From 4931cbf03c53c29bb9647fc9e9dccc06fe9e6318 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jun 09 2016 14:48:53 +0000 Subject: * Thu Jun 08 2016 Lukas Vrabec 3.13.1-191 - Add hwloc-dump-hwdata SELinux policy - Add labels for mediawiki123 - Fix label for all fence_scsi_check scripts - Allow setcap for fenced - Allow glusterd domain read krb5_keytab_t files. - Allow tmpreaper_t to read/setattr all non_security_file_type dirs - Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886) - Update refpolicy to handle hwloc - Fix typo in files_setattr_non_security_dirs. - Add interface files_setattr_non_security_dirs() - Add support for onloadfs - Additional access required for unconfined domains --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index dbb46b8..59b1805 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 1a409ea..3bc8868 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -1935,7 +1935,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..5210ca5 100644 +index c44c359..ae484a0 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2051,7 +2051,11 @@ index c44c359..5210ca5 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -149,11 +156,25 @@ ifdef(`hide_broken_symptoms',` +@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',` + optional_policy(` + nagios_dontaudit_rw_log(ping_t) + nagios_dontaudit_rw_pipes(ping_t) ++ nagios_dontaudit_write_pipes_nrpe(ping_t) ') ') @@ -2077,7 +2081,7 @@ index c44c359..5210ca5 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +182,15 @@ optional_policy(` +@@ -161,6 +183,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') 
@@ -2093,7 +2097,7 @@ index c44c359..5210ca5 100644 ######################################## # # Traceroute local policy -@@ -174,7 +204,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) @@ -2101,7 +2105,7 @@ index c44c359..5210ca5 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +227,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -2109,7 +2113,7 @@ index c44c359..5210ca5 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +236,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -9717,7 +9721,7 @@ index 76f285e..5cd2702 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..8d4003a 100644 +index 0b1a871..4cef59b 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -9873,7 +9877,7 @@ index 0b1a871..8d4003a 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +371,6 @@ files_associate_tmp(device_node) +@@ -319,5 +371,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; 
@@ -9882,6 +9886,8 @@ index 0b1a871..8d4003a 100644 +allow devices_unconfined_type device_node:{ blk_file lnk_file } *; +allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint }; +allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint }; ++dev_getattr_all(devices_unconfined_type) ++ diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 6a1e4d1..26e5558 100644 --- a/policy/modules/kernel/domain.if @@ -10991,7 +10997,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..89768e5 100644 +index f962f76..d755ff2 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -11247,7 +11253,32 @@ index f962f76..89768e5 100644 allow $1 non_security_file_type:file mounton; ') -@@ -582,6 +748,42 @@ interface(`files_getattr_all_files',` +@@ -545,6 +711,24 @@ interface(`files_write_non_security_dirs',` + + ######################################## + ## ++## Allow attempts to setattr any directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_non_security_dirs',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ allow $1 non_security_file_type:dir { read setattr }; ++') ++ ++######################################## ++## + ## Allow attempts to manage non-security directories + ## + ## +@@ -582,6 +766,42 @@ interface(`files_getattr_all_files',` ######################################## ## @@ -11290,7 +11321,7 @@ index f962f76..89768e5 100644 ## Do not audit attempts to get the attributes ## of all files. ## -@@ -620,6 +822,63 @@ interface(`files_dontaudit_getattr_non_security_files',` +@@ -620,6 +840,63 @@ interface(`files_dontaudit_getattr_non_security_files',` ######################################## ## 
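Review bot: The new `dev_getattr_all(devices_unconfined_type)` line in the devices.te hunk is followed by an empty added line (`++`) that is immediately followed by the `diff --git .../domain.if` header, so devices.te now ends with a trailing blank line; drop it. A one-line why-comment above the call would also help, since the three rules directly above already grant `*` on blk_file/lnk_file and almost everything on file/chr_file for device_node, so it is not obvious what the extra interface adds — presumably object classes such as directories or sockets that those rules do not cover, but dev_getattr_all is defined in devices.if, which this diff does not show, so confirm before wording it. Something like `# getattr on device classes not covered by the device_node rules above (see devices.if)` would do.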
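Review bot: The summary of the new `files_setattr_non_security_dirs` interface in the files.if hunk says "Allow attempts to setattr any directory", but the rule is `allow $1 non_security_file_type:dir { read setattr };`, which grants read as well as setattr and applies only to directories carrying non_security_file_type, not to whatever the policy marks as security file types. The summary should match the rule, e.g. `## Read and set the attributes (mode, owner, timestamps) of all non-security directories.` Because dir setattr covers chown/chmod and not just utimes, a short caveat that this is a deliberately broad grant intended for cleanup tools such as tmpreaper (the consumer named in the changelog) would steer future callers toward a narrower per-type interface when that is all they need.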
@@ -11354,7 +11385,7 @@ index f962f76..89768e5 100644 ## Read all files. ## ## -@@ -683,88 +942,83 @@ interface(`files_read_non_security_files',` +@@ -683,88 +960,83 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -11472,7 +11503,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -772,55 +1026,173 @@ interface(`files_read_all_symlinks_except',` +@@ -772,40 +1044,158 @@ interface(`files_read_all_symlinks_except',` ## ## # @@ -11534,23 +11565,19 @@ index f962f76..89768e5 100644 +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. - ## - ## - # --interface(`files_dontaudit_read_all_symlinks',` ++## ++## ++# +interface(`files_read_all_dirs_except',` - gen_require(` - attribute file_type; - ') - -- dontaudit $1 file_type:lnk_file read; ++ gen_require(` ++ attribute file_type; ++ ') ++ + allow $1 { file_type $2 }:dir list_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of non security symbolic links. ++') ++ ++######################################## ++## +## Read all files on the filesystem, except +## the listed exceptions. +## @@ -11643,25 +11670,10 @@ index f962f76..89768e5 100644 +## +## +## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_read_all_symlinks',` -+ gen_require(` -+ attribute file_type; -+ ') -+ -+ dontaudit $1 file_type:lnk_file read; -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of non security symbolic links. - ## - ## - ## -@@ -953,6 +1325,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` + ## + ## + # +@@ -953,6 +1343,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## 
@@ -11687,7 +11699,7 @@ index f962f76..89768e5 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,6 +1382,44 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,6 +1400,44 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -11732,7 +11744,7 @@ index f962f76..89768e5 100644 ## Do not audit attempts to get the attributes ## of non security named sockets. ## -@@ -1073,13 +1502,12 @@ interface(`files_relabel_all_files',` +@@ -1073,13 +1520,12 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -11749,7 +11761,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -1140,6 +1568,8 @@ interface(`files_manage_all_files',` +@@ -1140,6 +1586,8 @@ interface(`files_manage_all_files',` # satisfy the assertions: seutil_create_bin_policy($1) files_manage_kernel_modules($1) @@ -11758,7 +11770,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -1182,24 +1612,6 @@ interface(`files_list_all',` +@@ -1182,24 +1630,6 @@ interface(`files_list_all',` ######################################## ## @@ -11783,7 +11795,7 @@ index f962f76..89768e5 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1444,8 +1856,8 @@ interface(`files_relabel_non_auth_files',` +@@ -1444,8 +1874,8 @@ interface(`files_relabel_non_auth_files',` relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) 
@@ -11794,7 +11806,7 @@ index f962f76..89768e5 100644 ') ############################################# -@@ -1601,6 +2013,24 @@ interface(`files_setattr_all_mountpoints',` +@@ -1601,6 +2031,24 @@ interface(`files_setattr_all_mountpoints',` ######################################## ## @@ -11819,7 +11831,7 @@ index f962f76..89768e5 100644 ## Do not audit attempts to set the attributes on all mount points. ## ## -@@ -1691,44 +2121,44 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1691,44 +2139,44 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -11878,7 +11890,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -1736,94 +2166,223 @@ interface(`files_list_root',` +@@ -1736,79 +2184,208 @@ interface(`files_list_root',` ## ## # @@ -11972,24 +11984,19 @@ index f962f76..89768e5 100644 # -interface(`files_dontaudit_read_root_files',` +interface(`files_write_all_dirs',` - gen_require(` -- type root_t; ++ gen_require(` + attribute file_type; - ') - -- dontaudit $1 root_t:file { getattr read }; ++ ') ++ + allow $1 file_type:dir write; - ') - - ######################################## - ## --## Do not audit attempts to read or write --## files in the root directory. ++') ++ ++######################################## ++## +## List the contents of the root directory. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. +## +## 
@@ -12123,25 +12130,10 @@ index f962f76..89768e5 100644 +## +# +interface(`files_dontaudit_read_root_files',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ dontaudit $1 root_t:file { getattr read }; -+') -+ -+######################################## -+## -+## Do not audit attempts to read or write -+## files in the root directory. -+## -+## -+## -+## Domain to not audit. - ## - ## - # -@@ -1892,25 +2451,25 @@ interface(`files_delete_root_dir_entry',` + gen_require(` + type root_t; + ') +@@ -1892,25 +2469,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -12173,7 +12165,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -1923,7 +2482,7 @@ interface(`files_relabel_rootfs',` +@@ -1923,7 +2500,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -12182,7 +12174,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -1946,6 +2505,42 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2523,42 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -12225,7 +12217,7 @@ index f962f76..89768e5 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2776,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2794,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -12250,7 +12242,7 @@ index f962f76..89768e5 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3258,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3276,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -12275,7 +12267,7 @@ index f962f76..89768e5 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3347,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3365,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) 
@@ -12283,7 +12275,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -2724,7 +3356,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3374,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -12292,7 +12284,7 @@ index f962f76..89768e5 100644 ## ## # -@@ -2780,6 +3412,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3430,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -12318,7 +12310,7 @@ index f962f76..89768e5 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3449,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3467,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -12343,7 +12335,7 @@ index f962f76..89768e5 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3632,6 @@ interface(`files_delete_boot_flag',` +@@ -2963,24 +3650,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -12368,7 +12360,7 @@ index f962f76..89768e5 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3021,9 +3672,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3021,9 +3690,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -12379,7 +12371,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -3031,18 +3680,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3698,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -12401,7 +12393,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -3060,6 +3708,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,6 +3726,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## 
@@ -12428,7 +12420,7 @@ index f962f76..89768e5 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3077,6 +3745,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3077,6 +3763,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -12436,7 +12428,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3098,6 +3767,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3785,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -12444,7 +12436,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3142,10 +3812,48 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,10 +3830,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` @@ -12495,7 +12487,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3161,10 +3869,10 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3161,10 +3887,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` @@ -12508,7 +12500,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3180,10 +3888,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3180,10 +3906,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` @@ -12521,7 +12513,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3199,10 +3907,10 @@ interface(`files_list_isid_type_dirs',` +@@ -3199,10 +3925,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` 
@@ -12534,7 +12526,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3218,10 +3926,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3944,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -12603,7 +12595,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3237,10 +4001,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +4019,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` @@ -12616,7 +12608,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3256,10 +4020,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +4038,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -12648,7 +12640,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3275,10 +4058,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +4076,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` @@ -12661,7 +12653,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3294,10 +4077,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +4095,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` @@ -12674,7 +12666,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3313,10 +4096,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +4114,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` 
@@ -12687,7 +12679,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3332,10 +4115,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +4133,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -12700,7 +12692,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3351,10 +4134,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4152,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` @@ -12713,7 +12705,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3370,10 +4153,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4171,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -12726,7 +12718,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3389,10 +4172,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4190,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` @@ -12739,7 +12731,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3408,10 +4191,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4209,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` @@ -12752,7 +12744,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3427,10 +4210,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4228,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` 
@@ -12765,7 +12757,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3446,10 +4229,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4247,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -12778,7 +12770,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3465,10 +4248,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4266,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` @@ -12810,7 +12802,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3484,10 +4286,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4304,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -12823,7 +12815,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3503,10 +4305,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4323,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` @@ -12836,7 +12828,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -3552,6 +4354,27 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3552,6 +4372,27 @@ interface(`files_dontaudit_getattr_home_dir',` ######################################## ## @@ -12864,7 +12856,7 @@ index f962f76..89768e5 100644 ## Search home directories root (/home). ## ## -@@ -3814,20 +4637,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4655,38 @@ interface(`files_list_mnt',` ###################################### ## 
@@ -12908,7 +12900,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -4012,6 +4853,12 @@ interface(`files_read_kernel_modules',` +@@ -4012,6 +4871,12 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) @@ -12921,7 +12913,7 @@ index f962f76..89768e5 100644 ') ######################################## -@@ -4217,192 +5064,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,192 +5082,218 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13181,12 +13173,11 @@ index f962f76..89768e5 100644 ######################################## ## -## Read files in the tmp directory (/tmp). --## --## +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). -+## + ## +-## +## ## -## Domain allowed access. @@ -13237,7 +13228,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -4410,53 +5283,56 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4410,53 +5301,56 @@ interface(`files_manage_generic_tmp_dirs',` ## ## # @@ -13306,7 +13297,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -4464,77 +5340,93 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4464,77 +5358,93 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -13424,7 +13415,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -4542,110 +5434,116 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4542,110 +5452,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # 
@@ -13541,40 +13532,25 @@ index f962f76..89768e5 100644 -## -## -## -+# -+interface(`files_manage_generic_tmp_files',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ manage_files_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## -+## Read symbolic links in the tmp directory (/tmp). -+## -+## - ## +-## -## The name of the object being created. -+## Domain allowed access. - ## - ## +-## +-## # -interface(`files_tmp_filetrans',` -+interface(`files_read_generic_tmp_symlinks',` ++interface(`files_manage_generic_tmp_files',` gen_require(` type tmp_t; ') - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ manage_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Delete the contents of /tmp. -+## Read and write generic named sockets in the tmp directory (/tmp). ++## Read symbolic links in the tmp directory (/tmp). ## ## ## @@ -13583,7 +13559,7 @@ index f962f76..89768e5 100644 ## # -interface(`files_purge_tmp',` -+interface(`files_rw_generic_tmp_sockets',` ++interface(`files_read_generic_tmp_symlinks',` gen_require(` - attribute tmpfile; + type tmp_t; @@ -13595,13 +13571,13 @@ index f962f76..89768e5 100644 - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ rw_sock_files_pattern($1, tmp_t, tmp_t) ++ read_lnk_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Set the attributes of the /usr directory. -+## Relabel a dir from the type used in /tmp. ++## Read and write generic named sockets in the tmp directory (/tmp). ## ## ## 
@@ -13610,20 +13586,20 @@ index f962f76..89768e5 100644 ## # -interface(`files_setattr_usr_dirs',` -+interface(`files_relabelfrom_tmp_dirs',` ++interface(`files_rw_generic_tmp_sockets',` gen_require(` - type usr_t; + type tmp_t; ') - allow $1 usr_t:dir setattr; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ rw_sock_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Search the content of /usr. -+## Relabel a file from the type used in /tmp. ++## Relabel a dir from the type used in /tmp. ## ## ## @@ -13632,21 +13608,21 @@ index f962f76..89768e5 100644 ## # -interface(`files_search_usr',` -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_relabelfrom_tmp_dirs',` gen_require(` - type usr_t; + type tmp_t; ') - allow $1 usr_t:dir search_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## List the contents of generic -## directories in /usr. -+## Set the attributes of all tmp directories. ++## Relabel a file from the type used in /tmp. ## ## ## @@ -13655,20 +13631,20 @@ index f962f76..89768e5 100644 ## # -interface(`files_list_usr',` -+interface(`files_setattr_all_tmp_dirs',` ++interface(`files_relabelfrom_tmp_files',` gen_require(` - type usr_t; -+ attribute tmpfile; ++ type tmp_t; ') - allow $1 usr_t:dir list_dir_perms; -+ allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Do not audit write of /usr dirs -+## Allow caller to read inherited tmp files. ++## Set the attributes of all tmp directories. ## ## ## 
@@ -13678,20 +13654,20 @@ index f962f76..89768e5 100644 ## # -interface(`files_dontaudit_write_usr_dirs',` -+interface(`files_read_inherited_tmp_files',` ++interface(`files_setattr_all_tmp_dirs',` gen_require(` - type usr_t; + attribute tmpfile; ') - dontaudit $1 usr_t:dir write; -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 tmpfile:dir { search_dir_perms setattr }; ') ######################################## ## -## Add and remove entries from /usr directories. -+## Allow caller to append inherited tmp files. ++## Allow caller to read inherited tmp files. ## ## ## @@ -13700,21 +13676,21 @@ index f962f76..89768e5 100644 ## # -interface(`files_rw_usr_dirs',` -+interface(`files_append_inherited_tmp_files',` ++interface(`files_read_inherited_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - allow $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file append_inherited_file_perms; ++ allow $1 tmpfile:file { append read_inherited_file_perms }; ') ######################################## ## -## Do not audit attempts to add and remove -## entries from /usr directories. -+## Allow caller to read and write inherited tmp files. ++## Allow caller to append inherited tmp files. ## ## ## 
@@ -13724,92 +13700,90 @@ index f962f76..89768e5 100644 ## # -interface(`files_dontaudit_rw_usr_dirs',` -+interface(`files_rw_inherited_tmp_file',` ++interface(`files_append_inherited_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - dontaudit $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file rw_inherited_file_perms; ++ allow $1 tmpfile:file append_inherited_file_perms; ') ######################################## ## -## Delete generic directories in /usr in the caller domain. -+## List all tmp directories. ++## Allow caller to read and write inherited tmp files. ## ## ## -@@ -4786,111 +5677,100 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4786,17 +5677,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # -interface(`files_delete_usr_dirs',` -+interface(`files_list_all_tmp',` ++interface(`files_rw_inherited_tmp_file',` gen_require(` - type usr_t; + attribute tmpfile; ') - delete_dirs_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:dir list_dir_perms; ++ allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## -## Delete generic files in /usr in the caller domain. -+## Relabel to and from all temporary -+## directory types. ++## List all tmp directories. ## ## ## - ## Domain allowed access. +@@ -4804,73 +5695,59 @@ interface(`files_delete_usr_dirs',` ## ## -+## # -interface(`files_delete_usr_files',` -+interface(`files_relabel_all_tmp_dirs',` ++interface(`files_list_all_tmp',` gen_require(` - type usr_t; + attribute tmpfile; -+ type var_t; ') - delete_files_pattern($1, usr_t, usr_t) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir list_dir_perms; ') ######################################## ## -## Get the attributes of files in /usr. -+## Do not audit attempts to get the attributes -+## of all tmp files. ++## Relabel to and from all temporary ++## directory types. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+ ## Domain allowed access. ## ## ++## # -interface(`files_getattr_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_relabel_all_tmp_dirs',` gen_require(` - type usr_t; + attribute tmpfile; ++ type var_t; ') - getattr_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file getattr; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) ') ######################################## ## -## Read generic files in /usr. -+## Allow attempts to get the attributes ++## Do not audit attempts to get the attributes +## of all tmp files. ## -## @@ -13831,13 +13805,14 @@ index f962f76..89768e5 100644 -## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`files_read_usr_files',` -+interface(`files_getattr_all_tmp_files',` ++interface(`files_dontaudit_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; 
@@ -13846,67 +13821,74 @@ index f962f76..89768e5 100644 - allow $1 usr_t:dir list_dir_perms; - read_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file getattr; ++ dontaudit $1 tmpfile:file getattr; ') ######################################## ## -## Execute generic programs in /usr in the caller domain. -+## Relabel to and from all temporary -+## file types. ++## Allow attempts to get the attributes ++## of all tmp files. ## ## ## - ## Domain allowed access. +@@ -4878,55 +5755,58 @@ interface(`files_read_usr_files',` ## ## -+## # -interface(`files_exec_usr_files',` -+interface(`files_relabel_all_tmp_files',` ++interface(`files_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; -+ type var_t; ') - allow $1 usr_t:dir list_dir_perms; - exec_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:file getattr; ') ######################################## ## -## dontaudit write of /usr files -+## Do not audit attempts to get the attributes -+## of all tmp sock_file. ++## Relabel to and from all temporary ++## file types. ## ## ## -@@ -4898,35 +5778,17 @@ interface(`files_exec_usr_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## ++## # -interface(`files_dontaudit_write_usr_files',` -- gen_require(` ++interface(`files_relabel_all_tmp_files',` + gen_require(` - type usr_t; -- ') -- ++ attribute tmpfile; ++ type var_t; + ') + - dontaudit $1 usr_t:file write; --') -- --######################################## --## ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## -## Create, read, write, and delete files in the /usr directory. --## --## --## ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. + ## + ## + ## -## Domain allowed access. 
--## --## --# ++## Domain to not audit. + ## + ## + # -interface(`files_manage_usr_files',` +interface(`files_dontaudit_getattr_all_tmp_sockets',` gen_require(` @@ -13925,7 +13907,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -4934,67 +5796,70 @@ interface(`files_manage_usr_files',` +@@ -4934,67 +5814,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -14014,7 +13996,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5003,35 +5868,50 @@ interface(`files_read_usr_symlinks',` +@@ -5003,35 +5886,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -14074,7 +14056,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5039,20 +5919,17 @@ interface(`files_dontaudit_search_src',` +@@ -5039,20 +5937,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -14099,7 +14081,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5060,20 +5937,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5060,20 +5955,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -14124,7 +14106,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5081,38 +5956,35 @@ interface(`files_read_usr_src_files',` +@@ -5081,38 +5974,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -14172,7 +14154,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5120,37 +5992,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5120,37 +6010,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -14220,7 +14202,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5158,35 +6029,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5158,35 +6047,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -14265,7 +14247,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5194,36 +6065,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5194,36 +6083,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # 
@@ -14331,7 +14313,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5231,36 +6121,37 @@ interface(`files_dontaudit_search_var',` +@@ -5231,36 +6139,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -14379,7 +14361,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5268,17 +6159,17 @@ interface(`files_manage_var_dirs',` +@@ -5268,17 +6177,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -14401,7 +14383,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5286,17 +6177,17 @@ interface(`files_read_var_files',` +@@ -5286,17 +6195,17 @@ interface(`files_read_var_files',` ## ## # @@ -14423,7 +14405,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5304,73 +6195,86 @@ interface(`files_append_var_files',` +@@ -5304,73 +6213,86 @@ interface(`files_append_var_files',` ## ## # @@ -14530,7 +14512,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5378,50 +6282,41 @@ interface(`files_read_var_symlinks',` +@@ -5378,50 +6300,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -14595,7 +14577,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5429,69 +6324,56 @@ interface(`files_var_filetrans',` +@@ -5429,69 +6342,56 @@ interface(`files_var_filetrans',` ## ## # @@ -14680,7 +14662,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5499,17 +6381,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5499,17 +6399,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -14704,7 +14686,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5517,70 +6400,54 @@ interface(`files_list_var_lib',` +@@ -5517,70 +6418,54 @@ interface(`files_list_var_lib',` ## ## # @@ -14788,7 +14770,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5588,41 +6455,36 @@ interface(`files_read_var_lib_files',` +@@ -5588,41 +6473,36 @@ interface(`files_read_var_lib_files',` ## ## # @@ -14840,7 +14822,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5630,36 +6492,36 @@ interface(`files_manage_urandom_seed',` +@@ -5630,36 +6510,36 @@ interface(`files_manage_urandom_seed',` ## ## # 
@@ -14887,7 +14869,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5667,38 +6529,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5667,38 +6547,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -14935,7 +14917,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5706,19 +6565,17 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,19 +6583,17 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -14959,7 +14941,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5726,60 +6583,54 @@ interface(`files_list_locks',` +@@ -5726,60 +6601,54 @@ interface(`files_list_locks',` ## ## # @@ -15035,7 +15017,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5787,20 +6638,18 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,20 +6656,18 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -15061,7 +15043,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5808,165 +6657,156 @@ interface(`files_getattr_generic_locks',` +@@ -5808,165 +6675,156 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -15289,7 +15271,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -5974,59 +6814,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5974,59 +6832,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # @@ -15380,7 +15362,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6034,18 +6886,18 @@ interface(`files_dontaudit_search_pids',` +@@ -6034,18 +6904,18 @@ interface(`files_dontaudit_search_pids',` ## ## # 
@@ -15404,47 +15386,58 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6053,19 +6905,1228 @@ interface(`files_list_pids',` +@@ -6053,19 +6923,21 @@ interface(`files_list_pids',` ## ## # -interface(`files_read_generic_pids',` +interface(`files_manage_var_lib_symlinks',` gen_require(` +- type var_t, var_run_t; + type var_lib_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + manage_lnk_files_pattern($1,var_lib_t,var_lib_t) -+') -+ + ') + +# cjp: the next two interfaces really need to be fixed +# in some way. They really neeed their own types. + -+######################################## -+## + ######################################## + ## +-## Write named generic process ID pipes +## Create, read, write, and delete the +## pseudorandom number generator seed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6073,43 +6945,1377 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` +interface(`files_manage_urandom_seed',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_lib_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## Allow domain to manage mount tables +## necessary for rpcd, nfsd, etc. -+## + ## +-## +## +## +## Domain allowed access. 
@@ -16457,12 +16450,9 @@ index f962f76..89768e5 100644 +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) @@ -16474,21 +16464,29 @@ index f962f76..89768e5 100644 +## used for spool files. +## +## -+##

+ ##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +## Make the specified type usable for spool files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a spool file may result in problems with +## purging spool files. -+##

-+##

-+## Related interfaces: -+##

-+##
    + ##

    + ##

    + ## Related interfaces: + ##

    + ##
      +-##
    • files_pid_file()
    • +##
    • files_spool_filetrans()
    • -+##
    -+##

    -+## Example usage with a domain that can create and + ##

+ ##

+ ## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +## write its spool file in the system spool file +## directories (/var/spool): +##

@@ -16497,7 +16495,7 @@ index f962f76..89768e5 100644 +## files_spool_file(myfile_spool_t) +## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; +## files_spool_filetrans(mydomain_t, myfile_spool_t, file) -+##

+ ##

+##
+## +## @@ -16628,36 +16626,30 @@ index f962f76..89768e5 100644 + ') + + list_dirs_pattern($1, var_t, var_spool_t) - ') - - ######################################## - ## --## Write named generic process ID pipes ++') ++ ++######################################## ++## +## Create, read, write, and delete generic +## spool directories (/var/spool). - ## - ## - ## -@@ -6073,43 +8134,170 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_generic_spool_dirs',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1, var_spool_t, var_spool_t) - ') - - ######################################## - ## --## Create an object in the process ID directory, with a private type. ++') ++ ++######################################## ++## +## Read generic spool files. +## +## @@ -16807,27 +16799,9 @@ index f962f76..89768e5 100644 +######################################## +## +## Create a core files in / - ## - ## ++## ++## ##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

--##

--## Related interfaces: --##

--##
    --##
  • files_pid_file()
  • --##
--##

--## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

--##

-## type mypidfile_t; -## files_pid_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; @@ -16836,7 +16810,7 @@ index f962f76..89768e5 100644 ##

##
## -@@ -6117,80 +8305,157 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,80 +8323,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -17023,7 +16997,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6198,19 +8463,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8481,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -17047,7 +17021,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6218,18 +8481,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8499,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -17070,7 +17044,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6237,129 +8499,118 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8517,118 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17239,7 +17213,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6367,18 +8618,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8636,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17264,7 +17238,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6386,132 +8638,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8656,227 @@ interface(`files_search_spool',` ## ## # @@ -17538,7 +17512,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6519,53 +8866,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8884,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17596,7 +17570,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6573,10 +8884,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8902,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -17855,7 +17829,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..531dfef 100644 +index 8416beb..761fbab 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
@@ -19627,16 +19601,11 @@ index 8416beb..531dfef 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2356,44 +3283,62 @@ interface(`fs_remount_nfs',` - type nfs_t; - ') +@@ -2361,39 +3288,57 @@ interface(`fs_remount_nfs',` -- allow $1 nfs_t:filesystem remount; -+ allow $1 nfs_t:filesystem remount; -+') -+ -+######################################## -+## + ######################################## + ## +-## Unmount a NFS filesystem. +## Unmount a NFS filesystem. +## +## @@ -19651,11 +19620,10 @@ index 8416beb..531dfef 100644 + ') + + allow $1 nfs_t:filesystem unmount; - ') - - ######################################## - ## --## Unmount a NFS filesystem. ++') ++ ++######################################## ++## +## Get the attributes of a NFS filesystem. ## ## 
@@ -20126,82 +20094,48 @@ index 8416beb..531dfef 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3839,39 +5047,76 @@ interface(`fs_getattr_tmpfs',` - ## - ## - ## --## The type of the object to be associated. -+## The type of the object to be associated. -+## -+## -+# -+interface(`fs_associate_tmpfs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ allow $1 tmpfs_t:filesystem associate; +@@ -3866,12 +5074,49 @@ interface(`fs_relabelfrom_tmpfs',` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:filesystem relabelfrom; ++ allow $1 tmpfs_t:filesystem relabelfrom; +') + +######################################## +## -+## Relabel from tmpfs filesystem. ++## Get the attributes of tmpfs directories. +## -+## ++## +## +## Domain allowed access. +## +## +# -+interface(`fs_relabelfrom_tmpfs',` ++interface(`fs_getattr_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:filesystem relabelfrom; ++ allow $1 tmpfs_t:dir getattr; +') + +######################################## +## -+## Get the attributes of tmpfs directories. -+## -+## -+## -+## Domain allowed access. - ## - ## - # --interface(`fs_associate_tmpfs',` -+interface(`fs_getattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:filesystem associate; -+ allow $1 tmpfs_t:dir getattr; - ') - - ######################################## - ## --## Relabel from tmpfs filesystem. +## Do not audit attempts to get the attributes +## of tmpfs directories. - ## --## ++## +## - ## --## Domain allowed access. ++## +## Domain to not audit. - ## - ## - # --interface(`fs_relabelfrom_tmpfs',` ++## ++## ++# +interface(`fs_dontaudit_getattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:filesystem relabelfrom; ++ gen_require(` ++ type tmpfs_t; ++ ') ++ + dontaudit $1 tmpfs_t:dir getattr; ') 
@@ -20631,7 +20565,7 @@ index 8416beb..531dfef 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6345,63 @@ interface(`fs_unconfined',` +@@ -4912,3 +6345,82 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -20695,8 +20629,27 @@ index 8416beb..531dfef 100644 + + read_files_pattern($1, efivarfs_t, efivarfs_t) +') ++ ++######################################## ++## ++## Read and write sockets of ONLOAD file system pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_onload_sockets',` ++ gen_require(` ++ type onload_fs_t; ++ ') ++ ++ rw_sock_files_pattern($1, onload_fs_t, onload_fs_t) ++') ++ diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..fc52817 100644 +index e7d1738..59c1cb8 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -20790,7 +20743,7 @@ index e7d1738..fc52817 100644 type mvfs_t; fs_noxattr_type(mvfs_t) allow mvfs_t self:filesystem associate; -@@ -118,13 +148,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -118,13 +148,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -20801,6 +20754,11 @@ index e7d1738..fc52817 100644 +fs_type(nsfs_t) +genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) + ++type onload_fs_t; ++fs_type(onload_fs_t) ++files_mountpoint(onload_fs_t) ++genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0) ++ type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) 
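Review bot: The summary of the new `fs_rw_onload_sockets` interface reads "Read and write sockets of ONLOAD file system pipes", but the body grants `rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)`, which is read/write on `sock_file` objects (plus directory search) on an onloadfs mount, not on pipes; `## Read and write sock_file objects on an onloadfs filesystem.` would describe the rule. Since the matching `genfscon onloadfs /` line in the filesystem.te hunk further along this same line gives every object under the mount the single label `onload_fs_t`, a caller of this interface gets socket access to the whole filesystem, which is worth a one-line comment in the interface body such as `# onloadfs carries one label for the entire mount`. The added interface is also followed by a trailing `+` blank line after `+')`, leaving an empty last line in filesystem.if.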
@@ -20810,7 +20768,7 @@ index e7d1738..fc52817 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,17 +185,16 @@ fs_type(spufs_t) +@@ -150,17 +190,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -20832,7 +20790,7 @@ index e7d1738..fc52817 100644 type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -172,6 +206,8 @@ type vxfs_t; +@@ -172,6 +211,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -20841,7 +20799,7 @@ index e7d1738..fc52817 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +218,8 @@ fs_type(tmpfs_t) +@@ -182,6 +223,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -20850,7 +20808,7 @@ index e7d1738..fc52817 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +299,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +304,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -20859,7 +20817,7 @@ index e7d1738..fc52817 100644 files_mountpoint(removable_t) # -@@ -280,6 +320,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +325,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -20867,7 +20825,7 @@ index e7d1738..fc52817 100644 ######################################## # -@@ -301,9 +342,10 @@ fs_associate_noxattr(noxattrfs) +@@ -301,9 +347,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # 
@@ -22184,7 +22142,7 @@ index e100d88..1428581 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..092e065 100644 +index 8dbab4c..5b93205 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -22489,7 +22447,7 @@ index 8dbab4c..092e065 100644 -allow kern_unconfined sysctl_type:{ dir file } *; +allow kern_unconfined sysctl_type:{ file } ~entrypoint; -+allow kern_unconfined sysctl_type:{ dir } *; ++allow kern_unconfined sysctl_type:{ dir lnk_file } *; allow kern_unconfined kernel_t:system *; @@ -25207,7 +25165,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..a73a163 100644 +index 2522ca6..f7ff2c7 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) @@ -25371,14 +25329,14 @@ index 2522ca6..a73a163 100644 + +optional_policy(` + consoletype_exec(sysadm_t) ++') ++ ++optional_policy(` ++ daemonstools_run_start(sysadm_t, sysadm_r) ') optional_policy(` - cvs_exec(sysadm_t) -+ daemonstools_run_start(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + dbus_role_template(sysadm, sysadm_r, sysadm_t) + + dontaudit sysadm_dbusd_t self:capability net_admin; @@ -25413,7 +25371,19 @@ index 2522ca6..a73a163 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -172,13 +246,31 @@ optional_policy(` +@@ -164,6 +238,11 @@ optional_policy(` + ') + + optional_policy(` ++ hwloc_admin(sysadm_t) ++ hwloc_run_dhwd(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + hadoop_role(sysadm_r, sysadm_t) + ') + +@@ -172,13 +251,31 @@ optional_policy(` # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) 
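Review bot: `allow kern_unconfined sysctl_type:{ dir lnk_file } *;` extends the wildcard grant to symlinks, while the `file` rule immediately above it was deliberately narrowed to `~entrypoint`, so the two lines now read as if they were written to different standards. If the need is only to follow the symlinks under /proc/sys (the commit message does not say), `allow kern_unconfined sysctl_type:lnk_file read_lnk_file_perms;` on its own line would make that intent explicit; otherwise a comment such as `# lnk_file needs the full set because <reason>` should record why `*` is required. Either way the reason belongs next to the rule rather than only in the changelog.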
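Review bot: The new `optional_policy` block holding `hwloc_admin(sysadm_t)` and `hwloc_run_dhwd(sysadm_t, sysadm_r)` is inserted ahead of the `hadoop_role(sysadm_r, sysadm_t)` block, which breaks the alphabetical ordering the surrounding blocks keep (`fstools_run` precedes `hadoop_role`); moving it to just after the hadoop block restores the ordering. `hwloc_admin` is, by its name, an admin-scope interface from the hwloc module this commit introduces, so a short comment such as `# hwloc-dump-hwdata: sysadm runs the dumper and manages its runtime data` would let a reader see why the role receives it without opening the new module.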
@@ -25445,7 +25415,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -190,11 +282,12 @@ optional_policy(` +@@ -190,11 +287,12 @@ optional_policy(` ') optional_policy(` @@ -25460,7 +25430,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -210,22 +303,20 @@ optional_policy(` +@@ -210,22 +308,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -25489,7 +25459,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -237,14 +328,28 @@ optional_policy(` +@@ -237,14 +333,28 @@ optional_policy(` ') optional_policy(` @@ -25518,7 +25488,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -252,10 +357,20 @@ optional_policy(` +@@ -252,10 +362,20 @@ optional_policy(` ') optional_policy(` @@ -25539,7 +25509,7 @@ index 2522ca6..a73a163 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +381,41 @@ optional_policy(` +@@ -266,35 +386,41 @@ optional_policy(` ') optional_policy(` @@ -25588,7 +25558,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -308,6 +429,7 @@ optional_policy(` +@@ -308,6 +434,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -25596,7 +25566,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -315,12 +437,20 @@ optional_policy(` +@@ -315,12 +442,20 @@ optional_policy(` ') optional_policy(` @@ -25618,7 +25588,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -345,30 +475,37 @@ optional_policy(` +@@ -345,30 +480,37 @@ optional_policy(` ') optional_policy(` @@ -25665,7 +25635,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -380,10 +517,6 @@ optional_policy(` +@@ -380,10 +522,6 @@ optional_policy(` ') optional_policy(` 
@@ -25676,7 +25646,7 @@ index 2522ca6..a73a163 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +524,9 @@ optional_policy(` +@@ -391,6 +529,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25686,7 +25656,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -398,31 +534,34 @@ optional_policy(` +@@ -398,31 +539,34 @@ optional_policy(` ') optional_policy(` @@ -25727,7 +25697,7 @@ index 2522ca6..a73a163 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +574,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +579,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25738,7 +25708,7 @@ index 2522ca6..a73a163 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +594,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +599,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -45938,7 +45908,7 @@ index 2cea692..bf86a31 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..78fa512 100644 +index a392fc4..155d5ce 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -46172,7 +46142,7 @@ index a392fc4..78fa512 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +313,25 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +313,26 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
@@ -46194,11 +46164,12 @@ index a392fc4..78fa512 100644 +create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) +allow ifconfig_t ifconfig_var_run_t:file mounton; ++allow ifconfig_t ifconfig_var_run_t:dir mounton; + kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +341,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +342,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -46231,7 +46202,7 @@ index a392fc4..78fa512 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +379,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +380,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -46289,7 +46260,7 @@ index a392fc4..78fa512 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +434,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +435,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -46302,7 +46273,7 @@ index a392fc4..78fa512 100644 ') optional_policy(` -@@ -350,7 +452,16 @@ optional_policy(` +@@ -350,7 +453,16 @@ optional_policy(` ') optional_policy(` @@ -46320,7 +46291,7 @@ index a392fc4..78fa512 100644 ') optional_policy(` -@@ -371,3 +482,13 @@ optional_policy(` +@@ -371,3 +483,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -50480,7 +50451,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..e6556aa 100644 +index 9dc60c6..595ad40 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
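Review bot: `allow ifconfig_t ifconfig_var_run_t:dir mounton;` widens the existing file-only `mounton` to directories with nothing on the line saying what is being mounted there. The sysnetwork.if hunk earlier in this patch adds a `"netns"` directory transition under `ifconfig_var_run_t`, which suggests this is for `ip netns` bind-mounting the per-namespace entries; if that is the case, `# ip netns bind-mounts /run/netns and its per-namespace entries` above the two `mounton` rules would document it. Because `mounton` permits mounting over any object carrying `ifconfig_var_run_t`, the reason for granting it should be recorded beside the rule.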
@@ -51175,7 +51146,7 @@ index 9dc60c6..e6556aa 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +737,132 @@ template(`userdom_common_user_template',` +@@ -546,93 +737,137 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -51286,18 +51257,23 @@ index 9dc60c6..e6556aa 100644 optional_policy(` - consolekit_dbus_chat($1_t) + hal_dbus_chat($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat_config($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) + ') + ++ optional_policy(` ++ hwloc_exec_dhwd($1_t) ++ hwloc_read_runtime_files($1_t) ++ ') ++ ++ optional_policy(` ++ kde_dbus_chat_backlighthelper($1_usertype) + ') + + optional_policy(` + memcached_stream_connect($1_usertype) + ') + -+ optional_policy(` + optional_policy(` +- cups_dbus_chat_config($1_t) + modemmanager_dbus_chat($1_usertype) ') @@ -51322,31 +51298,31 @@ index 9dc60c6..e6556aa 100644 - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + git_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - kerberos_manage_krb5_home_files($1_t) - kerberos_relabel_krb5_home_files($1_t) - kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) -+ ') -+ -+ optional_policy(` + lircd_stream_connect($1_usertype) ') optional_policy(` -@@ -642,23 +872,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +877,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) 
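Review bot: `hwloc_exec_dhwd($1_t)` and `hwloc_read_runtime_files($1_t)` are the only calls in this run of new `optional_policy` blocks that take `$1_t`; the neighbouring `hal_dbus_chat`, `kde_dbus_chat_backlighthelper`, `memcached_stream_connect` and `modemmanager_dbus_chat` lines all take `$1_usertype`, which is presumably the attribute covering the user's derived domains as well. If the narrower scope is intended, a comment such as `# base user domain only, not $1_usertype` would stop the next maintainer from "fixing" it; otherwise `hwloc_exec_dhwd($1_usertype)` and `hwloc_read_runtime_files($1_usertype)` keep the block consistent with its siblings. The enclosing `userdom_common_user_template` begins and ends outside this hunk.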
@@ -51375,7 +51351,7 @@ index 9dc60c6..e6556aa 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +899,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +904,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -51384,7 +51360,7 @@ index 9dc60c6..e6556aa 100644 ') optional_policy(` -@@ -680,9 +908,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +913,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -51397,7 +51373,7 @@ index 9dc60c6..e6556aa 100644 ') ') -@@ -693,32 +921,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +926,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -51444,7 +51420,7 @@ index 9dc60c6..e6556aa 100644 ') ') -@@ -743,17 +974,32 @@ template(`userdom_common_user_template',` +@@ -743,17 +979,32 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -51463,9 +51439,7 @@ index 9dc60c6..e6556aa 100644 + + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -51473,7 +51447,9 @@ index 9dc60c6..e6556aa 100644 + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -51481,7 +51457,7 @@ index 9dc60c6..e6556aa 100644 userdom_change_password_template($1) -@@ -761,82 +1007,112 @@ template(`userdom_login_user_template', ` +@@ -761,82 +1012,112 @@ template(`userdom_login_user_template', ` # # User domain Local policy # 
@@ -51557,14 +51533,14 @@ index 9dc60c6..e6556aa 100644 - init_dontaudit_use_script_fds($1_t) + init_dontaudit_use_fds($1_usertype) + init_dontaudit_use_script_fds($1_usertype) - -- libs_exec_lib_files($1_t) ++ + # Needed by pam_selinux.so calling in systemd-users + init_entrypoint_exec(login_userdomain) -- logging_dontaudit_getattr_all_logs($1_t) +- libs_exec_lib_files($1_t) + libs_exec_lib_files($1_usertype) -+ + +- logging_dontaudit_getattr_all_logs($1_t) + logging_dontaudit_getattr_all_logs($1_usertype) - miscfiles_read_man_pages($1_t) @@ -51630,7 +51606,7 @@ index 9dc60c6..e6556aa 100644 ') ') -@@ -868,6 +1144,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -51643,7 +51619,7 @@ index 9dc60c6..e6556aa 100644 ############################## # # Local policy -@@ -907,53 +1189,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -51663,14 +51639,10 @@ index 9dc60c6..e6556aa 100644 + dev_read_rand($1_usertype) - logging_send_syslog_msg($1_t) -- logging_dontaudit_send_audit_msgs($1_t) + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) - -- # Need to to this just so screensaver will work. Should be moved to screensaver domain -- logging_send_audit_msgs($1_t) -- selinux_get_enforce_mode($1_t) ++ + libs_dontaudit_setattr_lib_files($1_usertype) + + init_read_state($1_usertype) 
@@ -51688,10 +51660,11 @@ index 9dc60c6..e6556aa 100644 + ') + + logging_send_syslog_msg($1_t) -+ logging_dontaudit_send_audit_msgs($1_t) -+ -+ # Need to to this just so screensaver will work. Should be moved to screensaver domain -+ selinux_get_enforce_mode($1_t) + logging_dontaudit_send_audit_msgs($1_t) + + # Need to to this just so screensaver will work. Should be moved to screensaver domain +- logging_send_audit_msgs($1_t) + selinux_get_enforce_mode($1_t) + seutil_exec_restorecond($1_t) + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) @@ -51798,7 +51771,7 @@ index 9dc60c6..e6556aa 100644 ') ####################################### -@@ -987,27 +1353,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -51836,7 +51809,7 @@ index 9dc60c6..e6556aa 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1390,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1395,63 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -51896,21 +51869,21 @@ index 9dc60c6..e6556aa 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) ++ ') ++ ++ optional_policy(` ++ wine_role_template($1, $1_r, $1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) -+ wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1455,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1460,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` 
@@ -51921,7 +51894,7 @@ index 9dc60c6..e6556aa 100644 ') ') -@@ -1079,7 +1493,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1498,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -51932,7 +51905,7 @@ index 9dc60c6..e6556aa 100644 ') ############################## -@@ -1095,6 +1511,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1516,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -51940,7 +51913,7 @@ index 9dc60c6..e6556aa 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1522,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1527,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -51957,7 +51930,7 @@ index 9dc60c6..e6556aa 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1539,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1544,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -51966,7 +51939,7 @@ index 9dc60c6..e6556aa 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1558,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1563,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -51982,7 +51955,7 @@ index 9dc60c6..e6556aa 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1577,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1582,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -52027,7 +52000,7 @@ index 9dc60c6..e6556aa 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1620,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1625,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -52036,7 +52009,7 @@ index 9dc60c6..e6556aa 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1629,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1634,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -52059,7 +52032,7 @@ index 9dc60c6..e6556aa 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1679,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1684,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -52068,7 +52041,7 @@ index 9dc60c6..e6556aa 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1689,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1694,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -52077,7 +52050,7 @@ index 9dc60c6..e6556aa 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1703,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1708,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -52089,7 +52062,7 @@ index 9dc60c6..e6556aa 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1717,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1722,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -52132,7 +52105,7 @@ index 9dc60c6..e6556aa 100644 ') optional_policy(` -@@ -1357,14 +1802,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1807,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -52151,7 +52124,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1397,12 +1845,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1850,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -52205,7 +52178,7 @@ index 9dc60c6..e6556aa 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2002,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -52237,7 +52210,7 @@ index 9dc60c6..e6556aa 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2068,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -52252,7 +52225,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2091,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -52264,7 +52237,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1613,6 +2131,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2136,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -52289,7 +52262,7 @@ index 9dc60c6..e6556aa 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2167,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2172,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -52349,7 +52322,7 @@ index 9dc60c6..e6556aa 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2293,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2298,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -52364,7 +52337,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1741,10 +2332,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2337,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -52379,7 +52352,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1769,7 +2362,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2367,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -52388,7 +52361,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1777,19 +2370,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2375,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -52412,7 +52385,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1797,55 +2388,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2393,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # 
@@ -52483,7 +52456,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1853,18 +2444,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2449,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -52511,7 +52484,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1872,17 +2464,167 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,18 +2469,71 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -52519,13 +52492,17 @@ index 9dc60c6..e6556aa 100644 - gen_require(` - type user_home_dir_t, user_home_t; - ') +- +- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) +interface(`usedom_dontaudit_user_getattr_tmp_sockets',` + refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') + userdom_getattr_user_tmp_files($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read user home files. +## Dontaudit getattr on user tmp sockets. +## +## @@ -52584,22 +52561,24 @@ index 9dc60c6..e6556aa 100644 +## +## Do not audit attempts to set the +## attributes of user home files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -1891,13 +2541,113 @@ interface(`userdom_read_user_home_content_files',` + ## + ## + # +-interface(`userdom_dontaudit_read_user_home_content_files',` +interface(`userdom_dontaudit_setattr_user_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ + gen_require(` + type user_home_t; + ') + +- dontaudit $1 user_home_t:dir list_dir_perms; +- dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_t:file setattr_file_perms; +') - -- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ +######################################## +## +## Set the attributes of all user home directories. 
@@ -52635,11 +52614,11 @@ index 9dc60c6..e6556aa 100644 + ') + + mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) - ') - - ######################################## - ## ++ files_search_home($1) ++') ++ ++######################################## ++## +## Read user home files. +## +## @@ -52681,20 +52660,20 @@ index 9dc60c6..e6556aa 100644 + +######################################## +## - ## Do not audit attempts to read user home files. - ## - ## -@@ -1893,11 +2635,14 @@ interface(`userdom_read_user_home_content_files',` - # - interface(`userdom_dontaudit_read_user_home_content_files',` - gen_require(` -- type user_home_t; ++## Do not audit attempts to read user home files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_user_home_content_files',` ++ gen_require(` + attribute user_home_type; + type user_home_dir_t; - ') - -- dontaudit $1 user_home_t:dir list_dir_perms; -- dontaudit $1 user_home_t:file read_file_perms; ++ ') ++ + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; @@ -52702,7 +52681,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1938,7 +2683,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2688,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -52711,7 +52690,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1946,10 +2691,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2696,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # 
@@ -52724,7 +52703,7 @@ index 9dc60c6..e6556aa 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2702,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2707,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -52733,7 +52712,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1966,12 +2710,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2715,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -52802,7 +52781,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2007,8 +2805,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2810,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -52812,7 +52791,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2024,21 +2821,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2826,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -52826,19 +52805,18 @@ index 9dc60c6..e6556aa 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -2120,7 +2911,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2916,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## 
@@ -52847,7 +52825,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2128,19 +2919,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2924,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -52871,7 +52849,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2148,12 +2937,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2942,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -52887,7 +52865,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2388,18 +3177,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3182,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -52945,7 +52923,7 @@ index 9dc60c6..e6556aa 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3239,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3244,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -52954,7 +52932,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2455,6 +3280,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3285,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') 
@@ -52980,34 +52958,12 @@ index 9dc60c6..e6556aa 100644 ######################################## ## -@@ -2538,7 +3382,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3387,27 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user -## temporary symbolic links. +## temporary files. - ## - ## - ## -@@ -2546,18 +3390,59 @@ interface(`userdom_manage_user_tmp_files',` - ## - ## - # --interface(`userdom_manage_user_tmp_symlinks',` -+interface(`userdom_filetrans_named_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - -- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") - files_search_tmp($1) - ') - - ######################################## - ## - ## Create, read, write, and delete user -+## temporary symbolic links. +## +## +## @@ -53015,26 +52971,26 @@ index 9dc60c6..e6556aa 100644 +## +## +# -+interface(`userdom_manage_user_tmp_symlinks',` ++interface(`userdom_filetrans_named_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete user -+## temporary named pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# ++## temporary symbolic links. + ## + ## + ## +@@ -2566,6 +3435,27 @@ interface(`userdom_manage_user_tmp_symlinks',` + ## + ## + # +interface(`userdom_rw_inherited_user_tmp_pipes',` + gen_require(` + type user_tmp_t; 
@@ -53048,10 +53004,18 @@ index 9dc60c6..e6556aa 100644 +######################################## +## +## Create, read, write, and delete user - ## temporary named pipes. - ## - ## -@@ -2661,6 +3546,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` ++## temporary named pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# + interface(`userdom_manage_user_tmp_pipes',` + gen_require(` + type user_tmp_t; +@@ -2661,6 +3551,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -53073,7 +53037,7 @@ index 9dc60c6..e6556aa 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3572,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3577,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -53095,7 +53059,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2692,19 +3587,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3592,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -53118,7 +53082,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2713,13 +3602,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3607,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -53179,7 +53143,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2814,6 +3746,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3751,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -53204,7 +53168,7 @@ index 9dc60c6..e6556aa 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3782,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3787,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## 
@@ -53247,7 +53211,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2856,14 +3818,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3823,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -53285,7 +53249,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2882,8 +3863,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3868,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -53315,7 +53279,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2955,6 +3955,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3960,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -53358,7 +53322,7 @@ index 9dc60c6..e6556aa 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4014,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4019,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -53383,7 +53347,7 @@ index 9dc60c6..e6556aa 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4032,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4037,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -53395,7 +53359,7 @@ index 9dc60c6..e6556aa 100644 ## memory segments. ## ## -@@ -3025,17 +4043,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4048,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -53416,7 +53380,7 @@ index 9dc60c6..e6556aa 100644 ## memory segments. ## ## -@@ -3044,12 +4062,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4067,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # 
@@ -53431,7 +53395,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -3094,7 +4112,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4117,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -53440,7 +53404,7 @@ index 9dc60c6..e6556aa 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4128,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4133,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -53474,7 +53438,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -3214,7 +4216,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4221,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -53501,7 +53465,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -3269,12 +4289,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4294,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -53517,7 +53481,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -3282,54 +4303,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4308,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -53589,7 +53553,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -3337,12 +4360,86 @@ interface(`userdom_getattr_all_users',` +@@ -3337,17 +4365,91 @@ interface(`userdom_getattr_all_users',` ## ## # @@ -53601,10 +53565,11 @@ index 9dc60c6..e6556aa 100644 - allow $1 userdomain:fd use; + allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to inherit the file +## Do not audit attempts to use user ttys. +## +## 
@@ -53675,10 +53640,15 @@ index 9dc60c6..e6556aa 100644 + ') + + allow $1 userdomain:fd use; - ') - - ######################################## -@@ -3382,6 +4479,42 @@ interface(`userdom_signal_all_users',` ++') ++ ++######################################## ++## ++## Do not audit attempts to inherit the file + ## descriptors from any user domains. + ## + ## +@@ -3382,6 +4484,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -53721,7 +53691,7 @@ index 9dc60c6..e6556aa 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4535,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4540,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -53782,7 +53752,7 @@ index 9dc60c6..e6556aa 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4627,1781 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index ea4e912..25514be 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -10794,7 +10794,7 @@ index 02fefaa..308616e 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..3c5a83a 100644 +index 687d4c4..f668033 100644 --- a/boinc.te +++ b/boinc.te @@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1) @@ -10887,7 +10887,7 @@ index 687d4c4..3c5a83a 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) 
@@ -10925,6 +10925,7 @@ index 687d4c4..3c5a83a 100644 -corenet_all_recvfrom_unlabeled(boinc_t) +dev_getattr_mouse_dev(boinc_t) ++dev_rw_dri(boinc_t) + +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) @@ -10984,7 +10985,7 @@ index 687d4c4..3c5a83a 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -137,8 +151,9 @@ init_read_utmp(boinc_t) +@@ -137,8 +152,9 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -10996,7 +10997,7 @@ index 687d4c4..3c5a83a 100644 tunable_policy(`boinc_execmem',` allow boinc_t self:process { execstack execmem }; -@@ -148,48 +163,61 @@ optional_policy(` +@@ -148,48 +164,61 @@ optional_policy(` mta_send_mail(boinc_t) ') @@ -32031,10 +32032,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..33654d5 +index 0000000..c31e40e --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,297 @@ +@@ -0,0 +1,302 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32099,7 +32100,7 @@ index 0000000..33654d5 +allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; + +allow glusterd_t self:capability2 block_suspend; -+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched }; ++allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; +allow glusterd_t self:sem create_sem_perms; +allow glusterd_t self:fifo_file rw_fifo_file_perms; +allow glusterd_t self:tcp_socket { accept listen }; @@ -32283,6 +32284,11 @@ index 0000000..33654d5 + hostname_exec(glusterd_t) +') + ++ ++optional_policy(` ++ kerberos_read_keytab(glusterd_t) ++') ++ +optional_policy(` + lvm_domtrans(glusterd_t) +') 
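Review bot: `dev_rw_dri(boinc_t)` is an unconditional read/write grant on every DRI device node for the BOINC client domain, and nothing in the file ties it to the GPU/OpenCL use case named in the commit message; a comment such as `# GPU detection / OpenCL compute needs /dev/dri` next to it would let a later reviewer judge whether the access can be narrowed or put behind a boolean. If the OpenCL kernels themselves are executed by project applications in a separate domain rather than by the client process, this grant alone would not cover the reported case — worth confirming against the bug before it is closed. The remaining boinc_t rules in this hunk are unchanged context.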
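Review bot: The added `setfscreate` in the `self:process` rule is missing the space before the closing brace; checkpolicy accepts it, but it breaks the file's formatting, so `allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate };`. `setfscreate` lets glusterd_t choose the label of files it creates (bounded by the create permissions it already holds on other types), and the later hunk in this file grants `kerberos_read_keytab(glusterd_t)`, i.e. read access to the host's long-term Kerberos service keys; neither line says which glusterd feature requires it, so a short `# ...` comment above each would record the justification for two fairly sensitive grants. The kerberos `optional_policy` block is also preceded by two blank lines where the rest of the file uses one.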
@@ -37022,6 +37028,166 @@ index 0000000..28816b4 +auth_use_nsswitch(hsqldb_t) + +sysnet_read_config(hsqldb_t) +diff --git a/hwloc.fc b/hwloc.fc +new file mode 100644 +index 0000000..d0c5a15 +--- /dev/null ++++ b/hwloc.fc +@@ -0,0 +1,5 @@ ++/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0) ++ ++/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0) ++ ++/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0) +diff --git a/hwloc.if b/hwloc.if +new file mode 100644 +index 0000000..c2349ec +--- /dev/null ++++ b/hwloc.if +@@ -0,0 +1,106 @@ ++## Dump topology and locality information from hardware tables. ++ ++######################################## ++## ++## Execute hwloc dhwd in the hwloc dhwd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`hwloc_domtrans_dhwd',` ++ gen_require(` ++ type hwloc_dhwd_t, hwloc_dhwd_exec_t; ++ ') ++ ++ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t) ++') ++ ++######################################## ++## ++## Execute hwloc dhwd in the hwloc dhwd domain, and ++## allow the specified role the hwloc dhwd domain, ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`hwloc_run_dhwd',` ++ gen_require(` ++ attribute_role hwloc_dhwd_roles; ++ ') ++ ++ hwloc_domtrans_dhwd($1) ++ roleattribute $2 hwloc_dhwd_roles; ++') ++ ++######################################## ++## ++## Execute hwloc dhwd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hwloc_exec_dhwd',` ++ gen_require(` ++ type hwloc_dhwd_exec_t; ++ ') ++ ++ can_exec($1, hwloc_dhwd_exec_t) ++') ++ ++######################################## ++## ++## Read hwloc runtime files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`hwloc_read_runtime_files',` ++ gen_require(` ++ type hwloc_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t) ++') ++ ++######################################## ++## ++## All of the rules required to ++## administrate an hwloc environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`hwloc_admin',` ++ gen_require(` ++ type hwloc_dhwd_t, hwloc_var_run_t; ++ ') ++ ++ allow $1 hwloc_dhwd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, hwloc_dhwd_t) ++ ++ admin_pattern($1, hwloc_var_run_t) ++ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc") ++') +diff --git a/hwloc.te b/hwloc.te +new file mode 100644 +index 0000000..0f45fd5 +--- /dev/null ++++ b/hwloc.te +@@ -0,0 +1,31 @@ ++policy_module(hwloc, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute_role hwloc_dhwd_roles; ++roleattribute system_r hwloc_dhwd_roles; ++ ++type hwloc_dhwd_t; ++type hwloc_dhwd_exec_t; ++init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t) ++role hwloc_dhwd_roles types hwloc_dhwd_t; ++ ++type hwloc_var_run_t; ++files_pid_file(hwloc_var_run_t) ++ ++type hwloc_dhwd_unit_t; ++systemd_unit_file(hwloc_dhwd_unit_t) ++ ++######################################## ++# ++# Local policy ++# ++ ++allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms; ++allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms; ++files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir) ++ ++dev_read_sysfs(hwloc_dhwd_t) diff --git a/hypervkvp.fc b/hypervkvp.fc index b46130e..e2ae3b2 100644 --- a/hypervkvp.fc @@ -48067,7 +48233,7 @@ index 0000000..8bc27f4 +domain_use_interactive_fds(mcollective_t) + diff --git a/mediawiki.fc b/mediawiki.fc -index 99f7c41..93ec6db 100644 +index 99f7c41..1745603 100644 --- a/mediawiki.fc +++ b/mediawiki.fc @@ -1,8 +1,8 @@ 
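Review bot: `hwloc_admin` does not cover `hwloc_dhwd_unit_t`, even though hwloc.te declares that unit-file type and hwloc.fc labels the systemd unit with it, so an admin role given this interface can manage `/var/run/hwloc` and signal the daemon but cannot start, stop or enable the service; if that is meant to be part of administering hwloc, add `type hwloc_dhwd_unit_t;` to the interface's `gen_require` and `allow $1 hwloc_dhwd_unit_t:service all_service_perms;` to its body, as the other admin interfaces in this policy do. The interface also never calls `hwloc_run_dhwd`, so the admin domain cannot transition into `hwloc_dhwd_t` to run the dump manually — presumably fine since the unit does that, but worth a one-line comment. The rest of the new module (`init_system_domain`, managed pid dir, `dev_read_sysfs`) matches the usual shape of a one-shot system domain.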
@@ -48079,12 +48245,12 @@ index 99f7c41..93ec6db 100644 +/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) -/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) -+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0) ++/usr/share/mediawiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0) -/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) -/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) -+/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0) -+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0) ++/var/www/wiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0) ++/var/www/wiki[0-9]?\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0) diff --git a/mediawiki.if b/mediawiki.if index 9771b4b..9b183e6 100644 --- a/mediawiki.if @@ -57009,7 +57175,7 @@ index d78dfc3..40e1c77 100644 -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/nagios.if b/nagios.if -index 0641e97..438eeb3 100644 +index 0641e97..f3b1111 100644 --- a/nagios.if +++ b/nagios.if @@ -1,12 +1,13 @@ @@ -57058,12 +57224,10 @@ index 0641e97..438eeb3 100644 + + kernel_read_system_state(nagios_$1_plugin_t) + - ') - - ######################################## - ## --## Do not audit attempts to read or --## write nagios unnamed pipes. ++') ++ ++######################################## ++## +## Execute the nagios unconfined plugins with +## a domain transition. +## 
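Review bot: The last added line of the mediawiki.fc hunk, `/var/www/wiki[0-9]?\.php`, drops the `/.*` that the replaced entry `/var/www/wiki/.*\.php` had, so as an anchored file-context regex it only matches a file literally named `/var/www/wiki.php` (or with one digit before `.php`); every `.php` script below `/var/www/wiki/` then falls through to the directory rule above it and is labelled `mediawiki_rw_content_t`, the writable-content type, instead of `mediawiki_content_t`. The intended line is `+/var/www/wiki[0-9]?/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)`. Separately, `[0-9]?` admits at most one digit, so if the changelog's "mediawiki123" refers to a literal `/usr/share/mediawiki123` or `/var/www/wiki123` path, neither new pattern will match it and `[0-9]*` is presumably what was meant; worth confirming against the package's actual install paths.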
@@ -57080,10 +57244,12 @@ index 0641e97..438eeb3 100644 + ') + + domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read or +-## write nagios unnamed pipes. +## Do not audit attempts to read or write nagios +## unnamed pipes. ## @@ -57160,10 +57326,11 @@ index 0641e97..438eeb3 100644 - files_search_spool($1) allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read nagios temporary files. +## Append nagios spool files. +## +## @@ -57179,11 +57346,10 @@ index 0641e97..438eeb3 100644 + + allow $1 nagios_spool_t:file append_file_perms; + files_search_spool($1) - ') - - ######################################## - ## --## Read nagios temporary files. ++') ++ ++######################################## ++## +## Allow the specified domain to read +## nagios temporary files. ## @@ -57196,11 +57362,10 @@ index 0641e97..438eeb3 100644 - files_search_tmp($1) allow $1 nagios_tmp_t:file read_file_perms; + files_search_tmp($1) - ') - - ######################################## - ## --## Execute nrpe with a domain transition. ++') ++ ++######################################## ++## +## Allow the specified domain to read +## nagios temporary files. +## @@ -57217,16 +57382,17 @@ index 0641e97..438eeb3 100644 + + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute nrpe with a domain transition. +## Execute the nagios NRPE with +## a domain transition. ## ## ## -@@ -170,14 +243,13 @@ interface(`nagios_domtrans_nrpe',` +@@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',` type nrpe_t, nrpe_exec_t; ') 
@@ -57234,6 +57400,24 @@ index 0641e97..438eeb3 100644 domtrans_pattern($1, nrpe_exec_t, nrpe_t) ') ++###################################### ++## ++## Do not audit attempts to write nrpe daemon unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_dontaudit_write_pipes_nrpe',` ++ gen_require(` ++ type nrpe_t; ++ ') ++ ++ dontaudit $1 nrpe_t:fifo_file write; ++') ++ ######################################## ## -## All of the rules required to @@ -57243,7 +57427,7 @@ index 0641e97..438eeb3 100644 ## ## ## -@@ -186,44 +258,43 @@ interface(`nagios_domtrans_nrpe',` +@@ -186,44 +276,43 @@ interface(`nagios_domtrans_nrpe',` ## ## ## @@ -85669,10 +85853,10 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..dfb3396 100644 +index 47de2d6..bc62d96 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,95 @@ +@@ -1,31 +1,96 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -85763,6 +85947,7 @@ index 47de2d6..dfb3396 100644 +/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) + +/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0) + +/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0) + @@ -86660,7 +86845,7 @@ index c8bdea2..1574225 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..1a605f9 100644 +index 6cf79c4..943fd8b 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) 
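Review bot: The banner above the new `nagios_dontaudit_write_pipes_nrpe` interface has 38 `#` characters while every other banner in nagios.if visible in this patch uses 40; `########################################` keeps the file uniform. Nothing else in the interface needs changing: a `dontaudit` on `nrpe_t:fifo_file write` adds no permission, it only silences the denial record.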
@@ -87028,7 +87213,7 @@ index 6cf79c4..1a605f9 100644 -allow fenced_t self:process { getsched signal_perms }; -allow fenced_t self:tcp_socket { accept listen }; +allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin }; -+allow fenced_t self:process { getsched setpgid signal_perms }; ++allow fenced_t self:process { getsched setcap setpgid signal_perms }; + +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; @@ -107626,7 +107811,7 @@ index 97cd155..49321a5 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f..948bc5b 100644 +index 585a77f..a7cb326 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1) @@ -107672,7 +107857,7 @@ index 585a77f..948bc5b 100644 dev_read_urand(tmpreaper_t) -@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t) +@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) @@ -107683,11 +107868,9 @@ index 585a77f..948bc5b 100644 -files_getattr_all_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) +-files_setattr_all_tmp_dirs(tmpreaper_t) +files_delete_all_non_security_files(tmpreaper_t) -+# why does it need setattr? - files_setattr_all_tmp_dirs(tmpreaper_t) -+files_setattr_isid_type_dirs(tmpreaper_t) -+files_setattr_usr_dirs(tmpreaper_t) ++files_setattr_non_security_dirs(tmpreaper_t) +files_getattr_all_dirs(tmpreaper_t) +files_getattr_all_files(tmpreaper_t) @@ -107696,7 +107879,7 @@ index 585a77f..948bc5b 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t) +@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) 
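Review bot: The `setcap` permission added to `allow fenced_t self:process { getsched setcap setpgid signal_perms };` carries no explanation, and it sits directly below a capability set that already includes `sys_admin` and `sys_rawio`, so a reader cannot tell whether fenced is raising or dropping capabilities with it. A why-comment on the line, e.g. `# setcap: fenced changes its own capability set (changelog 3.13.1-191, "Allow setcap for fenced"; add the AVC or BZ that motivated it)`, records the justification that the changelog gives only in passing. The fenced local-policy block that this line belongs to continues outside the hunk.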
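Review bot: `files_setattr_non_security_dirs(tmpreaper_t)` replaces three narrower interfaces (`files_setattr_all_tmp_dirs`, `files_setattr_isid_type_dirs`, `files_setattr_usr_dirs`) with setattr over every directory of non_security_file_type, and at the same time removes the `# why does it need setattr?` comment without answering it. Since the widening is the point of the change, the justification belongs in the policy next to the call, e.g. `# setattr on all non-security dirs: needed when purging outside /tmp (changelog 3.13.1-191; add the AVC or BZ that motivated it)`, with the placeholder replaced by the actual denial. Together with `files_delete_all_non_security_files(tmpreaper_t)` two lines above it, the domain can now delete and re-attribute nearly any non-security file on the system, which is worth stating in the tmpreaper.te header the next time that block is touched.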
@@ -107704,7 +107887,7 @@ index 585a77f..948bc5b 100644 miscfiles_delete_man_pages(tmpreaper_t) ifdef(`distro_debian',` -@@ -53,10 +82,33 @@ ifdef(`distro_debian',` +@@ -53,10 +79,33 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -107739,7 +107922,7 @@ index 585a77f..948bc5b 100644 ') optional_policy(` -@@ -64,6 +116,7 @@ optional_policy(` +@@ -64,6 +113,7 @@ optional_policy(` ') optional_policy(` @@ -107747,7 +107930,7 @@ index 585a77f..948bc5b 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -79,7 +132,19 @@ optional_policy(` +@@ -79,7 +129,19 @@ optional_policy(` ') optional_policy(` @@ -107768,7 +107951,7 @@ index 585a77f..948bc5b 100644 ') optional_policy(` -@@ -89,3 +154,8 @@ optional_policy(` +@@ -89,3 +151,8 @@ optional_policy(` optional_policy(` rpm_manage_cache(tmpreaper_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 3eac2b6..abdb6c7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 190%{?dist} +Release: 191%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -645,6 +645,20 @@ exit 0 %endif %changelog +* Thu Jun 08 2016 Lukas Vrabec 3.13.1-191 +- Add hwloc-dump-hwdata SELinux policy +- Add labels for mediawiki123 +- Fix label for all fence_scsi_check scripts +- Allow setcap for fenced +- Allow glusterd domain read krb5_keytab_t files. +- Allow tmpreaper_t to read/setattr all non_security_file_type dirs +- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886) +- Update refpolicy to handle hwloc +- Fix typo in files_setattr_non_security_dirs. +- Add interface files_setattr_non_security_dirs() +- Add support for onloadfs +- Additional access required for unconfined domains + * Mon May 30 2016 Lukas Vrabec 3.13.1-190 - Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te - Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs