From 330eac58488e2a2a279957477b0d20e814ac8580 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 12 2011 07:44:07 +0000 Subject: - A lot of users are running yum -y update while in /root which is causing ldc - Allow colord to interact with the users through the tmpfs file system - Since we changed the label on deferred, we need to allow postfix_qmgr_t to b - Add label for /var/log/mcelog - Allow asterisk to read /dev/random if it uses TLS - Allow colord to read ini files which are labeled as bin_t - Allow dirsrvadmin sys_resource and setrlimit to use ulimit - Systemd needs to be able to create sock_files for every label in /var/run di - Also lists /var and /var/spool directories - Add openl2tpd to l2tpd policy - qpidd is reading the sysfs file --- diff --git a/policy-F16.patch b/policy-F16.patch index d7e32b1..e2cd782 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -857,10 +857,18 @@ index 4f7bd3c..b5c346f 100644 + #unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..893ea9a 100644 +index 7090dae..ee8eaf6 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te -@@ -116,17 +116,15 @@ miscfiles_read_localization(logrotate_t) +@@ -102,6 +102,7 @@ files_read_var_lib_files(logrotate_t) + files_manage_generic_spool(logrotate_t) + files_manage_generic_spool_dirs(logrotate_t) + files_getattr_generic_locks(logrotate_t) ++files_dontaudit_list_mnt(logrotate_t) + + # cjp: why is this needed? + init_domtrans_script(logrotate_t) +@@ -116,17 +117,15 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) @@ -883,7 +891,7 @@ index 7090dae..893ea9a 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -162,10 +160,20 @@ optional_policy(` +@@ -162,10 +161,20 @@ optional_policy(` ') optional_policy(` 
@@ -904,7 +912,7 @@ index 7090dae..893ea9a 100644 cups_domtrans(logrotate_t) ') -@@ -203,7 +211,6 @@ optional_policy(` +@@ -203,7 +212,6 @@ optional_policy(` psad_domtrans(logrotate_t) ') @@ -912,7 +920,7 @@ index 7090dae..893ea9a 100644 optional_policy(` samba_exec_log(logrotate_t) ') -@@ -228,3 +235,14 @@ optional_policy(` +@@ -228,3 +236,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -1027,19 +1035,20 @@ index 75ce30f..b48b383 100644 + cron_use_system_job_fds(logwatch_mail_t) +') diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc -index 56c43c0..de535e4 100644 +index 56c43c0..0641226 100644 --- a/policy/modules/admin/mcelog.fc +++ b/policy/modules/admin/mcelog.fc -@@ -1 +1,4 @@ +@@ -1 +1,5 @@ /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) + -+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) ++/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0) + ++/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te -index 5671977..24a6ad6 100644 +index 5671977..ef8bc09 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te -@@ -7,8 +7,11 @@ policy_module(mcelog, 1.1.0) +@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0) type mcelog_t; type mcelog_exec_t; 
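Review bot: The new file-context line `/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)` matches regular files only, while the mcelog.te hunk at `@@ -1049,13 +1058,20 @@` adds `manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)` and `logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })`. A directory created by mcelog under /var/log would get mcelog_log_t at runtime but has no matching fc entry, so a relabel would revert it to the generic log type and later writes would be denied. Either drop `dir` from the filetrans and the dirs pattern if mcelog only writes a flat log file, or add a directory entry such as `/var/log/mcelog(/.*)?` (constructed path — confirm against the package). The unescaped `.` in `mcelog.*` also matches any name beginning with `mcelog`; `mcelog\.log.*` would be tighter if that is the real file name.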
@@ -1049,13 +1058,20 @@ index 5671977..24a6ad6 100644 + +type mcelog_var_run_t; +files_pid_file(mcelog_var_run_t) ++ ++type mcelog_log_t; ++logging_log_file(mcelog_log_t) ######################################## # -@@ -17,10 +20,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t) +@@ -17,10 +23,22 @@ cron_system_entry(mcelog_t, mcelog_exec_t) allow mcelog_t self:capability sys_admin; ++manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) ++manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) ++logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir }) ++ +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) @@ -1071,7 +1087,7 @@ index 5671977..24a6ad6 100644 files_read_etc_files(mcelog_t) -@@ -30,3 +41,7 @@ mls_file_read_all_levels(mcelog_t) +@@ -30,3 +48,7 @@ mls_file_read_all_levels(mcelog_t) logging_send_syslog_msg(mcelog_t) miscfiles_read_localization(mcelog_t) @@ -3071,7 +3087,7 @@ index 441cf22..4e2205c 100644 optional_policy(` apache_manage_all_user_content(useradd_t) diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te -index ebf4b26..6dcf1da 100644 +index ebf4b26..453a827 100644 --- a/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te @@ -21,7 +21,7 @@ files_pid_file(vpnc_var_run_t) @@ -3094,7 +3110,16 @@ index ebf4b26..6dcf1da 100644 corecmd_exec_all_executables(vpnc_t) -@@ -106,7 +106,8 @@ sysnet_etc_filetrans_config(vpnc_t) +@@ -89,6 +89,8 @@ files_dontaudit_search_home(vpnc_t) + + auth_use_nsswitch(vpnc_t) + ++init_dontaudit_use_fds(vpnc_t) ++ + libs_exec_ld_so(vpnc_t) + libs_exec_lib_files(vpnc_t) + +@@ -106,7 +108,8 @@ sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) userdom_use_all_users_fds(vpnc_t) @@ -3282,10 +3307,10 @@ index 0000000..7b1047f +') 
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..0fbe8cc +index 0000000..9f6478c --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,115 @@ +@@ -0,0 +1,117 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -3386,6 +3411,7 @@ index 0000000..0fbe8cc + fs_search_nfs(chrome_sandbox_t) + fs_exec_nfs_files(chrome_sandbox_t) + fs_read_nfs_files(chrome_sandbox_t) ++ fs_rw_inherited_nfs_files(chrome_sandbox_t) + fs_read_nfs_symlinks(chrome_sandbox_t) + fs_dontaudit_append_nfs_files(chrome_sandbox_t) +') @@ -3393,6 +3419,7 @@ index 0000000..0fbe8cc +tunable_policy(`use_samba_home_dirs',` + fs_search_cifs(chrome_sandbox_t) + fs_exec_cifs_files(chrome_sandbox_t) ++ fs_rw_inherited_cifs_files(chrome_sandbox_t) + fs_read_cifs_files(chrome_sandbox_t) + fs_read_cifs_symlinks(chrome_sandbox_t) + fs_dontaudit_append_cifs_files(chrome_sandbox_t) @@ -6155,7 +6182,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..90c34fa 100644 +index fbb5c5a..8f91e55 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -6193,12 +6220,13 @@ index fbb5c5a..90c34fa 100644 ') ######################################## -@@ -228,6 +238,29 @@ interface(`mozilla_run_plugin',` +@@ -228,6 +238,30 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; + + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; ++ allow $1 mozilla_plugin_t:fd use; + + allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; +') 
@@ -6223,7 +6251,7 @@ index fbb5c5a..90c34fa 100644 ') ######################################## -@@ -269,9 +302,27 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -269,9 +303,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -6252,7 +6280,7 @@ index fbb5c5a..90c34fa 100644 ## ## ## -@@ -279,28 +330,28 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -279,28 +331,28 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -8491,10 +8519,10 @@ index 0000000..6efdeca +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..61a5e86 +index 0000000..0b38d9d --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,493 @@ +@@ -0,0 +1,486 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
@@ -8665,25 +8693,20 @@ index 0000000..61a5e86 +# +# sandbox_x_domain local policy +# ++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem }; +allow sandbox_x_domain self:fifo_file manage_file_perms; +allow sandbox_x_domain self:sem create_sem_perms; +allow sandbox_x_domain self:shm create_shm_perms; +allow sandbox_x_domain self:msgq create_msgq_perms; -+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; ++allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms; +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; -+allow sandbox_x_domain self:netlink_selinux_socket { create_socket_perms }; -+ -+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; ++allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; + -+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem }; +dontaudit sandbox_x_domain sandbox_x_domain:process signal; +dontaudit sandbox_x_domain sandbox_xserver_t:process signal; ++dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + -+allow sandbox_x_domain self:shm create_shm_perms; -+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; -+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr }; +term_create_pty(sandbox_x_domain,sandbox_devpts_t) 
@@ -8833,7 +8856,6 @@ index 0000000..61a5e86 +allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms; +allow sandbox_x_client_t self:udp_socket create_socket_perms; +allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; -+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms; + +dev_read_rand(sandbox_x_client_t) + @@ -8862,7 +8884,6 @@ index 0000000..61a5e86 +allow sandbox_web_type self:tcp_socket create_stream_socket_perms; +allow sandbox_web_type self:udp_socket create_socket_perms; +allow sandbox_web_type self:dbus { acquire_svc send_msg }; -+allow sandbox_web_type self:netlink_selinux_socket create_socket_perms; + +kernel_dontaudit_search_kernel_sysctl(sandbox_web_type) +kernel_request_load_module(sandbox_web_type) @@ -12946,7 +12967,7 @@ index c19518a..ba08cfe 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..5ce2d76 100644 +index ff006ea..c0e0b1e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -13709,7 +13730,7 @@ index ff006ea..5ce2d76 100644 ') ######################################## -@@ -5815,6 +6165,80 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,6 +6165,98 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -13749,6 +13770,24 @@ index ff006ea..5ce2d76 100644 + +######################################## +## ++## Create all pid sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_pid_sockets',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## +## Delete all pid named pipes +## +## 
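Review bot: Removing `allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;` here, and the matching `sandbox_web_type` line in `@@ -8862,7 +8884,6 @@`, is only behaviour-preserving if both types carry the `sandbox_x_domain` attribute, which now receives that rule in the consolidated `@@ -8665,25 +8693,20 @@` hunk. The attribute assignments are outside these hunks, so confirm them; if either type lacks the attribute, libselinux calls that open a selinux netlink socket would start being denied for that sandbox. A comment at the consolidated rule, `# netlink_selinux_socket is granted here for every sandbox_x_domain type; do not re-add per-type copies`, would make the dependency visible to the next editor.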
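Review bot: The new interface `files_create_all_pid_sockets` grants `create_sock_file_perms` on every type carrying the `pidfile` attribute, so any caller can create sockets of any service's pid-file type, bypassing the per-service filetrans rules those services rely on. The summary `Create all pid sockets` should state that this is meant for init-style domains (the commit message names systemd) and is not a general-purpose grant, e.g. `Create sock files of every pid file type. Intended for init/systemd only; grants create on all pidfile types.`. Unlike `files_read_all_pids` just below, whose body lists `var_t` directories, this interface gives no directory access, so a caller that does not already reach /var/run would still be denied the search — presumably fine for init, but worth noting in the summary.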
@@ -13790,7 +13829,7 @@ index ff006ea..5ce2d76 100644 ## Read all process ID files. ## ## -@@ -5832,6 +6256,44 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6274,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -13835,7 +13874,7 @@ index ff006ea..5ce2d76 100644 ') ######################################## -@@ -6042,7 +6504,7 @@ interface(`files_spool_filetrans',` +@@ -6042,7 +6522,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13844,7 +13883,7 @@ index ff006ea..5ce2d76 100644 ') ######################################## -@@ -6117,3 +6579,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6597,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -16710,7 +16749,7 @@ index 2be17d2..1a6d9d1 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..bd304b2 100644 +index e14b961..a9aeb68 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,55 @@ ifndef(`enable_mls',` @@ -16962,18 +17001,16 @@ index e14b961..bd304b2 100644 ') optional_policy(` -@@ -332,10 +396,6 @@ optional_policy(` +@@ -332,7 +396,7 @@ optional_policy(` ') optional_policy(` - thunderbird_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - tripwire_run_siggen(sysadm_t, sysadm_r) - tripwire_run_tripwire(sysadm_t, sysadm_r) - tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -343,19 +403,15 @@ optional_policy(` ++ systemd_passwd_agent_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -343,19 +407,15 @@ optional_policy(` ') optional_policy(` @@ -16995,7 +17032,7 @@ index e14b961..bd304b2 100644 ') optional_policy(` -@@ -367,45 +423,45 @@ optional_policy(` +@@ -367,45 +427,45 @@ optional_policy(` ') optional_policy(` 
@@ -17052,7 +17089,7 @@ index e14b961..bd304b2 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,6 +495,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +499,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -17060,20 +17097,20 @@ index e14b961..bd304b2 100644 ') optional_policy(` -@@ -446,11 +503,62 @@ ifndef(`distro_redhat',` +@@ -446,11 +507,62 @@ ifndef(`distro_redhat',` ') optional_policy(` - irc_role(sysadm_r, sysadm_t) + java_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ lockdev_role(sysadm_r, sysadm_t) ') optional_policy(` - java_role(sysadm_r, sysadm_t) ++ lockdev_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` + mozilla_role(sysadm_r, sysadm_t) + ') + @@ -18701,21 +18738,23 @@ index e88b95f..0eb55db 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..7112560 100644 +index 1bd5812..f7a7a96 100644 --- a/policy/modules/services/abrt.fc 
+++ b/policy/modules/services/abrt.fc -@@ -3,8 +3,9 @@ +@@ -1,11 +1,9 @@ + /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) + /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) ++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -+/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - /usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -+/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) - +-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +- /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) -@@ -15,6 +16,21 @@ + /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +@@ -15,6 +13,19 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -18735,8 +18774,6 @@ index 1bd5812..7112560 100644 +/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -+ -+ diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if index 0b827c5..7382308 100644 --- a/policy/modules/services/abrt.if @@ -18937,7 +18974,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..28604d3 100644 +index 30861ec..a7f44c9 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te 
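Review bot: The new side drops the `abrt_helper_exec_t` labeling for `/usr/libexec/abrt-hook-ccpp` and `/usr/libexec/abrt-hook-python` while adding only `/usr/bin/abrt-dump-oops`. If either helper is still shipped, it would inherit the generic label of /usr/libexec and the transition into `abrt_helper_t` would no longer happen, so the core-dump hook would run in whatever domain spawns it with that domain's full access. Confirm against the package's file list; if the binaries moved, add entries for the new paths rather than removing the old ones.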
@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) @@ -18955,7 +18992,14 @@ index 30861ec..28604d3 100644 type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -43,14 +51,37 @@ ifdef(`enable_mcs',` +@@ -37,20 +45,44 @@ files_pid_file(abrt_var_run_t) + type abrt_helper_t; + type abrt_helper_exec_t; + application_domain(abrt_helper_t, abrt_helper_exec_t) ++init_system_domain(abrt_helper_t, abrt_helper_exec_t) + role system_r types abrt_helper_t; + + ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -18995,7 +19039,7 @@ index 30861ec..28604d3 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +90,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +91,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files @@ -19003,7 +19047,7 @@ index 30861ec..28604d3 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +101,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +102,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -19011,7 +19055,7 @@ index 30861ec..28604d3 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +115,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,7 +116,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) 
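Review bot: `init_system_domain(abrt_helper_t, abrt_helper_exec_t)` is added directly under the existing `application_domain(abrt_helper_t, abrt_helper_exec_t)`, so the helper is now both a user-invoked application domain and a target init may transition into, with no comment saying why both are needed. A one-line note such as `# init also launches the helper (core dump / oops hooks run from system context), hence init_system_domain in addition to application_domain` would keep the double declaration from being "cleaned up" later; the launch path is inferred from the commit, so confirm it before writing the comment. The `role system_r types abrt_helper_t;` line already present is consistent with the new interface.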
@@ -19020,7 +19064,7 @@ index 30861ec..28604d3 100644 kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +138,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -19028,7 +19072,7 @@ index 30861ec..28604d3 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +148,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -19038,7 +19082,7 @@ index 30861ec..28604d3 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +157,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -19047,7 +19091,7 @@ index 30861ec..28604d3 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,7 +169,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -19056,7 +19100,7 @@ index 30861ec..28604d3 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t) +@@ -140,6 +178,16 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -19073,7 +19117,7 @@ index 30861ec..28604d3 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +197,11 @@ optional_policy(` +@@ -150,6 +198,11 @@ optional_policy(` ') optional_policy(` 
@@ -19085,7 +19129,7 @@ index 30861ec..28604d3 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +219,7 @@ optional_policy(` +@@ -167,6 +220,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -19093,7 +19137,7 @@ index 30861ec..28604d3 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +231,18 @@ optional_policy(` +@@ -178,12 +232,18 @@ optional_policy(` ') optional_policy(` @@ -19113,7 +19157,12 @@ index 30861ec..28604d3 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -203,6 +262,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +@@ -200,9 +260,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) + read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) + read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) + ++corecmd_read_all_executables(abrt_helper_t) ++ domain_read_all_domains_state(abrt_helper_t) files_read_etc_files(abrt_helper_t) @@ -19121,7 +19170,7 @@ index 30861ec..28604d3 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +276,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +279,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) @@ -19131,7 +19180,7 @@ index 30861ec..28604d3 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +285,100 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +288,100 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) 
@@ -19610,10 +19659,18 @@ index d96fdfa..e07158f 100644 ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index deca9d3..841fa8f 100644 +index deca9d3..4556eb2 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te -@@ -153,24 +153,28 @@ sysnet_use_ldap(amavis_t) +@@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t) + + dev_read_rand(amavis_t) + dev_read_urand(amavis_t) ++dev_read_sysfs(amavis_t) + + domain_use_interactive_fds(amavis_t) + +@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t) userdom_dontaudit_search_user_home_dirs(amavis_t) @@ -21577,10 +21634,18 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..e343da3 100644 +index b3b0176..0e8a352 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te -@@ -39,7 +39,7 @@ files_pid_file(asterisk_var_run_t) +@@ -23,6 +23,7 @@ files_type(asterisk_spool_t) + + type asterisk_tmp_t; + files_tmp_file(asterisk_tmp_t) ++mta_system_content(asterisk_tmp_t) + + type asterisk_tmpfs_t; + files_tmpfs_file(asterisk_tmpfs_t) +@@ -39,7 +40,7 @@ files_pid_file(asterisk_var_run_t) # # dac_override for /var/run/asterisk @@ -21589,7 +21654,7 @@ index b3b0176..e343da3 100644 dontaudit asterisk_t self:capability sys_tty_config; allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; allow asterisk_t self:fifo_file rw_fifo_file_perms; -@@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f +@@ -76,10 +77,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) 
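Review bot: `mta_system_content(asterisk_tmp_t)` in the Declarations hunk labels asterisk's entire tmp type as MTA system content, so every domain granted access to mta system content (the mail-submission domains, via interfaces declared elsewhere) can reach any file asterisk writes to tmp, not only the messages it hands to the MTA. If the intent is just outgoing mail, a dedicated type for the data passed to sendmail would keep the rest of the tmp files private; otherwise document the trade-off in place, e.g. `# asterisk writes outgoing mail to its tmp dir and execs the MTA on it, so the MTA must read asterisk_tmp_t`. The `asterisk_tmp_t` declaration and the mta interfaces live outside this hunk.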
@@ -21602,7 +21667,7 @@ index b3b0176..e343da3 100644 kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -108,6 +109,8 @@ corenet_tcp_bind_generic_port(asterisk_t) +@@ -108,6 +110,8 @@ corenet_tcp_bind_generic_port(asterisk_t) corenet_udp_bind_generic_port(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) @@ -21611,7 +21676,15 @@ index b3b0176..e343da3 100644 corenet_tcp_connect_postgresql_port(asterisk_t) corenet_tcp_connect_snmp_port(asterisk_t) corenet_tcp_connect_sip_port(asterisk_t) -@@ -125,6 +128,7 @@ files_search_spool(asterisk_t) +@@ -116,6 +120,7 @@ dev_rw_generic_usb_dev(asterisk_t) + dev_read_sysfs(asterisk_t) + dev_read_sound(asterisk_t) + dev_write_sound(asterisk_t) ++dev_read_rand(asterisk_t) + dev_read_urand(asterisk_t) + + domain_use_interactive_fds(asterisk_t) +@@ -125,6 +130,7 @@ files_search_spool(asterisk_t) # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm # are labeled usr_t files_read_usr_files(asterisk_t) @@ -21619,7 +21692,7 @@ index b3b0176..e343da3 100644 fs_getattr_all_fs(asterisk_t) fs_list_inotifyfs(asterisk_t) -@@ -141,6 +145,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) +@@ -141,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` @@ -24578,10 +24651,10 @@ index 0258b48..8535cc6 100644 manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -index 74505cc..a58903f 100644 +index 74505cc..07f38d7 100644 --- a/policy/modules/services/colord.te 
+++ b/policy/modules/services/colord.te -@@ -41,8 +41,9 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +@@ -41,8 +41,12 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) @@ -24589,10 +24662,13 @@ index 74505cc..a58903f 100644 +kernel_read_system_state(colord_t) kernel_read_device_sysctls(colord_t) +kernel_request_load_module(colord_t) ++ ++#reads *.ini files ++corecmd_read_bin_files(colord_t) corenet_all_recvfrom_unlabeled(colord_t) corenet_all_recvfrom_netlabel(colord_t) -@@ -50,6 +51,8 @@ corenet_udp_bind_generic_node(colord_t) +@@ -50,6 +54,8 @@ corenet_udp_bind_generic_node(colord_t) corenet_udp_bind_ipp_port(colord_t) corenet_tcp_connect_ipp_port(colord_t) @@ -24601,7 +24677,7 @@ index 74505cc..a58903f 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -65,8 +68,16 @@ files_list_mnt(colord_t) +@@ -65,19 +71,31 @@ files_list_mnt(colord_t) files_read_etc_files(colord_t) files_read_usr_files(colord_t) @@ -24618,9 +24694,11 @@ index 74505cc..a58903f 100644 logging_send_syslog_msg(colord_t) miscfiles_read_localization(colord_t) -@@ -74,10 +85,12 @@ miscfiles_read_localization(colord_t) + sysnet_dns_name_resolve(colord_t) ++userdom_rw_user_tmpfs_files(colord_t) ++ tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(colord_t) fs_read_nfs_files(colord_t) @@ -24631,7 +24709,7 @@ index 74505cc..a58903f 100644 fs_read_cifs_files(colord_t) ') -@@ -89,6 +102,10 @@ optional_policy(` +@@ -89,6 +107,10 @@ optional_policy(` ') optional_policy(` @@ -25034,7 +25112,7 @@ index 13d2f63..a048c53 100644 type cpuspeed_t; type cpuspeed_exec_t; diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc -index 2eefc08..6030f34 100644 +index 2eefc08..34ab5ce 100644 --- a/policy/modules/services/cron.fc +++ b/policy/modules/services/cron.fc 
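Review bot: The comment above `corecmd_read_bin_files(colord_t)` reads `#reads *.ini files`, which says neither why a colour daemon needs bin files nor where those files live, and it lacks the `# ` spacing the rest of the file uses. Suggest `# colord reads *.ini files that are installed under bin directories and so are labeled bin_t`. Note that the interface grants read on every bin_t file, which is far wider than the ini files named; if they have a fixed location a dedicated label would be tighter, and the comment should at least acknowledge the breadth.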
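Review bot: `userdom_rw_user_tmpfs_files(colord_t)` gives the system daemon read/write access to every user's tmpfs-labeled objects (anything under a tmpfs such as /dev/shm carrying the user tmpfs type), not just the segment a colour client shares with it. If the client passes an already-open descriptor over D-Bus, an inherited-descriptor variant of the interface, should the userdom module provide one, would be the narrower choice; confirm what the denial actually showed. Either way, the commit's "interact with the users through the tmpfs file system" belongs in the policy file itself, e.g. `# clients hand colord colour data through user tmpfs (shm) files`.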
@@ -14,9 +14,10 @@ @@ -25049,14 +25127,12 @@ index 2eefc08..6030f34 100644 /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) -@@ -45,3 +46,7 @@ ifdef(`distro_suse', ` +@@ -45,3 +46,5 @@ ifdef(`distro_suse', ` /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) -+ -+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 35241ed..3a54286 100644 --- a/policy/modules/services/cron.if @@ -27496,10 +27572,10 @@ index 0000000..60c81d6 +') diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te new file mode 100644 -index 0000000..b7fc006 +index 0000000..5214120 --- /dev/null +++ b/policy/modules/services/dirsrv-admin.te -@@ -0,0 +1,100 @@ +@@ -0,0 +1,101 @@ +policy_module(dirsrv-admin,1.0.0) + +######################################## @@ -27523,7 +27599,8 @@ index 0000000..b7fc006 +# Local policy for the daemon +# +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; -+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config }; ++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; ++allow dirsrvadmin_t self:process setrlimit; + +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) +manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) 
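Review bot: The added `sys_resource` in `allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };` is only needed when a process raises a hard limit or overrides quotas; the `allow dirsrvadmin_t self:process setrlimit;` line added alongside it already covers `ulimit` raising soft limits up to the hard limit. Check the denial that motivated the change — if it shows only `setrlimit`, drop `sys_resource`, since CAP_SYS_RESOURCE also unlocks a range of unrelated overrides (quota and reserved-space bypass, various kernel limits). A comment naming the trigger, e.g. `# dirsrvadmin start script calls ulimit`, would make the grant auditable later.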
@@ -32743,6 +32820,208 @@ index ca5cfdf..554ad30 100644 auth_use_nsswitch(ktalkd_t) +diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc +new file mode 100644 +index 0000000..76d879e +--- /dev/null ++++ b/policy/modules/services/l2tpd.fc +@@ -0,0 +1,11 @@ ++ ++/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) ++ ++/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) ++/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) ++ ++/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++ ++/var/run/xl2tpd\.pid gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++ +diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if +new file mode 100644 +index 0000000..5783d58 +--- /dev/null ++++ b/policy/modules/services/l2tpd.if +@@ -0,0 +1,115 @@ ++ ++## policy for l2tpd ++ ++######################################## ++## ++## Transition to l2tpd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`l2tpd_domtrans',` ++ gen_require(` ++ type l2tpd_t, l2tpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t) ++') ++ ++ ++######################################## ++## ++## Execute l2tpd server in the l2tpd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_initrc_domtrans',` ++ gen_require(` ++ type l2tpd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) ++') ++ ++ ++######################################## ++## ++## Read l2tpd PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`l2tpd_read_pid_files',` ++ gen_require(` ++ type l2tpd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 l2tpd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read and write l2tpd unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_rw_pipes',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an l2tpd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`l2tpd_admin',` ++ gen_require(` ++ type l2tpd_t; ++ type l2tpd_initrc_exec_t; ++ type l2tpd_var_run_t; ++ ') ++ ++ allow $1 l2tpd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, l2tpd_t) ++ ++ l2tpd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 l2tpd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_pids($1) ++ admin_pattern($1, l2tpd_var_run_t) ++') ++ +diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te +new file mode 100644 +index 0000000..02359ec +--- /dev/null ++++ b/policy/modules/services/l2tpd.te +@@ -0,0 +1,58 @@ ++policy_module(l2tpd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type l2tpd_t; ++type l2tpd_exec_t; ++init_daemon_domain(l2tpd_t, l2tpd_exec_t) ++ ++permissive l2tpd_t; ++ ++type l2tpd_initrc_exec_t; ++init_script_file(l2tpd_initrc_exec_t) ++ ++type l2tpd_tmp_t; ++files_tmp_file(l2tpd_tmp_t) ++ ++type l2tpd_var_run_t; ++files_pid_file(l2tpd_var_run_t) ++ ++######################################## ++# ++# l2tpd local policy ++# ++allow l2tpd_t self:capability net_bind_service; ++allow l2tpd_t self:process signal; ++ ++allow l2tpd_t self:fifo_file rw_fifo_file_perms; ++allow l2tpd_t self:unix_stream_socket 
create_stream_socket_perms; ++allow l2tpd_t self:tcp_socket create_stream_socket_perms; ++ ++manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) ++files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) ++ ++manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) ++manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) ++manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) ++manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) ++files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file }) ++ ++corenet_tcp_bind_generic_node(l2tpd_t) ++corenet_udp_bind_generic_node(l2tpd_t) ++corenet_udp_bind_generic_port(l2tpd_t) ++corenet_tcp_bind_all_rpc_ports(l2tpd_t) ++ ++dev_read_urand(l2tpd_t) ++ ++domain_use_interactive_fds(l2tpd_t) ++ ++files_read_etc_files(l2tpd_t) ++ ++logging_send_syslog_msg(l2tpd_t) ++ ++miscfiles_read_localization(l2tpd_t) ++ ++sysnet_dns_name_resolve(l2tpd_t) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc index c62f23e..92f3475 100644 --- a/policy/modules/services/ldap.fc @@ -39286,7 +39565,7 @@ index 69c331e..0555635 100644 auth_rw_login_records(portslave_t) diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc -index a3e85c9..6b97fa5 100644 +index a3e85c9..c0e0959 100644 --- a/policy/modules/services/postfix.fc +++ b/policy/modules/services/postfix.fc @@ -1,5 +1,6 @@ @@ -39334,7 +39613,7 @@ index a3e85c9..6b97fa5 100644 /usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -42,9 +44,10 @@ ifdef(`distro_redhat', ` +@@ -42,9 +44,11 @@ ifdef(`distro_redhat', ` /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) 
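Review bot: The new l2tpd.te declares `permissive l2tpd_t;`, so none of the rules in this module are enforced and the l2tpd.fc/l2tpd.te content will only ever produce audit records until that line is removed; mark it as temporary, e.g. `# TODO: remove permissive once the rules below cover observed denials (new module)`, and track its removal. In l2tpd.fc the entry `/var/run/xl2tpd\.pid gen_context(system_u:object_r:l2tpd_var_run_t,s0)` lacks the `--` type specifier every other line uses, and no `/var/run/openl2tpd...` pid path is labeled although `openl2tpd` was added next to `xl2tpd`, so openl2tpd's runtime files would rely solely on `files_pid_filetrans` and revert to the generic pid type on relabel. `corenet_tcp_bind_all_rpc_ports(l2tpd_t)` lets the daemon bind any RPC port; if it only needs its own UDP port plus the generic ports already granted, that line is broader than necessary — confirm against the denials.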
@@ -39344,6 +39623,7 @@ index a3e85c9..6b97fa5 100644 -/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) +/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) +/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) ++/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) @@ -39689,7 +39969,7 @@ index 46bee12..c22af86 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..06be6b1 100644 +index a32c4b3..701607c 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) 
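Review bot: The new `/var/spool/postfix/defer(/.*)?` entry labels qmgr's defer queue with postfix_spool_maildrop_t, the type the user-facing `maildrop` queue already carries in the context line below (the `deferred` line above it does the same), so every domain that is granted access to postfix_spool_maildrop_t now reaches the defer/deferred queues as well, and conversely the qmgr hunk further down (`@@ -39973`) has to widen postfix_qmgr_t from `list_dir_perms`/`read_file_perms` to `manage_files_pattern` on that shared type, which also covers the maildrop directory itself. A dedicated type for the defer/deferred directories, or leaving them under postfix_spool_t, would keep the separation between what postdrop-side domains may write and what qmgr owns. At minimum the new fc line deserves a comment recording why it shares the maildrop label, e.g. `# defer/deferred share the maildrop type so qmgr can manage them; revisit with a dedicated type`.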
@@ -39973,20 +40253,19 @@ index a32c4b3..06be6b1 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +579,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +579,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; + -+allow postfix_qmgr_t postfix_spool_maildrop_t:dir list_dir_perms; -+allow postfix_qmgr_t postfix_spool_maildrop_t:file read_file_perms; ++manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +603,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +602,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -39997,7 +40276,7 @@ index a32c4b3..06be6b1 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +631,10 @@ optional_policy(` +@@ -565,6 +630,10 @@ optional_policy(` ') optional_policy(` @@ -40008,7 +40287,7 @@ index a32c4b3..06be6b1 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +658,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +657,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) 
@@ -40025,7 +40304,7 @@ index a32c4b3..06be6b1 100644 ') optional_policy(` -@@ -611,8 +687,8 @@ optional_policy(` +@@ -611,8 +686,8 @@ optional_policy(` # Postfix virtual local policy # @@ -40035,7 +40314,7 @@ index a32c4b3..06be6b1 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +706,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +705,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -41074,7 +41353,7 @@ index 2855a44..c71fa1e 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..1f3974c 100644 +index 64c5f95..cb7c5e2 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0) @@ -41225,7 +41504,7 @@ index 64c5f95..1f3974c 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +279,45 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +279,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -41235,6 +41514,7 @@ index 64c5f95..1f3974c 100644 + dev_read_rand(puppetmaster_t) dev_read_urand(puppetmaster_t) ++dev_search_sysfs(puppetmaster_t) domain_read_all_domains_state(puppetmaster_t) +domain_obj_id_change_exemption(puppetmaster_t) @@ -41274,7 +41554,7 @@ index 64c5f95..1f3974c 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +328,9 @@ optional_policy(` +@@ -231,3 +329,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -41921,7 +42201,7 @@ index 5a9630c..c403abc 100644 + allow $1 qpidd_t:shm rw_shm_perms; ') diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te -index cb7ecb5..ebf59f1 100644 +index cb7ecb5..dadd322 100644 --- a/policy/modules/services/qpid.te 
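Review bot: `dev_search_sysfs(puppetmaster_t)` is added without a comment and without an entry in the commit message, so nothing records which access triggered it. The qpid hunk on the next line adds `dev_read_sysfs(qpidd_t)` under the message "qpidd is reading the sysfs file", but that interface grants read access to the whole /sys tree rather than to one file; if the path is known from the denial, naming it in a comment above the line, e.g. `# qpidd reads <sysfs path from the AVC>; full sysfs read is broader than needed`, lets a later pass tighten it. Both additions are one-liners, so the comment is the whole suggestion.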
+++ b/policy/modules/services/qpid.te @@ -12,12 +12,12 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) @@ -41940,7 +42220,7 @@ index cb7ecb5..ebf59f1 100644 ######################################## # # qpidd local policy -@@ -30,23 +30,24 @@ allow qpidd_t self:shm create_shm_perms; +@@ -30,24 +30,26 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket create_stream_socket_perms; allow qpidd_t self:unix_stream_socket create_stream_socket_perms; @@ -41968,9 +42248,11 @@ index cb7ecb5..ebf59f1 100644 corenet_tcp_bind_amqp_port(qpidd_t) +corenet_tcp_bind_matahari_port(qpidd_t) ++dev_read_sysfs(qpidd_t) dev_read_urand(qpidd_t) -@@ -61,3 +62,8 @@ sysnet_dns_name_resolve(qpidd_t) + files_read_etc_files(qpidd_t) +@@ -61,3 +63,8 @@ sysnet_dns_name_resolve(qpidd_t) optional_policy(` corosync_stream_connect(qpidd_t) ') @@ -46539,7 +46821,7 @@ index c954f31..c7cadcb 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..7e51d2b 100644 +index ec1eb1e..7573826 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0) @@ -46755,7 +47037,7 @@ index ec1eb1e..7e51d2b 100644 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -254,27 +322,41 @@ seutil_read_config(spamc_t) +@@ -254,27 +322,46 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) 
@@ -46771,21 +47053,26 @@ index ec1eb1e..7e51d2b 100644 + fs_manage_cifs_symlinks(spamc_t) +') + ++ optional_policy(` - # Allow connection to spamd socket above - evolution_stream_connect(spamc_t) +- # Allow connection to spamd socket above +- evolution_stream_connect(spamc_t) ++ abrt_stream_connect(spamc_t) ') optional_policy(` - # Needed for pyzor/razor called from spamd - milter_manage_spamass_state(spamc_t) +- milter_manage_spamass_state(spamc_t) ++ # Allow connection to spamd socket above ++ evolution_stream_connect(spamc_t) ') optional_policy(` - nis_use_ypbind(spamc_t) --') -- --optional_policy(` ++ milter_manage_spamass_state(spamc_t) + ') + + optional_policy(` - nscd_socket_use(spamc_t) + postfix_domtrans_postdrop(spamc_t) + postfix_search_spool(spamc_t) @@ -46803,7 +47090,7 @@ index ec1eb1e..7e51d2b 100644 ') ######################################## -@@ -286,7 +368,7 @@ optional_policy(` +@@ -286,7 +373,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -46812,7 +47099,7 @@ index ec1eb1e..7e51d2b 100644 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -302,10 +384,17 @@ allow spamd_t self:unix_dgram_socket sendto; +@@ -302,10 +389,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -46831,7 +47118,7 @@ index ec1eb1e..7e51d2b 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -314,11 +403,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -314,11 +408,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; 
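Review bot: `abrt_stream_connect(spamc_t)` is introduced in the first optional_policy block without a comment, and the commit message does not mention spamc or abrt, so the reason a spam client needs the abrt socket is not recorded; a one-line comment above it such as `# spamc connects to the abrt socket: <trigger> — confirm` would do. In the reshuffle the `# Needed for pyzor/razor called from spamd` comment that previously accompanied `milter_manage_spamass_state(spamc_t)` appears to be dropped while the call itself moves to the third block; the collapsed layout makes this hard to be certain of, but if so the comment should travel with the line. The spamc section continues in the following hunks.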
@@ -46849,7 +47136,7 @@ index ec1eb1e..7e51d2b 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -367,22 +460,27 @@ files_read_var_lib_files(spamd_t) +@@ -367,22 +465,27 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) @@ -46881,7 +47168,7 @@ index ec1eb1e..7e51d2b 100644 fs_manage_cifs_files(spamd_t) ') -@@ -399,7 +497,9 @@ optional_policy(` +@@ -399,7 +502,9 @@ optional_policy(` ') optional_policy(` @@ -46891,7 +47178,7 @@ index ec1eb1e..7e51d2b 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -408,25 +508,17 @@ optional_policy(` +@@ -408,25 +513,17 @@ optional_policy(` ') optional_policy(` @@ -46919,7 +47206,7 @@ index ec1eb1e..7e51d2b 100644 postgresql_stream_connect(spamd_t) ') -@@ -437,6 +529,10 @@ optional_policy(` +@@ -437,6 +534,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -51560,7 +51847,7 @@ index 130ced9..ea8077d 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..5774644 100644 +index 143c893..bc547bf 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -51766,7 +52053,7 @@ index 143c893..5774644 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -247,52 +301,112 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,52 +301,113 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(iceauth_t) ') 
@@ -51796,12 +52083,13 @@ index 143c893..5774644 100644 allow xauth_t self:process signal; +allow xauth_t self:shm create_shm_perms; allow xauth_t self:unix_stream_socket create_stream_socket_perms; - ++allow xauth_t self:unix_dgram_socket create_socket_perms; ++ +allow xauth_t xdm_t:process sigchld; +allow xauth_t xserver_t:unix_stream_socket connectto; + +corenet_tcp_connect_xserver_port(xauth_t) -+ + allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) +userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) @@ -51816,9 +52104,9 @@ index 143c893..5774644 100644 -allow xdm_t xauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) +stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -+ -+kernel_read_system_state(xauth_t) ++kernel_read_network_state(xauth_t) ++kernel_read_system_state(xauth_t) kernel_request_load_module(xauth_t) domain_use_interactive_fds(xauth_t) @@ -51885,7 +52173,7 @@ index 143c893..5774644 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -304,20 +418,36 @@ optional_policy(` +@@ -304,20 +419,36 @@ optional_policy(` # XDM Local policy # @@ -51926,7 +52214,7 @@ index 143c893..5774644 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,43 +455,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +456,62 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) 
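Review bot: `allow xauth_t self:unix_dgram_socket create_socket_perms;` and, in the hunk right below it (`@@ -51816`), `kernel_read_network_state(xauth_t)` extend xauth_t without a comment or a commit-message entry, and read access to kernel network state is not obviously part of a cookie-management helper's job. If these come from a denial when xauth is used with a TCP display (the nearby `corenet_tcp_connect_xserver_port(xauth_t)` context line suggests that path), a comment above each, e.g. `# xauth with a TCP display: <AVC that triggered this> — confirm`, records it; otherwise they are candidates for dontaudit rather than allow. The xauth local policy continues past this hunk.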
@@ -51995,7 +52283,7 @@ index 143c893..5774644 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +520,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -52023,7 +52311,7 @@ index 143c893..5774644 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -52077,7 +52365,7 @@ index 143c893..5774644 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +603,23 @@ files_list_mnt(xdm_t) +@@ -435,9 +604,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -52101,7 +52389,7 @@ index 143c893..5774644 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +628,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +629,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -52140,7 +52428,7 @@ index 143c893..5774644 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -52171,7 +52459,7 @@ index 143c893..5774644 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -52186,7 +52474,7 @@ index 143c893..5774644 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -52208,7 +52496,7 @@ index 143c893..5774644 100644 ') optional_policy(` -@@ -519,12 +748,62 @@ optional_policy(` +@@ -519,12 +749,62 @@ optional_policy(` ') optional_policy(` @@ -52271,7 +52559,7 @@ index 143c893..5774644 100644 hostname_exec(xdm_t) ') -@@ -542,28 +821,70 @@ optional_policy(` +@@ -542,28 +822,70 @@ optional_policy(` ') optional_policy(` @@ -52351,7 +52639,7 @@ index 143c893..5774644 100644 ') optional_policy(` -@@ -575,6 +896,14 @@ optional_policy(` +@@ -575,6 +897,14 @@ optional_policy(` ') optional_policy(` @@ -52366,7 +52654,7 @@ index 143c893..5774644 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +928,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -52375,7 +52663,7 @@ index 143c893..5774644 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -52391,7 +52679,7 @@ index 143c893..5774644 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -52413,7 +52701,7 @@ index 143c893..5774644 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +989,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -52421,7 +52709,7 @@ index 143c893..5774644 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,7 +1016,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -52429,7 +52717,7 @@ index 143c893..5774644 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -682,11 +1025,17 @@ dev_wx_raw_memory(xserver_t) +@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -52447,7 +52735,7 @@ index 143c893..5774644 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1046,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -52461,7 +52749,7 @@ index 143c893..5774644 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1065,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1066,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -52470,7 +52758,7 @@ index 143c893..5774644 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1072,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -52485,7 +52773,7 @@ index 143c893..5774644 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1131,36 @@ optional_policy(` +@@ -778,16 +1132,36 @@ optional_policy(` ') optional_policy(` @@ -52523,7 +52811,7 @@ index 143c893..5774644 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1169,10 @@ optional_policy(` +@@ -796,6 +1170,10 @@ optional_policy(` ') optional_policy(` @@ -52534,7 +52822,7 @@ index 143c893..5774644 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1188,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1189,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -52548,7 +52836,7 @@ index 143c893..5774644 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1199,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1200,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. 
@@ -52557,7 +52845,7 @@ index 143c893..5774644 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1212,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1213,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -52567,7 +52855,7 @@ index 143c893..5774644 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1222,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1223,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -52579,7 +52867,7 @@ index 143c893..5774644 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1235,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1236,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -52596,7 +52884,7 @@ index 143c893..5774644 100644 ') optional_policy(` -@@ -862,6 +1250,10 @@ optional_policy(` +@@ -862,6 +1251,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -52607,7 +52895,7 @@ index 143c893..5774644 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1297,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1298,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -52616,7 +52904,7 @@ index 143c893..5774644 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1351,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1352,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -52648,7 +52936,7 @@ index 143c893..5774644 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1397,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1398,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -53058,7 +53346,7 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..e053e7d 100644 +index 73554ec..4983a9b 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -53083,7 +53371,14 @@ index 73554ec..e053e7d 100644 domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -111,8 +116,10 @@ interface(`auth_login_pgm_domain',` +@@ -105,14 +110,17 @@ interface(`auth_login_pgm_domain',` + + # Needed for pam_selinux_permit to cleanup properly + domain_read_all_domains_state($1) ++ corecmd_getattr_all_executables($1) + domain_kill_all_domains($1) + + # pam_keyring allow $1 self:capability ipc_lock; allow $1 self:process setkeycreate; allow $1 self:key manage_key_perms; 
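Review bot: `corecmd_getattr_all_executables($1)` is inserted into auth_login_pgm_domain directly under the `# Needed for pam_selinux_permit to cleanup properly` comment, which makes it read as part of that justification although only `domain_read_all_domains_state($1)` was there before; since the interface applies to every login program domain, the reason should be explicit. If it is indeed for pam_selinux_permit, extend the comment, e.g. `# Needed for pam_selinux_permit to cleanup properly (reads all domain state and stats their executables)`; if it was triggered by something else, give the new line its own comment. auth_login_pgm_domain starts and ends outside this hunk.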
@@ -53094,7 +53389,7 @@ index 73554ec..e053e7d 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -123,13 +130,19 @@ interface(`auth_login_pgm_domain',` +@@ -123,13 +131,19 @@ interface(`auth_login_pgm_domain',` # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) @@ -53115,7 +53410,7 @@ index 73554ec..e053e7d 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -145,6 +158,8 @@ interface(`auth_login_pgm_domain',` +@@ -145,6 +159,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -53124,7 +53419,7 @@ index 73554ec..e053e7d 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,13 +170,68 @@ interface(`auth_login_pgm_domain',` +@@ -155,13 +171,68 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -53195,7 +53490,7 @@ index 73554ec..e053e7d 100644 ## Use the login program as an entry point program. ## ## -@@ -368,13 +438,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -368,13 +439,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -53212,7 +53507,7 @@ index 73554ec..e053e7d 100644 ') ######################################## -@@ -421,6 +493,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +494,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -53238,7 +53533,7 @@ index 73554ec..e053e7d 100644 ') ######################################## -@@ -736,7 +827,47 @@ interface(`auth_rw_faillog',` +@@ -736,7 +828,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -53287,7 +53582,7 @@ index 73554ec..e053e7d 100644 ') ####################################### -@@ -932,9 +1063,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1064,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
@@ -53321,7 +53616,7 @@ index 73554ec..e053e7d 100644 ') ######################################## -@@ -1387,6 +1539,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1540,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -53347,7 +53642,7 @@ index 73554ec..e053e7d 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1541,24 +1712,6 @@ interface(`auth_manage_login_records',` +@@ -1541,24 +1713,6 @@ interface(`auth_manage_login_records',` ######################################## ## @@ -53372,7 +53667,7 @@ index 73554ec..e053e7d 100644 ## Use nsswitch to look up user, password, group, or ## host information. ## -@@ -1579,28 +1732,36 @@ interface(`auth_relabel_login_records',` +@@ -1579,28 +1733,36 @@ interface(`auth_relabel_login_records',` # interface(`auth_use_nsswitch',` @@ -53416,7 +53711,7 @@ index 73554ec..e053e7d 100644 optional_policy(` kerberos_use($1) ') -@@ -1610,7 +1771,7 @@ interface(`auth_use_nsswitch',` +@@ -1610,7 +1772,7 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -54596,7 +54891,7 @@ index 94fd8dd..2ae760f 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..ad617a2 100644 +index 29a9565..e30550a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -54771,7 +55066,7 @@ index 29a9565..ad617a2 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +244,122 @@ tunable_policy(`init_upstart',` +@@ -186,12 +244,125 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') 
@@ -54822,9 +55117,12 @@ index 29a9565..ad617a2 100644 + files_manage_all_pid_dirs(init_t) + files_relabel_all_pid_dirs(init_t) + files_relabel_all_pid_files(init_t) ++ files_create_all_pid_sockets(init_t) + files_delete_all_pid_sockets(init_t) + files_manage_urandom_seed(init_t) + files_list_locks(init_t) ++ files_list_spool(init_t) ++ files_list_var(init_t) + files_create_lock_dirs(init_t) + files_relabel_all_lock_dirs(init_t) + @@ -54894,7 +55192,7 @@ index 29a9565..ad617a2 100644 ') optional_policy(` -@@ -199,10 +367,26 @@ optional_policy(` +@@ -199,10 +370,26 @@ optional_policy(` ') optional_policy(` @@ -54921,7 +55219,7 @@ index 29a9565..ad617a2 100644 unconfined_domain(init_t) ') -@@ -212,7 +396,7 @@ optional_policy(` +@@ -212,7 +399,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -54930,7 +55228,7 @@ index 29a9565..ad617a2 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +425,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +428,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -54946,7 +55244,7 @@ index 29a9565..ad617a2 100644 init_write_initctl(initrc_t) -@@ -258,20 +445,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +448,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
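Review bot: `files_create_all_pid_sockets(init_t)` lets init_t create sockets of every pid-file type, which is what the commit message asks for ("create sock_files for every label in /var/run") but is a broad grant that carries no comment in the policy itself; a line such as `# systemd creates per-service sockets in /var/run before the service runs` above it records why, and a maintainer can later judge whether a filetrans-based approach can replace it. The interface's definition is not visible in this chunk; if it is new, it should land in files.if in the same commit. `files_list_spool(init_t)` and `files_list_var(init_t)` are listing-only and fine as they stand. The enclosing block starts and ends outside this hunk.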
@@ -54983,7 +55281,7 @@ index 29a9565..ad617a2 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +478,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +481,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -54991,7 +55289,7 @@ index 29a9565..ad617a2 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +489,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +492,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -55002,7 +55300,7 @@ index 29a9565..ad617a2 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +500,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +503,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -55019,7 +55317,7 @@ index 29a9565..ad617a2 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +519,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +522,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -55027,7 +55325,7 @@ index 29a9565..ad617a2 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +527,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +530,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -55039,7 +55337,7 @@ index 29a9565..ad617a2 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +546,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +549,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -55053,7 +55351,7 @@ index 29a9565..ad617a2 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +561,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +564,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -55062,7 +55360,7 @@ index 29a9565..ad617a2 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +575,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +578,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -55070,7 +55368,7 @@ index 29a9565..ad617a2 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +587,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +590,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -55078,7 +55376,7 @@ index 29a9565..ad617a2 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +608,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +611,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -55100,7 +55398,7 @@ index 29a9565..ad617a2 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +671,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +674,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -55111,7 +55409,7 @@ index 29a9565..ad617a2 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +695,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +698,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -55120,7 +55418,7 @@ index 29a9565..ad617a2 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +710,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +713,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -55128,7 +55426,7 @@ index 29a9565..ad617a2 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +740,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +743,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -55162,7 +55460,7 @@ index 29a9565..ad617a2 100644 ') optional_policy(` -@@ -531,10 +774,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +777,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -55185,7 +55483,7 @@ index 29a9565..ad617a2 100644 ') optional_policy(` -@@ -549,6 +804,39 @@ ifdef(`distro_suse',` +@@ -549,6 +807,39 @@ ifdef(`distro_suse',` ') ') @@ -55225,7 +55523,7 @@ index 29a9565..ad617a2 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +849,8 @@ optional_policy(` +@@ -561,6 +852,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -55234,7 +55532,7 @@ index 29a9565..ad617a2 100644 ') optional_policy(` -@@ -577,6 +867,7 @@ optional_policy(` +@@ -577,6 +870,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -55242,7 +55540,7 @@ index 29a9565..ad617a2 100644 ') optional_policy(` -@@ -589,6 +880,11 @@ optional_policy(` +@@ -589,6 +883,11 @@ optional_policy(` ') optional_policy(` 
@@ -55254,7 +55552,7 @@ index 29a9565..ad617a2 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +901,13 @@ optional_policy(` +@@ -605,9 +904,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -55268,7 +55566,7 @@ index 29a9565..ad617a2 100644 ') optional_policy(` -@@ -649,6 +949,11 @@ optional_policy(` +@@ -649,6 +952,11 @@ optional_policy(` ') optional_policy(` @@ -55280,7 +55578,7 @@ index 29a9565..ad617a2 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +1011,13 @@ optional_policy(` +@@ -706,7 +1014,13 @@ optional_policy(` ') optional_policy(` @@ -55294,7 +55592,7 @@ index 29a9565..ad617a2 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1040,10 @@ optional_policy(` +@@ -729,6 +1043,10 @@ optional_policy(` ') optional_policy(` @@ -55305,7 +55603,7 @@ index 29a9565..ad617a2 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1053,20 @@ optional_policy(` +@@ -738,10 +1056,20 @@ optional_policy(` ') optional_policy(` @@ -55326,7 +55624,7 @@ index 29a9565..ad617a2 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1075,10 @@ optional_policy(` +@@ -750,6 +1078,10 @@ optional_policy(` ') optional_policy(` @@ -55337,7 +55635,7 @@ index 29a9565..ad617a2 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1100,6 @@ optional_policy(` +@@ -771,8 +1103,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -55346,7 +55644,7 @@ index 29a9565..ad617a2 100644 ') optional_policy(` -@@ -790,10 +1117,12 @@ optional_policy(` +@@ -790,10 +1120,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -55359,7 +55657,7 @@ index 29a9565..ad617a2 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1134,6 @@ optional_policy(` +@@ -805,7 +1137,6 @@ optional_policy(` ') optional_policy(` 
@@ -55367,7 +55665,7 @@ index 29a9565..ad617a2 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1143,24 @@ optional_policy(` +@@ -815,11 +1146,24 @@ optional_policy(` ') optional_policy(` @@ -55393,7 +55691,7 @@ index 29a9565..ad617a2 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1170,25 @@ optional_policy(` +@@ -829,6 +1173,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -55419,7 +55717,7 @@ index 29a9565..ad617a2 100644 ') optional_policy(` -@@ -844,6 +1204,10 @@ optional_policy(` +@@ -844,6 +1207,10 @@ optional_policy(` ') optional_policy(` @@ -55430,7 +55728,7 @@ index 29a9565..ad617a2 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1218,45 @@ optional_policy(` +@@ -854,3 +1221,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -56324,7 +56622,7 @@ index 808ba93..ed84884 100644 ######################################## diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index e5836d3..1db2eab 100644 +index e5836d3..b32b945 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; @@ -56354,10 +56652,11 @@ index e5836d3..1db2eab 100644 userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` -@@ -103,6 +105,11 @@ ifdef(`distro_ubuntu',` +@@ -103,6 +105,12 @@ ifdef(`distro_ubuntu',` ') ') ++userdom_dontaudit_list_admin_dir(ldconfig_t) +userdom_list_user_home_dirs(ldconfig_t) +userdom_manage_user_home_content_files(ldconfig_t) +userdom_manage_user_tmp_files(ldconfig_t) @@ -56366,7 +56665,7 @@ index e5836d3..1db2eab 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -131,6 +138,10 @@ optional_policy(` +@@ -131,6 +139,10 @@ optional_policy(` ') optional_policy(` 
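Review bot: The added `++userdom_dontaudit_list_admin_dir(ldconfig_t)` in the libraries.te hunk carries no comment, while the neighbouring rules in this file explain themselves (e.g. `# leaked fds from portage` in the hide_broken_symptoms block); a one-liner above it such as `# ldconfig inherits cwd when yum runs from /root; silence the admin_home_t dir listing` would keep the motivation from the commit message with the rule. A dontaudit here only drops the audit record — the listing stays denied — which is the narrower outcome next to the existing userdom_manage_user_home_content_files / userdom_manage_user_tmp_files grants on the same domain, but it also means a future legitimate ldconfig need to read under /root will be invisible in audit logs unless dontaudit rules are temporarily disabled for debugging. The renumbered inner headers (`+105,12` and `+139,10`) are consistent with exactly one added line. The surrounding ifdef(`distro_ubuntu',`) block and the file section's earlier hunk start outside this hunk.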
@@ -56377,7 +56676,7 @@ index e5836d3..1db2eab 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +152,7 @@ optional_policy(` +@@ -141,6 +153,7 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index f34ed44..b41e2be 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jul 12 2011 Miroslav Grepl 3.10.0-3 +- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit +- Allow colord to interact with the users through the tmpfs file system +- Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files +- Add label for /var/log/mcelog +- Allow asterisk to read /dev/random if it uses TLS +- Allow colord to read ini files which are labeled as bin_t +- Allow dirsrvadmin sys_resource and setrlimit to use ulimit +- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first. +- Also lists /var and /var/spool directories +- Add openl2tpd to l2tpd policy +- qpidd is reading the sysfs file + * Thu Jun 30 2011 Miroslav Grepl 3.10.0-2 - Change usbmuxd_t to dontaudit attempts to read chr_file - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains