource for lldpad + * Thu Oct 17 2013 Miroslav Grepl 3.12.1-91 - Add rtas policy