From 3abd55373f27f95f3b1c7ddfd4bce89ff1666dd6 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Oct 22 2013 10:54:49 +0000 Subject: * Tue Oct 22 2013 Lukas Vrabec 3.12.1-74.11 - Back port piranha tmpfs fixes from RHEL6 - Fix piranha_domain_template() - Allow mozilla_plugin to bind to the vnc port if running with spice - Allow svirt_domains to read sysctl_net_t - Update ppp_manage_pid_files interface - Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. - Allow dovecot-auth to read nologin - Allow mailserver_domains to manage and transition to mailman data - Allow thin_t to block suspend - Create resolv.conf in the pppd_var_run_t with the net_conf_t label - wicd.pid should be labeled as networkmanager_var_run_t - Label /sbin/xfs_growfs as fsadm_exec_t - Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey - Create resolv.conf in the pppd_var_run_t with the net_conf_t label - Fix labeling for /etc/strongswan/ipsec.d - Add labeling for /var/run/charon.ctl socket - Allow syslogd_t to connect to the syslog_tls port --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index b91046c..e12252e 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -24521,7 +24521,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..362b3af 100644 +index 3efd5b6..a2ab7c9 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
@@ -24710,7 +24710,32 @@ index 3efd5b6..362b3af 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -402,6 +438,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -322,6 +358,24 @@ interface(`auth_rw_cache',` + + ######################################## + ## ++## Create authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_create_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ create_files_pattern($1, auth_cache_t, auth_cache_t) ++') ++ ++######################################## ++## + ## Manage authentication cache + ## + ## +@@ -402,6 +456,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') @@ -24719,7 +24744,7 @@ index 3efd5b6..362b3af 100644 ') ######################################## -@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +504,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -24745,7 +24770,7 @@ index 3efd5b6..362b3af 100644 ') ######################################## -@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +542,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -24753,7 +24778,7 @@ index 3efd5b6..362b3af 100644 ') ######################################## -@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +738,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -24764,7 +24789,7 @@ index 3efd5b6..362b3af 100644 ') ####################################### -@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +841,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
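Review bot: The new `auth_create_cache` interface grants more than its summary states: with refpolicy's pattern macros, `create_files_pattern($1, auth_cache_t, auth_cache_t)` expands to `add_entry_dir_perms` (write/add_name) on every auth_cache_t directory plus `create_file_perms` on auth_cache_t files, so the caller may create any file name under the cache, not one specific entry. That matters because a later hunk in this patch adds `auth_create_cache($1_t)` to userdom_login_user_template, i.e. to every login user domain, while the changelog motivates it with a single coolkey file. Make the scope explicit in the header, e.g. `## Create files in the authentication cache (write/add_name on auth_cache_t dirs).`, and consider whether a named file transition would fit the stated use better than open-ended create. Whether callers already reach the cache dirs through `auth_rw_cache` cannot be seen from this hunk.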
@@ -24816,7 +24841,7 @@ index 3efd5b6..362b3af 100644 ') ####################################### -@@ -824,9 +927,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +945,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -24847,7 +24872,7 @@ index 3efd5b6..362b3af 100644 ## ## ## -@@ -834,12 +957,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +975,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -24878,7 +24903,7 @@ index 3efd5b6..362b3af 100644 ') ######################################## -@@ -854,15 +992,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1010,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -24897,7 +24922,7 @@ index 3efd5b6..362b3af 100644 ## ## ## -@@ -875,13 +1013,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1031,33 @@ interface(`auth_signal_pam',` ## ## # @@ -24935,7 +24960,7 @@ index 3efd5b6..362b3af 100644 ') ######################################## -@@ -959,9 +1117,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1135,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -24969,7 +24994,7 @@ index 3efd5b6..362b3af 100644 ') ######################################## -@@ -1040,6 +1219,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1237,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -24980,7 +25005,7 @@ index 3efd5b6..362b3af 100644 ') ######################################## -@@ -1176,6 +1359,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1377,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) 
@@ -24988,7 +25013,7 @@ index 3efd5b6..362b3af 100644 ') ####################################### -@@ -1576,6 +1760,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1778,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -25014,7 +25039,7 @@ index 3efd5b6..362b3af 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1929,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1947,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -25040,7 +25065,7 @@ index 3efd5b6..362b3af 100644 ') ######################################## -@@ -1767,11 +1953,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1971,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -25057,7 +25082,7 @@ index 3efd5b6..362b3af 100644 ') ######################################## -@@ -1805,3 +1993,241 @@ interface(`auth_unconfined',` +@@ -1805,3 +2011,241 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -25834,7 +25859,7 @@ index 3694bfe..7fcd27a 100644 ') diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index a97a096..f65892c 100644 +index a97a096..bf726c3 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -1,4 +1,3 @@ 
@@ -25850,7 +25875,14 @@ index a97a096..f65892c 100644 /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -41,7 +39,46 @@ +@@ -35,13 +33,53 @@ + /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + + /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -27683,7 +27715,7 @@ index 24e7804..76da5dd 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..478d262 100644 +index dd3be8d..273132b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27915,10 +27947,10 @@ index dd3be8d..478d262 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) ++ ++userdom_use_user_ttys(init_t) -miscfiles_read_localization(init_t) -+userdom_use_user_ttys(init_t) -+ +allow init_t self:process setsched; ifdef(`distro_gentoo',` 
@@ -27953,24 +27985,24 @@ index dd3be8d..478d262 100644 + +optional_policy(` + kdump_read_crash(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + iscsi_read_lib_files(init_t) +') + +optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_aliases(init_t) @@ -28094,9 +28126,9 @@ index dd3be8d..478d262 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) +') + @@ -28758,7 +28790,7 @@ index dd3be8d..478d262 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1366,196 @@ optional_policy(` +@@ -896,3 +1366,198 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -28955,11 +28987,13 @@ index dd3be8d..478d262 100644 + allow daemon direct_run_init:process sigchld; + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') ++ ++ diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..3cbc35d 100644 +index 662e79b..a199ffd 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc -@@ -1,14 +1,21 @@ +@@ -1,14 +1,22 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) 
@@ -28976,14 +29010,14 @@ index 662e79b..3cbc35d 100644 /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) --/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + -+/etc/(strongswan)?/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) + /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,12 +33,15 @@ +@@ -26,16 +34,23 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -28999,8 +29033,10 @@ index 662e79b..3cbc35d 100644 /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) -@@ -39,3 +49,5 @@ + /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) ++/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0) ++/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) @@ -31061,7 +31097,7 @@ index 4e94884..9b82ed0 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..0c383ca 100644 +index 39ea221..616d6a8 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) 
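Review bot: In the added `/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)` entry the `.` before `*` is a regex wildcard, so the pattern also matches names such as `/var/run/charonfoo`, whereas the `charon\.ctl` line right above it escapes the dot. If the intent is the `charon.<suffix>` files, `/var/run/charon\..*` keeps the label to that namespace. The `-s` socket entry is unaffected since the two lines differ in file class.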
@@ -31322,15 +31358,16 @@ index 39ea221..0c383ca 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -417,6 +470,7 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) +corenet_tcp_bind_syslog_tls_port(syslogd_t) ++corenet_tcp_connect_syslog_tls_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -427,9 +481,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -31358,7 +31395,7 @@ index 39ea221..0c383ca 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +513,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -31378,7 +31415,7 @@ index 39ea221..0c383ca 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +537,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +538,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -31393,7 +31430,7 @@ index 39ea221..0c383ca 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +578,40 @@ optional_policy(` +@@ -502,15 +579,40 @@ optional_policy(` ') optional_policy(` 
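Review bot: The added `corenet_tcp_connect_syslog_tls_port(syslogd_t)` (and the `corenet_tcp_bind_syslog_tls_port` line it follows) has no matching packet rule, whereas the other ports in this block are paired: `corenet_tcp_connect_postgresql_port` with `corenet_sendrecv_postgresql_client_packets`, `corenet_tcp_connect_mysqld_port` with `corenet_sendrecv_mysqld_client_packets`, and the syslogd port with `corenet_sendrecv_syslogd_server_packets`. For consistency, and so the TLS path also works when SECMARK packet labelling is enabled, add `corenet_sendrecv_syslog_tls_client_packets(syslogd_t)` and `corenet_sendrecv_syslog_tls_server_packets(syslogd_t)` next to the new line; the per-port packet interfaces are generated for every declared port, so they should exist wherever the bind/connect ones do. The rule appears to be unconditional in syslogd_t's policy, so it applies to every logger running in that domain, not only the one that uses TLS.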
@@ -31434,7 +31471,7 @@ index 39ea221..0c383ca 100644 ') optional_policy(` -@@ -521,3 +622,26 @@ optional_policy(` +@@ -521,3 +623,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -35067,7 +35104,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..1f23aab 100644 +index 6944526..b82ccf1 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -35206,7 +35243,48 @@ index 6944526..1f23aab 100644 read_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -433,6 +529,7 @@ interface(`sysnet_manage_config',` +@@ -415,6 +511,40 @@ interface(`sysnet_etc_filetrans_config',` + files_etc_filetrans($1, net_conf_t, file, $2) + ') + ++######################################## ++## ++## Transition content to the type used for ++## the network config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the directory to which the object will be created. ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`sysnet_filetrans_config_fromdir',` ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ filetrans_pattern($1, $2, net_conf_t, $3, $4) ++') ++ + ####################################### + ## + ## Create, read, write, and delete network config files. +@@ -433,6 +563,7 @@ interface(`sysnet_manage_config',` allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_redhat',` 
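Review bot: The summary of the new `sysnet_filetrans_config_fromdir` describes only the type transition, but `filetrans_pattern($1, $2, net_conf_t, $3, $4)` in refpolicy also allows `$1` `rw_dir_perms` on the caller-supplied `$2` directory type, so the interface is an authorisation grant on whatever directory type the caller names, not just a labelling rule. State that in the header, e.g. `## Also grants rw_dir_perms on the directory type passed as $2.`, so callers do not pass a broad type by accident. The neighbouring `sysnet_etc_filetrans_config` fixes the directory to /etc via `files_etc_filetrans`; this one deliberately does not, which is worth a sentence in the summary as well.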
@@ -35214,7 +35292,7 @@ index 6944526..1f23aab 100644 manage_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -471,6 +568,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -471,6 +602,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -35222,7 +35300,7 @@ index 6944526..1f23aab 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -580,6 +678,25 @@ interface(`sysnet_signull_ifconfig',` +@@ -580,6 +712,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## @@ -35248,7 +35326,7 @@ index 6944526..1f23aab 100644 ## Read the DHCP configuration files. ## ## -@@ -596,6 +713,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -596,6 +747,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) @@ -35256,7 +35334,7 @@ index 6944526..1f23aab 100644 ') ######################################## -@@ -681,8 +799,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -35265,7 +35343,7 @@ index 6944526..1f23aab 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -692,6 +808,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -35274,7 +35352,7 @@ index 6944526..1f23aab 100644 sysnet_read_config($1) optional_policy(` -@@ -720,8 +838,6 @@ interface(`sysnet_use_ldap',` +@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; 
@@ -35283,7 +35361,7 @@ index 6944526..1f23aab 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 +849,9 @@ interface(`sysnet_use_ldap',` +@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -35293,7 +35371,7 @@ index 6944526..1f23aab 100644 ') ######################################## -@@ -754,7 +873,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -35301,7 +35379,7 @@ index 6944526..1f23aab 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +884,74 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -39173,7 +39251,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..bce11fd 100644 +index 3c5dba7..db184a5 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -40105,7 +40183,7 @@ index 3c5dba7..bce11fd 100644 userdom_change_password_template($1) -@@ -761,82 +946,100 @@ template(`userdom_login_user_template', ` +@@ -761,82 +946,101 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -40164,6 +40242,7 @@ index 3c5dba7..bce11fd 100644 + fs_rw_anon_inodefs_files($1_usertype) + auth_role($1_r, $1_t) ++ auth_create_cache($1_t) + auth_rw_cache($1_t) + auth_search_pam_console_data($1_t) + auth_dontaudit_read_login_records($1_t) 
@@ -40242,7 +40321,7 @@ index 3c5dba7..bce11fd 100644 ') ') -@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1072,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -40255,7 +40334,7 @@ index 3c5dba7..bce11fd 100644 ############################## # # Local policy -@@ -907,42 +1116,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1117,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -40368,7 +40447,7 @@ index 3c5dba7..bce11fd 100644 ') optional_policy(` -@@ -951,12 +1217,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1218,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -40399,7 +40478,7 @@ index 3c5dba7..bce11fd 100644 ') ####################################### -@@ -990,27 +1273,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1274,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -40437,7 +40516,7 @@ index 3c5dba7..bce11fd 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1310,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1311,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -40508,7 +40587,7 @@ index 3c5dba7..bce11fd 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1372,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -40519,7 +40598,7 @@ index 3c5dba7..bce11fd 100644 ') ') -@@ -1082,7 +1410,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -40528,7 +40607,7 @@ index 3c5dba7..bce11fd 100644 ') ############################## -@@ -1109,6 +1437,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40536,7 +40615,7 @@ index 3c5dba7..bce11fd 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1446,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -40546,7 +40625,7 @@ index 3c5dba7..bce11fd 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1463,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -40554,7 +40633,7 @@ index 3c5dba7..bce11fd 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1481,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40569,7 +40648,7 @@ index 3c5dba7..bce11fd 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1499,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1500,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -40612,7 +40691,7 @@ index 3c5dba7..bce11fd 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1540,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40621,7 +40700,7 @@ index 3c5dba7..bce11fd 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1549,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -40640,7 +40719,7 @@ index 3c5dba7..bce11fd 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1605,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40649,7 +40728,7 @@ index 3c5dba7..bce11fd 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1619,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40661,7 +40740,7 @@ index 3c5dba7..bce11fd 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1633,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) 
@@ -40704,7 +40783,7 @@ index 3c5dba7..bce11fd 100644 ') optional_policy(` -@@ -1360,14 +1718,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40723,7 +40802,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -1408,6 +1769,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -40775,7 +40854,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1918,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -40807,7 +40886,7 @@ index 3c5dba7..bce11fd 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1984,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -40822,7 +40901,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -1573,9 +2007,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40834,7 +40913,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -1632,6 +2068,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') 
@@ -40877,7 +40956,7 @@ index 3c5dba7..bce11fd 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2183,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40886,7 +40965,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -1744,10 +2218,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -40901,7 +40980,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -1772,7 +2248,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2249,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -40928,7 +41007,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -1782,49 +2276,67 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,49 +2277,67 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -41008,7 +41087,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -1848,6 +2360,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2361,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -41034,7 +41113,7 @@ index 3c5dba7..bce11fd 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2409,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2410,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
@@ -41072,7 +41151,7 @@ index 3c5dba7..bce11fd 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2449,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2450,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -41090,7 +41169,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -1941,7 +2497,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2498,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -41117,7 +41196,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -1951,17 +2525,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2526,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -41138,7 +41217,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -1969,12 +2541,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2542,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -41189,7 +41268,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -2010,8 +2618,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2619,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -41199,7 +41278,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -2027,20 +2634,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2635,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -41224,7 +41303,7 @@ index 3c5dba7..bce11fd 100644 ######################################## ## -@@ -2123,7 +2724,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2725,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -41233,7 +41312,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -2131,19 +2732,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2733,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -41257,7 +41336,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -2151,12 +2750,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2751,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -41273,7 +41352,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -2393,11 +2992,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2993,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -41288,7 +41367,7 @@ index 3c5dba7..bce11fd 100644 files_search_tmp($1) ') -@@ -2417,7 +3016,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3017,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -41297,7 +41376,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -2664,6 +3263,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3264,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -41323,7 +41402,7 @@ index 3c5dba7..bce11fd 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3298,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3299,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -41339,7 +41418,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -2707,7 +3326,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3327,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -41348,7 +41427,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -2715,14 +3334,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3335,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -41383,7 +41462,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -2817,6 +3452,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3453,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -41408,7 +41487,7 @@ index 3c5dba7..bce11fd 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3488,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3489,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -41451,7 +41530,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -2859,14 +3524,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3525,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -41489,7 +41568,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -2885,8 +3569,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3570,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -41519,7 +41598,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -2958,69 +3661,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3662,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41620,7 +41699,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -3028,12 +3730,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3731,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -41635,7 +41714,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -3097,7 +3799,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3800,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -41644,7 +41723,7 @@ index 3c5dba7..bce11fd 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3815,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3816,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41678,7 +41757,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -3217,7 +3903,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3904,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41705,7 +41784,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -3272,7 +3976,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3977,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41771,7 +41850,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -3290,7 +4051,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4052,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41780,7 +41859,7 @@ index 3c5dba7..bce11fd 100644 ') ######################################## -@@ -3309,6 +4070,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4071,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -41788,7 +41867,7 @@ index 3c5dba7..bce11fd 100644 kernel_search_proc($1) ') -@@ -3385,6 +4147,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4148,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -41831,7 +41910,7 @@ index 3c5dba7..bce11fd 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,7 +4203,7 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,7 +4204,7 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -41840,7 +41919,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -3413,17 +4211,17 @@ interface(`userdom_sigchld_all_users',` +@@ -3413,17 +4212,17 @@ interface(`userdom_sigchld_all_users',` ## ## # @@ -41861,7 +41940,7 @@ index 3c5dba7..bce11fd 100644 ## ## ## -@@ -3431,11 +4229,1516 @@ interface(`userdom_create_all_users_keys',` +@@ -3431,11 +4230,1516 @@ interface(`userdom_create_all_users_keys',` ## ## # diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 26085ce..dc594fa 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -16887,7 +16887,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 6ce66e7..f8e9ecc 100644 +index 6ce66e7..03bc338 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -16900,7 +16900,7 @@ index 6ce66e7..f8e9ecc 100644 type ctdbd_var_run_t; files_pid_file(ctdbd_var_run_t) -@@ -33,6 +36,7 @@ files_pid_file(ctdbd_var_run_t) +@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t) # allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; 
@@ -16908,7 +16908,14 @@ index 6ce66e7..f8e9ecc 100644 allow ctdbd_t self:process { setpgid signal_perms setsched }; allow ctdbd_t self:fifo_file rw_fifo_file_perms; allow ctdbd_t self:unix_stream_socket { accept connectto listen }; -@@ -59,6 +63,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) + allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; + allow ctdbd_t self:packet_socket create_socket_perms; + allow ctdbd_t self:tcp_socket create_stream_socket_perms; ++allow ctdbd_t self:udp_socket create_socket_perms; + + append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) + create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) +@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) @@ -16920,7 +16927,7 @@ index 6ce66e7..f8e9ecc 100644 manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) -@@ -72,9 +81,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) +@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -16932,7 +16939,7 @@ index 6ce66e7..f8e9ecc 100644 corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +96,12 @@ dev_read_urand(ctdbd_t) +@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -16947,7 +16954,7 @@ index 6ce66e7..f8e9ecc 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +120,7 @@ optional_policy(` +@@ -109,6 +121,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -22136,7 +22143,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') 
diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..9a6a36e 100644 +index a7bfaf0..5c00621 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -22390,7 +22397,7 @@ index a7bfaf0..9a6a36e 100644 sendmail_domtrans(dovecot_t) ') -@@ -221,46 +214,63 @@ optional_policy(` +@@ -221,46 +214,65 @@ optional_policy(` ######################################## # @@ -22447,6 +22454,8 @@ index a7bfaf0..9a6a36e 100644 sysnet_use_ldap(dovecot_auth_t) ++systemd_login_read_pid_files(dovecot_auth_t) ++ +userdom_getattr_user_home_dirs(dovecot_auth_t) + optional_policy(` @@ -22463,7 +22472,7 @@ index a7bfaf0..9a6a36e 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -271,15 +281,30 @@ optional_policy(` +@@ -271,15 +283,30 @@ optional_policy(` ') optional_policy(` @@ -22495,7 +22504,7 @@ index a7bfaf0..9a6a36e 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +314,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +316,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -22555,7 +22564,7 @@ index a7bfaf0..9a6a36e 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +358,6 @@ optional_policy(` +@@ -326,5 +360,6 @@ optional_policy(` ') optional_policy(` @@ -39930,7 +39939,7 @@ index 6194b80..2ab36ff 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..937a608 100644 +index 6a306ee..e3036c4 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -40766,7 +40775,7 @@ index 6a306ee..937a608 100644 ') optional_policy(` -@@ -568,108 +564,128 @@ optional_policy(` +@@ -568,108 +564,129 @@ optional_policy(` ') optional_policy(` 
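Review bot: `systemd_login_read_pid_files(dovecot_auth_t)` in hunk `@@ -22447,6 +22454,8 @@` carries no comment explaining why dovecot-auth reads logind's run files, and the grant is wider than the stated need: the changelog says "read nologin", but the interface covers every file of that type, not only the nologin marker. A one-line why-comment above the rule, e.g. `# dovecot-auth checks the nologin marker under /run (presumably logind's pid-file type)`, would let the next reviewer judge the scope; confirm the actual label of that file before committing to the wording. If a narrower interface for that single file exists in the systemd module, it would be the least-privilege choice.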
@@ -40944,6 +40953,7 @@ index 6a306ee..937a608 100644 - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_spice',` + dev_rw_generic_usb_dev(mozilla_plugin_t) ++ corenet_tcp_bind_vnc_port(mozilla_plugin_t) ') -optional_policy(` @@ -45606,10 +45616,10 @@ index 56c0fbd..173a2c0 100644 userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index a1fb3c3..82f8ae6 100644 +index a1fb3c3..2b818b9 100644 --- a/networkmanager.fc +++ b/networkmanager.fc -@@ -1,43 +1,44 @@ +@@ -1,43 +1,45 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -45675,10 +45685,11 @@ index a1fb3c3..82f8ae6 100644 /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 0e8508c..f8893f8 100644 +index 0e8508c..ee2e3de 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -45955,7 +45966,7 @@ index 0e8508c..f8893f8 100644 ## ## ## -@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',` +@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',` ## ## # 
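Review bot: `corenet_tcp_bind_vnc_port(mozilla_plugin_t)` inside `tunable_policy(`mozilla_plugin_use_spice',` turns a browser plugin domain into a TCP listener on the VNC port range, which is a notable exposure even though it is correctly gated by the boolean. Binding also requires a node bind permission (e.g. `corenet_tcp_bind_generic_node`) somewhere in mozilla_plugin_t's policy; that is not visible in this hunk, so confirm it is already granted elsewhere or the new rule will not be sufficient. A short comment such as `# spice client embedded in the plugin may listen on a VNC port` would document why a plugin domain needs a listening socket at all; the tunable_policy block's closing `')` is the only other line of it shown here.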
@@ -46103,6 +46114,7 @@ index 0e8508c..f8893f8 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf") @@ -54618,10 +54630,10 @@ index 0000000..20ea9f5 + diff --git a/piranha.if b/piranha.if new file mode 100644 -index 0000000..8d681d1 +index 0000000..cf54103 --- /dev/null +++ b/piranha.if -@@ -0,0 +1,179 @@ +@@ -0,0 +1,187 @@ +## policy for piranha + +####################################### @@ -54649,6 +54661,10 @@ index 0000000..8d681d1 + type piranha_$1_exec_t; + init_daemon_domain(piranha_$1_t, piranha_$1_exec_t) + ++ # tmpfs files ++ type piranha_$1_tmpfs_t, piranha_tmpfs; ++ files_tmpfs_file(piranha_$1_tmpfs_t) ++ + # pid files + type piranha_$1_var_run_t; + files_pid_file(piranha_$1_var_run_t) @@ -54658,6 +54674,10 @@ index 0000000..8d681d1 + # piranha_$1_t local policy + # + ++ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t) ++ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t) ++ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file }) ++ + manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file }) @@ -54803,10 +54823,10 @@ index 0000000..8d681d1 +') diff --git a/piranha.te b/piranha.te new file mode 100644 -index 0000000..34e591f +index 0000000..a989aea --- /dev/null 
+++ b/piranha.te -@@ -0,0 +1,293 @@ +@@ -0,0 +1,292 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -54822,6 +54842,7 @@ index 0000000..34e591f +gen_tunable(piranha_lvs_can_network_connect, false) + +attribute piranha_domain; ++attribute piranha_tmpfs; + +piranha_domain_template(fos) + @@ -54834,9 +54855,6 @@ index 0000000..34e591f + +piranha_domain_template(web) + -+type piranha_web_tmpfs_t; -+files_tmpfs_file(piranha_web_tmpfs_t) -+ +type piranha_web_conf_t; +files_config_file(piranha_web_conf_t) + @@ -54898,10 +54916,6 @@ index 0000000..34e591f +manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) +files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir }) + -+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) -+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) -+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file }) -+ +piranha_pulse_initrc_domtrans(piranha_web_t) + +kernel_read_kernel_sysctls(piranha_web_t) @@ -54951,6 +54965,9 @@ index 0000000..34e591f +allow piranha_lvs_t self:unix_dgram_socket create_socket_perms; +allow piranha_lvs_t self:rawip_socket create_socket_perms; + ++manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t) ++manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t) ++ +kernel_read_kernel_sysctls(piranha_lvs_t) + +# needed by nanny @@ -55084,6 +55101,9 @@ index 0000000..34e591f + +read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t) + ++manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs) ++manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs) ++ +kernel_read_network_state(piranha_domain) + +corenet_tcp_sendrecv_generic_if(piranha_domain) 
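Review bot: The new tmpfs rules in hunks `@@ -54951,6 +54965,9 @@` and `@@ -55084,6 +55101,9 @@` use inconsistent comma spacing (`piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t`, `piranha_tmpfs ,piranha_tmpfs`) while every other pattern call in the file is written `manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)`; the four lines should be `manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)`, `manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)`, `manage_files_pattern(piranha_pulse_t, piranha_tmpfs, piranha_tmpfs)` and `manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs, piranha_tmpfs)`. These rules also let pulse manage the tmpfs content of every piranha domain and lvs manage pulse's, a cross-domain share that deserves a why-comment (presumably shared tmpfs-backed state between pulse and the lvs/nanny side, to be confirmed). `piranha_pulse_tmpfs_t` is only defined if the template at piranha.if is invoked for `pulse`; that invocation is not visible here.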
@@ -55095,7 +55115,6 @@ index 0000000..34e591f +corenet_tcp_bind_generic_node(piranha_domain) +corenet_udp_bind_generic_node(piranha_domain) + -+ +corecmd_exec_bin(piranha_domain) +corecmd_exec_shell(piranha_domain) + @@ -58864,7 +58883,7 @@ index 2e23946..0b76d72 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..2177e93 100644 +index 191a66f..f19bca4 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -59046,8 +59065,9 @@ index 191a66f..2177e93 100644 -######################################## -# -# Common postfix user domain local policy --# -- ++# Postfix master process local policy + # + -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) @@ -59055,9 +59075,8 @@ index 191a66f..2177e93 100644 -######################################## -# -# Master local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; @@ -59081,10 +59100,10 @@ index 191a66f..2177e93 100644 -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; ++ ++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; -+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; -+ +allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; + +manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) 
@@ -59125,29 +59144,29 @@ index 191a66f..2177e93 100644 -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") -- + -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") ++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") -- --can_exec(postfix_master_t, postfix_exec_t) -+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++kernel_read_all_sysctls(postfix_master_t) +-can_exec(postfix_master_t, postfix_exec_t) +- -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -+kernel_read_all_sysctls(postfix_master_t) - +- -corenet_all_recvfrom_unlabeled(postfix_master_t) corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -263,50 +165,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) 
corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -59207,32 +59226,30 @@ index 191a66f..2177e93 100644 mta_read_sendmail_bin(postfix_master_t) mta_getattr_spool(postfix_master_t) +-optional_policy(` +- cyrus_stream_connect(postfix_master_t) +-') +- +-optional_policy(` +- kerberos_keytab_template(postfix, postfix_t) +ifdef(`distro_redhat',` + # for newer main.cf that uses /etc/aliases + mta_manage_aliases(postfix_master_t) + mta_etc_filetrans_aliases(postfix_master_t) -+') -+ - optional_policy(` - cyrus_stream_connect(postfix_master_t) - ') -@@ -316,14 +212,11 @@ optional_policy(` ') optional_policy(` -+# for postalias - mailman_manage_data_files(postfix_master_t) +- mailman_manage_data_files(postfix_master_t) ++ cyrus_stream_connect(postfix_master_t) ') optional_policy(` - mysql_stream_connect(postfix_master_t) --') -- --optional_policy(` - postgrey_search_spool(postfix_master_t) ++ kerberos_keytab_template(postfix, postfix_t) ') -@@ -333,12 +226,14 @@ optional_policy(` + optional_policy(` +@@ -333,12 +221,14 @@ optional_policy(` ######################################## # @@ -59249,7 +59266,7 @@ index 191a66f..2177e93 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -355,37 +250,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # @@ -59296,7 +59313,7 @@ index 191a66f..2177e93 100644 optional_policy(` mailman_read_data_files(postfix_cleanup_t) -@@ -393,36 +285,50 @@ optional_policy(` +@@ -393,36 +280,50 @@ optional_policy(` ######################################## # @@ -59356,7 +59373,7 @@ index 191a66f..2177e93 100644 ') optional_policy(` -@@ -434,6 +340,7 @@ optional_policy(` +@@ -434,6 +335,7 @@ optional_policy(` ') optional_policy(` 
@@ -59364,7 +59381,7 @@ index 191a66f..2177e93 100644 mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) mailman_read_log(postfix_local_t) -@@ -444,6 +351,10 @@ optional_policy(` +@@ -444,6 +346,10 @@ optional_policy(` ') optional_policy(` @@ -59375,7 +59392,7 @@ index 191a66f..2177e93 100644 procmail_domtrans(postfix_local_t) ') -@@ -458,15 +369,17 @@ optional_policy(` +@@ -458,15 +364,17 @@ optional_policy(` ######################################## # @@ -59399,7 +59416,7 @@ index 191a66f..2177e93 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -476,14 +389,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -59419,7 +59436,7 @@ index 191a66f..2177e93 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -492,7 +406,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) @@ -59427,7 +59444,7 @@ index 191a66f..2177e93 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -500,21 +413,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) 
@@ -59453,7 +59470,7 @@ index 191a66f..2177e93 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,16 +438,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -59473,7 +59490,7 @@ index 191a66f..2177e93 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +489,26 @@ optional_policy(` +@@ -576,19 +484,26 @@ optional_policy(` ######################################## # @@ -59505,7 +59522,7 @@ index 191a66f..2177e93 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +523,7 @@ optional_policy(` +@@ -603,10 +518,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -59517,7 +59534,7 @@ index 191a66f..2177e93 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +538,24 @@ optional_policy(` +@@ -621,17 +533,24 @@ optional_policy(` ####################################### # @@ -59545,7 +59562,7 @@ index 191a66f..2177e93 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +571,77 @@ optional_policy(` +@@ -647,67 +566,77 @@ optional_policy(` ######################################## # @@ -59641,7 +59658,7 @@ index 191a66f..2177e93 100644 ') optional_policy(` -@@ -720,29 +654,30 @@ optional_policy(` +@@ -720,29 +649,30 @@ optional_policy(` ######################################## # 
@@ -59680,7 +59697,7 @@ index 191a66f..2177e93 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) dovecot_stream_connect(postfix_smtpd_t) -@@ -754,6 +689,7 @@ optional_policy(` +@@ -754,6 +684,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -59688,7 +59705,7 @@ index 191a66f..2177e93 100644 ') optional_policy(` -@@ -764,31 +700,99 @@ optional_policy(` +@@ -764,31 +695,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -59994,7 +60011,7 @@ index efcb653..ff2c96a 100644 +/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) +/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/ppp.if b/ppp.if -index cd8b8b9..cde0d62 100644 +index cd8b8b9..6c73980 100644 --- a/ppp.if +++ b/ppp.if @@ -1,110 +1,91 @@ @@ -60334,7 +60351,13 @@ index cd8b8b9..cde0d62 100644 ## ## ## -@@ -413,37 +388,25 @@ interface(`ppp_manage_pid_files',` +@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',` + ') + + files_search_pids($1) +- allow $1 pppd_var_run_t:file manage_file_perms; ++ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) + ') ######################################## ## @@ -60478,7 +60501,7 @@ index cd8b8b9..cde0d62 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..7b8a7d1 100644 +index b2b5dba..9bc465c 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ @@ -60663,7 +60686,7 @@ index b2b5dba..7b8a7d1 100644 corecmd_exec_bin(pppd_t) corecmd_exec_shell(pppd_t) -@@ -147,36 +169,30 @@ files_exec_etc_files(pppd_t) +@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) 
@@ -60697,6 +60720,7 @@ index b2b5dba..7b8a7d1 100644 sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) ++sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf") -userdom_use_user_terminals(pppd_t) +userdom_use_inherited_user_terminals(pppd_t) @@ -60708,7 +60732,7 @@ index b2b5dba..7b8a7d1 100644 optional_policy(` ddclient_run(pppd_t, pppd_roles) -@@ -186,11 +202,13 @@ optional_policy(` +@@ -186,11 +203,13 @@ optional_policy(` l2tpd_dgram_send(pppd_t) l2tpd_rw_socket(pppd_t) l2tpd_stream_connect(pppd_t) @@ -60723,7 +60747,7 @@ index b2b5dba..7b8a7d1 100644 ') ') -@@ -218,16 +236,19 @@ optional_policy(` +@@ -218,16 +237,19 @@ optional_policy(` ######################################## # @@ -60746,7 +60770,7 @@ index b2b5dba..7b8a7d1 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +257,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -60803,7 +60827,7 @@ index b2b5dba..7b8a7d1 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -60818,7 +60842,7 @@ index b2b5dba..7b8a7d1 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +318,10 @@ optional_policy(` +@@ -299,6 +319,10 @@ optional_policy(` ') optional_policy(` @@ -76092,7 +76116,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..8854093 100644 +index 57c034b..f177430 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ 
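Review bot: `sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")` in hunk `@@ -60697,6 +60720,7 @@` changes the label of a file pppd creates under its own run directory to the system resolver-config type, and nothing in the hunk says why. A comment on the line, e.g. `# resolv.conf written into the pppd run dir must carry the net_conf_t label so resolver-config readers can use it`, would preserve the reasoning from the changelog entry. Note that domains reaching that directory through `ppp_manage_pid_files` are granted `pppd_var_run_t` only, so they will not match this relabelled file; confirm no caller depends on it.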
@@ -76722,7 +76746,7 @@ index 57c034b..8854093 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +555,40 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -76784,10 +76808,11 @@ index 57c034b..8854093 100644 - files_manage_non_auth_files(nmbd_t) +optional_policy(` + ctdbd_stream_connect(nmbd_t) ++ ctdbd_manage_var_files(nmbd_t) ') optional_policy(` -@@ -600,17 +601,24 @@ optional_policy(` +@@ -600,17 +602,24 @@ optional_policy(` ######################################## # @@ -76816,7 +76841,7 @@ index 57c034b..8854093 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -620,16 +628,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -76834,7 +76859,7 @@ index 57c034b..8854093 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +641,23 @@ optional_policy(` +@@ -637,22 +642,23 @@ optional_policy(` ######################################## # @@ -76866,7 +76891,7 @@ index 57c034b..8854093 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +666,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -76902,7 +76927,7 @@ index 57c034b..8854093 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +693,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) 
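Review bot: `ctdbd_manage_var_files(nmbd_t)` in hunk `@@ -76784,10 +76808,11 @@` gives nmbd create, write and delete rights over ctdbd's var files, while the changelog only says nmbd needs to "access" them. If nmbd merely reads ctdb's cluster state, a read-only ctdbd interface would be the least-privilege choice; if it really writes there, a comment naming the file or operation that required it would justify the wider grant. The `optional_policy` block containing the rule is fully visible in the hunk.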
@@ -76994,7 +77019,7 @@ index 57c034b..8854093 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +772,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -77018,7 +77043,7 @@ index 57c034b..8854093 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +786,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -77061,7 +77086,7 @@ index 57c034b..8854093 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +816,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -77075,7 +77100,7 @@ index 57c034b..8854093 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +840,19 @@ optional_policy(` +@@ -834,16 +841,19 @@ optional_policy(` # allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; @@ -77099,7 +77124,7 @@ index 57c034b..8854093 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +862,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) 
@@ -77110,7 +77135,7 @@ index 57c034b..8854093 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +873,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -77140,7 +77165,7 @@ index 57c034b..8854093 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +896,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -77161,7 +77186,7 @@ index 57c034b..8854093 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +914,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -77172,7 +77197,7 @@ index 57c034b..8854093 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +922,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -77214,7 +77239,7 @@ index 57c034b..8854093 100644 ') optional_policy(` -@@ -952,31 +970,29 @@ optional_policy(` +@@ -952,31 +971,29 @@ optional_policy(` # Winbind helper local policy # @@ -77252,7 +77277,7 @@ index 57c034b..8854093 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1006,38 @@ optional_policy(` +@@ -990,25 +1007,38 @@ optional_policy(` ######################################## # @@ -87322,10 +87347,10 @@ index 0000000..5e3637e +') diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..ff282dc +index 0000000..39d17b7 --- /dev/null 
+++ b/thin.te -@@ -0,0 +1,114 @@ +@@ -0,0 +1,115 @@ +policy_module(thin, 1.0) + +######################################## @@ -87402,6 +87427,7 @@ index 0000000..ff282dc +# + +allow thin_t self:capability { setuid kill setgid dac_override }; ++allow thin_t self:capability2 block_suspend; + +allow thin_t self:netlink_route_socket r_netlink_socket_perms; +allow thin_t self:udp_socket create_socket_perms; @@ -92089,7 +92115,7 @@ index 9dec06c..73549fd 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..43fdcbe 100644 +index 1f22fba..9c0c607 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,166 @@ @@ -92988,7 +93014,7 @@ index 1f22fba..43fdcbe 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +597,262 @@ optional_policy(` +@@ -737,44 +597,264 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -93024,6 +93050,14 @@ index 1f22fba..43fdcbe 100644 -manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++kernel_read_net_sysctls(virt_domain) + +-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
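Review bot: `allow thin_t self:capability2 block_suspend;` in the thin.te hunk grants CAP_BLOCK_SUSPEND outright, letting the daemon keep the host from suspending; block_suspend denials from network daemons are frequently incidental (for example an epoll registration with EPOLLWAKEUP) rather than a real requirement. If the denial is only noise, `dontaudit thin_t self:capability2 block_suspend;` is the conventional alternative; if the allow is needed, a one-line comment naming the observed denial and its bug reference, e.g. `# thin triggers block_suspend on startup (<bugzilla-id placeholder>)`, would justify the broader grant. The file header and the rest of the thin_t local policy are outside this hunk.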
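Review bot: `kernel_read_net_sysctls(virt_domain)` in the virt.te hunk hands read access to sysctl_net_t to every domain carrying the virt_domain attribute, which the changelog describes as the svirt domains rather than virtd_t alone, so host network tunables become readable from processes running guest-controlled workloads. The exposure is limited to information disclosure, but the line carries no comment saying which sysctl the guest-side process actually needs; please record it, e.g. `# qemu reads net sysctls at startup (<bugzilla-id placeholder>)`, so a later tightening to a dontaudit or a narrower interface stays possible. The call is also placed directly in front of the userdom_* calls; if the virt_domain section keeps its kernel_* calls grouped elsewhere (outside this hunk), it belongs with them. The enclosing virt_domain section begins and ends outside the hunk.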
@@ -93034,19 +93068,14 @@ index 1f22fba..43fdcbe 100644 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) --manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) 
@@ -93078,13 +93107,12 @@ index 1f22fba..43fdcbe 100644 + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +-allow virsh_t svirt_lxc_domain:process transition; +dontaudit virt_domain virt_tmpfs_type:file { read write }; --allow virsh_t svirt_lxc_domain:process transition; +-can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_log_t, virt_log_t) --can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) @@ -93150,7 +93178,7 @@ index 1f22fba..43fdcbe 100644 +optional_policy(` + ptchown_domtrans(virt_domain) +') - ++ +optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') @@ -93273,7 +93301,7 @@ index 1f22fba..43fdcbe 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +863,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +865,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -93300,7 +93328,7 @@ index 1f22fba..43fdcbe 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +883,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +885,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -93332,7 +93360,7 @@ index 1f22fba..43fdcbe 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +916,20 @@ optional_policy(` +@@ -847,14 +918,20 @@ optional_policy(` ') optional_policy(` @@ -93354,7 +93382,7 @@ index 1f22fba..43fdcbe 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +954,65 @@ optional_policy(` +@@ -879,49 +956,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
@@ -93438,7 +93466,7 @@ index 1f22fba..43fdcbe 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1024,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1026,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -93458,7 +93486,7 @@ index 1f22fba..43fdcbe 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1045,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1047,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -93482,7 +93510,7 @@ index 1f22fba..43fdcbe 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1070,254 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1072,254 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -93867,7 +93895,7 @@ index 1f22fba..43fdcbe 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1330,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1332,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -93882,7 +93910,7 @@ index 1f22fba..43fdcbe 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1348,8 @@ optional_policy(` +@@ -1183,9 +1350,8 @@ optional_policy(` ######################################## # 
@@ -93893,7 +93921,7 @@ index 1f22fba..43fdcbe 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1362,124 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1364,124 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 2e6b511..a3fbca8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.10%{?dist} +Release: 74.11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,25 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Oct 22 2013 Lukas Vrabec 3.12.1-74.11 +- Back port piranha tmpfs fixes from RHEL6 +- Fix piranha_domain_template() +- Allow mozilla_plugin to bind to the vnc port if running with spice +- Allow svirt_domains to read sysctl_net_t +- Update ppp_manage_pid_files interface +- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files. +- Allow dovecot-auth to read nologin +- Allow mailserver_domains to manage and transition to mailman data +- Allow thin_t to block suspend +- Create resolv.conf in the pppd_var_run_t with the net_conf_t label +- wicd.pid should be labeled as networkmanager_var_run_t +- Label /sbin/xfs_growfs as fsadm_exec_t +- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey +- Create resolv.conf in the pppd_var_run_t with the net_conf_t label +- Fix labeling for /etc/strongswan/ipsec.d +- Add labeling for /var/run/charon.ctl socket +- Allow syslogd_t to connect to the syslog_tls port + * Tue Oct 15 2013 Lukas Vrabec 3.12.1-74.10 - Add kill capability in glusterfs policy - Add postfix_rw_spool_maildrop_files interface