From 33271177c62b51c1c3fa04b00687393865c1d6f3 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Nov 05 2012 20:29:36 +0000 Subject: - Allow all domains to read /proc/sys/vm/overcommit_memory - Make proc_numa_t an MLS Trusted Object - Add /proc/numactl support for confined users - Allow ssh_t to connect to any port > 1023 - Add openvswitch domain - Pulseaudio tries to create directories in gnome_home_t directories - New ypbind pkg wants to search /var/run which is caused by sd_notify - Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans - Allow sanlock to read /dev/random - Treat php-fpm with httpd_t - Allow domains that can read named_conf_t to be able to list the directories - Allow winbind to create sock files in /var/run/samba --- diff --git a/permissivedomains.pp b/permissivedomains.pp index 89b972c..f12210a 100644 Binary files a/permissivedomains.pp and b/permissivedomains.pp differ diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 2c96387..50a27ea 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -116795,7 +116795,7 @@ index 6a1e4d1..eee8419 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..4a81c65 100644 +index cf04cb5..2cb854a 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.11.0) @@ -116820,7 +116820,7 @@ index cf04cb5..4a81c65 100644 ## ##

-@@ -86,23 +101,42 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +101,43 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -116828,6 +116828,7 @@ index cf04cb5..4a81c65 100644 + kernel_read_proc_symlinks(domain) +kernel_read_crypto_sysctls(domain) ++kernel_read_vm_overcommit_sysctls(domain) + # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates @@ -116864,7 +116865,7 @@ index cf04cb5..4a81c65 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +155,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +156,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -116883,7 +116884,7 @@ index cf04cb5..4a81c65 100644 ') optional_policy(` -@@ -133,6 +177,8 @@ optional_policy(` +@@ -133,6 +178,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -116892,7 +116893,7 @@ index cf04cb5..4a81c65 100644 ') ######################################## -@@ -147,12 +193,18 @@ optional_policy(` +@@ -147,12 +194,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -116912,7 +116913,7 @@ index cf04cb5..4a81c65 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +218,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +219,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -120815,7 +120816,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) 
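Review bot: `kernel_read_vm_overcommit_sysctls(domain)` hands every domain read access to /proc/sys/vm/overcommit_memory without a comment saying why the grant has to be global, and the commit message only restates the rule. A new `sysctl_vm_overcommit_t` type is carved out of `sysctl_vm_t` in kernel.te on this same page, so after this line the type's only remaining effect is to separate the write side; that is worth recording next to the call, e.g. `# every domain may read /proc/sys/vm/overcommit_memory; writing it stays a separate, restricted permission`. Which domain triggered the denial is not visible here, so I could not check whether a narrower grant would have done.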
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 4bf45cb..270fedd 100644 +index 4bf45cb..dc7f313 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -121106,7 +121107,7 @@ index 4bf45cb..270fedd 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2956,5 +3126,157 @@ interface(`kernel_unconfined',` +@@ -2956,5 +3126,315 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -121264,9 +121265,167 @@ index 4bf45cb..270fedd 100644 + dontaudit $1 kernel_t:dir search_dir_perms; + dontaudit $1 kernel_t:file read_file_perms; + dontaudit $1 kernel_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++##

++## Allow searching of numa state directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_search_numa_state',` ++ gen_require(` ++ type proc_t, proc_numa_t; ++ ') ++ ++ search_dirs_pattern($1, proc_t, proc_numa_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search the numa ++## state directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`kernel_dontaudit_search_numa_state',` ++ gen_require(` ++ type proc_numa_t; ++ ') ++ ++ dontaudit $1 proc_numa_t:dir search; ++') ++ ++######################################## ++## ++## Allow caller to read the numa state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_read_numa_state',` ++ gen_require(` ++ type proc_t, proc_numa_t; ++ ') ++ ++ read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) ++ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) ++ ++ list_dirs_pattern($1, proc_t, proc_numa_t) ++') ++ ++######################################## ++## ++## Allow caller to read the numa state symbolic links. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_read_numa_state_symlinks',` ++ gen_require(` ++ type proc_t, proc_numa_t; ++ ') ++ ++ read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) ++ ++ list_dirs_pattern($1, proc_t, proc_numa_t) ++') ++ ++######################################## ++## ++## Allow caller to write numa state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_write_numa_state',` ++ gen_require(` ++ type proc_t, proc_numa_t; ++ ') ++ ++ write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) ++') ++ ++######################################## ++## ++## Allow caller to search virtual memory overcommit sysctls. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`kernel_search_vm_overcommit_sysctl',` ++ gen_require(` ++ type proc_t, sysctl_t, sysctl_vm_overcommit_t; ++ ') ++ ++ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) ++') ++ ++######################################## ++## ++## Allow caller to read virtual memory overcommit sysctls. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_read_vm_overcommit_sysctls',` ++ gen_require(` ++ type proc_t, sysctl_t, sysctl_vm_overcommit_t; ++ ') ++ ++ read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) ++') ++ ++######################################## ++## ++## Read and write virtual memory overcommit sysctls. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_rw_vm_overcommit_sysctls',` ++ gen_require(` ++ type proc_t, sysctl_t, sysctl_vm_overcommit_t; ++ ') ++ ++ rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index ab9b6cd..4c699a3 100644 +index ab9b6cd..ccffb0f 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
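Review bot: `kernel_search_vm_overcommit_sysctl` is named in the singular while the two sibling interfaces added beside it (`kernel_read_vm_overcommit_sysctls`, `kernel_rw_vm_overcommit_sysctls`) and the existing `kernel_*_sysctls` family use the plural; renaming it to `kernel_search_vm_overcommit_sysctls` before anything calls it avoids a permanent odd-one-out. In `kernel_rw_vm_overcommit_sysctls` the call is written `rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)`; the comma placement should match the other patterns, `rw_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)`. Since the new type is a separate `sysctl_type`, callers of the existing `kernel_rw_vm_sysctls` (which, as far as I recall, references only `sysctl_vm_t`) presumably lose write access to overcommit_memory with this change unless that interface is widened too; that is worth confirming against the full kernel.if.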
@@ -121296,7 +121455,29 @@ index ab9b6cd..4c699a3 100644 allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) -@@ -165,6 +171,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -95,6 +101,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) + type proc_mdstat_t, proc_type; + genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) + ++type proc_numa_t, proc_type; ++genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0) ++mls_trusted_object(proc_numa_t) ++ + type proc_net_t, proc_type; + genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) + +@@ -153,6 +163,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) + type sysctl_vm_t, sysctl_type; + genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) + ++# /proc/sys/vm/overcommit_memory ++type sysctl_vm_overcommit_t, sysctl_type; ++genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0) ++ + # /proc/sys/dev directory and files + type sysctl_dev_t, sysctl_type; + genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +179,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -121304,7 +121485,7 @@ index ab9b6cd..4c699a3 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -233,7 +240,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) 
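Review bot: The new labelling rule reads `genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0)` while the commit message says "/proc/numactl"; one of the two is presumably a typo, and because a genfscon entry is a path-prefix match the exact kernel path should be confirmed before this lands. `mls_trusted_object(proc_numa_t)` is also added with no comment, although staff.te and unprivuser.te on this page give unprivileged user domains write access to the type; a line such as `# /proc numa state: written by unprivileged user domains, so exempt from MLS constraints` would tell the next reader why a proc file is trusted at every level. The overcommit split in the second hunk is fine as written, and `# /proc/sys/vm/overcommit_memory` is a good model for the kind of comment the numa block is missing.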
@@ -121312,7 +121493,7 @@ index ab9b6cd..4c699a3 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +250,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -121338,7 +121519,7 @@ index ab9b6cd..4c699a3 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +273,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -121348,7 +121529,7 @@ index ab9b6cd..4c699a3 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +288,48 @@ files_list_root(kernel_t) +@@ -277,25 +296,48 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -121397,7 +121578,7 @@ index ab9b6cd..4c699a3 100644 ') optional_policy(` -@@ -305,6 +339,19 @@ optional_policy(` +@@ -305,6 +347,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -121417,7 +121598,7 @@ index ab9b6cd..4c699a3 100644 ') optional_policy(` -@@ -334,7 +381,6 @@ optional_policy(` +@@ -334,7 +389,6 @@ optional_policy(` rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) @@ -121425,7 +121606,7 @@ index ab9b6cd..4c699a3 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +389,7 @@ optional_policy(` +@@ -343,9 +397,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -121436,7 +121617,7 @@ index ab9b6cd..4c699a3 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +398,7 @@ optional_policy(` +@@ -354,7 +406,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) 
@@ -121445,7 +121626,7 @@ index ab9b6cd..4c699a3 100644 ') ') -@@ -367,6 +411,15 @@ optional_policy(` +@@ -367,6 +419,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -121461,7 +121642,7 @@ index ab9b6cd..4c699a3 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +462,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -123342,10 +123523,10 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index e5aee97..004711d 100644 +index e5aee97..d975d8a 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,64 @@ policy_module(staff, 2.3.0) +@@ -8,12 +8,66 @@ policy_module(staff, 2.3.0) role staff_r; userdom_unpriv_user_template(staff) @@ -123368,6 +123549,8 @@ index e5aee97..004711d 100644 +kernel_getattr_message_if(staff_t) +kernel_read_software_raid_state(staff_t) +kernel_read_fs_sysctls(staff_t) ++kernel_read_numa_state(staff_t) ++kernel_write_numa_state(staff_t) + +fs_read_hugetlbfs_files(staff_t) + @@ -123410,7 +123593,7 @@ index e5aee97..004711d 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +75,106 @@ optional_policy(` +@@ -23,11 +77,106 @@ optional_policy(` ') optional_policy(` @@ -123518,7 +123701,7 @@ index e5aee97..004711d 100644 ') optional_policy(` -@@ -35,15 +182,31 @@ optional_policy(` +@@ -35,15 +184,31 @@ optional_policy(` ') optional_policy(` @@ -123552,7 +123735,7 @@ index e5aee97..004711d 100644 ') optional_policy(` -@@ -52,10 +215,59 @@ optional_policy(` +@@ -52,10 +217,59 @@ optional_policy(` ') optional_policy(` 
@@ -123612,7 +123795,7 @@ index e5aee97..004711d 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +277,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +279,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -123623,7 +123806,7 @@ index e5aee97..004711d 100644 cdrecord_role(staff_r, staff_t) ') -@@ -93,18 +301,10 @@ ifndef(`distro_redhat',` +@@ -93,18 +303,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -123642,7 +123825,7 @@ index e5aee97..004711d 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +325,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +327,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -123653,7 +123836,7 @@ index e5aee97..004711d 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +337,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +339,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -123664,7 +123847,7 @@ index e5aee97..004711d 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +368,20 @@ ifndef(`distro_redhat',` +@@ -176,3 +370,20 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -125322,7 +125505,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 9f6d4c3..1a113db 100644 +index 9f6d4c3..23a78b4 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -125338,10 +125521,13 @@ index 9f6d4c3..1a113db 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,94 @@ role user_r; +@@ -12,12 +19,97 @@ role user_r; userdom_unpriv_user_template(user) ++kernel_read_numa_state(user_t) ++kernel_write_numa_state(user_t) ++ +fs_exec_noxattr(user_t) +fs_read_hugetlbfs_files(user_t) + @@ -125434,7 +125620,7 @@ index 9f6d4c3..1a113db 100644 ') optional_policy(` -@@ -25,6 +114,18 @@ optional_policy(` +@@ -25,6 +117,18 @@ optional_policy(` ') optional_policy(` 
@@ -125453,7 +125639,7 @@ index 9f6d4c3..1a113db 100644 vlock_run(user_t, user_r) ') -@@ -66,10 +167,6 @@ ifndef(`distro_redhat',` +@@ -66,10 +170,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -125464,7 +125650,7 @@ index 9f6d4c3..1a113db 100644 gpg_role(user_r, user_t) ') -@@ -102,10 +199,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +202,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -125475,7 +125661,7 @@ index 9f6d4c3..1a113db 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +221,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +224,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -125483,7 +125669,7 @@ index 9f6d4c3..1a113db 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +253,15 @@ ifndef(`distro_redhat',` +@@ -161,3 +256,15 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -126501,7 +126687,7 @@ index fe0c682..6395fe1 100644 + allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl }; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index b17e27a..2b179bb 100644 +index b17e27a..b027591 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0) @@ -126608,7 +126794,7 @@ index b17e27a..2b179bb 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -108,32 +117,41 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -108,32 +117,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) 
@@ -126645,6 +126831,7 @@ index b17e27a..2b179bb 100644 corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) ++corenet_tcp_connect_all_unreserved_ports(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) +corenet_tcp_bind_generic_node(ssh_t) +#corenet_tcp_bind_all_unreserved_ports(ssh_t) @@ -126654,7 +126841,7 @@ index b17e27a..2b179bb 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -156,38 +174,42 @@ logging_read_generic_logs(ssh_t) +@@ -156,38 +175,42 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) @@ -126716,7 +126903,7 @@ index b17e27a..2b179bb 100644 ') optional_policy(` -@@ -195,28 +217,24 @@ optional_policy(` +@@ -195,28 +218,24 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -126749,7 +126936,7 @@ index b17e27a..2b179bb 100644 ################################# # # sshd local policy -@@ -227,33 +245,50 @@ optional_policy(` +@@ -227,33 +246,50 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -126809,7 +126996,7 @@ index b17e27a..2b179bb 100644 ') optional_policy(` -@@ -261,11 +296,24 @@ optional_policy(` +@@ -261,11 +297,24 @@ optional_policy(` ') optional_policy(` @@ -126835,7 +127022,7 @@ index b17e27a..2b179bb 100644 ') optional_policy(` -@@ -283,6 +331,28 @@ optional_policy(` +@@ -283,6 +332,28 @@ optional_policy(` ') optional_policy(` @@ -126864,7 +127051,7 @@ index b17e27a..2b179bb 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -290,6 +360,29 @@ optional_policy(` +@@ -290,6 +361,29 @@ optional_policy(` xserver_domtrans_xauth(sshd_t) ') @@ -126894,7 +127081,7 @@ index b17e27a..2b179bb 100644 ######################################## # # ssh_keygen local policy -@@ -298,19 +391,26 @@ optional_policy(` +@@ -298,19 +392,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t 
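Review bot: `corenet_tcp_connect_all_unreserved_ports(ssh_t)` is added unconditionally, which removes the distinction that `corenet_tcp_connect_ssh_port(ssh_t)` on the line above was preserving: every confined user's ssh client may now reach any TCP service on a port above 1023. If the motivation is sshd instances listening on non-standard ports, administrators can already map such a port to `ssh_port_t` with `semanage port`, so a tunable guarding the new line, or at least a comment stating why the blanket grant is needed, would let sites that do not want it keep the narrower rule. The line is also inserted between the `ssh_port` connect rule and `corenet_sendrecv_ssh_client_packets(ssh_t)`, so the packet-labelling side of the grant is not extended the same way; whether that matters depends on whether SECMARK is in use, which the page does not show.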
@@ -126922,7 +127109,7 @@ index b17e27a..2b179bb 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -327,9 +427,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -327,9 +428,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -126936,7 +127123,7 @@ index b17e27a..2b179bb 100644 ') optional_policy(` -@@ -339,3 +441,121 @@ optional_policy(` +@@ -339,3 +442,121 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 2bc3b9d..446d3bd 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -2072,10 +2072,10 @@ index 0000000..feabdf3 + files_getattr_all_sockets(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index fd9fa07..9ac41bc 100644 +index fd9fa07..ff0883d 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,39 +1,57 @@ +@@ -1,41 +1,61 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0) @@ -2106,6 +2106,7 @@ index fd9fa07..9ac41bc 100644 +/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) ++/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) + +/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) + 
@@ -2140,8 +2141,11 @@ index fd9fa07..9ac41bc 100644 +/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -@@ -43,8 +61,9 @@ ifdef(`distro_suse', ` + /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + +@@ -43,8 +63,9 @@ ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -2153,7 +2157,7 @@ index fd9fa07..9ac41bc 100644 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -54,9 +73,12 @@ ifdef(`distro_suse', ` +@@ -54,9 +75,12 @@ ifdef(`distro_suse', ` /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -2166,7 +2170,7 @@ index fd9fa07..9ac41bc 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,31 +95,46 @@ ifdef(`distro_suse', ` +@@ -73,31 +97,48 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
@@ -2196,6 +2200,7 @@ index fd9fa07..9ac41bc 100644 +/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) @@ -2212,12 +2217,13 @@ index fd9fa07..9ac41bc 100644 /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -@@ -109,3 +146,26 @@ ifdef(`distro_debian', ` +@@ -109,3 +150,26 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -3005,7 +3011,7 @@ index 6480167..e77ad76 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..c1e855c 100644 +index 0833afb..55e40e0 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) 
@@ -3230,7 +3236,18 @@ index 0833afb..c1e855c 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -173,7 +304,7 @@ files_type(httpd_cache_t) +@@ -163,6 +294,10 @@ attribute httpd_script_domains; + + type httpd_t; + type httpd_exec_t; ++ifdef(`distro_redhat',` ++ typealias httpd_t alias phpfpm_t; ++ typealias httpd_exec_t alias phpfpm_exec_t; ++') + init_daemon_domain(httpd_t, httpd_exec_t) + role system_r types httpd_t; + +@@ -173,7 +308,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -3239,17 +3256,27 @@ index 0833afb..c1e855c 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -184,6 +315,9 @@ role system_r types httpd_helper_t; +@@ -184,10 +319,19 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) +type httpd_unit_file_t; ++ifdef(`distro_redhat',` ++ typealias httpd_unit_file_t alias phpfpm_unit_file_t; ++') +systemd_unit_file(httpd_unit_file_t) + type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -223,7 +357,21 @@ files_tmp_file(httpd_suexec_tmp_t) + type httpd_log_t; ++ifdef(`distro_redhat',` ++ typealias httpd_log_t alias phpfpm_log_t; ++') + logging_log_file(httpd_log_t) + + # httpd_modules_t is the type given to module files (libraries) +@@ -223,7 +367,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -3272,7 +3299,7 @@ index 0833afb..c1e855c 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -233,6 +381,11 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -233,6 +391,11 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) 
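Review bot: The `phpfpm_t`/`phpfpm_exec_t` aliases (and the `phpfpm_unit_file_t`, `phpfpm_log_t` and `phpfpm_var_run_t` aliases in the following hunks) are wrapped in `ifdef(`distro_redhat',`, but the php-fpm entries added to apache.fc on this page are unconditional, so on a non-Red Hat build php-fpm files are labelled as httpd content while the alias names do not exist; either both should be gated or neither. None of the four alias blocks says what the aliases are for; a single comment on the first one, e.g. `# php-fpm runs in the httpd_t domain; the phpfpm_* aliases keep existing references to the old names valid`, would explain the design, assuming that is the reason. It is also worth a sentence in that comment that FPM workers therefore inherit every httpd_* boolean and httpd_t's script transitions, since there is no longer a domain boundary between the web server and the PHP interpreter.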
@@ -3284,7 +3311,7 @@ index 0833afb..c1e855c 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -240,6 +393,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -240,6 +403,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; @@ -3292,8 +3319,13 @@ index 0833afb..c1e855c 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -261,14 +415,23 @@ files_type(httpd_var_lib_t) +@@ -259,16 +423,28 @@ type httpd_var_lib_t; + files_type(httpd_var_lib_t) + type httpd_var_run_t; ++ifdef(`distro_redhat',` ++ typealias httpd_var_run_t alias phpfpm_var_run_t; ++') files_pid_file(httpd_var_run_t) +# Removal of fastcgi, will cause problems without the following @@ -3316,7 +3348,7 @@ index 0833afb..c1e855c 100644 ######################################## # # Apache server local policy -@@ -288,11 +451,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -288,11 +464,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; 
@@ -3330,7 +3362,7 @@ index 0833afb..c1e855c 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -336,8 +501,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -336,8 +514,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -3342,7 +3374,7 @@ index 0833afb..c1e855c 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -346,8 +513,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -346,8 +526,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -3353,7 +3385,7 @@ index 0833afb..c1e855c 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,8 +530,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -362,8 +543,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -3365,7 +3397,7 @@ index 0833afb..c1e855c 100644 corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) corenet_udp_sendrecv_generic_if(httpd_t) -@@ -372,11 +542,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) 
@@ -3386,7 +3418,7 @@ index 0833afb..c1e855c 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +563,14 @@ dev_rw_crypto(httpd_t) +@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -3401,7 +3433,7 @@ index 0833afb..c1e855c 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -396,61 +579,112 @@ domain_use_interactive_fds(httpd_t) +@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) @@ -3522,7 +3554,7 @@ index 0833afb..c1e855c 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +695,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -3586,7 +3618,7 @@ index 0833afb..c1e855c 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +759,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -3609,7 +3641,7 @@ index 0833afb..c1e855c 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +794,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -3630,7 +3662,7 @@ index 0833afb..c1e855c 100644 ') optional_policy(` -@@ -525,6 +818,9 @@ optional_policy(` +@@ -525,6 +831,9 @@ optional_policy(` ') optional_policy(` 
@@ -3640,7 +3672,7 @@ index 0833afb..c1e855c 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +836,24 @@ optional_policy(` +@@ -540,6 +849,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3665,7 +3697,7 @@ index 0833afb..c1e855c 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +863,24 @@ optional_policy(` +@@ -549,13 +876,24 @@ optional_policy(` ') optional_policy(` @@ -3691,7 +3723,7 @@ index 0833afb..c1e855c 100644 ') optional_policy(` -@@ -573,7 +898,21 @@ optional_policy(` +@@ -573,7 +911,21 @@ optional_policy(` ') optional_policy(` @@ -3713,7 +3745,7 @@ index 0833afb..c1e855c 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -584,6 +923,7 @@ optional_policy(` +@@ -584,6 +936,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3721,7 +3753,7 @@ index 0833afb..c1e855c 100644 ') optional_policy(` -@@ -594,6 +934,36 @@ optional_policy(` +@@ -594,6 +947,40 @@ optional_policy(` ') optional_policy(` @@ -3734,6 +3766,10 @@ index 0833afb..c1e855c 100644 +') + +optional_policy(` ++ pcscd_read_pub_files(httpd_t) ++') ++ ++optional_policy(` + pki_apache_domain_signal(httpd_t) + pki_apache_domain_signal(httpd_t) + pki_manage_apache_run(httpd_t) @@ -3758,7 +3794,7 @@ index 0833afb..c1e855c 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,6 +978,11 @@ optional_policy(` +@@ -608,6 +995,11 @@ optional_policy(` ') optional_policy(` @@ -3770,7 +3806,7 @@ index 0833afb..c1e855c 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +995,12 @@ optional_policy(` +@@ -620,6 +1012,12 @@ optional_policy(` yam_read_content(httpd_t) ') 
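Review bot: `pcscd_read_pub_files(httpd_t)` is a new grant that appears in none of the items of the commit message, so there is no record of which deployment needed the web server to read pcscd's public files. A one-line comment above the `optional_policy` block naming the use case, and a matching line in the commit message, would keep the change reviewable later; I could not infer the use case from the page. The block's position between the pki and opencrypto/openca blocks keeps the alphabetical order this section follows, so no style issue there.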
@@ -3783,7 +3819,7 @@ index 0833afb..c1e855c 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1014,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1031,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -3827,7 +3863,7 @@ index 0833afb..c1e855c 100644 ######################################## # -@@ -671,28 +1087,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1104,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3871,7 +3907,7 @@ index 0833afb..c1e855c 100644 ') ######################################## -@@ -702,6 +1120,7 @@ optional_policy(` +@@ -702,6 +1137,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -3879,7 +3915,7 @@ index 0833afb..c1e855c 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1135,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1152,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -3908,7 +3944,7 @@ index 0833afb..c1e855c 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1165,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1182,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) 
@@ -3926,7 +3962,7 @@ index 0833afb..c1e855c 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1183,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1200,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -3959,7 +3995,7 @@ index 0833afb..c1e855c 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1230,25 @@ optional_policy(` +@@ -786,6 +1247,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3985,7 +4021,7 @@ index 0833afb..c1e855c 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1269,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1286,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -4003,7 +4039,7 @@ index 0833afb..c1e855c 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1288,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1305,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -4062,7 +4098,7 @@ index 0833afb..c1e855c 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1339,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1356,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` 
@@ -4103,7 +4139,7 @@ index 0833afb..c1e855c 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -859,10 +1384,20 @@ optional_policy(` +@@ -859,10 +1401,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -4124,7 +4160,7 @@ index 0833afb..c1e855c 100644 ') ######################################## -@@ -878,11 +1413,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1430,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4136,7 +4172,7 @@ index 0833afb..c1e855c 100644 ######################################## # -@@ -908,11 +1441,138 @@ optional_policy(` +@@ -908,11 +1458,138 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -5596,7 +5632,7 @@ index 59aa54f..b01072c 100644 /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) diff --git a/bind.if b/bind.if -index 44a1e3d..9b50c13 100644 +index 44a1e3d..bc50fd6 100644 --- a/bind.if +++ b/bind.if @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` @@ -5629,7 +5665,15 @@ index 44a1e3d..9b50c13 100644 ## Execute ndc in the ndc domain. ## ## -@@ -186,7 +209,7 @@ interface(`bind_write_config',` +@@ -167,6 +190,7 @@ interface(`bind_read_config',` + type named_conf_t; + ') + ++ allow $1 named_conf_t:dir list_dir_perms; + read_files_pattern($1, named_conf_t, named_conf_t) + ') + +@@ -186,7 +210,7 @@ interface(`bind_write_config',` ') write_files_pattern($1, named_conf_t, named_conf_t) 
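Review bot: `allow $1 named_conf_t:dir list_dir_perms;` widens `bind_read_config` from reading configuration files to enumerating the configuration directory for every existing caller, but the interface's `## <summary>` block (above the hunk, outside it) still describes read access only; update it to say the interface also lists named configuration directories so callers know what they receive. Stylistically the rest of the file uses pattern macros for this, so `list_dirs_pattern($1, named_conf_t, named_conf_t)` placed next to the existing `read_files_pattern` call would match the surrounding convention.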
@@ -5638,7 +5682,7 @@ index 44a1e3d..9b50c13 100644 ') ######################################## -@@ -210,6 +233,25 @@ interface(`bind_manage_config_dirs',` +@@ -210,6 +234,25 @@ interface(`bind_manage_config_dirs',` ######################################## ## @@ -5664,7 +5708,7 @@ index 44a1e3d..9b50c13 100644 ## Search the BIND cache directory. ## ## -@@ -266,7 +308,7 @@ interface(`bind_setattr_pid_dirs',` +@@ -266,7 +309,7 @@ interface(`bind_setattr_pid_dirs',` type named_var_run_t; ') @@ -5673,7 +5717,7 @@ index 44a1e3d..9b50c13 100644 ') ######################################## -@@ -284,7 +326,7 @@ interface(`bind_setattr_zone_dirs',` +@@ -284,7 +327,7 @@ interface(`bind_setattr_zone_dirs',` type named_zone_t; ') @@ -5682,7 +5726,7 @@ index 44a1e3d..9b50c13 100644 ') ######################################## -@@ -308,6 +350,27 @@ interface(`bind_read_zone',` +@@ -308,6 +351,27 @@ interface(`bind_read_zone',` ######################################## ## @@ -5710,7 +5754,7 @@ index 44a1e3d..9b50c13 100644 ## Manage BIND zone files. ## ## -@@ -359,18 +422,26 @@ interface(`bind_udp_chat_named',` +@@ -359,18 +423,26 @@ interface(`bind_udp_chat_named',` interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; @@ -5743,7 +5787,7 @@ index 44a1e3d..9b50c13 100644 bind_run_ndc($1, $2) init_labeled_script_domtrans($1, named_initrc_exec_t) -@@ -391,9 +462,12 @@ interface(`bind_admin',` +@@ -391,9 +463,12 @@ interface(`bind_admin',` admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) @@ -23100,7 +23144,7 @@ index 00a19e3..17006fc 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..de320a0 100644 +index f5afe78..d7b3c70 100644 --- a/gnome.if +++ b/gnome.if @@ -1,44 +1,1003 @@ 
@@ -24228,7 +24272,7 @@ index f5afe78..de320a0 100644 ## ## ## -@@ -84,37 +1097,100 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +1097,101 @@ template(`gnome_read_gconf_config',` ## ## # @@ -24265,6 +24309,7 @@ index f5afe78..de320a0 100644 - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; ++ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t) + manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t) + gnome_filetrans_gstreamer_home_content($1) +') @@ -24340,7 +24385,7 @@ index f5afe78..de320a0 100644 ## ## ## -@@ -122,17 +1198,36 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1199,36 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -24381,7 +24426,7 @@ index f5afe78..de320a0 100644 ## ## ## -@@ -140,51 +1235,274 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1236,274 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -30926,7 +30971,7 @@ index 572b5db..1e55f43 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.te b/logrotate.te -index 7090dae..1f475e6 100644 +index 7090dae..82749b5 100644 --- a/logrotate.te +++ b/logrotate.te @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t) @@ -31091,7 +31136,19 @@ index 7090dae..1f475e6 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +250,14 @@ optional_policy(` +@@ -217,6 +239,11 @@ optional_policy(` + ') + + optional_policy(` ++ openvswitch_read_pid_files(logrotate_t) ++ openvswitch_domtrans(logrotate_t) ++') ++ ++optional_policy(` + squid_domtrans(logrotate_t) + ') + +@@ -228,3 +255,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -37796,7 +37853,7 @@ index 2324d9e..7ccb55f 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") +') diff --git a/networkmanager.te b/networkmanager.te -index 0619395..f84c1e1 100644 +index 0619395..2fda066 100644 --- a/networkmanager.te +++ b/networkmanager.te 
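Review bot: `manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)` turns the enclosing interface from a file-management grant into management of directories and files, and the interface's header and summary sit above the hunk, outside it; if the summary still speaks only of files it should now read along the lines of `## Create, read, write, and delete gstreamer home content directories and files.` The changelog ties this to pulseaudio creating directories, so a short comment on the new line naming that consumer would explain why directory creation was added here rather than in the pulseaudio policy.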
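Review bot: The new optional_policy block gives logrotate_t a domain transition into openvswitch_t in addition to reading its PID files, and nothing records which logrotate action needs the transition; reading the PID file alone would cover a signal-based postrotate, so `openvswitch_domtrans(logrotate_t)` deserves a why-comment, presumably something like `# postrotate script runs an openvswitch_exec_t binary`. Note that the openvswitch.fc added later in this same patch labels `/usr/bin/ovs-vsctl` as openvswitch_exec_t, so any of those tools invoked from a logrotate script will run in the daemon's domain; confirm that is the intent rather than a fallback for a single denial.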
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -37904,7 +37961,7 @@ index 0619395..f84c1e1 100644 files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) -@@ -128,35 +160,43 @@ init_domtrans_script(NetworkManager_t) +@@ -128,35 +160,51 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -37941,6 +37998,14 @@ index 0619395..f84c1e1 100644 +userdom_read_home_certs(NetworkManager_t) userdom_read_user_home_content_files(NetworkManager_t) +userdom_dgram_send(NetworkManager_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(NetworkManager_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(NetworkManager_t) ++') optional_policy(` avahi_domtrans(NetworkManager_t) @@ -37951,7 +38016,7 @@ index 0619395..f84c1e1 100644 ') optional_policy(` -@@ -176,10 +216,17 @@ optional_policy(` +@@ -176,10 +224,17 @@ optional_policy(` ') optional_policy(` @@ -37969,7 +38034,7 @@ index 0619395..f84c1e1 100644 ') ') -@@ -191,6 +238,7 @@ optional_policy(` +@@ -191,6 +246,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -37977,7 +38042,7 @@ index 0619395..f84c1e1 100644 ') optional_policy(` -@@ -202,23 +250,45 @@ optional_policy(` +@@ -202,23 +258,45 @@ optional_policy(` ') optional_policy(` @@ -38023,7 +38088,7 @@ index 0619395..f84c1e1 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -234,6 +304,10 @@ optional_policy(` +@@ -234,6 +312,10 @@ optional_policy(` ') optional_policy(` @@ -38034,7 +38099,7 @@ index 0619395..f84c1e1 100644 ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +315,7 @@ optional_policy(` +@@ -241,6 +323,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) 
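Review bot: The two new tunable blocks grant `fs_read_nfs_files` and `fs_read_cifs_files`, i.e. read of every file on NFS and CIFS mounts, while the commit message scopes the change to certificates in home directories; the policy has no narrower type for those, so at least a comment stating the intent should go above the blocks, e.g. `# connection certificates may live in NFS/CIFS home directories`. If those certificates are reached through symlinks, the matching `fs_read_nfs_symlinks(NetworkManager_t)` / `fs_read_cifs_symlinks(NetworkManager_t)` calls (the pairing used for httpd_t elsewhere in this patch) will be needed as well; verify against the denials that prompted the change.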
@@ -38042,7 +38107,7 @@ index 0619395..f84c1e1 100644 ') optional_policy(` -@@ -254,6 +329,10 @@ optional_policy(` +@@ -254,6 +337,10 @@ optional_policy(` ') optional_policy(` @@ -38053,7 +38118,7 @@ index 0619395..f84c1e1 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +342,7 @@ optional_policy(` +@@ -263,6 +350,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -38061,7 +38126,7 @@ index 0619395..f84c1e1 100644 ') ######################################## -@@ -284,6 +364,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -284,6 +372,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -38299,7 +38364,7 @@ index abe3f7f..1112fae 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index f27899c..0536e65 100644 +index f27899c..f1dd1fa 100644 --- a/nis.te +++ b/nis.te @@ -18,11 +18,14 @@ init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -38346,15 +38411,19 @@ index f27899c..0536e65 100644 corenet_all_recvfrom_netlabel(ypbind_t) corenet_tcp_sendrecv_generic_if(ypbind_t) corenet_udp_sendrecv_generic_if(ypbind_t) -@@ -110,7 +115,6 @@ files_list_var(ypbind_t) +@@ -108,9 +113,9 @@ domain_use_interactive_fds(ypbind_t) + files_read_etc_files(ypbind_t) + files_list_var(ypbind_t) - logging_send_syslog_msg(ypbind_t) +-logging_send_syslog_msg(ypbind_t) ++init_search_pid_dirs(ypbind_t) -miscfiles_read_localization(ypbind_t) ++logging_send_syslog_msg(ypbind_t) sysnet_read_config(ypbind_t) -@@ -156,12 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) +@@ -156,12 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) 
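Review bot: `init_search_pid_dirs(ypbind_t)` carries no comment linking it to the sd_notify requirement named in the changelog, and the hunk also removes and re-adds `logging_send_syslog_msg(ypbind_t)` so the syslog line reads as a behavioural change when it is only a reorder (presumably to keep module calls alphabetical). A one-line why-comment, `# sd_notify() needs to reach the notify socket under /run`, above the new call would make the grant self-explanatory for the next reader.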
@@ -38369,7 +38438,7 @@ index f27899c..0536e65 100644 corenet_all_recvfrom_netlabel(yppasswdd_t) corenet_tcp_sendrecv_generic_if(yppasswdd_t) corenet_udp_sendrecv_generic_if(yppasswdd_t) -@@ -186,6 +191,7 @@ selinux_get_fs_mount(yppasswdd_t) +@@ -186,6 +192,7 @@ selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) @@ -38377,7 +38446,7 @@ index f27899c..0536e65 100644 auth_etc_filetrans_shadow(yppasswdd_t) corecmd_exec_bin(yppasswdd_t) -@@ -199,7 +205,6 @@ files_relabel_etc_files(yppasswdd_t) +@@ -199,7 +206,6 @@ files_relabel_etc_files(yppasswdd_t) logging_send_syslog_msg(yppasswdd_t) @@ -38385,7 +38454,7 @@ index f27899c..0536e65 100644 sysnet_read_config(yppasswdd_t) -@@ -211,6 +216,10 @@ optional_policy(` +@@ -211,6 +217,10 @@ optional_policy(` ') optional_policy(` @@ -38396,7 +38465,7 @@ index f27899c..0536e65 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -247,7 +256,6 @@ kernel_read_kernel_sysctls(ypserv_t) +@@ -247,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) kernel_read_proc_symlinks(ypserv_t) @@ -38404,7 +38473,7 @@ index f27899c..0536e65 100644 corenet_all_recvfrom_netlabel(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t) corenet_udp_sendrecv_generic_if(ypserv_t) -@@ -279,7 +287,6 @@ files_read_etc_files(ypserv_t) +@@ -279,7 +288,6 @@ files_read_etc_files(ypserv_t) logging_send_syslog_msg(ypserv_t) @@ -38412,7 +38481,7 @@ index f27899c..0536e65 100644 nis_domtrans_ypxfr(ypserv_t) -@@ -317,7 +324,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; +@@ -317,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) 
@@ -38420,7 +38489,7 @@ index f27899c..0536e65 100644 corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) corenet_udp_sendrecv_generic_if(ypxfr_t) -@@ -342,6 +348,5 @@ files_search_usr(ypxfr_t) +@@ -342,6 +349,5 @@ files_search_usr(ypxfr_t) logging_send_syslog_msg(ypxfr_t) 
@@ -42424,6 +42493,370 @@ index 66a52ee..2f2e069 100644 +optional_policy(` + unconfined_attach_tun_iface(openvpn_t) +') +diff --git a/openvswitch.fc b/openvswitch.fc +new file mode 100644 +index 0000000..baf8d21 +--- /dev/null ++++ b/openvswitch.fc +@@ -0,0 +1,15 @@ ++/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0) ++ ++/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0) ++ ++/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0) ++ ++/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0) ++ ++/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0) ++ ++/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0) +diff --git a/openvswitch.if b/openvswitch.if +new file mode 100644 +index 0000000..e2c300a +--- /dev/null ++++ b/openvswitch.if +@@ -0,0 +1,247 @@ ++ ++## policy for openvswitch ++ ++######################################## ++## ++## Execute TEMPLATE in the openvswitch domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openvswitch_domtrans',` ++ gen_require(` ++ type openvswitch_t, openvswitch_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, openvswitch_exec_t, openvswitch_t) ++') ++######################################## ++## ++## Read openvswitch's log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`openvswitch_read_log',` ++ gen_require(` ++ type openvswitch_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t) ++') ++ ++######################################## ++## ++## Append to openvswitch log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_append_log',` ++ gen_require(` ++ type openvswitch_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t) ++') ++ ++######################################## ++## ++## Manage openvswitch log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_manage_log',` ++ gen_require(` ++ type openvswitch_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t) ++ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t) ++ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t) ++') ++ ++######################################## ++## ++## Search openvswitch lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_search_lib',` ++ gen_require(` ++ type openvswitch_var_lib_t; ++ ') ++ ++ allow $1 openvswitch_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read openvswitch lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_read_lib_files',` ++ gen_require(` ++ type openvswitch_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t) ++') ++ ++######################################## ++## ++## Manage openvswitch lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`openvswitch_manage_lib_files',` ++ gen_require(` ++ type openvswitch_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t) ++') ++ ++######################################## ++## ++## Manage openvswitch lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_manage_lib_dirs',` ++ gen_require(` ++ type openvswitch_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t) ++') ++ ++######################################## ++## ++## Read openvswitch PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openvswitch_read_pid_files',` ++ gen_require(` ++ type openvswitch_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t) ++') ++ ++######################################## ++## ++## Execute openvswitch server in the openvswitch domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openvswitch_systemctl',` ++ gen_require(` ++ type openvswitch_t; ++ type openvswitch_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 openvswitch_unit_file_t:file read_file_perms; ++ allow $1 openvswitch_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, openvswitch_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an openvswitch environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`openvswitch_admin',` ++ gen_require(` ++ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t; ++ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t; ++ ') ++ ++ allow $1 openvswitch_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, openvswitch_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, openvswitch_rw_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, openvswitch_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, openvswitch_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, openvswitch_var_run_t) ++ ++ openvswitch_systemctl($1) ++ admin_pattern($1, openvswitch_unit_file_t) ++ allow $1 openvswitch_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/openvswitch.te b/openvswitch.te +new file mode 100644 +index 0000000..40ef82b +--- /dev/null ++++ b/openvswitch.te +@@ -0,0 +1,84 @@ ++policy_module(openvswitch, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type openvswitch_t; ++type openvswitch_exec_t; ++init_daemon_domain(openvswitch_t, openvswitch_exec_t) ++ ++type openvswitch_rw_t; ++files_config_file(openvswitch_rw_t) ++ ++type openvswitch_var_lib_t; ++files_type(openvswitch_var_lib_t) ++ ++type openvswitch_log_t; ++logging_log_file(openvswitch_log_t) ++ ++type openvswitch_var_run_t; ++files_pid_file(openvswitch_var_run_t) ++ ++type openvswitch_unit_file_t; ++systemd_unit_file(openvswitch_unit_file_t) ++ ++######################################## ++# ++# openvswitch local policy ++# ++ ++allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource }; ++allow openvswitch_t self:process { fork setsched setrlimit signal }; ++allow openvswitch_t self:fifo_file rw_fifo_file_perms; ++allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow openvswitch_t self:netlink_socket 
create_socket_perms; ++ ++can_exec(openvswitch_t, openvswitch_exec_t) ++ ++manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) ++manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) ++manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) ++ ++manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) ++manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) ++manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) ++files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) ++manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) ++manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) ++logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) ++manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) ++manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) ++manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) ++files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) ++ ++kernel_read_network_state(openvswitch_t) ++kernel_read_system_state(openvswitch_t) ++ ++corecmd_exec_bin(openvswitch_t) ++ ++dev_read_urand(openvswitch_t) ++ ++domain_use_interactive_fds(openvswitch_t) ++ ++files_read_etc_files(openvswitch_t) ++ ++fs_getattr_all_fs(openvswitch_t) ++ ++auth_read_passwd(openvswitch_t) ++ ++logging_send_syslog_msg(openvswitch_t) ++ ++miscfiles_read_localization(openvswitch_t) ++ ++sysnet_dns_name_resolve(openvswitch_t) ++ ++optional_policy(` ++ iptables_domtrans(openvswitch_t) ++') ++ diff --git a/pacemaker.fc b/pacemaker.fc new file mode 100644 index 0000000..4e915ab 
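Review bot: In `openvswitch_admin` the call `logging_search_logs($1)` appears twice, and the first one precedes `admin_pattern($1, openvswitch_rw_t)`, whose content lives under `/etc/openvswitch` per the new openvswitch.fc, so that line should be `files_search_etc($1)` rather than a log-directory search. `openvswitch_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `openvswitch_admin` calls `systemd_read_fifo_file_passwd_run($1)`; both cannot be the interface the systemd module defines, and an unknown interface name will surface as a build error, so align them on whichever spelling exists. The summary of `openvswitch_domtrans` still reads `Execute TEMPLATE in the openvswitch domin.` and should be `## Execute openvswitch in the openvswitch domain.`, and the summary of `openvswitch_systemctl` says it executes the server when it actually grants systemctl control of the unit file plus `ps_process_pattern`; describe it as `## Execute systemctl on the openvswitch unit file.` openvswitch.te ends with an added empty line after the final `')`, which should be dropped.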
@@ -49076,7 +49509,7 @@ index f40c64d..d676e96 100644 + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index 901ac9b..53a9509 100644 +index 901ac9b..bef43f7 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -49087,7 +49520,7 @@ index 901ac9b..53a9509 100644 userdom_search_user_home_dirs(pulseaudio_t) +pulseaudio_filetrans_home_content(pulseaudio_t) + -+# ~/.esd_auth - maybe we should label this pulseaudit_home_t? ++# ~/.esd_auth - maybe we should label this pulseaudio_home_t? +userdom_read_user_home_content_files(pulseaudio_t) +userdom_search_admin_dir(pulseaudio_t) @@ -57182,7 +57615,7 @@ index 82cb169..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 905883f..88c12b7 100644 +index 905883f..674ca82 100644 --- a/samba.te +++ b/samba.te @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0) @@ -57713,7 +58146,7 @@ index 905883f..88c12b7 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -813,21 +862,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -813,21 +862,25 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -57733,6 +58166,7 @@ index 905883f..88c12b7 100644 +filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) +# /run/samba/krb5cc_samba +manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) ++manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) +kernel_read_network_state(winbind_t) kernel_read_kernel_sysctls(winbind_t) 
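Review bot: The added `manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)` sits directly under the `# /run/samba/krb5cc_samba` comment, which explains only the `manage_files_pattern` line before it, so a reader will take the socket rule to be about the credential cache too. Give it its own comment, e.g. `# winbindd socket files created directly in /run/samba`, and since this block already adds a `filetrans_pattern` into winbind_var_run_t for directories, state why the sockets are meant to stay labeled smbd_var_run_t instead of transitioning as well.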
@@ -57744,7 +58178,7 @@ index 905883f..88c12b7 100644 corenet_all_recvfrom_netlabel(winbind_t) corenet_tcp_sendrecv_generic_if(winbind_t) corenet_udp_sendrecv_generic_if(winbind_t) -@@ -840,12 +892,15 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -840,12 +893,15 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -57760,7 +58194,7 @@ index 905883f..88c12b7 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -855,12 +910,14 @@ auth_manage_cache(winbind_t) +@@ -855,12 +911,14 @@ auth_manage_cache(winbind_t) domain_use_interactive_fds(winbind_t) @@ -57777,7 +58211,7 @@ index 905883f..88c12b7 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -871,6 +928,15 @@ userdom_manage_user_home_content_sockets(winbind_t) +@@ -871,6 +929,15 @@ userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` @@ -57793,7 +58227,7 @@ index 905883f..88c12b7 100644 kerberos_use(winbind_t) ') -@@ -909,9 +975,7 @@ auth_use_nsswitch(winbind_helper_t) +@@ -909,9 +976,7 @@ auth_use_nsswitch(winbind_helper_t) logging_send_syslog_msg(winbind_helper_t) @@ -57804,7 +58238,7 @@ index 905883f..88c12b7 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -929,19 +993,34 @@ optional_policy(` +@@ -929,19 +994,34 @@ optional_policy(` # optional_policy(` @@ -59060,7 +59494,7 @@ index cfe3172..34b861a 100644 + allow $1 sanlock_unit_file_t:service all_service_perms; ') diff --git a/sanlock.te b/sanlock.te -index e02eb6c..10958ba 100644 +index e02eb6c..4f4eaf4 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ 
@@ -59122,7 +59556,7 @@ index e02eb6c..10958ba 100644 allow sanlock_t self:fifo_file rw_fifo_file_perms; allow sanlock_t self:unix_stream_socket create_stream_socket_perms; -@@ -58,36 +69,50 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) +@@ -58,36 +69,51 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) kernel_read_system_state(sanlock_t) @@ -59135,6 +59569,7 @@ index e02eb6c..10958ba 100644 storage_raw_rw_fixed_disk(sanlock_t) ++dev_read_rand(sanlock_t) dev_read_urand(sanlock_t) +auth_use_nsswitch(sanlock_t) @@ -67194,7 +67629,7 @@ index 53792d3..823ac94 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 4440aa6..bfa8770 100644 +index 4440aa6..8c94194 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -7,12 +7,15 @@ policy_module(usbmuxd, 1.1.0) @@ -67214,7 +67649,7 @@ index 4440aa6..bfa8770 100644 ######################################## # # usbmuxd local policy -@@ -33,10 +36,10 @@ kernel_read_system_state(usbmuxd_t) +@@ -33,10 +36,12 @@ kernel_read_system_state(usbmuxd_t) dev_read_sysfs(usbmuxd_t) dev_rw_generic_usb_dev(usbmuxd_t) @@ -67226,6 +67661,8 @@ index 4440aa6..bfa8770 100644 logging_send_syslog_msg(usbmuxd_t) + ++seutil_dontaudit_read_file_contexts(usbmuxd_t) ++ +optional_policy(` + virt_dontaudit_read_chr_dev(usbmuxd_t) +') diff --git a/selinux-policy.spec b/selinux-policy.spec index 8020aed..b1e249d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 49%{?dist} +Release: 50%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
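Review bot: `seutil_dontaudit_read_file_contexts(usbmuxd_t)` silences a denial without recording what triggers the read, and an uncommented dontaudit is exactly the kind of rule that later hides a real problem from the audit log. Add a why-comment above it, presumably along the lines of `# a library loads file_contexts on the daemon's behalf; not needed, dontaudit`, and confirm the read is indeed harmless for usbmuxd rather than a sign it should be using a labeling interface.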
@@ -523,6 +523,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Nov 5 2012 Miroslav Grepl 3.11.1-50 +- Allow all domains to read /proc/sys/vm/overcommit_memory +- Make proc_numa_t an MLS Trusted Object +- Add /proc/numactl support for confined users +- Allow ssh_t to connect to any port > 1023 +- Add openvswitch domain +- Pulseaudio tries to create directories in gnome_home_t directories +- New ypbind pkg wants to search /var/run which is caused by sd_notify +- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans +- Allow sanlock to read /dev/random +- Treat php-fpm with httpd_t +- Allow domains that can read named_conf_t to be able to list the directories +- Allow winbind to create sock files in /var/run/samba + * Thu Nov 1 2012 Miroslav Grepl 3.11.1-49 - Add smsd policy - Add support for OpenShift sbin labelin