From 4657f88c825c78facb823a7ca7a3234a1cdc356d Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Aug 08 2013 13:48:05 +0000
Subject: - Add label for /var/crash
- Allow fenced to domtrans to sanclok_t
- Allow nagios to manage nagios spool files
- Make tfptd as home_manager
- Allow kdump to read kcore on MLS system
- Allow mysqld-safe sys_nice/sys_resource caps
- Allow apache to search automount tmp dirs if http_use_nfs is enabled
- Allow crond to transition to named_t, for use with unbound
- Allow crond to look at named_conf_t, for unbound
- Allow mozilla_plugin_t to transition its home content
- Allow dovecot_domain to read all system and network state
- Allow semanage to read pid files
- Dontaudit leaked file descriptors from user domain into thumb
- Add fixes for rabbit to fix ##992920,#99293
- Make NFS home, NIS authentication and dbus-daemon working
- Fix thumb_run()
- winbind wants block_suspend
- Fix typo in smokeping.te
- Fix rabbit.te
- Remove dup rule for dovecot.te
- Fix abrt.te
- Allow afs domains to read afs_config files
- Allow login programs to read afs config
- Allow virt_domain to read virt_var_run_t symlinks
- Allow smokeping to send its process signals
- Allow fetchmail to setuid
- Add kdump_manage_crash() interface
- Allow abrt domain to write abrt.socket
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log direcotries
- Allow login programs to read afs config
- Fix rules for creating pluto pid files
- Fix userdom_relabel_user_tmp_files()
- Label 10933 as a pop port, for dovecot
---
diff --git a/booleans.subs_dist b/booleans.subs_dist
index 95704b1..d39b6c0 100644
--- a/booleans.subs_dist
+++ b/booleans.subs_dist
@@ -50,3 +50,6 @@ sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm clamd_use_jit antivirus_use_jit amavis_use_jit antivirus_use_jit condor_domain_can_network_connect condor_tcp_network_connect +icecast_connect_any icecast_use_any_tcp_ports +named_bind_http_port named_tcp_bind_http_port +user_rw_noexattrfile selinuxuser_rw_noexattrfile diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 6be89de..551beda 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -5182,7 +5182,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..6f8cc7f 100644 +index 4edc40d..17a4eab 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5384,7 +5384,7 @@ index 4edc40d..6f8cc7f 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,24 +220,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,26 +220,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
@@ -5418,8 +5418,11 @@ index 4edc40d..6f8cc7f 100644 +network_port(pki_ra, tcp,12888-12889,s0) +network_port(pki_tps, tcp,7888-7889,s0) network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) - network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) +-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) ++network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0) network_port(portmap, udp,111,s0, tcp,111,s0) + network_port(postfix_policyd, tcp,10031,s0) + network_port(postgresql, tcp,5432,s0) @@ -214,38 +257,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) @@ -20907,7 +20910,7 @@ index d1f64a0..8f50bb9 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..266289c 100644 +index 6bf0ecc..188613e 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -21792,7 +21795,7 @@ index 6bf0ecc..266289c 100644 + type xdm_t; + ') + -+ dontaudit $1 xdm_t:unix_stream_socket { getattr ioctl read write }; ++ dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write }; +') + +######################################## @@ -22487,7 +22490,7 @@ index 6bf0ecc..266289c 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..7e081fb 100644 +index 2696452..7d6fc31 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` 
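Review bot: The rewritten pop line adds `tcp,10993,s0`, while the commit message says "Label 10933 as a pop port, for dovecot"; one of the two has transposed digits, and the port dovecot actually listens on should decide which, since a wrong entry leaves the real port in unreserved_port_t and reserves an unrelated one as pop_port_t. Either correct the subject line or change the rule to `tcp,10933,s0`. The `-@@ -185,24 +220,32 @@` to `+@@ -185,26 +220,34 @@` header change is consistent with the two postfix_policyd/postgresql context lines now carried by the inner hunk.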
@@ -22950,17 +22953,19 @@ index 2696452..7e081fb 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +517,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +517,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) +manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) ++manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +logging_log_filetrans(xdm_t, xdm_log_t, { dir file }) + manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) ++manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xdm_t, xserver_log_t, file) @@ -22980,7 +22985,7 @@ index 2696452..7e081fb 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +547,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +549,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23033,7 +23038,7 @@ index 2696452..7e081fb 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +599,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +601,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
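Review bot: The two new `manage_lnk_files_pattern` rules for xdm_log_t and xserver_log_t let xdm_t create symlinks, but the `logging_log_filetrans(xdm_t, xdm_log_t, { dir file })` shown just below them still lists only dir and file, so a symlink xdm_t creates directly under /var/log (rather than inside an existing xdm_log_t directory) would inherit var_log_t and fall outside the new rule. If that is the case the commit message describes, the transition should read `logging_log_filetrans(xdm_t, xdm_log_t, { dir file lnk_file })`; if symlinks are only ever created inside already-labelled xdm_log_t directories, no change is needed. The xdm_t policy block continues past this hunk.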
@@ -23062,7 +23067,7 @@ index 2696452..7e081fb 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +629,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +631,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23109,7 +23114,7 @@ index 2696452..7e081fb 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +674,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +676,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23260,7 +23265,7 @@ index 2696452..7e081fb 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +825,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +827,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23287,7 +23292,7 @@ index 2696452..7e081fb 100644 ') optional_policy(` -@@ -514,12 +852,72 @@ optional_policy(` +@@ -514,12 +854,72 @@ optional_policy(` ') optional_policy(` @@ -23360,7 +23365,7 @@ index 2696452..7e081fb 100644 hostname_exec(xdm_t) ') -@@ -537,28 +935,78 @@ optional_policy(` +@@ -537,28 +937,78 @@ optional_policy(` ') optional_policy(` @@ -23448,7 +23453,7 @@ index 2696452..7e081fb 100644 ') optional_policy(` -@@ -570,6 +1018,14 @@ optional_policy(` +@@ -570,6 +1020,14 @@ optional_policy(` ') optional_policy(` @@ -23463,7 +23468,7 @@ index 2696452..7e081fb 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1052,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -23476,7 +23481,7 @@ index 2696452..7e081fb 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1069,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23492,7 +23497,7 @@ index 2696452..7e081fb 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1085,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23503,7 +23508,7 @@ index 2696452..7e081fb 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1100,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -23525,7 +23530,7 @@ index 2696452..7e081fb 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1120,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23539,7 +23544,7 @@ index 2696452..7e081fb 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1146,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23571,7 +23576,7 @@ index 2696452..7e081fb 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1178,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23589,7 +23594,7 @@ index 2696452..7e081fb 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1199,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1201,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23613,7 +23618,7 @@ index 2696452..7e081fb 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23622,7 +23627,7 @@ index 2696452..7e081fb 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1262,44 @@ optional_policy(` +@@ -775,16 +1264,44 @@ optional_policy(` ') optional_policy(` 
@@ -23668,7 +23673,7 @@ index 2696452..7e081fb 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1308,10 @@ optional_policy(` +@@ -793,6 +1310,10 @@ optional_policy(` ') optional_policy(` @@ -23679,7 +23684,7 @@ index 2696452..7e081fb 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23693,7 +23698,7 @@ index 2696452..7e081fb 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23702,7 +23707,7 @@ index 2696452..7e081fb 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1351,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1353,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23737,7 +23742,7 @@ index 2696452..7e081fb 100644 ') optional_policy(` -@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -23746,7 +23751,7 @@ index 2696452..7e081fb 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1472,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23778,7 +23783,7 @@ index 2696452..7e081fb 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -24951,7 +24956,7 @@ index 3efd5b6..2f6ba05 100644 +') + diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..28dbe0b 100644 +index 104037e..f263075 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) @@ -25257,7 +25262,7 @@ index 104037e..28dbe0b 100644 ') optional_policy(` -@@ -463,3 +502,132 @@ optional_policy(` +@@ -463,3 +502,133 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -25348,6 +25353,7 @@ index 104037e..28dbe0b 100644 +userdom_manage_user_tmp_files(login_pgm) + +optional_policy(` ++ afs_read_config(login_pgm) + afs_rw_udp_sockets(login_pgm) +') + @@ -28779,7 +28785,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..a0ba260 100644 +index 9e54bf9..b63b6d3 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
@@ -28891,8 +28897,14 @@ index 9e54bf9..a0ba260 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; - files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) +@@ -206,10 +219,11 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) + manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) + logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) + +-allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +-files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) ++manage_files_pattern(ipsec_mgmt_t, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t) ++files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, { file }) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) +manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) @@ -32945,19 +32957,45 @@ index 6a50270..fa545e7 100644 + +auth_use_nsswitch(mount_ecryptfs_t) diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc -index b263a8a..9348c8c 100644 +index b263a8a..15576ab 100644 --- a/policy/modules/system/netlabel.fc +++ b/policy/modules/system/netlabel.fc -@@ -1 +1,3 @@ +@@ -1 +1,6 @@ /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) + ++/usr/lib/systemd/system/netlabel.* -- gen_context(system_u:object_r:netlabel_mgmt_unit_file_t,s0) ++ +/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) ++/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te -index cbbda4a..8dcc346 100644 +index cbbda4a..1136c7b 100644 --- a/policy/modules/system/netlabel.te 
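Review bot: `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, { file })` wraps a single class in braces; the plain `file` form of the line it replaces is the convention used two lines above in `logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)`. Replacing the `allow ...:file manage_file_perms` with `manage_files_pattern` also grants rw_dir_perms on ipsec_mgmt_var_run_t directories, which is harmless but only meaningful if some directory ever carries that type; nothing in this hunk shows one, so it is presumably just the pattern's side effect and could be noted in a comment.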
+++ b/policy/modules/system/netlabel.te -@@ -23,6 +23,11 @@ kernel_read_network_state(netlabel_mgmt_t) +@@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0) + + type netlabel_mgmt_t; + type netlabel_mgmt_exec_t; ++init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) + application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) + role system_r types netlabel_mgmt_t; + ++type netlabel_mgmt_unit_file_t; ++systemd_unit_file(netlabel_mgmt_unit_file_t) ++ + ######################################## + # + # NetLabel Management Tools Local policy +@@ -19,10 +23,20 @@ role system_r types netlabel_mgmt_t; + allow netlabel_mgmt_t self:capability net_admin; + allow netlabel_mgmt_t self:netlink_socket create_socket_perms; ++can_exec(netlabel_mgmt_t, netlabel_mgmt_t) ++ + kernel_read_network_state(netlabel_mgmt_t) + ++corecmd_exec_bin(netlabel_mgmt_t) ++corecmd_exec_shell(netlabel_mgmt_t) ++ files_read_etc_files(netlabel_mgmt_t) +term_use_all_inherited_terms(netlabel_mgmt_t) @@ -38579,7 +38617,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..e59f458 100644 +index 3c5dba7..29b497d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
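Review bot: `can_exec(netlabel_mgmt_t, netlabel_mgmt_t)` puts the process type in the file-type position; no on-disk file is labelled netlabel_mgmt_t, so as written the rule either grants nothing or is a typo for `can_exec(netlabel_mgmt_t, netlabel_mgmt_exec_t)`, which is what a netlabel-config script that re-executes netlabelctl in the same domain would need now that both are netlabel_mgmt_exec_t in netlabel.fc. Confirm which was intended and drop or correct the line. The domain now carries both `init_daemon_domain` and `application_domain`, which is fine for a tool started from a unit file and by hand, but a one-line comment would stop the dual setup being read as an accident. The netlabel_mgmt_t rules continue past this hunk.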
@@ -40304,58 +40342,73 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2246,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## -## Delete all user home content directories. +## Delete directories in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_user_home_content_dirs',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:dir delete_dir_perms; ++') ++ ++######################################## ++## ++## Delete all directories in a user home subdirectory. ## ## ## -@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',` - ## - ## +@@ -1782,49 +2274,67 @@ interface(`userdom_manage_user_home_content_dirs',` # --interface(`userdom_delete_all_user_home_content_dirs',` -+interface(`userdom_delete_user_home_content_dirs',` + interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` - attribute user_home_content_type; - type user_home_dir_t; -+ type user_home_t; ++ attribute user_home_type; ') - userdom_search_user_home_dirs($1) - delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) -+ allow $1 user_home_t:dir delete_dir_perms; ++ allow $1 user_home_type:dir delete_dir_perms; ') ######################################## ## -## Delete directories in a user home subdirectory. -+## Delete all directories in a user home subdirectory. ++## Set the attributes of user home files. ## ## ## -@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` + ## Domain allowed access. 
## ## ++## # -interface(`userdom_delete_user_home_content_dirs',` -+interface(`userdom_delete_all_user_home_content_dirs',` ++interface(`userdom_setattr_user_home_content_files',` gen_require(` -- type user_home_t; -+ attribute user_home_type; + type user_home_t; ') - allow $1 user_home_t:dir delete_dir_perms; -+ allow $1 user_home_type:dir delete_dir_perms; ++ allow $1 user_home_t:file setattr; ') ######################################## ## -## Set attributes of all user home content directories. -+## Set the attributes of user home files. ++## Set the attributes of user tmp files. ## ## ## @@ -40365,19 +40418,38 @@ index 3c5dba7..e59f458 100644 +## # -interface(`userdom_setattr_all_user_home_content_dirs',` -+interface(`userdom_setattr_user_home_content_files',` ++interface(`userdom_setattr_user_tmp_files',` gen_require(` - attribute user_home_content_type; -+ type user_home_t; ++ type user_tmp_t; ') - userdom_search_user_home_dirs($1) - allow $1 user_home_content_type:dir setattr_dir_perms; -+ allow $1 user_home_t:file setattr; ++ allow $1 user_tmp_t:file setattr; ++') ++ ++######################################## ++## ++## Relabel user tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_relabel_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file relabel_file_perms; ') ######################################## -@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2358,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -40403,7 +40475,7 @@ index 3c5dba7..e59f458 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2407,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
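Review bot: `allow $1 user_home_type:dir delete_dir_perms;` in the re-added userdom_delete_all_user_home_content_dirs grants rmdir on the target directory but not remove_name on its parent, so a caller with only this interface still cannot remove anything; the `delete_files_pattern(...)` it replaces carried del_entry_dir_perms on the parent types. `delete_dirs_pattern($1, user_home_type, user_home_type)` supplies both halves. The new userdom_delete_user_home_content_dirs earlier in this hunk has the same gap on user_home_t, where `delete_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)` would match how the sibling interfaces reach into the home directory. If user_home_dir_t carries user_home_type, the attribute form also permits removing the home directory itself, which is worth confirming is intended.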
@@ -40441,7 +40513,7 @@ index 3c5dba7..e59f458 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2447,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -40459,7 +40531,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2495,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -40486,7 +40558,7 @@ index 3c5dba7..e59f458 100644 ## ## ## -@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2523,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -40507,7 +40579,7 @@ index 3c5dba7..e59f458 100644 ## ## ## -@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2539,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -40558,7 +40630,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2616,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -40568,7 +40640,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2632,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -40593,7 +40665,7 @@ index 3c5dba7..e59f458 100644 ######################################## ## -@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2722,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -40602,7 +40674,7 @@ index 3c5dba7..e59f458 100644 ## ## ## -@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2730,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -40626,7 +40698,7 @@ index 3c5dba7..e59f458 100644 ## ## ## -@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2748,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -40642,7 +40714,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2990,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -40657,7 +40729,7 @@ index 3c5dba7..e59f458 100644 files_search_tmp($1) ') -@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3014,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -40666,7 +40738,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3261,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -40692,7 +40764,7 @@ index 3c5dba7..e59f458 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3296,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -40708,7 +40780,7 @@ index 3c5dba7..e59f458 100644 ## ## ## -@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3324,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -40717,7 +40789,7 @@ index 3c5dba7..e59f458 100644 ## ## ## -@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3332,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # 
@@ -40731,66 +40803,28 @@ index 3c5dba7..e59f458 100644 - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + allow $1 user_tmpfs_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Get the attributes of a user domain tty. -+## Execute user tmpfs files. - ## - ## - ## -@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',` - ## - ## - # --interface(`userdom_getattr_user_ttys',` -+interface(`userdom_execute_user_tmpfs_files',` - gen_require(` -- type user_tty_device_t; -+ type user_tmpfs_t; - ') - -- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; -+ allow $1 user_tmpfs_t:file execute; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of a user domain tty. -+## Get the attributes of a user domain tty. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`userdom_dontaudit_getattr_user_ttys',` -+interface(`userdom_getattr_user_ttys',` -+ gen_require(` -+ type user_tty_device_t; -+ ') -+ -+ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; +') + +######################################## +## -+## Do not audit attempts to get the attributes of a user domain tty. ++## Execute user tmpfs files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`userdom_dontaudit_getattr_user_ttys',` - gen_require(` - type user_tty_device_t; - ') -@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',` ++interface(`userdom_execute_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ allow $1 user_tmpfs_t:file execute; + ') + + ######################################## +@@ -2817,6 +3450,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
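Review bot: The new userdom_execute_user_tmpfs_files grants only `user_tmpfs_t:file execute`, which permits mapping a user tmpfs file PROT_EXEC but not execute_no_trans, so the summary "Execute user tmpfs files" promises more than the rule delivers; a caller that wants to run such a file as a program still needs `can_exec($1, user_tmpfs_t)`. Either reword the summary to something like "Map user tmpfs files as executable memory" or use can_exec if program execution is the intent. Because user_tmpfs_t is user-writable, the description should also state that this lets the caller execute user-supplied code, so the interface is reached for deliberately rather than as a convenience.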
@@ -40815,7 +40849,7 @@ index 3c5dba7..e59f458 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3486,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -40858,7 +40892,7 @@ index 3c5dba7..e59f458 100644 ## ## ## -@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3522,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -40896,7 +40930,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3567,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -40926,7 +40960,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3659,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41027,7 +41061,7 @@ index 3c5dba7..e59f458 100644 ## ## ## -@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3728,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -41042,7 +41076,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3797,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -41051,7 +41085,7 @@ index 3c5dba7..e59f458 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3813,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -41085,7 +41119,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -3217,7 +3863,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3901,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41112,7 +41146,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -3272,7 +3936,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3974,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41178,7 +41212,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -3290,7 +4011,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4049,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41187,7 +41221,7 @@ index 3c5dba7..e59f458 100644 ') ######################################## -@@ -3309,6 +4030,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4068,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -41195,7 +41229,7 @@ index 3c5dba7..e59f458 100644 kernel_search_proc($1) ') -@@ -3385,6 +4107,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4145,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -41238,11 +41272,54 @@ index 3c5dba7..e59f458 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4163,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,7 +4201,7 @@ interface(`userdom_sigchld_all_users',` ######################################## ## +-## Create keys for all user domains. +## Read keys for all user domains. + ## + ## + ## +@@ -3413,17 +4209,17 @@ interface(`userdom_sigchld_all_users',` + ## + ## + # +-interface(`userdom_create_all_users_keys',` ++interface(`userdom_read_all_users_keys',` + gen_require(` + attribute userdomain; + ') + +- allow $1 userdomain:key create; ++ allow $1 userdomain:key read; + ') + + ######################################## + ## +-## Send a dbus message to all user domains. ++## Create keys for all user domains. + ## + ## + ## +@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',` + ## + ## + # +-interface(`userdom_dbus_send_all_users',` ++interface(`userdom_create_all_users_keys',` + gen_require(` + attribute userdomain; +- class dbus send_msg; + ') + +- allow $1 userdomain:dbus send_msg; ++ allow $1 userdomain:key create; ++') ++ ++######################################## ++## ++## Send a dbus message to all user domains. +## +## +## @@ -41250,23 +41327,13 @@ index 3c5dba7..e59f458 100644 +## +## +# -+interface(`userdom_read_all_users_keys',` ++interface(`userdom_dbus_send_all_users',` + gen_require(` + attribute userdomain; ++ class dbus send_msg; + ') + -+ allow $1 userdomain:key read; -+') -+ -+######################################## -+## - ## Create keys for all user domains. - ## - ## -@@ -3438,4 +4214,1491 @@ interface(`userdom_dbus_send_all_users',` - ') - - allow $1 userdomain:dbus send_msg; ++ allow $1 userdomain:dbus send_msg; + ps_process_pattern($1, userdomain) +') + diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 33aaaa1..6e928a5 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch 
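Review bot: In the `@@ -3431,11 +4227,1516 @@` hunk the rewritten `userdom_dbus_send_all_users` body grants `ps_process_pattern($1, userdomain)` right after `allow $1 userdomain:dbus send_msg;`, yet the interface summary still reads only "Send a dbus message to all user domains". Reading the process state of every user domain is a noticeably broader grant than the name promises, so either document it — `## Send a dbus message to all user domains and read their process state.` — or move the ps rule into its own interface so callers that only need to send messages do not inherit it. The `ps_process_pattern` line appears to predate this commit and is only re-homed here, but it is on the new side and is what every caller of the interface receives.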
@@ -518,7 +518,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..b4c749b 100644 +index cc43d25..da5b191 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -630,12 +630,12 @@ index cc43d25..b4c749b 100644 + +# +# Support for ABRT retrace server -+# -type abrt_retrace_worker_t, abrt_domain; -type abrt_retrace_worker_exec_t; -domain_type(abrt_retrace_worker_t) -domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) ++# +abrt_basic_types_template(abrt_retrace_worker) +application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) role system_r types abrt_retrace_worker_t; @@ -795,10 +795,14 @@ index cc43d25..b4c749b 100644 ') optional_policy(` -@@ -209,6 +224,12 @@ optional_policy(` +@@ -209,6 +224,16 @@ optional_policy(` ') optional_policy(` ++ kdump_read_crash(abrt_t) ++') ++ ++optional_policy(` + mozilla_plugin_dontaudit_rw_tmp_files(abrt_t) + mozilla_plugin_read_rw_files(abrt_t) +') @@ -808,7 +812,7 @@ index cc43d25..b4c749b 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +241,7 @@ optional_policy(` +@@ -220,6 +245,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -816,7 +820,7 @@ index cc43d25..b4c749b 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +252,7 @@ optional_policy(` +@@ -230,6 +256,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -824,7 +828,7 @@ index cc43d25..b4c749b 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +263,17 @@ optional_policy(` +@@ -240,9 +267,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -843,7 +847,7 @@ index cc43d25..b4c749b 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +284,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +288,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') 
@@ -858,7 +862,7 @@ index cc43d25..b4c749b 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +303,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +307,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -866,7 +870,7 @@ index cc43d25..b4c749b 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +312,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +316,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -887,7 +891,7 @@ index cc43d25..b4c749b 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +333,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +337,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -914,7 +918,7 @@ index cc43d25..b4c749b 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +369,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +373,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -928,7 +932,7 @@ index cc43d25..b4c749b 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +387,11 @@ optional_policy(` +@@ -330,10 +391,11 @@ optional_policy(` ####################################### # 
@@ -942,7 +946,7 @@ index cc43d25..b4c749b 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +414,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1004,7 +1008,7 @@ index cc43d25..b4c749b 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +472,18 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1021,8 +1025,10 @@ index cc43d25..b4c749b 100644 # -kernel_read_system_state(abrt_domain) -- --files_read_etc_files(abrt_domain) ++allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; ++allow abrt_domain abrt_var_run_t:unix_stream_socket connectto; + + files_read_etc_files(abrt_domain) - -logging_send_syslog_msg(abrt_domain) - @@ -1253,10 +1259,35 @@ index 8b5ad06..8ce8f26 100644 optional_policy(` unconfined_domain(ada_t) diff --git a/afs.if b/afs.if -index 3b41be6..188db36 100644 +index 3b41be6..97d99f9 100644 --- a/afs.if +++ b/afs.if -@@ -95,13 +95,17 @@ interface(`afs_initrc_domtrans',` +@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',` + + ######################################## + ## ++## Read AFS config data ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`afs_read_config',` ++ gen_require(` ++ type afs_config_t; ++ ') ++ ++ read_files_pattern($1, afs_config_t, afs_config_t) ++') ++ ++######################################## ++## + ## Read and write afs cache files. + ## + ## +@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',` interface(`afs_admin',` gen_require(` attribute afs_domain; 
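Review bot: In the `@@ -400,16 +472,18 @@` hunk of abrt.te, `allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;` uses the sock_file type as the target, but for `unix_stream_socket connectto` the kernel checks against the context of the listening socket, which is the domain of the process that created it, not the label of the path under /var/run. As written the rule is very likely a no-op: the new `sock_file write_sock_file_perms` rule lets the client open the path, and the connect itself is still denied against the listener's domain. The conventional form is `stream_connect_pattern(abrt_domain, abrt_var_run_t, abrt_var_run_t, abrt_t)`, which emits the dir search, the sock_file write and the connectto against the listener in one line; the listener is presumably abrt_t (or init_t if abrt.socket is socket-activated by systemd), so confirm which domain owns the socket before settling the fourth argument.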
@@ -1278,7 +1309,7 @@ index 3b41be6..188db36 100644 afs_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/afs.te b/afs.te -index 6690cdf..baf390f 100644 +index 6690cdf..7726644 100644 --- a/afs.te +++ b/afs.te @@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) @@ -1328,7 +1359,17 @@ index 6690cdf..baf390f 100644 seutil_read_config(afs_bosserver_t) -@@ -175,12 +187,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t) +@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms }; + allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; + allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; + +-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) +-allow afs_fsserver_t afs_config_t:dir list_dir_perms; +- + manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) + manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) + +@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t) corenet_all_recvfrom_unlabeled(afs_fsserver_t) corenet_all_recvfrom_netlabel(afs_fsserver_t) @@ -1345,7 +1386,7 @@ index 6690cdf..baf390f 100644 corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) corenet_tcp_bind_afs_fs_port(afs_fsserver_t) -@@ -190,7 +204,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) +@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) files_read_etc_runtime_files(afs_fsserver_t) files_list_home(afs_fsserver_t) @@ -1353,7 +1394,7 @@ index 6690cdf..baf390f 100644 files_list_pids(afs_fsserver_t) files_dontaudit_search_mnt(afs_fsserver_t) -@@ -224,7 +237,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) +@@ -224,7 +234,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) kernel_read_kernel_sysctls(afs_kaserver_t) 
@@ -1361,7 +1402,7 @@ index 6690cdf..baf390f 100644 corenet_all_recvfrom_netlabel(afs_kaserver_t) corenet_udp_sendrecv_generic_if(afs_kaserver_t) corenet_udp_sendrecv_generic_node(afs_kaserver_t) -@@ -239,7 +251,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) +@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) corenet_udp_sendrecv_kerberos_port(afs_kaserver_t) files_list_home(afs_kaserver_t) @@ -1369,7 +1410,16 @@ index 6690cdf..baf390f 100644 seutil_read_config(afs_kaserver_t) -@@ -262,7 +273,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) +@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t) + allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; + allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; + +-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) +-allow afs_ptserver_t afs_config_t:dir list_dir_perms; +- + manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) + manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) + manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) @@ -1377,7 +1427,7 @@ index 6690cdf..baf390f 100644 corenet_all_recvfrom_netlabel(afs_ptserver_t) corenet_tcp_sendrecv_generic_if(afs_ptserver_t) corenet_udp_sendrecv_generic_if(afs_ptserver_t) -@@ -274,6 +284,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) +@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) corenet_udp_bind_afs_pt_port(afs_ptserver_t) corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) 
@@ -1386,7 +1436,16 @@ index 6690cdf..baf390f 100644 userdom_dontaudit_use_user_terminals(afs_ptserver_t) ######################################## -@@ -293,7 +305,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) +@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t) + allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; + allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; + +-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) +-allow afs_vlserver_t afs_config_t:dir list_dir_perms; +- + manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) + manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) + manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) @@ -1394,15 +1453,18 @@ index 6690cdf..baf390f 100644 corenet_all_recvfrom_netlabel(afs_vlserver_t) corenet_tcp_sendrecv_generic_if(afs_vlserver_t) corenet_udp_sendrecv_generic_if(afs_vlserver_t) -@@ -314,8 +325,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) +@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) allow afs_domain self:udp_socket create_socket_perms; -files_read_etc_files(afs_domain) - -miscfiles_read_localization(afs_domain) -- ++read_files_pattern(afs_domain, afs_config_t, afs_config_t) ++allow afs_domain afs_config_t:dir list_dir_perms; + sysnet_read_config(afs_domain) ++ diff --git a/aiccu.if b/aiccu.if index 3b5dcb9..fbe187f 100644 --- a/aiccu.if @@ -4533,7 +4595,7 @@ index 83e899c..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..a68bd53 100644 +index 1a82e29..40e2876 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ 
@@ -5511,33 +5573,38 @@ index 1a82e29..a68bd53 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +771,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +771,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +tunable_policy(`httpd_use_nfs',` -+ fs_list_auto_mountpoints(httpd_t) + fs_list_auto_mountpoints(httpd_t) +- fs_read_cifs_files(httpd_t) +- fs_read_cifs_symlinks(httpd_t) + fs_manage_nfs_dirs(httpd_t) + fs_manage_nfs_files(httpd_t) + fs_manage_nfs_symlinks(httpd_t) ') - tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` -- fs_list_auto_mountpoints(httpd_t) - fs_read_cifs_files(httpd_t) - fs_read_cifs_symlinks(httpd_t) - ') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) --') -- ++ ++tunable_policy(`httpd_use_nfs',` ++ automount_search_tmp_dirs(httpd_t) + ') + -tunable_policy(`httpd_execmem',` - allow httpd_t self:process { execmem execstack }; --') -- ++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` ++ fs_read_cifs_files(httpd_t) ++ fs_read_cifs_symlinks(httpd_t) + ') + tunable_policy(`httpd_can_sendmail',` - corenet_sendrecv_smtp_client_packets(httpd_t) + # allow httpd to connect to mail servers @@ -5557,12 +5624,8 @@ index 1a82e29..a68bd53 100644 - tunable_policy(`httpd_can_network_connect_zabbix',` - zabbix_tcp_connect(httpd_t) - ') -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_dirs(httpd_t) -+ fs_manage_cifs_files(httpd_t) -+ fs_manage_cifs_symlinks(httpd_t) - ') - +-') +- -optional_policy(` - tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` - spamassassin_domtrans_client(httpd_t) 
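Review bot: In the `@@ -619,68 +771,43 @@` hunk of apache.te, the second `tunable_policy(`httpd_use_nfs',` block calls `automount_search_tmp_dirs(httpd_t)`, an interface from another module, without an enclosing `optional_policy(`; the other cross-module calls in this file are wrapped that way so the apache module still builds when the automount module is not loaded. The block also repeats the tunable guard of the block directly above it instead of being nested inside it. Wrap it as `optional_policy(` … `')` around the existing `tunable_policy(`httpd_use_nfs',` / `automount_search_tmp_dirs(httpd_t)` / `')` lines, or fold it into the first `httpd_use_nfs` block with the same wrapper.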
@@ -5585,8 +5648,12 @@ index 1a82e29..a68bd53 100644 - tunable_policy(`httpd_mod_auth_ntlm_winbind',` - samba_domtrans_winbind_helper(httpd_t) - ') --') -- ++tunable_policy(`httpd_use_cifs',` ++ fs_manage_cifs_dirs(httpd_t) ++ fs_manage_cifs_files(httpd_t) ++ fs_manage_cifs_symlinks(httpd_t) + ') + -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_t) +tunable_policy(`httpd_use_fusefs',` @@ -5596,7 +5663,7 @@ index 1a82e29..a68bd53 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +812,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +817,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5677,7 +5744,7 @@ index 1a82e29..a68bd53 100644 ') optional_policy(` -@@ -743,14 +864,6 @@ optional_policy(` +@@ -743,14 +869,6 @@ optional_policy(` ccs_read_config(httpd_t) ') @@ -5692,7 +5759,7 @@ index 1a82e29..a68bd53 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +878,23 @@ optional_policy(` +@@ -765,6 +883,23 @@ optional_policy(` ') optional_policy(` @@ -5716,7 +5783,7 @@ index 1a82e29..a68bd53 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +911,42 @@ optional_policy(` +@@ -781,34 +916,42 @@ optional_policy(` ') optional_policy(` @@ -5770,7 +5837,7 @@ index 1a82e29..a68bd53 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +954,18 @@ optional_policy(` +@@ -816,8 +959,18 @@ optional_policy(` ') optional_policy(` @@ -5789,7 +5856,7 @@ index 1a82e29..a68bd53 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +974,7 @@ optional_policy(` +@@ -826,6 +979,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5797,7 +5864,7 @@ index 1a82e29..a68bd53 100644 ') optional_policy(` -@@ -836,20 +985,39 @@ optional_policy(` +@@ -836,20 +990,39 @@ optional_policy(` ') optional_policy(` 
@@ -5831,19 +5898,19 @@ index 1a82e29..a68bd53 100644 - ') +optional_policy(` + puppet_read_lib(httpd_t) -+') -+ -+optional_policy(` -+ pwauth_domtrans(httpd_t) ') optional_policy(` - puppet_read_lib_files(httpd_t) ++ pwauth_domtrans(httpd_t) ++') ++ ++optional_policy(` + rpm_dontaudit_read_db(httpd_t) ') optional_policy(` -@@ -857,19 +1025,35 @@ optional_policy(` +@@ -857,19 +1030,35 @@ optional_policy(` ') optional_policy(` @@ -5879,7 +5946,7 @@ index 1a82e29..a68bd53 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1061,170 @@ optional_policy(` +@@ -877,65 +1066,170 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -5949,10 +6016,11 @@ index 1a82e29..a68bd53 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache PHP script local policy +# + @@ -6011,11 +6079,10 @@ index 1a82e29..a68bd53 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache suexec local policy # @@ -6072,7 +6139,7 @@ index 1a82e29..a68bd53 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1233,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1238,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6227,7 +6294,7 @@ index 1a82e29..a68bd53 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1317,104 @@ optional_policy(` +@@ -1077,172 +1322,104 @@ optional_policy(` ') ') 
@@ -6252,7 +6319,8 @@ index 1a82e29..a68bd53 100644 - -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -- ++allow httpd_sys_script_t self:process getsched; + -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -6260,8 +6328,7 @@ index 1a82e29..a68bd53 100644 -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) -corenet_tcp_sendrecv_generic_node(httpd_script_domains) -+allow httpd_sys_script_t self:process getsched; - +- -corecmd_exec_all_executables(httpd_script_domains) +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; @@ -6463,7 +6530,7 @@ index 1a82e29..a68bd53 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1422,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1427,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6560,7 +6627,7 @@ index 1a82e29..a68bd53 100644 ######################################## # -@@ -1315,8 +1497,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1502,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6577,14 +6644,15 @@ index 1a82e29..a68bd53 100644 ') ######################################## -@@ -1324,49 +1513,36 @@ optional_policy(` +@@ -1324,49 +1518,38 @@ optional_policy(` # User content local policy # -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_user_script_t) -') -- ++auth_use_nsswitch(httpd_user_script_t) + -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_cifs_files(httpd_user_script_t) 
@@ -6641,7 +6709,7 @@ index 1a82e29..a68bd53 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1552,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1559,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -7560,7 +7628,7 @@ index 92adb37..0a2ffc6 100644 /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) diff --git a/automount.if b/automount.if -index 089430a..7cd037b 100644 +index 089430a..b0bed70 100644 --- a/automount.if +++ b/automount.if @@ -29,7 +29,6 @@ interface(`automount_domtrans',` @@ -7571,7 +7639,33 @@ index 089430a..7cd037b 100644 interface(`automount_signal',` gen_require(` type automount_t; -@@ -134,6 +133,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',` +@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',` + + ######################################## + ## ++## Allow domain to search of automount temporary ++## directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`automount_search_tmp_dirs',` ++ gen_require(` ++ type automount_tmp_t; ++ ') ++ ++ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to get + ## attributes of automount temporary + ## directories. +@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',` ######################################## ## @@ -7601,7 +7695,7 @@ index 089430a..7cd037b 100644 ## All of the rules required to ## administrate an automount environment. ## -@@ -153,11 +175,16 @@ interface(`automount_admin',` +@@ -153,11 +194,16 @@ interface(`automount_admin',` gen_require(` type automount_t, automount_lock_t, automount_tmp_t; type automount_var_run_t, automount_initrc_exec_t; 
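Review bot: In the `@@ -114,6 +113,25 @@` hunk of automount.if, the new `automount_search_tmp_dirs` interface grants access via `search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)`, yet its parameter is documented as `Domain to not audit.`, the wording copied from the surrounding dontaudit interfaces; it should read `Domain allowed access.` so a reader does not mistake it for a dontaudit rule. The summary `Allow domain to search of automount temporary directories.` is also ungrammatical; `Search automount temporary directories.` matches the style of the neighbouring summaries.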
@@ -7619,7 +7713,7 @@ index 089430a..7cd037b 100644 init_labeled_script_domtrans($1, automount_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 automount_initrc_exec_t system_r; -@@ -171,4 +198,8 @@ interface(`automount_admin',` +@@ -171,4 +217,8 @@ interface(`automount_admin',` files_list_pids($1) admin_pattern($1, automount_var_run_t) @@ -8266,7 +8360,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..9977c4d 100644 +index 076ffee..d4fb2a4 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -8315,7 +8409,7 @@ index 076ffee..9977c4d 100644 domain_use_interactive_fds(named_t) -@@ -170,6 +174,11 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +174,15 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -8324,10 +8418,14 @@ index 076ffee..9977c4d 100644 +') + +optional_policy(` ++ cron_system_entry(named_t, named_exec_t) ++') ++ ++optional_policy(` dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -183,6 +192,7 @@ optional_policy(` +@@ -183,6 +196,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) @@ -8335,7 +8433,7 @@ index 076ffee..9977c4d 100644 ') optional_policy(` -@@ -209,7 +219,8 @@ optional_policy(` +@@ -209,7 +223,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -8345,7 +8443,7 @@ index 076ffee..9977c4d 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -223,10 +234,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +238,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; 
@@ -8357,7 +8455,7 @@ index 076ffee..9977c4d 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +265,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -15293,7 +15391,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..bf91ba9 100644 +index 28e1b86..9436993 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -15637,7 +15735,7 @@ index 28e1b86..bf91ba9 100644 auth_use_nsswitch(crond_t) logging_send_audit_msgs(crond_t) -@@ -311,41 +249,42 @@ logging_set_loginuid(crond_t) +@@ -311,41 +249,46 @@ logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -15674,6 +15772,10 @@ index 28e1b86..bf91ba9 100644 + +optional_policy(` + logwatch_search_cache_dir(crond_t) ++') ++ ++optional_policy(` ++ bind_read_config(crond_t) ') ifdef(`distro_redhat',` @@ -15696,7 +15798,7 @@ index 28e1b86..bf91ba9 100644 ') optional_policy(` -@@ -353,102 +292,136 @@ optional_policy(` +@@ -353,102 +296,136 @@ optional_policy(` ') optional_policy(` @@ -15864,7 +15966,7 @@ index 28e1b86..bf91ba9 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -457,11 +430,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -457,11 +434,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) 
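Review bot: In the `@@ -311,41 +249,46 @@` hunk of cron.te, the new `optional_policy(` block holding `bind_read_config(crond_t)` is appended after the `logwatch_search_cache_dir(crond_t)` block, whereas refpolicy convention keeps `optional_policy` blocks sorted by the name of the module they call. Move the bind block above the logwatch one so the next maintainer finds it where the ordering puts it; the rules themselves are unchanged.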
@@ -15877,7 +15979,7 @@ index 28e1b86..bf91ba9 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -481,6 +454,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -481,6 +458,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -15885,7 +15987,7 @@ index 28e1b86..bf91ba9 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -491,15 +465,19 @@ files_getattr_all_files(system_cronjob_t) +@@ -491,15 +469,19 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) @@ -15908,7 +16010,7 @@ index 28e1b86..bf91ba9 100644 init_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) -@@ -511,20 +489,26 @@ logging_read_generic_logs(system_cronjob_t) +@@ -511,20 +493,26 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -15938,7 +16040,7 @@ index 28e1b86..bf91ba9 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +518,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +522,17 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -15956,7 +16058,7 @@ index 28e1b86..bf91ba9 100644 ') optional_policy(` -@@ -546,10 +537,6 @@ optional_policy(` +@@ -546,10 +541,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -15967,7 +16069,7 @@ index 28e1b86..bf91ba9 100644 ') optional_policy(` -@@ -581,6 +568,7 @@ optional_policy(` +@@ -581,6 +572,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) 
@@ -15975,7 +16077,7 @@ index 28e1b86..bf91ba9 100644 ') optional_policy(` -@@ -588,15 +576,19 @@ optional_policy(` +@@ -588,15 +580,19 @@ optional_policy(` ') optional_policy(` @@ -15997,7 +16099,7 @@ index 28e1b86..bf91ba9 100644 ') optional_policy(` -@@ -606,6 +598,7 @@ optional_policy(` +@@ -606,6 +602,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -16005,7 +16107,7 @@ index 28e1b86..bf91ba9 100644 ') optional_policy(` -@@ -613,12 +606,24 @@ optional_policy(` +@@ -613,12 +610,24 @@ optional_policy(` ') optional_policy(` @@ -16032,7 +16134,7 @@ index 28e1b86..bf91ba9 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +631,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +635,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -16066,7 +16168,7 @@ index 28e1b86..bf91ba9 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +664,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +668,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -17920,7 +18022,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index afcf3a2..0730306 100644 +index afcf3a2..8c49f40 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -18162,7 +18264,7 @@ index afcf3a2..0730306 100644 - allow $1 session_bus_type:unix_stream_socket connectto; - allow $1 session_bus_type:fd use; -') -- + -####################################### -## -## Creating connections to specified 
@@ -18188,7 +18290,7 @@ index afcf3a2..0730306 100644 - ') - - typeattribute $2 dbusd_session_bus_client; - +- - allow $2 { $1_dbusd_t self }:dbus send_msg; - allow $1_dbusd_t $2:dbus send_msg; + # For connecting to the bus @@ -18476,7 +18578,7 @@ index afcf3a2..0730306 100644 ## ## ## -@@ -614,10 +448,72 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -614,10 +448,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -18494,6 +18596,25 @@ index afcf3a2..0730306 100644 + +######################################## +## ++## Read all dbus pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_read_pid_files',` ++ gen_require(` ++ type system_dbusd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++') ++ ++######################################## ++## +## Do not audit attempts to connect to +## session bus types with a unix +## stream socket. @@ -18553,7 +18674,7 @@ index afcf3a2..0730306 100644 + dontaudit system_bus_type $1:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 2c2e7e1..78bbb7d 100644 +index 2c2e7e1..493ab48 100644 --- a/dbus.te +++ b/dbus.te @@ -1,20 +1,18 @@ @@ -18678,7 +18799,7 @@ index 2c2e7e1..78bbb7d 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +118,155 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -18736,6 +18857,11 @@ index 2c2e7e1..78bbb7d 100644 +optional_policy(` + gnome_exec_gconf(system_dbusd_t) + gnome_read_inherited_home_icc_data_files(system_dbusd_t) + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) ++ nis_use_ypbind(system_dbusd_t) +') + +optional_policy(` 
@@ -18751,10 +18877,9 @@ index 2c2e7e1..78bbb7d 100644 + +optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(system_dbusd_t) ++') ++ ++optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) @@ -18792,7 +18917,7 @@ index 2c2e7e1..78bbb7d 100644 +init_rw_stream_sockets(system_bus_type) + +ps_process_pattern(system_dbusd_t, system_bus_type) - ++ +userdom_dontaudit_search_admin_dir(system_bus_type) +userdom_read_all_users_state(system_bus_type) + @@ -18807,7 +18932,7 @@ index 2c2e7e1..78bbb7d 100644 +optional_policy(` + unconfined_dbus_send(system_bus_type) +') -+ + +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') @@ -18848,7 +18973,7 @@ index 2c2e7e1..78bbb7d 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +275,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -18873,7 +18998,7 @@ index 2c2e7e1..78bbb7d 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +294,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -18881,7 +19006,7 @@ index 2c2e7e1..78bbb7d 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +303,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) 
@@ -18923,7 +19048,7 @@ index 2c2e7e1..78bbb7d 100644 ') ######################################## -@@ -244,5 +340,6 @@ optional_policy(` +@@ -244,5 +344,6 @@ optional_policy(` # Unconfined access to this module # @@ -19594,7 +19719,7 @@ index d294865..3b4f593 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index ff933af..d75b565 100644 +index ff933af..cd1d88d 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) @@ -19616,20 +19741,20 @@ index ff933af..d75b565 100644 type devicekit_tmp_t; files_tmp_file(devicekit_tmp_t) -@@ -45,11 +45,10 @@ kernel_read_system_state(devicekit_t) +@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t) dev_read_sysfs(devicekit_t) dev_read_urand(devicekit_t) -files_read_etc_files(devicekit_t) - +- -miscfiles_read_localization(devicekit_t) - +- optional_policy(` + dbus_system_domain(devicekit_t, devicekit_exec_t) dbus_system_bus_client(devicekit_t) allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; -@@ -64,7 +63,8 @@ optional_policy(` +@@ -64,7 +61,8 @@ optional_policy(` # Disk local policy # @@ -19639,7 +19764,7 @@ index ff933af..d75b565 100644 allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -81,10 +81,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; +@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) 
@@ -19652,15 +19777,16 @@ index ff933af..d75b565 100644 kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) -@@ -98,6 +99,7 @@ corecmd_getattr_all_executables(devicekit_disk_t) +@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) +dev_rw_generic_blk_files(devicekit_disk_t) ++dev_rw_loop_control(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_read_urand(devicekit_disk_t) -@@ -116,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t) +@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t) files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) @@ -19670,7 +19796,7 @@ index ff933af..d75b565 100644 fs_getattr_all_fs(devicekit_disk_t) fs_list_inotifyfs(devicekit_disk_t) -@@ -134,16 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -19691,7 +19817,7 @@ index ff933af..d75b565 100644 dbus_system_bus_client(devicekit_disk_t) allow devicekit_disk_t devicekit_t:dbus send_msg; -@@ -167,6 +171,7 @@ optional_policy(` +@@ -167,6 +170,7 @@ optional_policy(` optional_policy(` mount_domtrans(devicekit_disk_t) @@ -19699,7 +19825,7 @@ index ff933af..d75b565 100644 ') optional_policy(` -@@ -180,6 +185,11 @@ optional_policy(` +@@ -180,6 +184,11 @@ optional_policy(` ') optional_policy(` @@ -19711,7 +19837,7 @@ index ff933af..d75b565 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -188,12 +198,19 @@ optional_policy(` +@@ -188,12 +197,19 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') 
@@ -19732,7 +19858,7 @@ index ff933af..d75b565 100644 allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -@@ -207,9 +224,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) @@ -19743,7 +19869,7 @@ index ff933af..d75b565 100644 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t) +@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) @@ -19763,7 +19889,7 @@ index ff933af..d75b565 100644 sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -@@ -269,9 +283,11 @@ optional_policy(` +@@ -269,9 +282,11 @@ optional_policy(` optional_policy(` cron_initrc_domtrans(devicekit_power_t) @@ -19775,7 +19901,7 @@ index ff933af..d75b565 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -302,8 +318,11 @@ optional_policy(` +@@ -302,8 +317,11 @@ optional_policy(` ') optional_policy(` @@ -19788,7 +19914,7 @@ index ff933af..d75b565 100644 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) ') -@@ -341,3 +360,9 @@ optional_policy(` +@@ -341,3 +359,9 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') @@ -21664,7 +21790,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') 
diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..4ebb0ad 100644 +index a7bfaf0..9a6a36e 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -21712,7 +21838,7 @@ index a7bfaf0..4ebb0ad 100644 type dovecot_var_lib_t; files_type(dovecot_var_lib_t) -@@ -56,20 +54,17 @@ logging_log_file(dovecot_var_log_t) +@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t) type dovecot_var_run_t; files_pid_file(dovecot_var_run_t) @@ -21734,10 +21860,11 @@ index a7bfaf0..4ebb0ad 100644 kernel_read_all_sysctls(dovecot_domain) -kernel_read_system_state(dovecot_domain) ++kernel_read_network_state(dovecot_domain) corecmd_exec_bin(dovecot_domain) corecmd_exec_shell(dovecot_domain) -@@ -78,37 +73,46 @@ dev_read_sysfs(dovecot_domain) +@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain) dev_read_rand(dovecot_domain) dev_read_urand(dovecot_domain) @@ -21797,7 +21924,7 @@ index a7bfaf0..4ebb0ad 100644 logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -120,45 +124,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) @@ -21854,7 +21981,7 @@ index a7bfaf0..4ebb0ad 100644 init_getattr_utmp(dovecot_t) -@@ -166,44 +160,42 @@ auth_use_nsswitch(dovecot_t) +@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) @@ -21917,7 +22044,7 @@ index a7bfaf0..4ebb0ad 100644 sendmail_domtrans(dovecot_t) ') -@@ -221,46 +213,63 @@ optional_policy(` +@@ -221,46 +214,63 @@ optional_policy(` ######################################## # 
@@ -21990,7 +22117,7 @@ index a7bfaf0..4ebb0ad 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -271,15 +280,30 @@ optional_policy(` +@@ -271,15 +281,30 @@ optional_policy(` ') optional_policy(` @@ -22022,7 +22149,7 @@ index a7bfaf0..4ebb0ad 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +313,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +314,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -22082,7 +22209,7 @@ index a7bfaf0..4ebb0ad 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +357,6 @@ optional_policy(` +@@ -326,5 +358,6 @@ optional_policy(` ') optional_policy(` @@ -23370,10 +23497,18 @@ index c3f7916..cab3954 100644 admin_pattern($1, fetchmail_etc_t) diff --git a/fetchmail.te b/fetchmail.te -index f0388cb..7d63acb 100644 +index f0388cb..df501ec 100644 --- a/fetchmail.te +++ b/fetchmail.te -@@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen }; +@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t) + # + # Local policy + # +- ++allow fetchmail_t self:capability setuid; + dontaudit fetchmail_t self:capability sys_tty_config; + allow fetchmail_t self:process { signal_perms setrlimit }; + allow fetchmail_t self:unix_stream_socket { accept listen }; allow fetchmail_t fetchmail_etc_t:file read_file_perms; @@ -25055,10 +25190,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..3156ad4 +index 0000000..7244e2c --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,166 @@ +@@ -0,0 +1,167 @@ +policy_module(glusterfs, 1.0.1) + +## 
@@ -25189,6 +25324,7 @@ index 0000000..3156ad4 + +domain_use_interactive_fds(glusterd_t) + ++fs_mount_all_fs(glusterd_t) +fs_getattr_all_fs(glusterd_t) + +files_mounton_mnt(glusterd_t) @@ -31267,10 +31403,10 @@ index 0000000..dbe3f03 +') + diff --git a/kdump.fc b/kdump.fc -index a49ae4e..1906ffe 100644 +index a49ae4e..913a0e3 100644 --- a/kdump.fc +++ b/kdump.fc -@@ -1,13 +1,13 @@ +@@ -1,13 +1,14 @@ /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) +/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) @@ -31291,8 +31427,9 @@ index a49ae4e..1906ffe 100644 -/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) ++/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..15d521b 100644 +index 3a00b3a..f6402dc 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -31363,12 +31500,50 @@ index 3a00b3a..15d521b 100644 ## ## ## -@@ -56,10 +100,27 @@ interface(`kdump_read_config',` +@@ -56,10 +100,65 @@ interface(`kdump_read_config',` allow $1 kdump_etc_t:file read_file_perms; ') +##################################### +## ++## Read kdump crash files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_read_crash',` ++ gen_require(` ++ type kdump_crash_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, kdump_crash_t, kdump_crash_t) ++') ++ ++##################################### ++## ++## Read kdump crash files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_manage_crash',` ++ gen_require(` ++ type kdump_crash_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, kdump_crash_t, kdump_crash_t) ++') ++ ++##################################### ++## +## Dontaudit read kdump configuration file. +## +## 
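Review bot: `fs_mount_all_fs(glusterd_t)` in the glusterd.te hunk grants mount on every filesystem type, which is considerably wider than the FUSE mounts a gluster daemon sets up for its volumes; if FUSE is the only kind needed, `fs_mount_fusefs(glusterd_t)` (and `fs_unmount_fusefs(glusterd_t)` if unmount is required) confines the privilege to that type. Keep the broad interface only if a denial shows another filesystem type being mounted, and in that case name the type in a comment above the line. The surrounding glusterd_t local policy continues outside this hunk.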
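Review bot: The summary of the new `kdump_manage_crash` interface in the kdump.if hunk is a copy of `kdump_read_crash`'s ("Read kdump crash files."); it should read `## Manage kdump crash files.` so the generated interface documentation distinguishes the two. The interface body only grants `manage_files_pattern`, so a caller that needs to create or remove dump directories under /var/crash will still be denied on the directory; if that is intended, say so in the summary, otherwise a `manage_dirs_pattern($1, kdump_crash_t, kdump_crash_t)` line alongside it matches what the kdump.te hunks grant the daemon itself.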
@@ -31393,7 +31568,7 @@ index 3a00b3a..15d521b 100644 ## ## ## -@@ -76,10 +137,31 @@ interface(`kdump_manage_config',` +@@ -76,10 +175,31 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') @@ -31427,7 +31602,7 @@ index 3a00b3a..15d521b 100644 ## ## ## -@@ -88,19 +170,23 @@ interface(`kdump_manage_config',` +@@ -88,19 +208,24 @@ interface(`kdump_manage_config',` ## ## ## @@ -31444,6 +31619,7 @@ index 3a00b3a..15d521b 100644 + type kdump_t, kdump_etc_t; + type kdump_initrc_exec_t; + type kdump_unit_file_t; ++ type kdump_crash_t ') - allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; @@ -31456,18 +31632,21 @@ index 3a00b3a..15d521b 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -110,6 +196,7 @@ interface(`kdump_admin',` +@@ -110,6 +235,10 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) - files_search_tmp($1) - admin_pattern($1, kdumpctl_tmp_t) ++ files_search_var($1) ++ admin_pattern($1, kdump_crash_t) ++ + kdump_systemctl($1) + admin_pattern($1, kdump_unit_file_t) + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index 70f3007..bacefd5 100644 +index 70f3007..074a2ee 100644 --- a/kdump.te +++ b/kdump.te @@ -1,4 +1,4 @@ @@ -31476,7 +31655,13 @@ index 70f3007..bacefd5 100644 ####################################### # -@@ -15,30 +15,33 @@ files_config_file(kdump_etc_t) +@@ -12,35 +12,48 @@ init_system_domain(kdump_t, kdump_exec_t) + type kdump_etc_t; + files_config_file(kdump_etc_t) + ++type kdump_crash_t; ++files_type(kdump_crash_t) ++ type kdump_initrc_exec_t; init_script_file(kdump_initrc_exec_t) 
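Review bot: The `type kdump_crash_t` line added to `kdump_admin`'s gen_require in the kdump.if hunk has no terminating semicolon, so the expanded require block should be rejected by the policy compiler for every module that calls `kdump_admin`; it should be `type kdump_crash_t;`. Alternatively fold it into the first declaration, `type kdump_t, kdump_etc_t, kdump_crash_t;`, which is the style used three lines above. The body of kdump_admin continues in the following hunk, where the matching `admin_pattern($1, kdump_crash_t)` is added.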
@@ -31502,6 +31687,11 @@ index 70f3007..bacefd5 100644 +allow kdump_t self:capability2 compromise_kernel; -allow kdump_t kdump_etc_t:file read_file_perms; ++manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) ++manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) ++manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) ++files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash") ++ +read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) -files_read_etc_files(kdump_t) @@ -31514,8 +31704,12 @@ index 70f3007..bacefd5 100644 -kernel_read_system_state(kdump_t) kernel_request_load_module(kdump_t) ++mls_file_read_all_levels(kdump_t) ++ dev_read_framebuffer(kdump_t) -@@ -48,22 +51,27 @@ term_use_console(kdump_t) + dev_read_sysfs(kdump_t) + +@@ -48,22 +61,32 @@ term_use_console(kdump_t) ####################################### # @@ -31544,11 +31738,16 @@ index 70f3007..bacefd5 100644 +can_exec(kdumpctl_t, kdumpctl_tmp_t) -domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t) ++manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) ++manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) ++manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) ++files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash") ++ +read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t) kernel_read_system_state(kdumpctl_t) -@@ -71,46 +79,56 @@ corecmd_exec_bin(kdumpctl_t) +@@ -71,46 +94,56 @@ corecmd_exec_bin(kdumpctl_t) corecmd_exec_shell(kdumpctl_t) dev_read_sysfs(kdumpctl_t) @@ -34711,7 +34910,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..3baae66 100644 +index 7bab8e5..b88bbf3 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,18 @@ @@ -34924,7 +35123,7 @@ index 7bab8e5..3baae66 100644 ') optional_policy(` -@@ -198,21 +218,22 @@ optional_policy(` +@@ -198,21 +218,26 @@ optional_policy(` ') optional_policy(` 
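Review bot: `mls_file_read_all_levels(kdump_t)` in the second kdump.te hunk here makes kdump_t a read-up subject on MLS, while the dump files it writes are created through `files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")` in the hunk above at whatever level kdump_t runs; a single dump can therefore hold data from every level under one label. Confirm that the range given to kdump_t and kdump_crash_t on MLS systems (declared outside these hunks) reflects that, and record the intent with a comment above the call such as `# kdump reads files at all levels; dumps under /var/crash may contain data from every level`. The same four crash-management rules are repeated verbatim for kdumpctl_t in the later hunk, so a change to one set is easy to forget in the other.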
@@ -34938,11 +35137,15 @@ index 7bab8e5..3baae66 100644 - openvswitch_read_pid_files(logrotate_t) - openvswitch_domtrans(logrotate_t) + polipo_named_filetrans_log_files(logrotate_t) ++') ++ ++optional_policy(` ++ psad_domtrans(logrotate_t) ') optional_policy(` - polipo_log_filetrans_log(logrotate_t, file, "polipo") -+ psad_domtrans(logrotate_t) ++ rabbitmq_domtrans_beam(logrotate_t) ') optional_policy(` @@ -34951,7 +35154,7 @@ index 7bab8e5..3baae66 100644 ') optional_policy(` -@@ -228,10 +249,20 @@ optional_policy(` +@@ -228,10 +253,20 @@ optional_policy(` ') optional_policy(` @@ -34972,7 +35175,7 @@ index 7bab8e5..3baae66 100644 su_exec(logrotate_t) ') -@@ -241,13 +272,11 @@ optional_policy(` +@@ -241,13 +276,11 @@ optional_policy(` ####################################### # @@ -38216,7 +38419,7 @@ index 6ffaba2..154cade 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..35b2b47 100644 +index 6194b80..3209b1c 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -38383,10 +38586,10 @@ index 6194b80..35b2b47 100644 - allow $2 mozilla_plugin_rw_t:dir list_dir_perms; - allow $2 mozilla_plugin_rw_t:file read_file_perms; - allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +- can_exec($2, mozilla_plugin_rw_t) + mozilla_filetrans_home_content($2) -- can_exec($2, mozilla_plugin_rw_t) -- - optional_policy(` - mozilla_dbus_chat_plugin($2) - ') @@ -38532,7 +38735,7 @@ index 6194b80..35b2b47 100644 ') ######################################## -@@ -303,102 +195,103 @@ interface(`mozilla_domtrans',` +@@ -303,102 +195,107 @@ interface(`mozilla_domtrans',` type mozilla_t, mozilla_exec_t; ') 
@@ -38640,9 +38843,12 @@ index 6194b80..35b2b47 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 mozilla_plugin_t:process ptrace; ') -- + - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) ++ optional_policy(` ++ lpd_run_lpr(mozilla_plugin_t, $2) ++ ') ') -######################################## @@ -38685,7 +38891,7 @@ index 6194b80..35b2b47 100644 ') ######################################## -@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +321,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -38695,7 +38901,7 @@ index 6194b80..35b2b47 100644 ## ## ## -@@ -433,76 +325,108 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +329,108 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -38833,7 +39039,7 @@ index 6194b80..35b2b47 100644 ## ## ## -@@ -510,19 +434,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +438,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -38858,7 +39064,7 @@ index 6194b80..35b2b47 100644 ## ## ## -@@ -530,45 +453,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +457,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -38937,7 +39143,7 @@ index 6194b80..35b2b47 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..4440013 100644 +index 6a306ee..2288b0e 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -39208,11 +39414,11 @@ index 6a306ee..4440013 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -- --userdom_manage_user_tmp_dirs(mozilla_t) --userdom_manage_user_tmp_files(mozilla_t) +userdom_use_inherited_user_ptys(mozilla_t) +-userdom_manage_user_tmp_dirs(mozilla_t) +-userdom_manage_user_tmp_files(mozilla_t) +- -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) 
@@ -39464,12 +39670,12 @@ index 6a306ee..4440013 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -39639,12 +39845,12 @@ index 6a306ee..4440013 100644 -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - +- -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) @@ -39704,7 +39910,7 @@ index 6a306ee..4440013 100644 ') optional_policy(` -@@ -523,36 +509,48 @@ optional_policy(` +@@ -523,36 +509,44 @@ optional_policy(` ') optional_policy(` 
@@ -39719,6 +39925,13 @@ index 6a306ee..4440013 100644 + dbus_session_bus_client(mozilla_plugin_t) + dbus_connect_session_bus(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ gnome_manage_config(mozilla_plugin_t) ++ gnome_read_usr_config(mozilla_plugin_t) ++ gnome_filetrans_home_content(mozilla_plugin_t) ++ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') optional_policy(` @@ -39726,13 +39939,6 @@ index 6a306ee..4440013 100644 - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") -+ gnome_manage_config(mozilla_plugin_t) -+ gnome_read_usr_config(mozilla_plugin_t) -+ gnome_filetrans_home_content(mozilla_plugin_t) -+ gnome_exec_gstreamer_home_files(mozilla_plugin_t) -+') -+ -+optional_policy(` + gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) ') @@ -39744,10 +39950,6 @@ index 6a306ee..4440013 100644 optional_policy(` - lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) -+ lpd_run_lpr(mozilla_plugin_t, mozilla_roles) -+') -+ -+optional_policy(` + mplayer_exec(mozilla_plugin_t) + mplayer_manage_generic_home_content(mozilla_plugin_t) + mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") @@ -39766,7 +39968,7 @@ index 6a306ee..4440013 100644 ') optional_policy(` -@@ -560,7 +558,7 @@ optional_policy(` +@@ -560,7 +554,7 @@ optional_policy(` ') optional_policy(` @@ -39775,7 +39977,7 @@ index 6a306ee..4440013 100644 ') optional_policy(` -@@ -568,108 +566,124 @@ optional_policy(` +@@ -568,108 +562,126 @@ optional_policy(` ') optional_policy(` 
@@ -39850,6 +40052,7 @@ index 6a306ee..4440013 100644 +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++mozilla_filetrans_home_content(mozilla_plugin_t) -kernel_read_system_state(mozilla_plugin_config_t) -kernel_request_load_module(mozilla_plugin_config_t) @@ -39858,6 +40061,7 @@ index 6a306ee..4440013 100644 +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) +userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file }) ++mozilla_filetrans_home_content(mozilla_plugin_config_t) corecmd_exec_bin(mozilla_plugin_config_t) corecmd_exec_shell(mozilla_plugin_config_t) @@ -43164,7 +43368,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..5f38792 100644 +index 9f6179e..0f6abcb 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -43345,7 +43549,8 @@ index 9f6179e..5f38792 100644 +# Local mysqld_safe policy # - allow mysqld_safe_t self:capability { chown dac_override fowner kill }; +-allow mysqld_safe_t self:capability { chown dac_override fowner kill }; ++allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource }; allow mysqld_safe_t self:process { setsched getsched setrlimit }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; 
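Review bot: `mozilla_filetrans_home_content(mozilla_plugin_t)` is added in the middle of the mozilla_plugin_config_t rules in this mozilla.te hunk, so it reads as a copy-paste of the `mozilla_filetrans_home_content(mozilla_plugin_config_t)` call added in the next hunk; if mozilla_plugin_t is meant, the line belongs in the mozilla_plugin_t section earlier in the file, outside these hunks. Both calls also invoke the module's own interface from its .te file, which refpolicy convention avoids: a module writes its own rules directly and reserves interface calls for other modules, so the rules behind `mozilla_filetrans_home_content` would normally be spelled out here. A one-line comment above each, e.g. `# name-based transitions for the mozilla home content this domain creates`, would also make the intent visible to the next reader.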
@@ -43362,7 +43567,7 @@ index 9f6179e..5f38792 100644 -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) -+allow mysqld_safe_t mysqld_log_t:file manage_file_perms; ++manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) -delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t) @@ -44080,7 +44285,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 44ad3b7..39b7add 100644 +index 44ad3b7..e5b268b 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -44162,7 +44367,7 @@ index 44ad3b7..39b7add 100644 manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) -+manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) ++manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) +files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file}) manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) @@ -52786,7 +52991,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..74e4179 100644 +index 7bcf327..92780c3 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -52810,7 +53015,7 @@ index 7bcf327..74e4179 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,239 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,240 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) 
@@ -52990,6 +53195,7 @@ index 7bcf327..74e4179 100644 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) +files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir}) + ++ +kernel_read_all_sysctls(pegasus_openlmi_storage_t) + +dev_read_rand(pegasus_openlmi_storage_t) @@ -53055,7 +53261,7 @@ index 7bcf327..74e4179 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +272,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +273,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -53086,7 +53292,7 @@ index 7bcf327..74e4179 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +298,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +299,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -53119,7 +53325,7 @@ index 7bcf327..74e4179 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +326,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +327,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -53127,7 +53333,7 @@ index 7bcf327..74e4179 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +341,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +342,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) 
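Review bot: The first argument of `files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})` in this pegasus.te hunk is the tmp file type rather than the domain, so no usable type_transition is generated for the storage provider and the files it creates under /tmp would get the generic tmp label instead of pegasus_openlmi_storage_tmp_t; the line before it uses `pegasus_openlmi_storage_t`, which is presumably what was intended: `files_tmp_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, { file dir })`. The line is context in this hunk, which itself only adds a blank line, so the fix belongs in the surrounding pegasus_openlmi_storage_t definition, which continues outside the hunk.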
@@ -53159,7 +53365,7 @@ index 7bcf327..74e4179 100644 ') optional_policy(` -@@ -151,16 +371,24 @@ optional_policy(` +@@ -151,16 +372,24 @@ optional_policy(` ') optional_policy(` @@ -53188,7 +53394,7 @@ index 7bcf327..74e4179 100644 ') optional_policy(` -@@ -168,7 +396,7 @@ optional_policy(` +@@ -168,7 +397,7 @@ optional_policy(` ') optional_policy(` @@ -57658,7 +57864,7 @@ index 2e23946..e9ac366 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..cddce7d 100644 +index 191a66f..2177e93 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -57722,7 +57928,15 @@ index 191a66f..cddce7d 100644 mta_mailserver(postfix_t, postfix_master_exec_t) type postfix_initrc_exec_t; -@@ -80,13 +79,13 @@ mta_mailserver_sender(postfix_smtp_t) +@@ -60,6 +59,7 @@ postfix_server_domain_template(pipe) + + postfix_user_domain_template(postdrop) + mta_mailserver_user_agent(postfix_postdrop_t) ++mta_agent_executable(postfix_postdrop_t) + + postfix_user_domain_template(postqueue) + mta_mailserver_user_agent(postfix_postqueue_t) +@@ -80,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) type postfix_spool_t, postfix_spool_type; @@ -57739,7 +57953,7 @@ index 191a66f..cddce7d 100644 type postfix_public_t; files_type(postfix_public_t) -@@ -94,6 +93,7 @@ files_type(postfix_public_t) +@@ -94,6 +94,7 @@ files_type(postfix_public_t) type postfix_var_run_t; files_pid_file(postfix_var_run_t) @@ -57747,7 +57961,7 @@ index 191a66f..cddce7d 100644 type postfix_data_t; files_type(postfix_data_t) -@@ -102,160 +102,61 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -102,160 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t) ######################################## # 
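Review bot: `mta_agent_executable(postfix_postdrop_t)` in the postfix.te hunk passes the process domain where the interface name suggests an executable file type is expected; the matching file type declared by the `postfix_user_domain_template(postdrop)` call just above it is presumably `postfix_postdrop_exec_t`, which is how an executable attribute would normally be applied. If the interface really does tag a domain in this tree, a comment such as `# postdrop is an mta agent: the attribute goes on the domain, not the exec type` above the call would stop the next reader from "fixing" it; otherwise change the argument. The rest of the postdrop domain rules are in later hunks.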
@@ -57933,7 +58147,7 @@ index 191a66f..cddce7d 100644 corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -263,50 +164,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -263,50 +165,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -58002,7 +58216,7 @@ index 191a66f..cddce7d 100644 optional_policy(` cyrus_stream_connect(postfix_master_t) ') -@@ -316,14 +211,11 @@ optional_policy(` +@@ -316,14 +212,11 @@ optional_policy(` ') optional_policy(` @@ -58018,7 +58232,7 @@ index 191a66f..cddce7d 100644 postgrey_search_spool(postfix_master_t) ') -@@ -333,12 +225,14 @@ optional_policy(` +@@ -333,12 +226,14 @@ optional_policy(` ######################################## # @@ -58035,7 +58249,7 @@ index 191a66f..cddce7d 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -355,37 +249,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -355,37 +250,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # @@ -58082,7 +58296,7 @@ index 191a66f..cddce7d 100644 optional_policy(` mailman_read_data_files(postfix_cleanup_t) -@@ -393,36 +284,50 @@ optional_policy(` +@@ -393,36 +285,50 @@ optional_policy(` ######################################## # @@ -58142,7 +58356,7 @@ index 191a66f..cddce7d 100644 ') optional_policy(` -@@ -434,6 +339,7 @@ optional_policy(` +@@ -434,6 +340,7 @@ optional_policy(` ') optional_policy(` 
@@ -58150,7 +58364,7 @@ index 191a66f..cddce7d 100644 mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) mailman_read_log(postfix_local_t) -@@ -444,6 +350,10 @@ optional_policy(` +@@ -444,6 +351,10 @@ optional_policy(` ') optional_policy(` @@ -58161,7 +58375,7 @@ index 191a66f..cddce7d 100644 procmail_domtrans(postfix_local_t) ') -@@ -458,15 +368,17 @@ optional_policy(` +@@ -458,15 +369,17 @@ optional_policy(` ######################################## # @@ -58185,7 +58399,7 @@ index 191a66f..cddce7d 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -476,14 +389,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -58205,7 +58419,7 @@ index 191a66f..cddce7d 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -492,7 +406,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) @@ -58213,7 +58427,7 @@ index 191a66f..cddce7d 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -500,21 +413,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) 
@@ -58239,7 +58453,7 @@ index 191a66f..cddce7d 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,16 +437,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,16 +438,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -58259,7 +58473,7 @@ index 191a66f..cddce7d 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +488,26 @@ optional_policy(` +@@ -576,19 +489,26 @@ optional_policy(` ######################################## # @@ -58291,7 +58505,7 @@ index 191a66f..cddce7d 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +522,7 @@ optional_policy(` +@@ -603,10 +523,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -58303,7 +58517,7 @@ index 191a66f..cddce7d 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +537,24 @@ optional_policy(` +@@ -621,17 +538,24 @@ optional_policy(` ####################################### # @@ -58331,7 +58545,7 @@ index 191a66f..cddce7d 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +570,77 @@ optional_policy(` +@@ -647,67 +571,77 @@ optional_policy(` ######################################## # @@ -58427,7 +58641,7 @@ index 191a66f..cddce7d 100644 ') optional_policy(` -@@ -720,29 +653,30 @@ optional_policy(` +@@ -720,29 +654,30 @@ optional_policy(` ######################################## # 
@@ -58466,7 +58680,7 @@ index 191a66f..cddce7d 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) dovecot_stream_connect(postfix_smtpd_t) -@@ -754,6 +688,7 @@ optional_policy(` +@@ -754,6 +689,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -58474,7 +58688,7 @@ index 191a66f..cddce7d 100644 ') optional_policy(` -@@ -764,31 +699,99 @@ optional_policy(` +@@ -764,31 +700,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -65687,24 +65901,78 @@ index 4b2c272..1aee969 100644 + dbus_connect_system_bus(quota_nld_t) ') diff --git a/rabbitmq.fc b/rabbitmq.fc -index c5ad6de..c67dbef 100644 +index c5ad6de..a48c318 100644 --- a/rabbitmq.fc +++ b/rabbitmq.fc -@@ -4,7 +4,9 @@ +@@ -4,7 +4,11 @@ /usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) +/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) ++ ++/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0) /var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) +/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) +diff --git a/rabbitmq.if b/rabbitmq.if +index 2c3d338..cf3e5ad 100644 +--- a/rabbitmq.if ++++ b/rabbitmq.if +@@ -10,13 +10,13 @@ + ## + ## + # +-interface(`rabbitmq_domtrans',` ++interface(`rabbitmq_domtrans_beam',` + gen_require(` +- type rabbitmq_t, rabbitmq_exec_t; ++ type rabbitmq_beam_t, rabbitmq_beam_exec_t; + ') + + corecmd_search_bin($1) +- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t) ++ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t) + ') + + ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..b0e67e8 100644 +index 3698b51..7054723 100644 --- a/rabbitmq.te 
+++ b/rabbitmq.te -@@ -45,6 +45,8 @@ setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) + type rabbitmq_var_lib_t; + files_type(rabbitmq_var_lib_t) + ++type rabbitmq_var_lock_t; ++files_lock_file(rabbitmq_var_lock_t) ++ + type rabbitmq_var_log_t; + logging_log_file(rabbitmq_var_log_t) + +@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t) + # Beam local policy + # + ++allow rabbitmq_beam_t self:capability setuid; ++ + allow rabbitmq_beam_t self:process { setsched signal signull }; + allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; + allow rabbitmq_beam_t self:tcp_socket { accept listen }; +@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) + manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) + + manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++ ++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) ++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) ++files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, file) + manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) 
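Review bot: The log rule on rabbitmq_var_log_t goes from append/create/setattr to `manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)`, which also grants write, unlink and rename, so the daemon can now truncate or delete its own log files; unless a denial showed that need, keeping the three original lines (or adding only the one missing permission) preserves log integrity. `allow rabbitmq_beam_t self:capability setuid;` is added with no explanation of which operation needs it; a comment such as `# setuid: needed by <operation> (see AVC <placeholder>)` would make the grant reviewable. Renaming the public interface rabbitmq_domtrans to rabbitmq_domtrans_beam leaves any module that still calls the old name broken — if rabbitmq_t no longer exists the old interface was already dead, but its callers still need updating or a compatibility wrapper in the same change. Labelling /var/lib/ejabberd and /var/log/ejabberd with the rabbitmq types merges two services' data into one type set; if ejabberd is meant to run confined as rabbitmq_beam_t that is presumably intentional, and a one-line comment in rabbitmq.fc saying so would save the next reviewer the guess.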
@@ -65713,7 +65981,7 @@ index 3698b51..b0e67e8 100644 can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) -@@ -54,6 +56,8 @@ kernel_read_system_state(rabbitmq_beam_t) +@@ -54,11 +63,14 @@ kernel_read_system_state(rabbitmq_beam_t) corecmd_exec_bin(rabbitmq_beam_t) corecmd_exec_shell(rabbitmq_beam_t) @@ -65722,7 +65990,13 @@ index 3698b51..b0e67e8 100644 corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) corenet_all_recvfrom_netlabel(rabbitmq_beam_t) corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) -@@ -68,20 +72,35 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) + corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) + corenet_tcp_bind_generic_node(rabbitmq_beam_t) ++corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t) + + corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) + corenet_tcp_bind_amqp_port(rabbitmq_beam_t) +@@ -68,20 +80,42 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) @@ -65733,6 +66007,7 @@ index 3698b51..b0e67e8 100644 +domain_read_all_domains_state(rabbitmq_beam_t) + +auth_read_passwd(rabbitmq_beam_t) ++auth_use_pam(rabbitmq_beam_t) -files_read_etc_files(rabbitmq_beam_t) +files_getattr_all_mountpoints(rabbitmq_beam_t) @@ -65747,12 +66022,18 @@ index 3698b51..b0e67e8 100644 sysnet_dns_name_resolve(rabbitmq_beam_t) ++logging_send_syslog_msg(rabbitmq_beam_t) ++ +optional_policy(` + couchdb_read_conf_files(rabbitmq_beam_t) + couchdb_read_log_files(rabbitmq_beam_t) + couchdb_manage_lib_files(rabbitmq_beam_t) +') + ++optional_policy(` ++ dbus_system_bus_client(rabbitmq_beam_t) ++') ++ ######################################## # # Epmd local policy 
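Review bot: `corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)` and `auth_use_pam(rabbitmq_beam_t)` are both broad grants added without a why-comment. The ephemeral-port rule presumably covers Erlang inter-node distribution, whose listening ports are assigned dynamically; if that is the reason, state it above the line (`# Erlang distribution connects to dynamically assigned node ports`), and if the deployment pins the range a dedicated port type would be narrower. auth_use_pam hands the domain the general PAM client access set; a comment naming the authenticating service (ejabberd's PAM backend, judging by the fc changes in the previous hunk) would let a later reviewer decide whether it is still needed. The enclosing beam policy section starts outside this hunk.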
@@ -65762,7 +66043,7 @@ index 3698b51..b0e67e8 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +118,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +133,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -68744,7 +69025,7 @@ index 56bc01f..4699b1b 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..a4a6d82 100644 +index 2c2de9a..6b7a0f6 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -69142,18 +69423,23 @@ index 2c2de9a..a4a6d82 100644 ') optional_policy(` -@@ -190,10 +469,6 @@ optional_policy(` +@@ -190,12 +469,12 @@ optional_policy(` ') optional_policy(` - gnome_read_generic_home_content(fenced_t) --') -- --optional_policy(` - lvm_domtrans(fenced_t) - lvm_read_config(fenced_t) ++ lvm_domtrans(fenced_t) ++ lvm_read_config(fenced_t) ') -@@ -203,6 +478,13 @@ optional_policy(` + + optional_policy(` +- lvm_domtrans(fenced_t) +- lvm_read_config(fenced_t) ++ sanlock_domtrans(fenced_t) + ') + + optional_policy(` +@@ -203,6 +482,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -69167,7 +69453,7 @@ index 2c2de9a..a4a6d82 100644 ####################################### # # foghorn local policy -@@ -221,16 +503,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +507,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -69188,7 +69474,7 @@ index 2c2de9a..a4a6d82 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +541,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +545,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) 
@@ -69197,7 +69483,7 @@ index 2c2de9a..a4a6d82 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +561,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +565,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -69239,7 +69525,7 @@ index 2c2de9a..a4a6d82 100644 ###################################### # # qdiskd local policy -@@ -321,6 +636,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +640,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -74593,7 +74879,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..ea8d79d 100644 +index 57c034b..aa2be40 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -75567,7 +75853,11 @@ index 57c034b..ea8d79d 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -837,13 +841,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +@@ -834,16 +838,19 @@ optional_policy(` + # + + allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; ++allow winbind_t self:capability2 block_suspend; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; @@ -75587,7 +75877,7 @@ index 57c034b..ea8d79d 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +859,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +860,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) 
@@ -75598,7 +75888,7 @@ index 57c034b..ea8d79d 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +870,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +871,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -75628,7 +75918,7 @@ index 57c034b..ea8d79d 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +893,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +894,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -75649,7 +75939,7 @@ index 57c034b..ea8d79d 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +911,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +912,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -75660,7 +75950,7 @@ index 57c034b..ea8d79d 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,18 +919,24 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,18 +920,24 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -75687,7 +75977,7 @@ index 57c034b..ea8d79d 100644 optional_policy(` ctdbd_stream_connect(winbind_t) -@@ -936,7 +944,12 @@ optional_policy(` +@@ -936,7 +945,12 @@ optional_policy(` ') optional_policy(` @@ -75700,7 +75990,7 @@ index 57c034b..ea8d79d 100644 ') optional_policy(` -@@ -952,31 +965,29 @@ optional_policy(` +@@ -952,31 +966,29 @@ optional_policy(` # Winbind helper local policy # 
@@ -75738,7 +76028,7 @@ index 57c034b..ea8d79d 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1001,38 @@ optional_policy(` +@@ -990,25 +1002,38 @@ optional_policy(` ######################################## # @@ -79874,10 +80164,18 @@ index 1fa51c1..82e111c 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/smokeping.te b/smokeping.te -index a8b1aaf..a09f2fe 100644 +index a8b1aaf..fc0a2be 100644 --- a/smokeping.te +++ b/smokeping.te -@@ -39,7 +39,6 @@ corecmd_exec_bin(smokeping_t) +@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) + # + + dontaudit smokeping_t self:capability { dac_read_search dac_override }; ++allow smokeping_t self:process signal_perms; + allow smokeping_t self:fifo_file rw_fifo_file_perms; + allow smokeping_t self:unix_stream_socket { accept listen }; + +@@ -39,7 +40,6 @@ corecmd_exec_bin(smokeping_t) dev_read_urand(smokeping_t) @@ -79885,7 +80183,7 @@ index a8b1aaf..a09f2fe 100644 files_search_tmp(smokeping_t) auth_use_nsswitch(smokeping_t) -@@ -47,8 +46,6 @@ auth_dontaudit_read_shadow(smokeping_t) +@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t) logging_send_syslog_msg(smokeping_t) @@ -79894,7 +80192,7 @@ index a8b1aaf..a09f2fe 100644 mta_send_mail(smokeping_t) netutils_domtrans_ping(smokeping_t) -@@ -70,6 +67,8 @@ optional_policy(` +@@ -70,6 +68,8 @@ optional_policy(` files_search_tmp(httpd_smokeping_cgi_script_t) files_search_var_lib(httpd_smokeping_cgi_script_t) @@ -85336,7 +85634,7 @@ index 9957e30..cf0b925 100644 + tftp_manage_config($1) ') diff --git a/tftp.te b/tftp.te -index f455e70..d2778d3 100644 +index f455e70..a3b440c 100644 --- a/tftp.te +++ b/tftp.te @@ -1,4 +1,4 @@ @@ -85444,7 +85742,7 @@ index f455e70..d2778d3 100644 domain_use_interactive_fds(tftpd_t) files_read_etc_runtime_files(tftpd_t) -@@ -84,43 +88,44 @@ files_read_var_files(tftpd_t) +@@ -84,43 +88,46 @@ files_read_var_files(tftpd_t) files_read_var_symlinks(tftpd_t) files_search_var(tftpd_t) 
@@ -85462,6 +85760,8 @@ index f455e70..d2778d3 100644 userdom_dontaudit_use_user_terminals(tftpd_t) -userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file }) +userdom_dontaudit_search_user_home_dirs(tftpd_t) ++ ++userdom_home_manager(tftpd_t) tunable_policy(`tftp_anon_write',` miscfiles_manage_public_files(tftpd_t) @@ -85810,10 +86110,10 @@ index 0000000..92b6843 +/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 -index 0000000..74cd27c +index 0000000..8b2dfff --- /dev/null +++ b/thumb.if -@@ -0,0 +1,129 @@ +@@ -0,0 +1,130 @@ + +## policy for thumb + @@ -85865,9 +86165,10 @@ index 0000000..74cd27c + + dontaudit thumb_t $1:dir list_dir_perms; + dontaudit thumb_t $1:file read_file_perms; ++ dontaudit thumb_t $1:unix_stream_socket rw_socket_perms; + -+ allow thumb_t $1:shm rw_shm_perms; -+ allow thumb_t $1:sem create_sem_perms; ++ allow thumb_t $1:shm create_shm_perms; ++ allow thumb_t $1:sem create_sem_perms; +') + +######################################## @@ -88739,7 +89040,7 @@ index c30da4c..898ce74 100644 +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..378880d 100644 +index 9dec06c..bdba959 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -89245,16 +89546,16 @@ index 9dec06c..378880d 100644 ######################################## ## -## Relabel virt content. -+## Read virt PID files. ++## Read virt PID symlinks files. ## ## ## -@@ -495,53 +312,40 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',` ## ## # -interface(`virt_relabel_virt_content',` -+interface(`virt_read_pid_files',` ++interface(`virt_read_pid_symlinks',` gen_require(` - type virt_content_t; + type virt_var_run_t; 
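Review bot: `userdom_home_manager(tftpd_t)` is added unconditionally, right after the hunk replaced a home-dir filetrans with a dontaudit, so a network-facing daemon now receives whatever home-content access that interface carries regardless of configuration. If the interface only attaches the boolean-gated home-manager attribute this is fine, but if it grants direct manage access on user home content it belongs inside a tunable block like the `tunable_policy(`tftp_anon_write',` one that follows (the module's tftp_home_dir boolean, if present in this version, is the natural gate). Either way a one-line comment stating why tftpd needs to manage home content would help.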
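Review bot: The new summary line `## Read virt PID symlinks files.` for virt_read_pid_symlinks reads awkwardly; `## Read virt PID symlinks.` matches the sibling `## Read virt PID files.` wording used for virt_read_pid_files in the following hunks. The interface body itself is in the next hunk, outside this one.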
@@ -89268,14 +89569,14 @@ index 9dec06c..378880d 100644 - allow $1 virt_content_t:sock_file relabel_sock_file_perms; - allow $1 virt_content_t:blk_file relabel_blk_file_perms; + files_search_pids($1) -+ read_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) ') ######################################## ## -## Create specified objects in user home -## directories with the virt content type. -+## Manage virt pid directories. ++## Read virt PID files. ## ## ## @@ -89294,34 +89595,31 @@ index 9dec06c..378880d 100644 -## # -interface(`virt_home_filetrans_virt_content',` -+interface(`virt_manage_pid_dirs',` ++interface(`virt_read_pid_files',` gen_require(` - type virt_content_t; + type virt_var_run_t; -+ type virt_lxc_var_run_t; ') - virt_home_filetrans($1, virt_content_t, $2, $3) + files_search_pids($1) -+ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) -+ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) -+ virt_filetrans_named_content($1) ++ read_files_pattern($1, virt_var_run_t, virt_var_run_t) ') ######################################## ## -## Create, read, write, and delete -## svirt home content. -+## Manage virt pid files. ++## Manage virt pid directories. ## ## ## -@@ -549,67 +353,36 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',` ## ## # -interface(`virt_manage_svirt_home_content',` -+interface(`virt_manage_pid_files',` ++interface(`virt_manage_pid_dirs',` gen_require(` - type svirt_home_t; - ') 
@@ -89347,48 +89645,59 @@ index 9dec06c..378880d 100644 - fs_manage_cifs_symlinks($1) - ') + files_search_pids($1) -+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) ++ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) ++ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) ++ virt_filetrans_named_content($1) ') ######################################## ## -## Relabel svirt home content. -+## Create objects in the pid directory -+## with a private type with a type transition. ++## Manage virt pid files. ## ## ## - ## Domain allowed access. +@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',` ## ## --# + # -interface(`virt_relabel_svirt_home_content',` -- gen_require(` ++interface(`virt_manage_pid_files',` + gen_require(` - type svirt_home_t; -- ') -- ++ type virt_var_run_t; ++ type virt_lxc_var_run_t; + ') + - userdom_search_user_home_dirs($1) - allow $1 svirt_home_t:dir relabel_dir_perms; - allow $1 svirt_home_t:file relabel_file_perms; - allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 svirt_home_t:sock_file relabel_sock_file_perms; --') -- --######################################## --## ++ files_search_pids($1) ++ manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) + ') + + ######################################## + ## -## Create specified objects in user home -## directories with the svirt home type. --## --## -+## ++## Create objects in the pid directory ++## with a private type with a type transition. + ## + ## ## --## Domain allowed access. -+## Type to which the created node will be transitioned. + ## Domain allowed access. ## ## -## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## +## ## -## Class of the object being created. 
@@ -89397,7 +89706,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -618,54 +391,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -89461,7 +89770,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -673,54 +428,38 @@ interface(`virt_home_filetrans',` +@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',` ## ## # @@ -89528,7 +89837,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -728,52 +467,39 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # @@ -89593,7 +89902,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -781,19 +507,18 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',` ## ## # @@ -89618,7 +89927,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -801,18 +526,19 @@ interface(`virt_read_pid_files',` +@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',` ## ## # @@ -89643,7 +89952,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -820,18 +546,18 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',` ## ## # @@ -89667,7 +89976,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -839,20 +565,73 @@ interface(`virt_search_lib',` +@@ -839,20 +584,73 @@ interface(`virt_search_lib',` ## ## # @@ -89746,7 +90055,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -860,115 +639,245 @@ interface(`virt_read_lib_files',` +@@ -860,115 +658,245 @@ interface(`virt_read_lib_files',` ## ## # @@ -89957,13 +90266,13 @@ index 9dec06c..378880d 100644 ## -## Domain allowed access. +## Domain allowed access - ## - ## ++## ++## +## +## +## The role to be allowed the sandbox domain. -+## -+## + ## + ## +## # -interface(`virt_append_log',` @@ -90029,7 +90338,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -976,18 +885,17 @@ interface(`virt_manage_log',` +@@ -976,18 +904,17 @@ interface(`virt_manage_log',` ## ## # 
@@ -90052,7 +90361,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -995,36 +903,35 @@ interface(`virt_search_images',` +@@ -995,36 +922,35 @@ interface(`virt_search_images',` ## ## # @@ -90108,7 +90417,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -1032,58 +939,57 @@ interface(`virt_read_images',` +@@ -1032,58 +958,57 @@ interface(`virt_read_images',` ## ## # @@ -90188,7 +90497,7 @@ index 9dec06c..378880d 100644 ## ## ## -@@ -1091,95 +997,169 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +1016,169 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -90418,7 +90727,7 @@ index 9dec06c..378880d 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..6b715d6 100644 +index 1f22fba..2757963 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,97 @@ @@ -91146,7 +91455,7 @@ index 1f22fba..6b715d6 100644 selinux_validate_context(virtd_t) -@@ -613,18 +444,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +444,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -91170,6 +91479,8 @@ index 1f22fba..6b715d6 100644 +userdom_list_user_home_content(virtd_t) +userdom_read_all_users_state(virtd_t) +userdom_read_user_home_content_files(virtd_t) ++userdom_relabel_user_tmp_files(virtd_t) ++userdom_setattr_user_tmp_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) +manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) @@ -91181,7 +91492,7 @@ index 1f22fba..6b715d6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +470,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +472,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` 
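Review bot: `userdom_relabel_user_tmp_files(virtd_t)` and `userdom_setattr_user_tmp_files(virtd_t)` let the daemon change the label and attributes of any user's tmp files, which is broader than the home-content rules around them, and nothing says which operation needs it. A why-comment such as `# virtd relabels user-supplied tmp content handed to a guest — TODO confirm the exact use case` would make the grant reviewable; if only guest image files are involved, a filetrans to a virt-owned type would be narrower. The surrounding virtd_t section starts outside this hunk.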
@@ -91190,7 +91501,7 @@ index 1f22fba..6b715d6 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +495,325 @@ optional_policy(` +@@ -658,95 +497,326 @@ optional_policy(` ') optional_policy(` @@ -91448,6 +91759,7 @@ index 1f22fba..6b715d6 100644 + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) ++ virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) ') @@ -91562,7 +91874,7 @@ index 1f22fba..6b715d6 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +825,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +828,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -91593,7 +91905,7 @@ index 1f22fba..6b715d6 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +848,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -91620,7 +91932,7 @@ index 1f22fba..6b715d6 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +868,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -91652,7 +91964,7 @@ index 1f22fba..6b715d6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +898,20 @@ optional_policy(` +@@ -847,14 +901,20 @@ optional_policy(` ') optional_policy(` 
@@ -91674,7 +91986,7 @@ index 1f22fba..6b715d6 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +936,45 @@ optional_policy(` +@@ -879,34 +939,45 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -91729,7 +92041,7 @@ index 1f22fba..6b715d6 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +984,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +987,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -91747,7 +92059,7 @@ index 1f22fba..6b715d6 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +1006,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +1009,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -91758,7 +92070,7 @@ index 1f22fba..6b715d6 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1015,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1018,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -91766,7 +92078,7 @@ index 1f22fba..6b715d6 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1027,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1030,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -91785,7 +92097,7 @@ index 1f22fba..6b715d6 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1041,39 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1044,39 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -91833,7 +92145,7 @@ index 1f22fba..6b715d6 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1084,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -91860,7 +92172,7 @@ index 1f22fba..6b715d6 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1102,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -91880,7 +92192,7 @@ index 1f22fba..6b715d6 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1121,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) 
@@ -91907,7 +92219,7 @@ index 1f22fba..6b715d6 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1143,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1146,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -92047,7 +92359,7 @@ index 1f22fba..6b715d6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1242,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1245,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -92062,7 +92374,7 @@ index 1f22fba..6b715d6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1260,8 @@ optional_policy(` +@@ -1183,9 +1263,8 @@ optional_policy(` ######################################## # @@ -92073,7 +92385,7 @@ index 1f22fba..6b715d6 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1274,115 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1277,115 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index cbfc18d..cbdeaac 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 69%{?dist} +Release: 70%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -539,6 +539,42 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Aug 8 2013 Miroslav Grepl 3.12.1-70 +- Add label for /var/crash +- Allow fenced to domtrans to sanclok_t +- Allow nagios to manage nagios spool files +- Make tfptd as home_manager +- Allow kdump to read kcore on MLS system +- Allow mysqld-safe sys_nice/sys_resource caps +- Allow apache to search automount tmp dirs if http_use_nfs is enabled +- Allow crond to transition to named_t, for use with unbound +- Allow crond to look at named_conf_t, for unbound +- Allow mozilla_plugin_t to transition its home content +- Allow dovecot_domain to read all system and network state +- Allow semanage to read pid files +- Dontaudit leaked file descriptors from user domain into thumb +- Add fixes for rabbit to fix ##992920,#99293 +- Make NFS home, NIS authentication and dbus-daemon working +- Fix thumb_run() +- winbind wants block_suspend +- Fix typo in smokeping.te +- Fix rabbit.te +- Remove dup rule for dovecot.te +- Fix abrt.te +- Allow afs domains to read afs_config files +- Allow login programs to read afs config +- Allow virt_domain to read virt_var_run_t symlinks +- Allow smokeping to send its process signals +- Allow fetchmail to setuid +- Add kdump_manage_crash() interface +- Allow abrt domain to write abrt.socket +- Add append to the dontaudit for unix_stream_socket of xdm_t leak +- Allow xdm_t to create symlinks in log direcotries +- Allow login programs to read afs config +- Fix rules for creating pluto pid files +- Fix userdom_relabel_user_tmp_files() +- Label 10933 as a pop port, for dovecot + * Fri Aug 2 2013 Miroslav Grepl 3.12.1-69 - Add fix for pand service - Fix pegasus.te