From 5bcffd3a3a75e80d9233efe32b10aec4f91ff92a Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 09 2015 10:38:09 +0000 Subject: See Changelog for all changes. --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 014851f..fcd3ecd 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2275,7 +2275,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 0960199..aa51ab2 100644 +index 0960199..2e75ec7 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -2417,7 +2417,7 @@ index 0960199..aa51ab2 100644 ') ') -@@ -178,3 +107,22 @@ interface(`sudo_sigchld',` +@@ -178,3 +107,41 @@ interface(`sudo_sigchld',` allow $1 sudodomain:process sigchld; ') @@ -2440,6 +2440,25 @@ index 0960199..aa51ab2 100644 + + can_exec($1, sudo_exec_t) +') ++ ++###################################### ++## ++## Allow to manage sudo database in called domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sudo_manage_db',` ++ gen_require(` ++ type sudo_db_t; ++ ') ++ ++ manage_dirs_pattern($1, sudo_db_t, sudo_db_t) ++ manage_files_pattern($1, sudo_db_t, sudo_db_t) ++') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index d9fce57..5c4a213 100644 --- a/policy/modules/admin/sudo.te @@ -3324,7 +3343,7 @@ index 7590165..d81185e 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..b48c654 100644 +index 33e0f8d..c5c1122 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
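Review bot: `sudo_manage_db` hands out full create/write/unlink rights on `sudo_db_t`, which this same patch labels onto `/var/db/sudo(/.*)?`, yet its summary "Allow to manage sudo database in called domain" says nothing about what that data is or why write access to it is sensitive. On this layout `/var/db/sudo` is, as far as I can tell, sudo's per-user state directory (time-stamp records on older builds, the lecture markers on newer ones), so a domain with this interface can create or alter the records sudo uses to decide whether to re-prompt for credentials. I would replace the summary with `## Manage sudo's per-user state database under /var/db/sudo (sudo_db_t).` and add `## A caller can forge or clear cached-credential records; grant only to sudo itself and trusted admin tooling.` The callers of the new interface are not visible in this hunk, so each one should be checked against that caveat.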
@@ -3347,7 +3366,16 @@ index 33e0f8d..b48c654 100644 /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -67,18 +69,28 @@ ifdef(`distro_redhat',` +@@ -59,6 +61,8 @@ ifdef(`distro_redhat',` + /etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:bin_t,s0) ++ + /etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) +@@ -67,18 +71,28 @@ ifdef(`distro_redhat',` /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0) /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3376,7 +3404,7 @@ index 33e0f8d..b48c654 100644 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -101,8 +113,6 @@ ifdef(`distro_redhat',` +@@ -101,8 +115,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -3385,7 +3413,7 @@ index 33e0f8d..b48c654 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -116,6 +126,9 @@ ifdef(`distro_redhat',` +@@ -116,6 +128,9 @@ ifdef(`distro_redhat',` /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -3395,7 +3423,7 @@ index 33e0f8d..b48c654 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -135,10 +148,12 @@ ifdef(`distro_debian',` +@@ -135,10 +150,12 @@ ifdef(`distro_debian',` /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -3409,7 +3437,7 @@ index 33e0f8d..b48c654 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -149,10 +164,12 @@ ifdef(`distro_gentoo',` +@@ -149,10 +166,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3423,7 +3451,7 @@ index 33e0f8d..b48c654 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +185,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +187,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3431,7 +3459,7 @@ index 33e0f8d..b48c654 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,34 +197,50 @@ ifdef(`distro_gentoo',` +@@ -179,34 +199,50 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -3491,7 +3519,7 @@ index 33e0f8d..b48c654 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,19 +252,32 @@ ifdef(`distro_gentoo',` +@@ -218,19 +254,32 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3531,7 +3559,7 @@ index 33e0f8d..b48c654 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -245,26 +292,40 @@ ifdef(`distro_gentoo',` +@@ -245,26 +294,40 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3577,7 +3605,7 @@ index 33e0f8d..b48c654 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -280,10 +341,15 @@ ifdef(`distro_gentoo',` +@@ -280,10 +343,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3593,7 +3621,7 @@ index 33e0f8d..b48c654 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +364,22 @@ ifdef(`distro_gentoo',` +@@ -298,16 +366,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3618,7 +3646,7 @@ index 33e0f8d..b48c654 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +397,27 @@ ifdef(`distro_redhat', ` +@@ -325,20 +399,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3647,7 +3675,7 @@ index 33e0f8d..b48c654 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +425,7 @@ ifdef(`distro_redhat', ` +@@ -346,6 +427,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3655,7 +3683,7 @@ index 33e0f8d..b48c654 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,11 +467,16 @@ ifdef(`distro_suse', ` +@@ -387,17 +469,33 @@ ifdef(`distro_suse', ` # # /var # @@ -3673,7 +3701,11 @@ index 33e0f8d..b48c654 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -401,3 +486,12 @@ ifdef(`distro_suse', ` + /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0) + ++/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) ++ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -6125,7 +6157,7 @@ index b31c054..1f28afb 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..4311238 100644 +index 76f285e..99f01e2 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
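Review bot: `/var/lib/glusterd/hooks/.*/.*\.sh -- bin_t` puts trusted-executable labeling onto a tree that is ordinarily written by the glusterd daemon, so the label only holds for files present at `restorecon` time; hook scripts created at runtime will get whatever glusterd's default var_lib transition yields, and this hunk adds no named file transition to `bin_t`. The flip side is that, if the glusterd policy (not visible here) lets glusterd_t write `bin_t`, the daemon could plant scripts that any domain with `corecmd_exec_bin` will run as a trusted executable, which is worth a check. I would annotate the line, e.g. `# glusterd hook scripts: labeled at install/restorecon time; daemon-written files are not relabeled`, and decide whether a filetrans rule belongs in the glusterd module.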
@@ -7101,45 +7133,45 @@ index 76f285e..4311238 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3814,7 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3814,25 @@ interface(`dev_rw_printer',` ######################################## ## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) +## Relabel the printer device node. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_printer',` ++ gen_require(` ++ type printer_device_t; ++ ') ++ ++ allow $1 printer_device_t:chr_file relabel_chr_file_perms; ++') ++ ++######################################## ++## ++## Read and write the printer device. ## ## ## -@@ -3262,12 +3822,31 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3840,13 @@ interface(`dev_rw_printer',` ## ## # -interface(`dev_read_printk',` -+interface(`dev_relabel_printer',` ++interface(`dev_manage_printer',` gen_require(` - type device_t, printk_device_t; -+ type printer_device_t; ++ type device_t, printer_device_t; ') - read_chr_files_pattern($1, device_t, printk_device_t) -+ allow $1 printer_device_t:chr_file relabel_chr_file_perms; -+') -+ -+######################################## -+## -+## Read and write the printer device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_manage_printer',` -+ gen_require(` -+ type device_t, printer_device_t; -+ ') -+ + manage_chr_files_pattern($1, device_t, printer_device_t) + dev_filetrans_printer_named_dev($1) ') 
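Review bot: `dev_access_check_sysfs` allows only `sysfs_t:dir audit_access`, and the summary "Access check for a sysfs directories." does not tell a caller what that buys them. As far as I know `audit_access` is never part of the permission set checked for a real access; the kernel consults it only to decide whether a denied access(2)/faccessat(2) probe gets audited, so this interface grants no read, search or write on sysfs and an `allow` of it is a no-op unless some other rule `dontaudit`s the same permission. If the goal is to silence denials from access() probes, the rule should be `dontaudit $1 sysfs_t:dir audit_access;`, matching the `dontaudit $1 domain:dir_file_class_set audit_access;` form used elsewhere in this patch; either way the summary should read `## Handle access(2)-style probes of sysfs directories (grants no actual access).`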
@@ -7286,7 +7318,32 @@ index 76f285e..4311238 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3946,23 +4634,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3928,6 +4616,24 @@ interface(`dev_write_sysfs_dirs',` + + ######################################## + ## ++## Access check for a sysfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_access_check_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ allow $1 sysfs_t:dir audit_access; ++') ++ ++######################################## ++## + ## Do not audit attempts to write in a sysfs directory. + ## + ## +@@ -3946,23 +4652,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -7340,7 +7397,7 @@ index 76f285e..4311238 100644 ######################################## ## ## Read hardware state information. -@@ -4016,6 +4730,62 @@ interface(`dev_rw_sysfs',` +@@ -4016,6 +4748,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -7403,7 +7460,7 @@ index 76f285e..4311238 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +4883,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +4901,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -7429,7 +7486,7 @@ index 76f285e..4311238 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +4912,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +4930,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` @@ -7438,7 +7495,7 @@ index 76f285e..4311238 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5198,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5216,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -7450,7 +7507,7 @@ index 76f285e..4311238 100644 ## ## ## -@@ -4419,17 +5208,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5226,17 @@ interface(`dev_rw_usbfs',` ## ## # 
@@ -7473,7 +7530,7 @@ index 76f285e..4311238 100644 ## ## ## -@@ -4437,12 +5226,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5244,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7489,7 +7546,7 @@ index 76f285e..4311238 100644 ') ######################################## -@@ -4539,6 +5328,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5346,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7624,7 +7681,7 @@ index 76f285e..4311238 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5474,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5492,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7649,7 +7706,7 @@ index 76f285e..4311238 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5697,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5715,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7694,7 +7751,7 @@ index 76f285e..4311238 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5824,966 @@ interface(`dev_unconfined',` +@@ -4851,3 +5842,966 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -9069,7 +9126,7 @@ index 6a1e4d1..549967a 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..f372320 100644 +index cf04cb5..ed54d58 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) 
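Review bot: The `#optional_policy(` / `# docker_filetrans_named_content(named_filetrans_domain)` / `#')` block in domain.te is commented-out policy with no note on why it is parked; blocks like this get uncommented later to fix a denial without re-review, and this one would give every member of `named_filetrans_domain` a file transition into docker-labelled content. Either drop it or keep it with a one-line reason, e.g. `# docker_filetrans_named_content deliberately disabled: TODO(state reason or tracking bug)`, so the next reader knows whether it is waiting on the docker module or was rejected.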
@@ -9222,7 +9279,7 @@ index cf04cb5..f372320 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +242,357 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +242,361 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9242,6 +9299,10 @@ index cf04cb5..f372320 100644 + kdump_filetrans_named_content(unconfined_domain_type) +') + ++#optional_policy(` ++# docker_filetrans_named_content(named_filetrans_domain) ++#') ++ +optional_policy(` + locallogin_filetrans_home_content(named_filetrans_domain) +') @@ -18016,7 +18077,7 @@ index 7be4ddf..4d4c577 100644 -# This module currently does not have any file contexts. +/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 6d0811d..f67bd8f 100644 +index 6d0811d..708f074 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` @@ -18084,15 +18145,20 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:filesystem getattr; ') -@@ -221,6 +235,7 @@ interface(`selinux_search_fs',` +@@ -221,7 +235,12 @@ interface(`selinux_search_fs',` ') dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir search_dir_perms; ++ ++ optional_policy(` ++ seutil_search_config($1) ++ ') ') -@@ -244,6 +259,28 @@ interface(`selinux_dontaudit_search_fs',` + ######################################## +@@ -244,6 +263,28 @@ interface(`selinux_dontaudit_search_fs',` ######################################## ## 
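Review bot: `selinux_search_fs` now also pulls `seutil_search_config($1)` into every caller, which silently widens an interface that was only about searching selinuxfs to include search on the selinuxutil module's config tree (`/etc/selinux`, as I read `seutil_search_config`). Callers that genuinely need both should call `seutil_search_config` themselves; a kernel-layer interface reaching into a system-layer module through `optional_policy` is also the reverse of refpolicy's layering. If the coupling is intentional, document it in the interface header, e.g. `## Also allows searching the SELinux configuration directory, presumably because libselinux consults it alongside selinuxfs.`, hedged because the motivating denial is not visible here. The opening lines of `selinux_search_fs` lie outside the hunk.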
@@ -18121,7 +18187,7 @@ index 6d0811d..f67bd8f 100644 ## Do not audit attempts to read ## generic selinuxfs entries ## -@@ -258,6 +295,7 @@ interface(`selinux_dontaudit_read_fs',` +@@ -258,6 +299,7 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') @@ -18129,7 +18195,7 @@ index 6d0811d..f67bd8f 100644 dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') -@@ -280,8 +318,10 @@ interface(`selinux_get_enforce_mode',` +@@ -280,8 +322,10 @@ interface(`selinux_get_enforce_mode',` ') dev_search_sysfs($1) @@ -18140,7 +18206,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -310,22 +350,12 @@ interface(`selinux_set_enforce_mode',` +@@ -310,22 +354,12 @@ interface(`selinux_set_enforce_mode',` gen_require(` type security_t; attribute can_setenforce; @@ -18163,7 +18229,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -342,22 +372,13 @@ interface(`selinux_load_policy',` +@@ -342,22 +376,13 @@ interface(`selinux_load_policy',` gen_require(` type security_t; attribute can_load_policy; @@ -18187,7 +18253,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -378,6 +399,7 @@ interface(`selinux_read_policy',` +@@ -378,6 +403,7 @@ interface(`selinux_read_policy',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; @@ -18195,7 +18261,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:security read_policy; ') -@@ -438,19 +460,15 @@ interface(`selinux_set_boolean',` +@@ -438,19 +464,15 @@ interface(`selinux_set_boolean',` interface(`selinux_set_generic_booleans',` gen_require(` type security_t; 
@@ -18218,7 +18284,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -479,25 +497,16 @@ interface(`selinux_set_all_booleans',` +@@ -479,25 +501,16 @@ interface(`selinux_set_all_booleans',` gen_require(` type security_t, secure_mode_policyload_t; attribute boolean_type; @@ -18250,7 +18316,7 @@ index 6d0811d..f67bd8f 100644 ') ######################################## -@@ -528,7 +537,9 @@ interface(`selinux_set_parameters',` +@@ -528,7 +541,9 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') @@ -18260,7 +18326,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; -@@ -552,7 +563,9 @@ interface(`selinux_validate_context',` +@@ -552,7 +567,9 @@ interface(`selinux_validate_context',` type security_t; ') @@ -18270,7 +18336,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security check_context; -@@ -595,7 +608,9 @@ interface(`selinux_compute_access_vector',` +@@ -595,7 +612,9 @@ interface(`selinux_compute_access_vector',` type security_t; ') @@ -18280,7 +18346,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; -@@ -617,7 +632,9 @@ interface(`selinux_compute_create_context',` +@@ -617,7 +636,9 @@ interface(`selinux_compute_create_context',` type security_t; ') @@ -18290,7 +18356,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; -@@ -639,7 +656,9 @@ interface(`selinux_compute_member',` +@@ -639,7 +660,9 @@ interface(`selinux_compute_member',` type security_t; ') 
@@ -18300,7 +18366,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_member; -@@ -669,7 +688,9 @@ interface(`selinux_compute_relabel_context',` +@@ -669,7 +692,9 @@ interface(`selinux_compute_relabel_context',` type security_t; ') @@ -18310,7 +18376,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; -@@ -677,6 +698,29 @@ interface(`selinux_compute_relabel_context',` +@@ -677,6 +702,29 @@ interface(`selinux_compute_relabel_context',` ######################################## ## @@ -18340,7 +18406,7 @@ index 6d0811d..f67bd8f 100644 ## Allows caller to compute possible contexts for a user. ## ## -@@ -690,7 +734,9 @@ interface(`selinux_compute_user_contexts',` +@@ -690,7 +738,9 @@ interface(`selinux_compute_user_contexts',` type security_t; ') @@ -18350,7 +18416,7 @@ index 6d0811d..f67bd8f 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; -@@ -712,4 +758,28 @@ interface(`selinux_unconfined',` +@@ -712,4 +762,28 @@ interface(`selinux_unconfined',` ') typeattribute $1 selinux_unconfined_type; @@ -19136,7 +19202,7 @@ index 0ea25b6..37069ae 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index cbb729b..ef15aac 100644 +index cbb729b..f118b2a 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` 
@@ -19363,7 +19429,36 @@ index cbb729b..ef15aac 100644 ## ## # -@@ -1165,6 +1282,25 @@ interface(`term_relabel_unallocated_ttys',` +@@ -1067,6 +1184,28 @@ interface(`term_getattr_unallocated_ttys',` + + ######################################## + ## ++## Allow open access for all unallocated ++## tty device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_open_unallocated_ttys',` ++ gen_require(` ++ type tty_device_t; ++ ') ++ ++ dev_list_all_dev_nodes($1) ++ allow $1 tty_device_t:chr_file open; ++') ++ ++ ++ ++######################################## ++## + ## Do not audit attempts to get the attributes + ## of all unallocated tty device nodes. + ## +@@ -1165,6 +1304,25 @@ interface(`term_relabel_unallocated_ttys',` ######################################## ## @@ -19389,7 +19484,7 @@ index cbb729b..ef15aac 100644 ## Relabel from all user tty types to ## the unallocated tty type. ## -@@ -1259,7 +1395,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1259,7 +1417,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -19438,7 +19533,7 @@ index cbb729b..ef15aac 100644 ') ######################################## -@@ -1275,11 +1451,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1275,11 +1473,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -19452,7 +19547,7 @@ index cbb729b..ef15aac 100644 ') ######################################## -@@ -1296,10 +1474,12 @@ interface(`term_getattr_all_ttys',` +@@ -1296,10 +1496,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -19465,7 +19560,7 @@ index cbb729b..ef15aac 100644 ') ######################################## -@@ -1377,7 +1557,27 @@ interface(`term_use_all_ttys',` +@@ -1377,7 +1579,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) 
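Review bot: `term_open_unallocated_ttys` grants only `tty_device_t:chr_file open`, which on its own cannot open anything, since open(2) is checked for `open` together with `read` and/or `write` according to the flags; the interface is therefore only useful as a complement to a domain that already gets read/write on `tty_device_t` elsewhere, and the doc should say so: `## Only the open permission is granted; pair with a read/write grant such as term_use_unallocated_ttys.` There are also three stray blank `+` lines between the closing `')` and the next `####` banner where the file otherwise uses one. Note too that `dev_list_all_dev_nodes($1)` is a wider grant than a plain search of `/dev`, which the summary could mention.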
@@ -19494,7 +19589,7 @@ index cbb729b..ef15aac 100644 ') ######################################## -@@ -1396,7 +1596,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1396,7 +1618,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -19503,7 +19598,7 @@ index cbb729b..ef15aac 100644 ') ######################################## -@@ -1504,7 +1704,7 @@ interface(`term_use_all_user_ttys',` +@@ -1504,7 +1726,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -19512,7 +19607,7 @@ index cbb729b..ef15aac 100644 ## ## # -@@ -1513,21 +1713,435 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1513,21 +1735,435 @@ interface(`term_dontaudit_use_all_user_ttys',` term_dontaudit_use_all_ttys($1) ') @@ -20136,7 +20231,7 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..c57c9cf 100644 +index 0fef1fc..eb39093 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,72 @@ policy_module(staff, 2.4.0) @@ -20212,7 +20307,7 @@ index 0fef1fc..c57c9cf 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +83,110 @@ optional_policy(` +@@ -23,11 +83,115 @@ optional_policy(` ') optional_policy(` @@ -20239,8 +20334,12 @@ index 0fef1fc..c57c9cf 100644 dbadm_role_change(staff_r) ') - optional_policy(` -- git_role(staff_r, staff_t) ++#optional_policy(` ++# docker_stream_connect(staff_t) ++# docker_exec(staff_t) ++#') ++ ++optional_policy(` + dnsmasq_read_pid_files(staff_t) +') + @@ -20305,7 +20404,8 @@ index 0fef1fc..c57c9cf 100644 + oident_relabel_user_content(staff_t) +') + -+optional_policy(` + optional_policy(` +- git_role(staff_r, staff_t) + mta_role(staff_r, staff_t) +') + @@ -20324,7 +20424,7 @@ index 0fef1fc..c57c9cf 100644 ') optional_policy(` -@@ -35,15 +194,31 @@ optional_policy(` +@@ -35,15 +199,31 @@ optional_policy(` ') optional_policy(` 
@@ -20358,7 +20458,7 @@ index 0fef1fc..c57c9cf 100644 ') optional_policy(` -@@ -52,11 +227,61 @@ optional_policy(` +@@ -52,11 +232,61 @@ optional_policy(` ') optional_policy(` @@ -20421,7 +20521,7 @@ index 0fef1fc..c57c9cf 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +290,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +295,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20432,7 +20532,7 @@ index 0fef1fc..c57c9cf 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +299,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +304,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -20443,7 +20543,7 @@ index 0fef1fc..c57c9cf 100644 ') optional_policy(` -@@ -101,10 +318,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +323,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20454,7 +20554,7 @@ index 0fef1fc..c57c9cf 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +338,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +343,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20465,7 +20565,7 @@ index 0fef1fc..c57c9cf 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +350,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +355,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20476,7 +20576,7 @@ index 0fef1fc..c57c9cf 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +381,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +386,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -21188,10 +21288,10 @@ index 0000000..b680867 +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..2a850f2 +index 0000000..4165608 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,671 @@ +@@ -0,0 +1,689 @@ +## Unconfined user role + +######################################## 
@@ -21635,6 +21735,24 @@ index 0000000..2a850f2 + +######################################## +## ++## Dontaudit write process information for unconfined process. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dontaudit_write_state',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:file write; ++') ++ ++######################################## ++## +## Write keys for the unconfined domain. +## +## @@ -23739,7 +23857,7 @@ index fe0c682..3ad1b1f 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..1cd66c2 100644 +index cc877c7..66bf790 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -24200,7 +24318,7 @@ index cc877c7..1cd66c2 100644 + +corecmd_exec_bin(sshd_keygen_t) + -+auth_read_passwd(sshd_keygen_t) ++auth_use_nsswitch(sshd_keygen_t) + +files_rw_etc_dirs(sshd_keygen_t) + @@ -24407,7 +24525,7 @@ index cc877c7..1cd66c2 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..ba82af0 100644 +index 8274418..b3baa75 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,36 @@ @@ -24470,7 +24588,7 @@ index 8274418..ba82af0 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +77,33 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +77,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
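Review bot: `unconfined_dontaudit_write_state` is a dontaudit interface, but its parameter is documented as `## Domain allowed access.`, the wording used for allow rules; refpolicy's convention for dontaudit interfaces is `## Domain to not audit.`, and the summary would be clearer as `## Do not audit attempts to write the process state (/proc/pid) files of unconfined_t.` The rule `dontaudit $1 unconfined_t:file write;` covers every file labelled `unconfined_t`, which in practice means the /proc entries of unconfined processes, presumably the intent, but "process information" in the current summary hides that this is a write suppression on a process domain's state. The surrounding file is the new `unconfineduser.if`, so nothing else in it is affected.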
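Review bot: Replacing `auth_read_passwd(sshd_keygen_t)` with `auth_use_nsswitch(sshd_keygen_t)` is a large widening for a domain whose only job is generating host keys: in refpolicy `auth_use_nsswitch` brings in the whole name-service client surface (NSS config, DNS resolution and, through optional blocks, the nscd/sssd/ldap/winbind/kerberos client rules), not just reading `/etc/passwd`. If the trigger was a user lookup in the sshd-keygen script, say so next to the call, e.g. `# sshd-keygen resolves the sshd user via NSS, which may be backed by sssd/ldap`, so the broader grant is traceable; otherwise `auth_read_passwd` plus the specific missing rule is the least-privilege answer. The remaining `sshd_keygen_t` rules are outside this hunk.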
@@ -24507,10 +24625,11 @@ index 8274418..ba82af0 100644 +/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0) + +/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) ++/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -91,19 +129,34 @@ ifndef(`distro_debian',` +@@ -91,19 +130,34 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -24549,7 +24668,7 @@ index 8274418..ba82af0 100644 /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -111,7 +164,18 @@ ifndef(`distro_debian',` +@@ -111,7 +165,18 @@ ifndef(`distro_debian',` /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -26309,7 +26428,7 @@ index 6bf0ecc..b036584 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..2532a81 100644 +index 8b40377..8c77595 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` 
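Review bot: Labeling `/usr/libexec/Xorg\.wrap` as `xserver_exec_t` gives the setuid wrapper the same entry point as `Xorg.bin`, so the wrapper's privilege-dropping decision runs inside `xserver_t` and then execs `Xorg.bin`, which carries the same label. That second exec is an `xserver_t` executing `xserver_exec_t` with no domain change, so confirm `xserver_t` holds `execute_no_trans` (or an equivalent `can_exec`) on `xserver_exec_t`; the `.te` rules in this patch that might supply it are not in this hunk. A short comment on the fc line would help the next reader, e.g. `# setuid wrapper; shares the xserver_t entry point and execs Xorg.bin`.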
@@ -26696,10 +26815,10 @@ index 8b40377..2532a81 100644 allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; +allow xdm_t self:dbus { send_msg acquire_svc }; ++ ++allow xdm_t xauth_home_t:file manage_file_perms; -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; -+allow xdm_t xauth_home_t:file manage_file_perms; -+ +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) @@ -26872,7 +26991,7 @@ index 8b40377..2532a81 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +611,28 @@ files_list_mnt(xdm_t) +@@ -431,9 +611,29 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -26890,6 +27009,7 @@ index 8b40377..2532a81 100644 +fs_search_all(xdm_t) +fs_rw_anon_inodefs_files(xdm_t) +fs_mount_tmpfs(xdm_t) ++fs_mounton_fusefs(xdm_t) +fs_list_inotifyfs(xdm_t) +fs_dontaudit_list_noxattr_fs(xdm_t) +fs_dontaudit_read_noxattr_fs_files(xdm_t) @@ -26901,7 +27021,7 @@ index 8b40377..2532a81 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +641,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +642,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -26950,7 +27070,7 @@ index 8b40377..2532a81 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +687,159 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +688,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
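Review bot: `fs_mounton_fusefs(xdm_t)` lands in a run of filesystem rules for the display manager with nothing explaining why a greeter needs to mount over FUSE mount points; the same permission is also added to `seunshare_domain` earlier in this patch, so it may be a shared requirement, but that is a guess. Please annotate the line, e.g. `# FUSE (gvfs?) mounts in the greeter session; TODO confirm which component needs this`, so a later reviewer can tell a real requirement from an audit2allow leftover. The enclosing `xdm_t` rule block continues outside the hunk.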
@@ -26998,6 +27118,10 @@ index 8b40377..2532a81 100644 +userdom_filetrans_generic_home_content(xdm_t) + +optional_policy(` ++ dbus_stream_connect_session_bus(xdm_t) ++') ++ ++optional_policy(` + colord_read_lib_files(xdm_t) +') + @@ -27116,7 +27240,7 @@ index 8b40377..2532a81 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +852,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +857,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -27148,7 +27272,7 @@ index 8b40377..2532a81 100644 ') optional_policy(` -@@ -517,9 +886,34 @@ optional_policy(` +@@ -517,9 +891,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -27184,7 +27308,7 @@ index 8b40377..2532a81 100644 ') ') -@@ -530,6 +924,20 @@ optional_policy(` +@@ -530,6 +929,20 @@ optional_policy(` ') optional_policy(` @@ -27205,7 +27329,7 @@ index 8b40377..2532a81 100644 hostname_exec(xdm_t) ') -@@ -547,28 +955,78 @@ optional_policy(` +@@ -547,28 +960,78 @@ optional_policy(` ') optional_policy(` @@ -27293,7 +27417,7 @@ index 8b40377..2532a81 100644 ') optional_policy(` -@@ -580,6 +1038,14 @@ optional_policy(` +@@ -580,6 +1043,14 @@ optional_policy(` ') optional_policy(` @@ -27308,7 +27432,7 @@ index 8b40377..2532a81 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1060,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1065,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; 
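Review bot: The new `optional_policy(` block holding `dbus_stream_connect_session_bus(xdm_t)` is placed between the userdom rules and the colord block, while the other xdm_t dbus rules (`dbus_system_bus_client(xdm_t)`, `dbus_connect_system_bus(xdm_t)`) live in a later `optional_policy` block further down the same file. Moving the session-bus line into that existing block would keep the whole dbus surface of xdm_t readable in one place; both blocks are gated on the same module, so the resulting policy is unchanged. The file continues well past this hunk.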
@@ -27317,7 +27441,7 @@ index 8b40377..2532a81 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1070,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1075,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -27330,7 +27454,7 @@ index 8b40377..2532a81 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1087,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1092,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -27346,7 +27470,7 @@ index 8b40377..2532a81 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1103,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1108,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -27357,7 +27481,7 @@ index 8b40377..2532a81 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1118,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1123,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -27394,7 +27518,7 @@ index 8b40377..2532a81 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1164,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1169,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -27426,7 +27550,7 @@ index 8b40377..2532a81 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1197,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1202,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -27441,7 +27565,7 @@ index 8b40377..2532a81 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1218,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1223,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -27465,7 +27589,7 @@ index 8b40377..2532a81 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1237,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1242,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) 
@@ -27474,7 +27598,7 @@ index 8b40377..2532a81 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1281,54 @@ optional_policy(` +@@ -785,17 +1286,54 @@ optional_policy(` ') optional_policy(` @@ -27531,7 +27655,7 @@ index 8b40377..2532a81 100644 ') optional_policy(` -@@ -803,6 +1336,10 @@ optional_policy(` +@@ -803,6 +1341,10 @@ optional_policy(` ') optional_policy(` @@ -27542,7 +27666,7 @@ index 8b40377..2532a81 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1355,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1360,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -27567,7 +27691,7 @@ index 8b40377..2532a81 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1378,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1383,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -27602,7 +27726,7 @@ index 8b40377..2532a81 100644 ') optional_policy(` -@@ -912,7 +1443,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1448,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -27611,7 +27735,7 @@ index 8b40377..2532a81 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1497,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1502,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -27643,7 +27767,7 @@ index 8b40377..2532a81 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1543,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1548,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -28936,7 +29060,7 @@ index 3efd5b6..9e85ea0 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..03657db 100644 +index 09b791d..15dea9c 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -29260,7 +29384,7 @@ index 09b791d..03657db 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +520,155 @@ optional_policy(` +@@ -456,10 +520,156 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -29300,6 +29424,7 @@ index 09b791d..03657db 100644 +allow login_pgm self:process setkeycreate; +allow login_pgm self:key manage_key_perms; +userdom_manage_all_users_keys(login_pgm) ++allow login_pgm nsswitch_domain:key manage_key_perms; + +files_list_var_lib(login_pgm) +manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t) @@ -31645,7 +31770,7 @@ index 79a45f6..ca8a198 100644 + read_files_pattern($1, init_var_lib_t, init_var_lib_t) +') 
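Review bot: `allow login_pgm nsswitch_domain:key manage_key_perms;` grants every login program the full key permission set on the keyrings of every domain carrying the nsswitch_domain attribute, a much wider target than the `self:key` and `userdom_manage_all_users_keys(login_pgm)` rules next to it, and the hunk does not say which key operation actually failed. Suggest narrowing to the subset seen in the denial, or at least documenting it inline, e.g. `# login_pgm needs <perm set> on nsswitch_domain keyrings for <reason>`; if the need is only to locate keys owned by nsswitch clients, `{ search link }` (as already used for xdm_t self:key in xserver.te earlier in this patch) is a smaller starting point — confirm against the AVC before keeping manage_key_perms. The login_pgm block continues outside this hunk.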
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..1381948 100644 +index 17eda24..740457b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -31755,7 +31880,7 @@ index 17eda24..1381948 100644 type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -98,7 +145,10 @@ ifdef(`enable_mls',` +@@ -98,7 +145,11 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -31763,11 +31888,12 @@ index 17eda24..1381948 100644 +allow init_t self:capability ~{ audit_control audit_write sys_module }; +allow init_t self:capability2 ~{ mac_admin mac_override }; +allow init_t self:tcp_socket { listen accept }; ++allow init_t self:packet_socket create_socket_perms; +allow init_t self:key manage_key_perms; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +158,43 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +159,43 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; @@ -31817,7 +31943,7 @@ index 17eda24..1381948 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +204,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +205,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -31842,7 +31968,7 @@ index 17eda24..1381948 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +228,23 @@ domain_signal_all_domains(init_t) +@@ -139,14 +229,24 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) 
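Review bot: `allow init_t self:packet_socket create_socket_perms;` gives PID 1 raw link-layer sockets, and since the preceding `allow init_t self:capability ~{ audit_control audit_write sys_module };` already leaves net_raw permitted, nothing else in this block constrains that access; the line carries no comment on which init component opens packet sockets. Suggest `# packet_socket: needed by <component or AVC reference>` so the grant can be revisited, and checking whether that consumer runs in its own domain, where the rule would belong instead of on init_t. The init_t self-rules block this hunk belongs to starts before the hunk.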
@@ -31855,6 +31981,7 @@ index 17eda24..1381948 100644 +files_read_system_conf_files(init_t) files_rw_generic_pids(init_t) files_dontaudit_search_isid_type_dirs(init_t) ++files_read_isid_type_files(init_t) +files_read_etc_runtime_files(init_t) +files_manage_all_locks(init_t) files_manage_etc_runtime_files(init_t) @@ -31867,7 +31994,7 @@ index 17eda24..1381948 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +254,53 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +256,53 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -31925,7 +32052,7 @@ index 17eda24..1381948 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +309,242 @@ ifdef(`distro_gentoo',` +@@ -186,29 +311,242 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -32177,7 +32304,7 @@ index 17eda24..1381948 100644 ') optional_policy(` -@@ -216,7 +552,31 @@ optional_policy(` +@@ -216,7 +554,31 @@ optional_policy(` ') optional_policy(` @@ -32209,7 +32336,7 @@ index 17eda24..1381948 100644 ') ######################################## -@@ -225,9 +585,9 @@ optional_policy(` +@@ -225,9 +587,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -32221,7 +32348,7 @@ index 17eda24..1381948 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +618,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +620,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
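Review bot: `files_read_isid_type_files(init_t)` adds a real read grant next to the existing `files_dontaudit_search_isid_type_dirs(init_t)`, which so far only silenced the search attempts; judging by the interface name this targets files whose type is the initial-SID file type, i.e. content that carries no security label at all (confirm against the files module). Reading unlabeled files from PID 1 usually points at a missing file context or a missing early-boot relabel rather than a permission that should be permanent, so a comment naming the unlabeled path would let the rule be removed once labeling is fixed, e.g. `# init reads unlabeled files under <path>; drop once the path is labeled`. The init_t files_* block starts before this hunk.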
@@ -32238,7 +32365,7 @@ index 17eda24..1381948 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +643,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +645,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -32281,7 +32408,7 @@ index 17eda24..1381948 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +680,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +682,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -32293,7 +32420,7 @@ index 17eda24..1381948 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +692,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +694,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -32304,7 +32431,7 @@ index 17eda24..1381948 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +703,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +705,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -32314,7 +32441,7 @@ index 17eda24..1381948 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +712,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +714,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -32322,7 +32449,7 @@ index 17eda24..1381948 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +719,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +721,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -32330,7 +32457,7 @@ index 17eda24..1381948 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +727,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +729,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -32348,7 +32475,7 @@ index 17eda24..1381948 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +745,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +747,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -32362,7 +32489,7 @@ index 17eda24..1381948 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +760,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +762,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -32376,7 +32503,7 @@ index 17eda24..1381948 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +773,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +775,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -32387,7 +32514,7 @@ index 17eda24..1381948 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +786,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +788,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -32395,7 +32522,7 @@ index 17eda24..1381948 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +805,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +807,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -32419,7 +32546,7 @@ index 17eda24..1381948 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +838,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +840,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -32427,7 +32554,7 @@ index 17eda24..1381948 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +872,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +874,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -32438,7 +32565,7 @@ index 17eda24..1381948 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +896,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +898,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -32447,7 +32574,7 @@ index 17eda24..1381948 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +911,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +913,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -32455,7 +32582,7 @@ index 17eda24..1381948 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +932,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +934,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -32463,7 +32590,7 @@ index 17eda24..1381948 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +942,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +944,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -32508,7 +32635,7 @@ index 17eda24..1381948 100644 ') optional_policy(` -@@ -559,14 +987,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +989,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -32540,7 +32667,7 @@ index 17eda24..1381948 100644 ') ') -@@ -577,6 +1022,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1024,39 @@ ifdef(`distro_suse',` ') ') @@ -32580,7 +32707,7 @@ index 17eda24..1381948 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1067,8 @@ optional_policy(` +@@ -589,6 +1069,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -32589,7 +32716,7 @@ index 17eda24..1381948 100644 ') optional_policy(` -@@ -610,6 +1090,7 @@ optional_policy(` +@@ -610,6 +1092,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -32597,7 +32724,7 @@ index 17eda24..1381948 100644 ') optional_policy(` -@@ -626,6 +1107,17 @@ optional_policy(` +@@ -626,6 +1109,17 @@ optional_policy(` ') optional_policy(` @@ -32615,7 +32742,7 @@ index 17eda24..1381948 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1134,13 @@ optional_policy(` +@@ -642,9 +1136,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -32629,7 +32756,7 @@ index 17eda24..1381948 100644 ') optional_policy(` -@@ -657,15 +1153,11 @@ optional_policy(` +@@ -657,15 +1155,11 @@ optional_policy(` ') optional_policy(` @@ -32647,7 +32774,7 @@ index 17eda24..1381948 100644 ') optional_policy(` -@@ -686,6 +1178,15 @@ optional_policy(` +@@ -686,6 +1180,15 @@ optional_policy(` ') optional_policy(` @@ -32663,7 +32790,7 @@ index 17eda24..1381948 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1227,7 @@ optional_policy(` +@@ -726,6 +1229,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -32671,7 +32798,7 @@ index 17eda24..1381948 100644 ') optional_policy(` -@@ -743,7 +1245,13 @@ optional_policy(` +@@ -743,7 +1247,13 @@ optional_policy(` ') optional_policy(` @@ -32686,7 +32813,7 @@ index 17eda24..1381948 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1274,10 @@ optional_policy(` +@@ -766,6 +1276,10 @@ optional_policy(` ') optional_policy(` @@ -32697,7 +32824,7 @@ index 17eda24..1381948 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1287,20 @@ optional_policy(` +@@ -775,10 +1289,20 @@ optional_policy(` ') optional_policy(` @@ -32718,7 +32845,7 @@ index 17eda24..1381948 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1309,10 @@ optional_policy(` +@@ -787,6 +1311,10 @@ optional_policy(` ') optional_policy(` @@ -32729,7 +32856,7 @@ index 17eda24..1381948 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1334,6 @@ optional_policy(` +@@ -808,8 +1336,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -32738,7 +32865,7 @@ index 17eda24..1381948 100644 ') optional_policy(` -@@ -818,6 +1342,10 @@ optional_policy(` +@@ -818,6 +1344,10 @@ optional_policy(` ') optional_policy(` 
@@ -32749,7 +32876,7 @@ index 17eda24..1381948 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1355,12 @@ optional_policy(` +@@ -827,10 +1357,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -32762,7 +32889,7 @@ index 17eda24..1381948 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1387,60 @@ optional_policy(` +@@ -857,21 +1389,60 @@ optional_policy(` ') optional_policy(` @@ -32824,7 +32951,7 @@ index 17eda24..1381948 100644 ') optional_policy(` -@@ -887,6 +1456,10 @@ optional_policy(` +@@ -887,6 +1458,10 @@ optional_policy(` ') optional_policy(` @@ -32835,7 +32962,7 @@ index 17eda24..1381948 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1470,218 @@ optional_policy(` +@@ -897,3 +1472,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -33117,10 +33244,35 @@ index 662e79b..d32012f 100644 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..9395313 100644 +index 0d4c8d3..720ece8 100644 --- a/policy/modules/system/ipsec.if 
+++ b/policy/modules/system/ipsec.if -@@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',` +@@ -18,6 +18,24 @@ interface(`ipsec_domtrans',` + domtrans_pattern($1, ipsec_exec_t, ipsec_t) + ') + ++####################################### ++## ++## Allow read/write ipsec pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_rw_inherited_pipes',` ++ gen_require(` ++ type ipsec_t; ++ ') ++ ++ allow $1 ipsec_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ + ######################################## + ## + ## Connect to IPSEC using a unix domain stream socket. +@@ -55,6 +73,64 @@ interface(`ipsec_domtrans_mgmt',` domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) ') @@ -33185,7 +33337,7 @@ index 0d4c8d3..9395313 100644 ######################################## ## ## Connect to racoon using a unix domain stream socket. -@@ -120,7 +178,6 @@ interface(`ipsec_exec_mgmt',` +@@ -120,7 +196,6 @@ interface(`ipsec_exec_mgmt',` ## ## # @@ -33193,7 +33345,7 @@ index 0d4c8d3..9395313 100644 interface(`ipsec_signal_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -139,7 +196,6 @@ interface(`ipsec_signal_mgmt',` +@@ -139,7 +214,6 @@ interface(`ipsec_signal_mgmt',` ## ## # @@ -33201,7 +33353,7 @@ index 0d4c8d3..9395313 100644 interface(`ipsec_signull_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -158,7 +214,6 @@ interface(`ipsec_signull_mgmt',` +@@ -158,7 +232,6 @@ interface(`ipsec_signull_mgmt',` ## ## # @@ -33209,7 +33361,7 @@ index 0d4c8d3..9395313 100644 interface(`ipsec_kill_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -167,6 +222,60 @@ interface(`ipsec_kill_mgmt',` +@@ -167,6 +240,60 @@ interface(`ipsec_kill_mgmt',` allow $1 ipsec_mgmt_t:process sigkill; ') 
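Review bot: The summary of the new `ipsec_rw_inherited_pipes` interface reads `Allow read/write ipsec pipes`, but the rule it emits is `allow $1 ipsec_t:fifo_file rw_inherited_fifo_file_perms;`, i.e. read/write on a pipe that was already open when the caller received it, without the permission to open it. A caller that has to open the fifo itself will pick this interface by name and still get a denial, so the doc should say what the name only hints at, e.g. `## Read and write ipsec_t fifo files that were inherited already open; no open permission is granted.` The hunk is complete; the rest of ipsec.if follows it.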
@@ -33270,7 +33422,7 @@ index 0d4c8d3..9395313 100644 ###################################### ## ## Send and receive messages from -@@ -225,6 +334,7 @@ interface(`ipsec_match_default_spd',` +@@ -225,6 +352,7 @@ interface(`ipsec_match_default_spd',` allow $1 ipsec_spd_t:association polmatch; allow $1 self:association sendto; @@ -33278,7 +33430,7 @@ index 0d4c8d3..9395313 100644 ') ######################################## -@@ -369,3 +479,27 @@ interface(`ipsec_run_setkey',` +@@ -369,3 +497,27 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -35863,7 +36015,7 @@ index 59b04c1..aaf4124 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 6b91740..562d1fd 100644 +index 6b91740..5c1669a 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -23,6 +23,8 @@ ifdef(`distro_gentoo',` @@ -35875,7 +36027,7 @@ index 6b91740..562d1fd 100644 # # /lib # -@@ -33,19 +35,23 @@ ifdef(`distro_gentoo',` +@@ -33,22 +35,27 @@ ifdef(`distro_gentoo',` # # /sbin # @@ -35900,7 +36052,11 @@ index 6b91740..562d1fd 100644 /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -89,8 +95,74 @@ ifdef(`distro_gentoo',` ++/sbin/lvmpolld -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) + /sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) +@@ -89,8 +96,75 @@ ifdef(`distro_gentoo',` # # /usr # 
@@ -35929,6 +36085,7 @@ index 6b91740..562d1fd 100644 +/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmpolld -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -35977,7 +36134,7 @@ index 6b91740..562d1fd 100644 # # /var -@@ -98,5 +170,9 @@ ifdef(`distro_gentoo',` +@@ -98,5 +172,9 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) @@ -36224,7 +36381,7 @@ index 58bc27f..a4ec06e 100644 +') + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c4..c3a255a 100644 +index 79048c4..6cf8b94 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -36455,7 +36612,18 @@ index 79048c4..c3a255a 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +375,30 @@ optional_policy(` +@@ -320,6 +362,10 @@ optional_policy(` + ccs_stream_connect(lvm_t) + ') + ++#optional_policy(` ++# docker_rw_sem(lvm_t) ++#') ++ + optional_policy(` + gpm_dontaudit_getattr_gpmctl(lvm_t) + ') +@@ -333,14 +379,30 @@ optional_policy(` ') optional_policy(` @@ -38190,7 +38358,7 @@ index cbbda4a..b569d5f 100644 +userdom_use_inherited_user_terminals(netlabel_mgmt_t) + diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc -index d43f3b1..870bc36 100644 +index d43f3b1..04743dc 100644 --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc @@ -6,13 +6,14 @@ 
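Review bot: The three lines `#optional_policy(\``, `# docker_rw_sem(lvm_t)`, `#')` add commented-out policy to lvm.te with no note on why it is disabled, so the next reader cannot tell whether this is a pending dependency, a deliberately rejected grant, or debris. Either drop them or replace them with a single explanatory comment such as `# lvm_t access to docker semaphores intentionally not granted: <reason or tracking reference>`; if the rule is actually wanted, a real `optional_policy` block is the right form, since it is already conditional on the docker module being present. The lvm_t optional_policy list continues on both sides of this hunk.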
@@ -38211,7 +38379,7 @@ index d43f3b1..870bc36 100644 # # /root -@@ -35,19 +36,27 @@ +@@ -35,19 +36,30 @@ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) @@ -38223,13 +38391,17 @@ index d43f3b1..870bc36 100644 +/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) ++/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) # # /var/lib # - /var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0) +-/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0) ++/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) ++/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) ++/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) +/var/lib/sepolgen(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) # @@ -38241,7 +38413,7 @@ index d43f3b1..870bc36 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..8893bcf 100644 +index 3822072..593c90d 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` 
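Review bot: Relabeling `/var/lib/selinux(/.*)?` from semanage_var_lib_t to semanage_store_t changes the expected on-disk label of an existing module store, and a file_contexts change by itself does not touch files already present; the `typealias semanage_store_t alias { policy_config_t semanage_var_lib_t }` added in selinuxutil.te later in this patch makes the old xattr value resolve to the new type, so this is a restorecon/matchpathcon consistency issue rather than a denial, but it is worth confirming that upgrades relabel the store (presumably a package scriptlet — not visible here). Separately, `/usr/libexec/selinux/semanage_migrate_store` is inserted between the /usr/sbin entries instead of with the other /usr/libexec paths, which breaks the loose path ordering the neighbouring lines keep. This hunk is complete; the .fc file continues outside it.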
@@ -38484,7 +38656,33 @@ index 3822072..8893bcf 100644 ## Do not audit attempts to search the SELinux ## configuration directory (/etc/selinux). ## -@@ -680,10 +848,115 @@ interface(`seutil_manage_config',` +@@ -574,6 +742,25 @@ interface(`seutil_dontaudit_search_config',` + + ######################################## + ## ++## Allow attempts to search the SELinux ++## configuration directory (/etc/selinux). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_search_config',` ++ gen_require(` ++ type selinux_config_t; ++ ') ++ ++ allow $1 selinux_config_t:dir search_dir_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read the SELinux + ## userland configuration (/etc/selinux). + ## +@@ -680,10 +867,115 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -38600,7 +38798,7 @@ index 3822072..8893bcf 100644 ####################################### ## ## Create, read, write, and delete -@@ -694,15 +967,62 @@ interface(`seutil_manage_config',` +@@ -694,15 +986,62 @@ interface(`seutil_manage_config',` ## Domain allowed access. ## ## @@ -38666,7 +38864,7 @@ index 3822072..8893bcf 100644 ') ######################################## -@@ -746,6 +1066,29 @@ interface(`seutil_read_default_contexts',` +@@ -746,6 +1085,29 @@ interface(`seutil_read_default_contexts',` read_files_pattern($1, default_context_t, default_context_t) ') @@ -38696,7 +38894,7 @@ index 3822072..8893bcf 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -784,7 +1127,9 @@ interface(`seutil_read_file_contexts',` +@@ -784,7 +1146,9 @@ interface(`seutil_read_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; 
@@ -38706,7 +38904,7 @@ index 3822072..8893bcf 100644 ') ######################################## -@@ -999,6 +1344,26 @@ interface(`seutil_domtrans_semanage',` +@@ -999,6 +1363,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -38733,7 +38931,7 @@ index 3822072..8893bcf 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1382,105 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1401,105 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -38841,9 +39039,13 @@ index 3822072..8893bcf 100644 ') ######################################## -@@ -1043,7 +1502,11 @@ interface(`seutil_manage_module_store',` +@@ -1041,9 +1519,15 @@ interface(`seutil_manage_module_store',` + ') + files_search_etc($1) ++ files_search_var($1) manage_dirs_pattern($1, selinux_config_t, semanage_store_t) ++ manage_dirs_pattern($1, semanage_store_t, semanage_store_t) manage_files_pattern($1, semanage_store_t, semanage_store_t) + manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") @@ -38853,7 +39055,7 @@ index 3822072..8893bcf 100644 ') ####################################### -@@ -1067,6 +1530,24 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1551,24 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## @@ -38878,7 +39080,7 @@ index 3822072..8893bcf 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1618,121 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1639,121 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -39001,7 +39203,7 @@ index 3822072..8893bcf 100644 + allow semanage_t $1:dbus send_msg; +') 
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..f064846 100644 +index dc46420..9edcb69 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -39078,7 +39280,7 @@ index dc46420..f064846 100644 + type semanage_store_t; +') + -+typealias semanage_store_t alias policy_config_t; ++typealias semanage_store_t alias { policy_config_t semanage_var_lib_t }; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; @@ -39090,7 +39292,7 @@ index dc46420..f064846 100644 type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -92,25 +105,32 @@ type run_init_t; +@@ -92,34 +105,43 @@ type run_init_t; type run_init_exec_t; application_domain(run_init_t, run_init_exec_t) domain_system_change_exemption(run_init_t) @@ -39124,12 +39326,14 @@ index dc46420..f064846 100644 -type semanage_trans_lock_t; -files_type(semanage_trans_lock_t) +- +-type semanage_var_lib_t; +-files_type(semanage_var_lib_t) +type semanage_trans_lock_t; +files_lock_file(semanage_trans_lock_t) - type semanage_var_lib_t; - files_type(semanage_var_lib_t) -@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t; + type setfiles_t alias restorecon_t, can_relabelto_binary_policy; + type setfiles_exec_t alias restorecon_exec_t; init_system_domain(setfiles_t, setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) 
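Review bot: `typealias semanage_store_t alias { policy_config_t semanage_var_lib_t };` makes every rule still written against semanage_var_lib_t (the old /var/lib/selinux label) apply to semanage_store_t, which is the same type as policy_config_t, so any domain elsewhere that was granted write or manage on semanage_var_lib_t now gets that access on the whole module store and on the loadable policy files. The only bound visible is `neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto`, and the write/append neverallow on the next line remains commented out. The semanage_t rules on semanage_var_lib_t are dropped in the semodule local-policy hunk further down, but the contrib patch and other modules are not in view, so remaining `semanage_var_lib_t` references should be located before the alias is relied on. A comment on the typealias giving the reason for the merge and when the alias can go would make this reviewable later, e.g. `# semanage_var_lib_t: compatibility alias, /var/lib/selinux is now part of the module store`.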
@@ -39141,7 +39345,7 @@ index dc46420..f064846 100644 ######################################## # # Checkpolicy local policy -@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) +@@ -137,6 +159,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) allow checkpolicy_t selinux_config_t:dir search_dir_perms; @@ -39149,7 +39353,7 @@ index dc46420..f064846 100644 domain_use_interactive_fds(checkpolicy_t) -@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t) +@@ -151,7 +174,7 @@ term_use_console(checkpolicy_t) init_use_fds(checkpolicy_t) init_use_script_ptys(checkpolicy_t) @@ -39158,7 +39362,7 @@ index dc46420..f064846 100644 userdom_use_all_users_fds(checkpolicy_t) ifdef(`distro_ubuntu',` -@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t) +@@ -188,13 +211,13 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) @@ -39175,7 +39379,7 @@ index dc46420..f064846 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',` +@@ -205,6 +228,7 @@ ifdef(`distro_ubuntu',` ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; @@ -39183,7 +39387,7 @@ index dc46420..f064846 100644 optional_policy(` unconfined_dontaudit_read_pipes(load_policy_t) -@@ -215,12 +242,21 @@ optional_policy(` +@@ -215,12 +239,21 @@ optional_policy(` portage_dontaudit_use_fds(load_policy_t) ') 
@@ -39206,7 +39410,7 @@ index dc46420..f064846 100644 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -232,7 +268,7 @@ allow newrole_t self:msgq create_msgq_perms; +@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -39215,7 +39419,7 @@ index dc46420..f064846 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -249,6 +285,7 @@ domain_use_interactive_fds(newrole_t) +@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) @@ -39223,7 +39427,7 @@ index dc46420..f064846 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -276,25 +313,34 @@ term_relabel_all_ptys(newrole_t) +@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -39265,7 +39469,7 @@ index dc46420..f064846 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -309,7 +355,7 @@ if(secure_mode) { +@@ -309,7 +352,7 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } @@ -39274,7 +39478,7 @@ index dc46420..f064846 100644 files_polyinstantiate_all(newrole_t) ') -@@ -328,9 +374,13 @@ kernel_use_fds(restorecond_t) +@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) 
@@ -39289,7 +39493,7 @@ index dc46420..f064846 100644 fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) -@@ -341,16 +391,17 @@ selinux_compute_user_contexts(restorecond_t) +@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) @@ -39309,7 +39513,7 @@ index dc46420..f064846 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -366,21 +417,24 @@ optional_policy(` +@@ -366,21 +414,24 @@ optional_policy(` # Run_init local policy # @@ -39336,7 +39540,7 @@ index dc46420..f064846 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -398,23 +452,30 @@ selinux_compute_create_context(run_init_t) +@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -39372,7 +39576,7 @@ index dc46420..f064846 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -425,6 +486,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -39392,7 +39596,7 @@ index dc46420..f064846 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +514,88 @@ optional_policy(` +@@ -440,81 +511,85 @@ optional_policy(` # semodule local policy # 
@@ -39407,17 +39611,17 @@ index dc46420..f064846 100644 -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) - - manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) - manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) - +- +-manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) +-manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) +- -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) -- + -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) @@ -39442,11 +39646,11 @@ index dc46420..f064846 100644 -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) -- --logging_send_syslog_msg(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) +-logging_send_syslog_msg(semanage_t) +- -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) @@ -39534,7 +39738,7 @@ index dc46420..f064846 100644 ') ######################################## -@@ -522,111 +603,197 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +597,197 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -39613,13 +39817,13 @@ index dc46420..f064846 100644 +optional_policy(` + cloudform_dontaudit_write_cloud_log(setfiles_t) +') - --seutil_libselinux_linked(setfiles_t) ++ +optional_policy(` + devicekit_dontaudit_read_pid_files(setfiles_t) + devicekit_dontaudit_rw_log(setfiles_t) +') -+ + +-seutil_libselinux_linked(setfiles_t) +optional_policy(` + # pki is leaking + pki_dontaudit_write_log(setfiles_t) @@ -39628,7 +39832,8 @@ index dc46420..f064846 100644 +optional_policy(` + xserver_append_xdm_tmp_files(setfiles_t) +') -+ + +-userdom_use_all_users_fds(setfiles_t) +ifdef(`hide_broken_symptoms',` + + optional_policy(` 
@@ -39642,8 +39847,7 @@ index dc46420..f064846 100644 + unconfined_domain(setfiles_t) + ') +') - --userdom_use_all_users_fds(setfiles_t) ++ +######################################## +# +# Setfiles common policy @@ -39953,7 +40157,7 @@ index 40edc18..95f4458 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..fd3a212 100644 +index 2cea692..57c9025 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -40198,7 +40402,7 @@ index 2cea692..fd3a212 100644 ') ') -@@ -501,6 +669,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -501,11 +669,31 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -40206,7 +40410,31 @@ index 2cea692..fd3a212 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -610,6 +779,25 @@ interface(`sysnet_signull_ifconfig',` + ####################################### + ## ++## Manage the dhcp client pid file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_manage_dhcpc_pid',` ++ gen_require(` ++ type dhcpc_var_run_t; ++ ') ++ ++ files_rw_pid_dirs($1) ++ manage_files_pattern($1, dhcpc_var_run_t, dhcpc_var_run_t) ++') ++ ++####################################### ++## + ## Execute ifconfig in the ifconfig domain. + ## + ## +@@ -610,6 +798,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## @@ -40232,7 +40460,7 @@ index 2cea692..fd3a212 100644 ## Read the DHCP configuration files. ## ## -@@ -626,6 +814,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -626,6 +833,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) 
@@ -40240,7 +40468,7 @@ index 2cea692..fd3a212 100644 ') ######################################## -@@ -647,6 +836,26 @@ interface(`sysnet_search_dhcp_state',` +@@ -647,6 +855,26 @@ interface(`sysnet_search_dhcp_state',` allow $1 dhcp_state_t:dir search_dir_perms; ') @@ -40267,7 +40495,7 @@ index 2cea692..fd3a212 100644 ######################################## ## ## Create DHCP state data. -@@ -711,8 +920,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -711,8 +939,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -40276,7 +40504,7 @@ index 2cea692..fd3a212 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -720,8 +927,13 @@ interface(`sysnet_dns_name_resolve',` +@@ -720,8 +946,13 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) @@ -40290,7 +40518,7 @@ index 2cea692..fd3a212 100644 sysnet_read_config($1) optional_policy(` -@@ -750,8 +962,6 @@ interface(`sysnet_use_ldap',` +@@ -750,8 +981,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -40299,7 +40527,7 @@ index 2cea692..fd3a212 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -760,9 +970,14 @@ interface(`sysnet_use_ldap',` +@@ -760,9 +989,14 @@ interface(`sysnet_use_ldap',` # Support for LDAPS dev_read_rand($1) @@ -40314,7 +40542,7 @@ index 2cea692..fd3a212 100644 ') ######################################## -@@ -784,7 +999,6 @@ interface(`sysnet_use_portmap',` +@@ -784,7 +1018,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) 
@@ -40322,7 +40550,7 @@ index 2cea692..fd3a212 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1010,125 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1029,125 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -40449,7 +40677,7 @@ index 2cea692..fd3a212 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..ca1b2bc 100644 +index a392fc4..77ee719 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -40618,15 +40846,13 @@ index a392fc4..ca1b2bc 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -195,23 +222,36 @@ optional_policy(` +@@ -195,23 +222,31 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) -+ netutils_domtrans_ping(dhcpc_t) -+ netutils_domtrans(dhcpc_t) - ',` - allow dhcpc_t self:capability setuid; - allow dhcpc_t self:rawip_socket create_socket_perms; +-',` +- allow dhcpc_t self:capability setuid; +- allow dhcpc_t self:rawip_socket create_socket_perms; ') optional_policy(` @@ -40655,7 +40881,7 @@ index a392fc4..ca1b2bc 100644 ') optional_policy(` -@@ -221,7 +261,11 @@ optional_policy(` +@@ -221,7 +256,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -40668,7 +40894,7 @@ index a392fc4..ca1b2bc 100644 ') optional_policy(` -@@ -233,6 +277,10 @@ optional_policy(` +@@ -233,6 +272,10 @@ optional_policy(` ') optional_policy(` 
@@ -40679,7 +40905,7 @@ index a392fc4..ca1b2bc 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +312,24 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -40704,7 +40930,7 @@ index a392fc4..ca1b2bc 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +339,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -40737,7 +40963,7 @@ index a392fc4..ca1b2bc 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +377,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -40795,7 +41021,7 @@ index a392fc4..ca1b2bc 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +432,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +427,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -40808,7 +41034,7 @@ index a392fc4..ca1b2bc 100644 ') optional_policy(` -@@ -350,7 +450,16 @@ optional_policy(` +@@ -350,7 +445,16 @@ optional_policy(` ') optional_policy(` @@ -40826,7 +41052,7 @@ index a392fc4..ca1b2bc 100644 ') optional_policy(` -@@ -371,3 +480,13 @@ optional_policy(` +@@ -371,3 +475,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -42365,10 +42591,10 @@ index 0000000..d2a8fc7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..c19260b +index 0000000..3c4ffa35 --- /dev/null 
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,714 @@ +@@ -0,0 +1,720 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -42620,6 +42846,7 @@ index 0000000..c19260b +allow systemd_networkd_t self:unix_dgram_socket create_socket_perms; +allow systemd_networkd_t self:packet_socket create_socket_perms; +allow systemd_networkd_t self:udp_socket create_socket_perms; ++allow systemd_networkd_t self:rawip_socket create_socket_perms; + +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) +manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) @@ -42629,6 +42856,11 @@ index 0000000..c19260b +kernel_request_load_module(systemd_networkd_t) +kernel_rw_net_sysctls(systemd_networkd_t) + ++corenet_tcp_bind_all_nodes(systemd_networkd_t) ++corenet_udp_bind_all_nodes(systemd_networkd_t) ++corenet_tcp_bind_dhcpc_port(systemd_networkd_t) ++corenet_udp_bind_dhcpc_port(systemd_networkd_t) ++ +dev_read_sysfs(systemd_networkd_t) + +auth_read_passwd(systemd_networkd_t) @@ -44443,10 +44675,10 @@ index 5fe902d..a349d18 100644 + dbus_chat_system_bus(unconfined_service_t) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..1ee08ec 100644 +index db75976..c54480a 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,36 @@ +@@ -1,4 +1,37 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) 
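Review bot: The systemd_networkd_t additions grant TCP binds (`corenet_tcp_bind_all_nodes`, `corenet_tcp_bind_dhcpc_port`) next to the UDP ones, but DHCP client traffic is UDP on the dhcpc port, so the two TCP rules look wider than whatever denial motivated them; if no AVC shows a TCP bind, keep only `corenet_udp_bind_all_nodes` and `corenet_udp_bind_dhcpc_port`. The new `allow systemd_networkd_t self:rawip_socket create_socket_perms;` sits beside an existing packet_socket grant, so a one-line comment stating which networkd feature needs raw IP sockets in addition to packet sockets (confirm against the denial) would document why both are kept. The surrounding systemd_networkd block extends beyond both hunks.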
@@ -44463,7 +44695,8 @@ index db75976..1ee08ec 100644 +HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -+HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0) ++HOME_DIR/\.local/share/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0) ++HOME_DIR/\.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs/.* <> +HOME_DIR/\.debug(/.*)? <> @@ -44485,7 +44718,7 @@ index db75976..1ee08ec 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..f0e4b9c 100644 +index 9dc60c6..f01932f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -47787,7 +48020,7 @@ index 9dc60c6..f0e4b9c 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4579,1687 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4579,1691 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -49285,6 +49518,10 @@ index 9dc60c6..f0e4b9c 100644 + userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") + userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp") + userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp") ++ ++ optional_policy(` ++ gnome_data_filetrans($1, home_cert_t, dir, "certificates") ++ ') +') + +######################################## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9a3a62b..4113220 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
@@ -546,7 +546,7 @@ index 058d908..158acba 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..7f6a8b6 100644 +index eb50f07..fb0af36 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -821,7 +821,7 @@ index eb50f07..7f6a8b6 100644 ') optional_policy(` -@@ -222,6 +249,20 @@ optional_policy(` +@@ -222,6 +249,24 @@ optional_policy(` ') optional_policy(` @@ -838,11 +838,15 @@ index eb50f07..7f6a8b6 100644 +') + +optional_policy(` ++ pcp_read_lib_files(abrt_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +275,11 @@ optional_policy(` +@@ -234,6 +279,11 @@ optional_policy(` ') optional_policy(` @@ -854,7 +858,7 @@ index eb50f07..7f6a8b6 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +289,7 @@ optional_policy(` +@@ -243,6 +293,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -862,7 +866,7 @@ index eb50f07..7f6a8b6 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +300,21 @@ optional_policy(` +@@ -253,9 +304,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -885,7 +889,7 @@ index eb50f07..7f6a8b6 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +325,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +329,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -900,7 +904,7 @@ index eb50f07..7f6a8b6 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +344,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) 
@@ -908,7 +912,7 @@ index eb50f07..7f6a8b6 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +353,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -929,7 +933,7 @@ index eb50f07..7f6a8b6 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +374,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +378,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -956,7 +960,7 @@ index eb50f07..7f6a8b6 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +410,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -970,7 +974,7 @@ index eb50f07..7f6a8b6 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +428,11 @@ optional_policy(` +@@ -343,10 +432,11 @@ optional_policy(` ####################################### # @@ -984,7 +988,7 @@ index eb50f07..7f6a8b6 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +451,60 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +455,60 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) 
@@ -1049,7 +1053,7 @@ index eb50f07..7f6a8b6 100644 ####################################### # -@@ -404,25 +512,58 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +516,58 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1110,7 +1114,7 @@ index eb50f07..7f6a8b6 100644 ') ####################################### -@@ -430,10 +571,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +575,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -2562,7 +2566,7 @@ index 14a61b7..76d9329 100644 + files_search_var_lib($1) +') diff --git a/anaconda.te b/anaconda.te -index aa44abf..84c95ed 100644 +index aa44abf..9efa1f2 100644 --- a/anaconda.te +++ b/anaconda.te @@ -4,6 +4,10 @@ gen_require(` @@ -2610,7 +2614,7 @@ index aa44abf..84c95ed 100644 optional_policy(` rpm_domtrans(anaconda_t) -@@ -53,3 +74,46 @@ optional_policy(` +@@ -53,3 +74,54 @@ optional_policy(` optional_policy(` unconfined_domain_noaudit(anaconda_t) ') @@ -2629,6 +2633,10 @@ index aa44abf..84c95ed 100644 +') + +optional_policy(` ++ iscsid_run(install_t, install_roles) ++') ++ ++optional_policy(` + mount_run(install_t, install_roles) +') + @@ -2637,6 +2645,10 @@ index aa44abf..84c95ed 100644 +') + +optional_policy(` ++ policykit_dbus_chat(install_t) ++') ++ ++optional_policy(` + seutil_run_setfiles_mac(install_t, install_roles) +') + @@ -3040,10 +3052,10 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..253a684 +index 0000000..6183b21 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,270 @@ +@@ -0,0 +1,271 @@ +policy_module(antivirus, 1.0.0) + +######################################## 
@@ -3110,7 +3122,7 @@ index 0000000..253a684 +# antivirus domain local policy +# + -+allow antivirus_domain self:capability { dac_override chown kill setgid setuid sys_admin }; ++allow antivirus_domain self:capability { dac_override chown kill fsetid setgid setuid sys_admin }; +dontaudit antivirus_domain self:capability sys_tty_config; +allow antivirus_domain self:process signal_perms; + @@ -3149,6 +3161,7 @@ index 0000000..253a684 + +can_exec(antivirus_domain, antivirus_exec_t) + ++kernel_read_system_state(antivirus_t) +kernel_read_network_state(antivirus_domain) +kernel_read_all_sysctls(antivirus_domain) + @@ -3315,10 +3328,10 @@ index 0000000..253a684 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..3009a35 100644 +index 7caefc3..863bce5 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,204 @@ +@@ -1,162 +1,206 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3531,6 +3544,7 @@ index 7caefc3..3009a35 100644 +/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/ipsilon(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) 
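Review bot: `kernel_read_system_state(antivirus_t)` is the only rule in the antivirus local-policy block keyed on the concrete domain antivirus_t, while every neighbouring rule, including the `kernel_read_network_state(antivirus_domain)` directly below it, is granted to the antivirus_domain attribute; if the read is meant for all antivirus domains it should be `kernel_read_system_state(antivirus_domain)`, otherwise a comment should say why only antivirus_t gets it. The capability line in the earlier hunk gains fsetid; a short comment naming the operation that needs it would keep the capability list reviewable. Both hunks fall inside the antivirus domain block that begins on the previous physical line.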
@@ -3558,6 +3572,7 @@ index 7caefc3..3009a35 100644 +/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -5157,7 +5172,7 @@ index f6eb485..164501c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..d671bf8 100644 +index 6649962..d888ffb 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) @@ -6658,11 +6673,10 @@ index 6649962..d671bf8 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache PHP script local policy +# + @@ -6721,10 +6735,11 @@ index 6649962..d671bf8 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache suexec local policy # 
@@ -6956,10 +6971,10 @@ index 6649962..d671bf8 100644 -allow httpd_script_domains self:fifo_file rw_file_perms; -allow httpd_script_domains self:unix_stream_socket connectto; +- +-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; +allow httpd_sys_script_t self:process getsched; --allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -- -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) - @@ -7111,8 +7126,7 @@ index 6649962..d671bf8 100644 -dontaudit httpd_sys_script_t httpd_config_t:dir search; - -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; -allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms; -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; @@ -7128,7 +7142,8 @@ index 6649962..d671bf8 100644 -apache_domtrans_rotatelogs(httpd_sys_script_t) - -auth_use_nsswitch(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -tunable_policy(`httpd_can_sendmail',` - corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) - corenet_tcp_connect_smtp_port(httpd_sys_script_t) @@ -7353,7 +7368,7 @@ index 6649962..d671bf8 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1633,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1633,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -7371,7 +7386,8 @@ index 6649962..d671bf8 100644 +systemd_manage_passwd_run(httpd_passwd_t) +systemd_manage_passwd_run(httpd_t) +#systemd_passwd_agent_dev_template(httpd) -+ + +-allow httpd_gpg_t self:process setrlimit; +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +dontaudit httpd_passwd_t httpd_config_t:file read; + 
@@ -7405,37 +7421,36 @@ index 6649962..d671bf8 100644 + +miscfiles_read_fonts(httpd_script_type) +miscfiles_read_public_files(httpd_script_type) - --allow httpd_gpg_t self:process setrlimit; ++ +allow httpd_t httpd_script_type:unix_stream_socket connectto; - --allow httpd_gpg_t httpd_t:fd use; --allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; --allow httpd_gpg_t httpd_t:process sigchld; ++ +allow httpd_t httpd_script_exec_type:file read_file_perms; +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; +allow httpd_t httpd_script_type:process { signal sigkill sigstop signull }; +allow httpd_t httpd_script_exec_type:dir list_dir_perms; --dev_read_rand(httpd_gpg_t) --dev_read_urand(httpd_gpg_t) +-allow httpd_gpg_t httpd_t:fd use; +-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; +-allow httpd_gpg_t httpd_t:process sigchld; +allow httpd_script_type self:process { setsched signal_perms }; +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms; +allow httpd_script_type self:unix_dgram_socket create_socket_perms; +allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms; --files_read_usr_files(httpd_gpg_t) +-dev_read_rand(httpd_gpg_t) +-dev_read_urand(httpd_gpg_t) +allow httpd_script_type httpd_t:fd use; +allow httpd_script_type httpd_t:process sigchld; --miscfiles_read_localization(httpd_gpg_t) +-files_read_usr_files(httpd_gpg_t) +dontaudit httpd_script_type httpd_t:tcp_socket { read write }; +dontaudit httpd_script_type httpd_t:unix_stream_socket { read write }; +-miscfiles_read_localization(httpd_gpg_t) ++fs_getattr_xattr_fs(httpd_script_type) + -tunable_policy(`httpd_gpg_anon_write',` - miscfiles_manage_public_files(httpd_gpg_t) -+fs_getattr_xattr_fs(httpd_script_type) -+ +files_read_etc_runtime_files(httpd_script_type) + +libs_read_lib_files(httpd_script_type) 
@@ -7449,11 +7464,8 @@ index 6649962..d671bf8 100644 optional_policy(` - apache_manage_sys_rw_content(httpd_gpg_t) + nscd_socket_use(httpd_script_type) - ') - --optional_policy(` -- gpg_entry_type(httpd_gpg_t) -- gpg_exec(httpd_gpg_t) ++') ++ +read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) + +tunable_policy(`httpd_builtin_scripting',` @@ -7474,7 +7486,17 @@ index 6649962..d671bf8 100644 + +tunable_policy(`httpd_use_openstack',` + corenet_tcp_connect_osapi_compute_port(httpd_t) ++ corenet_tcp_bind_commplex_main_port(httpd_t) ') + + optional_policy(` +- gpg_entry_type(httpd_gpg_t) +- gpg_exec(httpd_gpg_t) ++ tunable_policy(`httpd_use_openstack',` ++ keystone_read_log(httpd_t) ++ ') + ') ++ diff --git a/apcupsd.fc b/apcupsd.fc index 5ec0e13..97c204f 100644 --- a/apcupsd.fc @@ -8820,7 +8842,7 @@ index dcd774e..c240ffa 100644 allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te -index f16b000..aac8d2e 100644 +index f16b000..1a7c80f 100644 --- a/bacula.te +++ b/bacula.te @@ -27,6 +27,9 @@ type bacula_store_t; @@ -8833,7 +8855,15 @@ index f16b000..aac8d2e 100644 type bacula_var_lib_t; files_type(bacula_var_lib_t) -@@ -43,16 +46,22 @@ role bacula_admin_roles types bacula_admin_t; +@@ -38,21 +41,30 @@ type bacula_admin_exec_t; + application_domain(bacula_admin_t, bacula_admin_exec_t) + role bacula_admin_roles types bacula_admin_t; + ++type bacula_unconfined_script_exec_t; ++application_executable_file(bacula_unconfined_script_exec_t) ++ + ######################################## + # # Local policy # @@ -8857,7 +8887,7 @@ index f16b000..aac8d2e 100644 manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t) manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t) -@@ -88,6 +97,10 @@ corenet_udp_bind_generic_node(bacula_t) +@@ -88,6 +100,10 @@ corenet_udp_bind_generic_node(bacula_t) corenet_sendrecv_generic_server_packets(bacula_t) corenet_udp_bind_generic_port(bacula_t) 
@@ -8868,9 +8898,13 @@ index f16b000..aac8d2e 100644 corenet_sendrecv_hplip_server_packets(bacula_t) corenet_tcp_bind_hplip_port(bacula_t) corenet_udp_bind_hplip_port(bacula_t) -@@ -99,12 +112,18 @@ dev_getattr_all_blk_files(bacula_t) +@@ -98,19 +114,30 @@ corenet_tcp_connect_all_ports(bacula_t) + dev_getattr_all_blk_files(bacula_t) dev_getattr_all_chr_files(bacula_t) ++files_getattr_all_pipes(bacula_t) ++files_getattr_all_sockets(bacula_t) ++ files_dontaudit_getattr_all_sockets(bacula_t) +files_dontaudit_getattr_all_pipes(bacula_t) files_read_all_files(bacula_t) @@ -8887,7 +8921,15 @@ index f16b000..aac8d2e 100644 auth_read_shadow(bacula_t) logging_send_syslog_msg(bacula_t) -@@ -125,6 +144,12 @@ optional_policy(` + + sysnet_dns_name_resolve(bacula_t) + ++userdom_home_manager(bacula_t) ++ + optional_policy(` + mysql_stream_connect(bacula_t) + mysql_tcp_connect(bacula_t) +@@ -125,6 +152,12 @@ optional_policy(` ldap_stream_connect(bacula_t) ') @@ -8900,7 +8942,7 @@ index f16b000..aac8d2e 100644 ######################################## # # Client local policy -@@ -148,11 +173,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) +@@ -148,11 +181,32 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) domain_use_interactive_fds(bacula_admin_t) 
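Review bot: `files_getattr_all_pipes(bacula_t)` and `files_getattr_all_sockets(bacula_t)`, newly added in the `@@ -8868,9 +8898,13 @@` hunk, grant exactly the access that the `files_dontaudit_getattr_all_sockets(bacula_t)` and `files_dontaudit_getattr_all_pipes(bacula_t)` lines directly below them suppress, so those two dontaudit rules are now dead. Keep one pair only: drop the dontaudit lines if bacula really stats pipes and sockets during a backup run, or drop the allow lines if the intent was merely to quiet the log, and record the choice with a comment such as `# bacula stats every object it walks, pipes and sockets included`. The `userdom_home_manager(bacula_t)` line in the `@@ -8887,7 +8921,15 @@` hunk likewise grants write as well as read over user home content without explanation; a note that restores need the write side would justify it.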
@@ -8913,6 +8955,30 @@ index f16b000..aac8d2e 100644 userdom_dontaudit_search_user_home_dirs(bacula_admin_t) userdom_use_user_ptys(bacula_admin_t) + ++######################################## ++# ++# Unconfined script local policy ++# ++ ++optional_policy(` ++ type bacula_unconfined_script_t; ++ domain_type(bacula_unconfined_script_t) ++ ++ domain_entry_file(bacula_unconfined_script_t, bacula_unconfined_script_exec_t) ++ role system_r types bacula_unconfined_script_t; ++ ++ allow bacula_t bacula_unconfined_script_t:process signal_perms; ++ ++ domtrans_pattern(bacula_t, bacula_unconfined_script_exec_t, bacula_unconfined_script_t) ++ ++ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir search_dir_perms; ++ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir read_file_perms; ++ allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:file ioctl; ++ ++ optional_policy(` ++ unconfined_domain(bacula_unconfined_script_t) ++ ') ++') diff --git a/bcfg2.fc b/bcfg2.fc index fb42e35..8af0e14 100644 --- a/bcfg2.fc @@ -9304,7 +9370,7 @@ index 531a8f2..0b86f2f 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..4569bde 100644 +index 1241123..e196b89 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9384,17 +9450,21 @@ index 1241123..4569bde 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +202,9 @@ optional_policy(` +@@ -187,7 +202,13 @@ optional_policy(` ') optional_policy(` ++ ipsec_rw_inherited_pipes(named_t) ++') ++ ++optional_policy(` + kerberos_filetrans_named_content(named_t) kerberos_read_keytab(named_t) + kerberos_read_host_rcache(named_t) kerberos_use(named_t) ') -@@ -215,7 +232,8 @@ optional_policy(` +@@ -215,7 +236,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; 
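Review bot: `allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:dir read_file_perms;` applies a file permission set to the dir class; the line above already grants `search_dir_perms` on the directory, so this one almost certainly meant the executable itself, `allow bacula_unconfined_script_t bacula_unconfined_script_exec_t:file read_file_perms;`, which would also make the separate `file ioctl` line redundant. The enclosing `optional_policy` block carries no `gen_require`, so the type, its `domain_entry_file` and the `domtrans_pattern` from bacula_t are effectively unconditional while only the inner `unconfined_domain()` call is optional; on a build without the unconfined module the scripts would run in a domain with no rules beyond these, and the `# Unconfined script local policy` header should say whether that is intended. The exec type is declared with `application_executable_file` in the earlier `@@ -8833,7 +8855,15 @@` hunk; the file-context line that labels scripts with it is not visible in this chunk, so confirm it exists.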
@@ -9404,7 +9474,7 @@ index 1241123..4569bde 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +247,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +251,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9416,7 +9486,7 @@ index 1241123..4569bde 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +259,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +263,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) @@ -9426,7 +9496,7 @@ index 1241123..4569bde 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +277,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +281,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) 
@@ -11916,6 +11986,169 @@ index fbe3ad9..21ab8e1 100644 kernel_read_network_state(cfengine_monitord_t) domain_read_all_domains_state(cfengine_monitord_t) +diff --git a/cgdcbxd.fc b/cgdcbxd.fc +new file mode 100644 +index 0000000..7567038 +--- /dev/null ++++ b/cgdcbxd.fc +@@ -0,0 +1,5 @@ ++/usr/lib/systemd/system/cgdcbxd\.service -- gen_context(system_u:object_r:cgdcbxd_unit_file_t,s0) ++ ++/usr/sbin/cgdcbxd -- gen_context(system_u:object_r:cgdcbxd_exec_t,s0) ++ ++/var/run/cgdcbxd\.pid -- gen_context(system_u:object_r:cgdcbxd_var_run_t,s0) +diff --git a/cgdcbxd.if b/cgdcbxd.if +new file mode 100644 +index 0000000..651a34b +--- /dev/null ++++ b/cgdcbxd.if +@@ -0,0 +1,104 @@ ++ ++## policy for cgdcbxd ++ ++######################################## ++## ++## Execute TEMPLATE in the cgdcbxd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cgdcbxd_domtrans',` ++ gen_require(` ++ type cgdcbxd_t, cgdcbxd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, cgdcbxd_exec_t, cgdcbxd_t) ++') ++######################################## ++## ++## Read cgdcbxd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cgdcbxd_read_pid_files',` ++ gen_require(` ++ type cgdcbxd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, cgdcbxd_var_run_t, cgdcbxd_var_run_t) ++') ++ ++######################################## ++## ++## Execute cgdcbxd server in the cgdcbxd domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`cgdcbxd_systemctl',` ++ gen_require(` ++ type cgdcbxd_t; ++ type cgdcbxd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 cgdcbxd_unit_file_t:file read_file_perms; ++ allow $1 cgdcbxd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, cgdcbxd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an cgdcbxd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`cgdcbxd_admin',` ++ gen_require(` ++ type cgdcbxd_t; ++ type cgdcbxd_var_run_t; ++ type cgdcbxd_unit_file_t; ++ ') ++ ++ allow $1 cgdcbxd_t:process { signal_perms }; ++ ps_process_pattern($1, cgdcbxd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cgdcbxd_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, cgdcbxd_var_run_t) ++ ++ cgdcbxd_systemctl($1) ++ admin_pattern($1, cgdcbxd_unit_file_t) ++ allow $1 cgdcbxd_unit_file_t:service all_service_perms; ++ ++') +diff --git a/cgdcbxd.te b/cgdcbxd.te +new file mode 100644 +index 0000000..06ff1b0 +--- /dev/null ++++ b/cgdcbxd.te +@@ -0,0 +1,36 @@ ++policy_module(cgdcbxd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type cgdcbxd_t; ++type cgdcbxd_exec_t; ++init_daemon_domain(cgdcbxd_t, cgdcbxd_exec_t) ++ ++type cgdcbxd_var_run_t; ++files_pid_file(cgdcbxd_var_run_t) ++ ++type cgdcbxd_unit_file_t; ++systemd_unit_file(cgdcbxd_unit_file_t) ++ ++######################################## ++# ++# cgdcbxd local policy ++# ++ ++allow cgdcbxd_t self:fifo_file rw_fifo_file_perms; ++allow cgdcbxd_t self:unix_stream_socket create_stream_socket_perms; ++ ++dontaudit cgdcbxd_t self:capability sys_ptrace; ++allow cgdcbxd_t self:netlink_route_socket rw_netlink_socket_perms; ++ ++manage_files_pattern(cgdcbxd_t, cgdcbxd_var_run_t, cgdcbxd_var_run_t) ++files_pid_filetrans(cgdcbxd_t, 
cgdcbxd_var_run_t, { file }) ++ ++kernel_read_system_state(cgdcbxd_t) ++kernel_read_network_state(cgdcbxd_t) ++kernel_search_network_sysctl(cgdcbxd_t) ++ ++domain_dontaudit_read_all_domains_state(cgdcbxd_t) diff --git a/cgroup.if b/cgroup.if index 85ca63f..1d1c99c 100644 --- a/cgroup.if @@ -12185,10 +12418,10 @@ index 0000000..aa308eb +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..f50b201 +index 0000000..41effe4 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,249 @@ +@@ -0,0 +1,254 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -12301,6 +12534,8 @@ index 0000000..f50b201 + +libs_legacy_use_shared_libs(chrome_sandbox_t) + ++term_dontaudit_use_console(chrome_sandbox_t) ++ +miscfiles_read_fonts(chrome_sandbox_t) + +sysnet_dns_name_resolve(chrome_sandbox_t) @@ -12379,6 +12614,9 @@ index 0000000..f50b201 + sandbox_use_ptys(chrome_sandbox_t) +') + ++optional_policy(` ++ unconfined_dontaudit_write_state(chrome_sandbox_t) ++') + +######################################## +# @@ -12775,10 +13013,10 @@ index 0000000..fc9cae7 +') diff --git a/cinder.te b/cinder.te new file mode 100644 -index 0000000..f257547 +index 0000000..488a7a6 --- /dev/null +++ b/cinder.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,169 @@ +policy_module(cinder, 1.0.0) + +######################################## @@ -12905,6 +13143,8 @@ index 0000000..f257547 + +auth_use_nsswitch(cinder_backup_t) + ++systemd_dbus_chat_logind(cinder_backup_t) ++ +optional_policy(` + unconfined_domain(cinder_backup_t) +') @@ -16451,7 +16691,7 @@ index 715a826..a1cbdb2 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index ae1c1b1..81803f9 100644 +index ae1c1b1..9b3a328 100644 --- a/couchdb.te +++ b/couchdb.te @@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t) 
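Review bot: The interface summaries in the new cgdcbxd.if still carry template text: `cgdcbxd_domtrans` reads `Execute TEMPLATE in the cgdcbxd domin.` and `cgdcbxd_systemctl` reads `Execute cgdcbxd server in the cgdcbxd domain.` although that interface grants `systemd_exec_systemctl` plus `manage_service_perms` on the unit file and performs no domain transition. Suggested wording: `## Execute cgdcbxd in the cgdcbxd domain.` and `## Execute systemctl to manage the cgdcbxd service.`. In cgdcbxd.te, `dontaudit cgdcbxd_t self:capability sys_ptrace;` and `domain_dontaudit_read_all_domains_state(cgdcbxd_t)` silence denials without saying what triggers them; a hedged note such as `# dontaudit, not allow: cgdcbxd trips these while scanning /proc -- confirm the path and whether the read is needed` lets a later reviewer decide whether the access should be granted instead. `cgdcbxd_admin` also ends with a blank line before its closing `')`, unlike the other interfaces in the file.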
@@ -16479,7 +16719,7 @@ index ae1c1b1..81803f9 100644 manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -@@ -56,11 +59,13 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) +@@ -56,11 +59,14 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) @@ -16488,13 +16728,14 @@ index ae1c1b1..81803f9 100644 can_exec(couchdb_t, couchdb_exec_t) ++kernel_read_network_state(couchdb_t) kernel_read_system_state(couchdb_t) +kernel_read_fs_sysctls(couchdb_t) +kernel_dgram_send(couchdb_t) corecmd_exec_bin(couchdb_t) corecmd_exec_shell(couchdb_t) -@@ -75,14 +80,25 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) +@@ -75,14 +81,27 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) corenet_tcp_bind_couchdb_port(couchdb_t) corenet_tcp_sendrecv_couchdb_port(couchdb_t) @@ -16507,8 +16748,6 @@ index ae1c1b1..81803f9 100644 +files_getattr_lost_found_dirs(couchdb_t) +files_dontaudit_list_var(couchdb_t) + -+gnome_dontaudit_search_config(couchdb_t) -+ dev_list_sysfs(couchdb_t) dev_read_sysfs(couchdb_t) dev_read_urand(couchdb_t) @@ -16518,6 +16757,10 @@ index ae1c1b1..81803f9 100644 -fs_getattr_xattr_fs(couchdb_t) +optional_policy(` ++ gnome_dontaudit_search_config(couchdb_t) ++') ++ ++optional_policy(` + rpc_read_nfs_state_data(couchdb_t) +') @@ -19108,10 +19351,10 @@ index 8401fe6..d58f3e7 100644 /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/ctdb.if b/ctdb.if -index b25b01d..e99c5c6 100644 +index b25b01d..6b7d687 100644 --- a/ctdb.if +++ b/ctdb.if -@@ -1,9 +1,144 @@ +@@ -1,9 +1,161 @@ -## Clustered Database based on Samba Trivial Database. + +## policy for ctdbd 
@@ -19153,6 +19396,23 @@ index b25b01d..e99c5c6 100644 + init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) +') + ++####################################### ++## ++## Allow domain to signal ctdbd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ctdbd_signal',` ++ gen_require(` ++ type ctdbd_t; ++ ') ++ allow $1 ctdbd_t:process signal; ++') ++ +######################################## +## +## Read ctdbd's log files. @@ -19191,11 +19451,9 @@ index b25b01d..e99c5c6 100644 + logging_search_logs($1) + append_files_pattern($1, ctdbd_log_t, ctdbd_log_t) +') - - ######################################## - ## --## Create, read, write, and delete --## ctdbd lib files. ++ ++######################################## ++## +## Manage ctdbd log files +## +## @@ -19252,14 +19510,16 @@ index b25b01d..e99c5c6 100644 + files_search_var_lib($1) + read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) +') -+ -+######################################## -+## + + ######################################## + ## +-## Create, read, write, and delete +-## ctdbd lib files. +## Manage ctdbd lib files. ## ## ## -@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',` +@@ -17,13 +169,12 @@ interface(`ctdbd_manage_lib_files',` ') files_search_var_lib($1) 
@@ -19272,35 +19532,15 @@ index b25b01d..e99c5c6 100644 ## -## Connect to ctdbd with a unix -## domain stream socket. -+## Manage ctdbd lib files. ++## Manage ctdbd lib directories. ## ## ## -@@ -31,19 +165,77 @@ interface(`ctdbd_manage_lib_files',` +@@ -31,19 +182,58 @@ interface(`ctdbd_manage_lib_files',` ## ## # -interface(`ctdbd_stream_connect',` -+interface(`ctdbd_manage_var_files',` - gen_require(` -- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; -+ type ctdbd_var_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t) -+') -+ -+######################################## -+## -+## Manage ctdbd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# +interface(`ctdbd_manage_lib_dirs',` + gen_require(` + type ctdbd_var_lib_t; @@ -19321,7 +19561,8 @@ index b25b01d..e99c5c6 100644 +## +# +interface(`ctdbd_read_pid_files',` -+ gen_require(` + gen_require(` +- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; + type ctdbd_var_run_t; ') @@ -19359,7 +19600,7 @@ index b25b01d..e99c5c6 100644 ## ## ## -@@ -57,16 +249,19 @@ interface(`ctdbd_stream_connect',` +@@ -57,16 +247,19 @@ interface(`ctdbd_stream_connect',` ## ## # @@ -19383,7 +19624,7 @@ index b25b01d..e99c5c6 100644 domain_system_change_exemption($1) role_transition $2 ctdbd_initrc_exec_t system_r; allow $2 system_r; -@@ -74,12 +269,10 @@ interface(`ctdb_admin',` +@@ -74,12 +267,10 @@ interface(`ctdb_admin',` logging_search_logs($1) admin_pattern($1, ctdbd_log_t) @@ -19398,7 +19639,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..2ab29db 100644 +index 001b502..57be129 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
@@ -19411,7 +19652,7 @@ index 001b502..2ab29db 100644 type ctdbd_var_run_t; files_pid_file(ctdbd_var_run_t) -@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t) +@@ -33,12 +36,15 @@ files_pid_file(ctdbd_var_run_t) # allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; @@ -19423,10 +19664,11 @@ index 001b502..2ab29db 100644 allow ctdbd_t self:packet_socket create_socket_perms; allow ctdbd_t self:tcp_socket create_stream_socket_perms; +allow ctdbd_t self:udp_socket create_socket_perms; ++allow ctdbd_t self:rawip_socket create_socket_perms; append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) +@@ -57,12 +63,21 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) @@ -19444,8 +19686,12 @@ index 001b502..2ab29db 100644 +manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) ++can_exec(ctdbd_t, ctdbd_exec_t) ++ kernel_read_network_state(ctdbd_t) -@@ -72,9 +84,12 @@ corenet_all_recvfrom_netlabel(ctdbd_t) + kernel_read_system_state(ctdbd_t) + kernel_rw_net_sysctls(ctdbd_t) +@@ -72,9 +87,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) 
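Review bot: `allow ctdbd_t self:rawip_socket create_socket_perms;` in the `@@ -19423,10 +19664,11 @@` hunk is a notable widening for a daemon that so far held only packet, tcp and udp sockets, and nothing in the hunk says why. A raw IP socket lets the process craft arbitrary IP packets, so the rule should carry the reason, e.g. `# rawip: used by ctdb public-IP failover (tickle ACKs) -- TODO confirm against the ctdb source`, so the grant can be revisited if that code path changes. `can_exec(ctdbd_t, ctdbd_exec_t)` in the following `@@ -19444,8 +19686,12 @@` hunk, which lets ctdbd re-execute its own binary without a transition, deserves the same one-line justification.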
@@ -19454,11 +19700,12 @@ index 001b502..2ab29db 100644 corenet_sendrecv_ctdb_server_packets(ctdbd_t) corenet_tcp_bind_ctdb_port(ctdbd_t) +corenet_udp_bind_ctdb_port(ctdbd_t) ++corenet_tcp_bind_smbd_port(ctdbd_t) +corenet_tcp_connect_ctdb_port(ctdbd_t) corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +100,14 @@ dev_read_urand(ctdbd_t) +@@ -85,14 +104,18 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -19474,8 +19721,12 @@ index 001b502..2ab29db 100644 -miscfiles_read_localization(ctdbd_t) miscfiles_read_public_files(ctdbd_t) ++userdom_home_reader(ctdbd_t) ++ optional_policy(` -@@ -109,6 +126,7 @@ optional_policy(` + consoletype_exec(ctdbd_t) + ') +@@ -109,6 +132,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -24862,10 +25113,10 @@ index 0000000..457d4dd +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..64f1a64 +index 0000000..b045889 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,72 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -24887,7 +25138,7 @@ index 0000000..64f1a64 +# +# dnssec_trigger local policy +# -+allow dnssec_trigger_t self:capability linux_immutable; ++allow dnssec_trigger_t self:capability { net_admin linux_immutable }; +allow dnssec_trigger_t self:process signal; +allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms; +allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms; @@ -24924,6 +25175,10 @@ index 0000000..64f1a64 +sysnet_filetrans_named_content(dnssec_trigger_t) + +optional_policy(` ++ dbus_system_bus_client(dnssec_trigger_t) ++') ++ ++optional_policy(` + bind_domtrans(dnssec_trigger_t) + bind_read_config(dnssec_trigger_t) + bind_read_dnssec_keys(dnssec_trigger_t) @@ -30161,10 +30416,10 @@ index 0000000..8c8c6c9 +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) 
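Review bot: `userdom_home_reader(ctdbd_t)` in the `@@ -19474,8 +19721,12 @@` hunk lets the cluster daemon read every user's home directory content, far wider than anything else ctdbd_t is granted in this file, and it is added without a comment. If the access is really for an event script that runs in ctdbd_t rather than for ctdbd itself, confining that script or gating the rule behind a tunable would be the better fix; at minimum the line needs something like `# home reader: needed by <which event script?> -- cite the AVC`. In the `@@ -19454,11 +19700,12 @@` hunk, `corenet_tcp_bind_smbd_port(ctdbd_t)` lets ctdbd bind the SMB port itself; a comment naming the ctdb feature that binds it would make that grant reviewable too.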
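Review bot: `allow dnssec_trigger_t self:capability { net_admin linux_immutable };` in the `@@ -24887,7 +25138,7 @@` hunk adds net_admin, one of the broadest capabilities a confined daemon can hold (interface, routing, firewall and socket configuration), without a comment. If the need is narrower, for example a netlink route socket or marking resolv.conf immutable, which `linux_immutable` already covers, prefer the narrower rule; otherwise record the reason inline, e.g. `# net_admin: <operation> -- cite the AVC`. The new `dbus_system_bus_client(dnssec_trigger_t)` block in the `@@ -24924,6 +25175,10 @@` hunk is inserted ahead of the existing `bind_*` block rather than after it, the conventional alphabetical placement for optional_policy blocks.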
diff --git a/glusterd.if b/glusterd.if new file mode 100644 -index 0000000..07b266a +index 0000000..5e3410a --- /dev/null +++ b/glusterd.if -@@ -0,0 +1,170 @@ +@@ -0,0 +1,224 @@ + +## policy for glusterd + @@ -30207,7 +30462,6 @@ index 0000000..07b266a + init_labeled_script_domtrans($1, glusterd_initrc_exec_t) +') + -+ +######################################## +## +## Read glusterd's log files. @@ -30247,6 +30501,23 @@ index 0000000..07b266a + append_files_pattern($1, glusterd_log_t, glusterd_log_t) +') + ++####################################### ++## ++## Transition content labels to glusterd named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_filetrans_named_pid',` ++ gen_require(` ++ type glusterd_var_run_t; ++ ') ++ files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket") ++') ++ +######################################## +## +## Manage glusterd log files @@ -30288,6 +30559,44 @@ index 0000000..07b266a + can_exec($1, glusterd_var_lib_t) +') + ++###################################### ++## ++## Read glusterd's config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_read_conf',` ++ gen_require(` ++ type glusterd_conf_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, glusterd_conf_t, glusterd_conf_t) ++') ++ ++###################################### ++## ++## Read and write /var/lib/glusterd files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_rw_lib',` ++ gen_require(` ++ type glusterd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t) ++') ++ +######################################## +## +## All of the rules required to administrate @@ -30337,10 +30646,10 @@ index 0000000..07b266a + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..9040220 +index 0000000..e4830ba --- /dev/null 
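Review bot: `files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")` in the new `glusterd_filetrans_named_pid` interface has a stray space before the comma, and the interface differs from its neighbours in having no blank line after the `gen_require` block and a header rule one `#` shorter than the rest; `files_pid_filetrans($1, glusterd_var_run_t, sock_file, "glusterd.socket")` with the usual blank line fixes all three. The summary `Transition content labels to glusterd named content` is vaguer than what the rule does; `## Name transition: glusterd.socket created in /var/run gets glusterd_var_run_t.` says it. The `ctdbd_signal` interface added in the `@@ -19153,6 +19396,23 @@` hunk has the same two layout issues.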
+++ b/glusterd.te -@@ -0,0 +1,205 @@ +@@ -0,0 +1,232 @@ +policy_module(glusterfs, 1.1.2) + +## @@ -30401,7 +30710,7 @@ index 0000000..9040220 +# Local policy +# + -+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin }; ++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod }; + +allow glusterd_t self:capability2 block_suspend; +allow glusterd_t self:process { getcap setcap setrlimit signal_perms }; @@ -30440,9 +30749,13 @@ index 0000000..9040220 +manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++manage_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++relabel_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++relabel_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) + +can_exec(glusterd_t, glusterd_exec_t) + @@ -30487,6 +30800,7 @@ index 0000000..9040220 + +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) ++dev_read_rand(glusterd_t) + +domain_read_all_domains_state(glusterd_t) + @@ -30514,6 +30828,9 @@ index 0000000..9040220 +userdom_filetrans_home_content(glusterd_t) + +mount_domtrans(glusterd_t) ++ ++fstools_domtrans(glusterd_t) ++ +tunable_policy(`gluster_anon_write',` + miscfiles_manage_public_files(glusterd_t) +') 
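Review bot: The capability set for glusterd_t in the `@@ -30401,7 +30710,7 @@` hunk grows by `sys_ptrace` and `mknod` with no comment, and the `@@ -30440,9 +30749,13 @@` hunk pairs that with `manage_blk_files_pattern`/`manage_chr_files_pattern` and the matching relabel patterns on glusterd_brick_t, so the daemon can now create and relabel device nodes under bricks. `sys_ptrace` is commonly what surfaces when a process reads other processes' /proc entries; this file already calls `domain_read_all_domains_state(glusterd_t)`, so check whether the capability is functionally required or only a noisy denial that a dontaudit would cover. If device nodes on bricks are a real feature, say so at the rule, e.g. `# bricks may carry device nodes (<feature>); mknod plus blk/chr manage and relabel cover them`, and consider a tunable so default installs keep the narrower profile.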
@@ -30531,7 +30848,26 @@ index 0000000..9040220 +') + +optional_policy(` -+ gluster_execute_lib(glusterd_t) ++ ctdbd_domtrans(glusterd_t) ++ ctdbd_signal(glusterd_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(glusterd_t) ++') ++ ++optional_policy(` ++ hostname_exec(glusterd_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(glusterd_t) ++') ++ ++optional_policy(` ++ samba_domtrans_smbd(glusterd_t) ++ samba_systemctl(glusterd_t) ++ samba_manage_config(glusterd_t) +') + +optional_policy(` @@ -34821,7 +35157,7 @@ index 0000000..1f16431 +') diff --git a/hostapd.te b/hostapd.te new file mode 100644 -index 0000000..eb501d2 +index 0000000..ef3f6a9 --- /dev/null +++ b/hostapd.te @@ -0,0 +1,51 @@ @@ -34846,7 +35182,7 @@ index 0000000..eb501d2 +# +# hostapd local policy +# -+allow hostapd_t self:capability chown; ++allow hostapd_t self:capability { chown net_admin }; +allow hostapd_t self:fifo_file rw_fifo_file_perms; +allow hostapd_t self:unix_stream_socket create_stream_socket_perms; +allow hostapd_t self:netlink_socket create_socket_perms; @@ -35068,10 +35404,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..041d6ab 100644 +index 4eb7041..2e4b08a 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,103 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,135 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -35129,6 +35465,9 @@ index 4eb7041..041d6ab 100644 -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++allow hypervkvp_t self:process setfscreate; ++allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms; ++ +manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) 
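Review bot: The new `optional_policy` blocks in the `@@ -30531,7 +30848,26 @@` hunk give glusterd_t `samba_manage_config`, `samba_systemctl`, `samba_domtrans_smbd`, `lvm_domtrans` and `ctdbd_domtrans`, so the daemon may rewrite the Samba configuration, restart samba, run LVM and start ctdb, with nothing recording why. A single comment above the blocks, e.g. `# volume hook scripts reconfigure samba, ctdb and lvm -- confirm each grant against the shipped hooks`, would make the grants reviewable; if the hooks are the only consumer, a dedicated hook-script domain would keep a compromised glusterd from editing smb.conf directly. The hunk also removes `gluster_execute_lib(glusterd_t)`, whose `gluster_` prefix matches none of the `glusterd_*` interfaces this patch defines in glusterd.if, so that removal reads as a fix for an undefined interface; if execution of files under /var/lib/glusterd is still needed it must now come from another rule.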
@@ -35139,12 +35478,23 @@ index 4eb7041..041d6ab 100644 + +kernel_read_system_state(hypervkvp_t) +kernel_read_network_state(hypervkvp_t) ++kernel_rw_net_sysctls(hypervkvp_t) ++ ++domain_read_all_domains_state(hypervkvp_t) ++ ++seutil_exec_setfiles(hypervkvp_t) ++seutil_read_file_contexts(hypervkvp_t) + +domain_read_all_domains_state(hypervkvp_t) + ++dev_read_urand(hypervkvp_t) ++ +files_dontaudit_search_home(hypervkvp_t) + ++auth_use_nsswitch(hypervkvp_t) ++ +logging_send_syslog_msg(hypervkvp_t) ++logging_read_syslog_config(hypervkvp_t) + +libs_exec_ldconfig(hypervkvp_t) + @@ -35154,7 +35504,12 @@ index 4eb7041..041d6ab 100644 +sysnet_domtrans_dhcpc(hypervkvp_t) +sysnet_domtrans_ifconfig(hypervkvp_t) + ++sysnet_manage_dhcpc_pid(hypervkvp_t) ++sysnet_signal_dhcpc(hypervkvp_t) ++ +sysnet_manage_config(hypervkvp_t) ++sysnet_read_dhcpc_state(hypervkvp_t) ++sysnet_read_dhcp_config(hypervkvp_t) +sysnet_etc_filetrans_config(hypervkvp_t) + +systemd_exec_systemctl(hypervkvp_t) @@ -35162,7 +35517,20 @@ index 4eb7041..041d6ab 100644 +userdom_dontaudit_search_admin_dir(hypervkvp_t) + +optional_policy(` ++ brctl_domtrans(hypervkvp_t) ++') ++ ++optional_policy(` ++ dbus_read_pid_files(hypervkvp_t) ++') ++ ++optional_policy(` + netutils_domtrans_ping(hypervkvp_t) ++ netutils_domtrans(hypervkvp_t) ++') ++ ++optional_policy(` ++ networkmanager_read_pid_files(hypervkvp_t) +') + +optional_policy(` @@ -36286,13 +36654,39 @@ index 08b7560..417e630 100644 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) diff --git a/iscsi.if b/iscsi.if -index 1a35420..9fe1e87 100644 +index 1a35420..8101022 100644 --- a/iscsi.if 
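Review bot: `domain_read_all_domains_state(hypervkvp_t)` appears twice in the `@@ -35139,12 +35478,23 @@` hunk, once newly added right after `kernel_rw_net_sysctls(hypervkvp_t)` and once in the pre-existing line a few lines further down; drop one. The hunk also adds `seutil_exec_setfiles(hypervkvp_t)` and `seutil_read_file_contexts(hypervkvp_t)`, which together with `allow hypervkvp_t self:process setfscreate;` from the preceding `@@ -35129,6 +35465,9 @@` hunk let the daemon choose file labels and run setfiles; that is relabeling power and should carry a comment on which operation needs it, e.g. `# setfscreate/setfiles: rewritten network config must be labeled correctly -- confirm against the daemon`. The remaining additions (`sysnet_manage_dhcpc_pid`, `sysnet_signal_dhcpc`, `netutils_domtrans`, `brctl_domtrans`, `networkmanager_read_pid_files` in the `@@ -35154,7 +35504,12 @@` and `@@ -35162,7 +35517,20 @@` hunks) all serve network reconfiguration, so one header comment above the `sysnet_*` block naming that purpose would cover them.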
+++ b/iscsi.if -@@ -22,6 +22,27 @@ interface(`iscsid_domtrans',` +@@ -21,6 +21,52 @@ interface(`iscsid_domtrans',` + ######################################## ## - ## Create, read, write, and delete ++## Execute iscsid programs in the iscsid domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to allow the iscsid domain. ++## ++## ++## ++# ++interface(`iscsid_run',` ++ gen_require(` ++ attribute_role iscsid_roles; ++ ') ++ ++ iscsid_domtrans($1) ++ roleattribute $2 iscsid_roles; ++') ++ ++######################################## ++## ++## Create, read, write, and delete +## iscsid lock files. +## +## @@ -36313,11 +36707,10 @@ index 1a35420..9fe1e87 100644 + +######################################## +## -+## Create, read, write, and delete + ## Create, read, write, and delete ## iscsid sempaphores. ## - ## -@@ -80,17 +101,54 @@ interface(`iscsi_read_lib_files',` +@@ -80,17 +126,54 @@ interface(`iscsi_read_lib_files',` ######################################## ## @@ -36377,7 +36770,7 @@ index 1a35420..9fe1e87 100644 ## ## ## -@@ -99,16 +157,16 @@ interface(`iscsi_admin',` +@@ -99,16 +182,16 @@ interface(`iscsi_admin',` gen_require(` type iscsid_t, iscsi_lock_t, iscsi_log_t; type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; @@ -36400,12 +36793,19 @@ index 1a35420..9fe1e87 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020fa..5f1a035 100644 +index ca020fa..e20fb2f 100644 --- a/iscsi.te +++ b/iscsi.te -@@ -9,8 +9,8 @@ type iscsid_t; +@@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) + # Declarations + # + ++attribute_role iscsid_roles; ++ + type iscsid_t; type iscsid_exec_t; init_daemon_domain(iscsid_t, iscsid_exec_t) ++role iscsid_roles types iscsid_t; -type iscsi_initrc_exec_t; -init_script_file(iscsi_initrc_exec_t) 
@@ -36414,7 +36814,7 @@ index ca020fa..5f1a035 100644 type iscsi_lock_t; files_lock_file(iscsi_lock_t) -@@ -32,8 +32,7 @@ files_pid_file(iscsi_var_run_t) +@@ -32,8 +35,7 @@ files_pid_file(iscsi_var_run_t) # Local policy # @@ -36424,7 +36824,7 @@ index ca020fa..5f1a035 100644 allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { accept connectto listen }; -@@ -55,20 +54,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) +@@ -55,20 +57,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file }) @@ -36452,7 +36852,7 @@ index ca020fa..5f1a035 100644 corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,21 +86,33 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,21 +89,33 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -36490,7 +36890,7 @@ index ca020fa..5f1a035 100644 optional_policy(` tgtd_manage_semaphores(iscsid_t) diff --git a/isns.te b/isns.te -index bc11034..81253f4 100644 +index bc11034..07e6310 100644 --- a/isns.te +++ b/isns.te @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) @@ -36501,7 +36901,7 @@ index bc11034..81253f4 100644 allow isnsd_t self:udp_socket { accept listen }; allow isnsd_t self:unix_stream_socket { accept listen }; -@@ -46,10 +47,7 @@ corenet_tcp_bind_generic_node(isnsd_t) +@@ -46,10 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t) @@ -36509,7 +36909,7 @@ index bc11034..81253f4 100644 +auth_use_nsswitch(isnsd_t) logging_send_syslog_msg(isnsd_t) - +- -miscfiles_read_localization(isnsd_t) - -sysnet_dns_name_resolve(isnsd_t) @@ -42015,7 +42415,7 @@ index 0000000..7ba5060 + 
diff --git a/linuxptp.te b/linuxptp.te new file mode 100644 -index 0000000..7529f3c +index 0000000..70dc4c3 --- /dev/null +++ b/linuxptp.te @@ -0,0 +1,173 @@ @@ -42165,7 +42565,7 @@ index 0000000..7529f3c +allow ptp4l_t self:shm create_shm_perms; +allow ptp4l_t self:udp_socket create_socket_perms; +allow ptp4l_t self:capability { net_admin net_raw sys_time }; -+allow ptp4l_t self:netlink_route_socket { bind create getattr nlmsg_read }; ++allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms; + +allow ptp4l_t phc2sys_t:unix_dgram_socket sendto; + @@ -43412,7 +43812,7 @@ index d314333..27ede09 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..37557c2 100644 +index 4ec0eea..03b7f8b 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -43447,7 +43847,7 @@ index 4ec0eea..37557c2 100644 ######################################## # # Local policy -@@ -26,4 +44,56 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,59 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) @@ -43492,6 +43892,8 @@ index 4ec0eea..37557c2 100644 +corenet_tcp_connect_http_port(lsmd_plugin_t) +corenet_tcp_connect_http_cache_port(lsmd_plugin_t) +corenet_tcp_connect_lsm_plugin_port(lsmd_plugin_t) ++corenet_tcp_connect_pegasus_https_port(lsmd_plugin_t) ++corenet_tcp_connect_pegasus_http_port(lsmd_plugin_t) +corenet_tcp_connect_ssh_port(lsmd_plugin_t) + +auth_use_nsswitch(lsmd_plugin_t) @@ -43504,6 +43906,7 @@ index 4ec0eea..37557c2 100644 +miscfiles_read_certs(lsmd_plugin_t) + +sysnet_read_config(lsmd_plugin_t) ++ diff --git a/mailman.fc b/mailman.fc index 995d0a5..3d40d59 100644 --- a/mailman.fc @@ -52621,7 +53024,7 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..b852ab1 100644 +index 7584bbe..c2babeb 100644 
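Review bot: Replacing `{ bind create getattr nlmsg_read }` with `rw_netlink_socket_perms` on `ptp4l_t self:netlink_route_socket` also grants `nlmsg_write` (refpolicy defines the rw set as create_socket_perms plus nlmsg_read and nlmsg_write), i.e. the right to change routes and interface state, not just query them. Unless a denial showed ptp4l needing to write routing messages, `allow ptp4l_t self:netlink_route_socket r_netlink_socket_perms;` covers the original set plus the missing socket perms without the write side. If write really is required, a comment saying which ptp4l operation does it would justify keeping the broader set next to the existing `net_admin` capability.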
--- a/mysql.te +++ b/mysql.te @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1) @@ -52666,7 +53069,7 @@ index 7584bbe..b852ab1 100644 type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) -@@ -62,24 +59,24 @@ files_pid_file(mysqlmanagerd_var_run_t) +@@ -62,28 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t) # Local policy # @@ -52698,7 +53101,12 @@ index 7584bbe..b852ab1 100644 manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) -@@ -95,50 +92,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) + manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++manage_fifo_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) + logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) + + manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -95,50 +93,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -52777,7 +53185,7 @@ index 7584bbe..b852ab1 100644 ') optional_policy(` -@@ -146,6 +153,10 @@ optional_policy(` +@@ -146,6 +154,10 @@ optional_policy(` ') optional_policy(` @@ -52788,7 +53196,7 @@ index 7584bbe..b852ab1 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +166,18 @@ optional_policy(` +@@ -155,21 +167,18 @@ optional_policy(` ####################################### # @@ -52815,7 +53223,7 @@ index 7584bbe..b852ab1 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +185,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +186,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) 
@@ -52826,7 +53234,7 @@ index 7584bbe..b852ab1 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +193,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +194,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -52862,7 +53270,7 @@ index 7584bbe..b852ab1 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +223,7 @@ optional_policy(` +@@ -209,7 +224,7 @@ optional_policy(` ######################################## # @@ -52871,7 +53279,7 @@ index 7584bbe..b852ab1 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +232,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -218,11 +233,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -52889,7 +53297,7 @@ index 7584bbe..b852ab1 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +245,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +246,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -53989,10 +54397,36 @@ index 0641e97..ed3394e 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682..2aa3b1d 100644 +index 7b3e682..1729d5d 100644 --- a/nagios.te +++ b/nagios.te -@@ -27,7 +27,7 @@ type nagios_var_run_t; +@@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0) + # Declarations + # + ++## ++##

++## Allow nagios/nrpe to call sudo from NRPE utils scripts. ++##

++##
++gen_tunable(nagios_run_sudo, false) ++ ++## ++##

++## Allow nagios run in conjunction with PNP4Nagios. ++##

++##
++gen_tunable(nagios_run_pnp4nagios, false) ++ ++gen_require(` ++ class passwd rootok; ++ class passwd passwd; ++') ++ + attribute nagios_plugin_domain; + + type nagios_t; +@@ -27,7 +46,7 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) type nagios_spool_t; @@ -54001,7 +54435,7 @@ index 7b3e682..2aa3b1d 100644 type nagios_var_lib_t; files_type(nagios_var_lib_t) -@@ -39,6 +39,7 @@ nagios_plugin_template(services) +@@ -39,6 +58,7 @@ nagios_plugin_template(services) nagios_plugin_template(system) nagios_plugin_template(unconfined) nagios_plugin_template(eventhandler) @@ -54009,7 +54443,7 @@ index 7b3e682..2aa3b1d 100644 type nagios_eventhandler_plugin_tmp_t; files_tmp_file(nagios_eventhandler_plugin_tmp_t) -@@ -46,6 +47,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t) +@@ -46,6 +66,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t) type nagios_system_plugin_tmp_t; files_tmp_file(nagios_system_plugin_tmp_t) @@ -54019,7 +54453,7 @@ index 7b3e682..2aa3b1d 100644 type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -63,19 +67,21 @@ files_pid_file(nrpe_var_run_t) +@@ -63,19 +86,21 @@ files_pid_file(nrpe_var_run_t) allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; @@ -54048,7 +54482,7 @@ index 7b3e682..2aa3b1d 100644 ######################################## # -@@ -96,11 +102,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms; +@@ -96,11 +121,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms; allow nagios_t nagios_etc_t:file read_file_perms; allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms; 
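Review bot: The module-level `gen_require` declares the same class twice, `class passwd rootok;` and `class passwd passwd;`; the conventional single form is `class passwd { passwd rootok };`. The two tunable descriptions name the feature but not what enabling it costs: `nagios_run_sudo` later hands the nagios_t and nrpe_t domains setuid/setgid/sys_ptrace, password checking and lastlog/faillog access, so its description should state that, e.g. `## Allow nagios/nrpe to call sudo from NRPE utils scripts. Enabling this grants the nagios and nrpe domains sudo's own capabilities and authentication access.` Likewise `nagios_run_pnp4nagios` should mention that it makes nagios log files executable by the daemon. Both defaults are `false`, which is right for grants of this size.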
@@ -54067,7 +54501,7 @@ index 7b3e682..2aa3b1d 100644 manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -@@ -110,7 +118,9 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) +@@ -110,7 +137,9 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) @@ -54078,7 +54512,7 @@ index 7b3e682..2aa3b1d 100644 manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -@@ -123,7 +133,6 @@ kernel_read_software_raid_state(nagios_t) +@@ -123,7 +152,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) @@ -54086,7 +54520,7 @@ index 7b3e682..2aa3b1d 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,7 +152,6 @@ domain_read_all_domains_state(nagios_t) +@@ -143,7 +171,6 @@ domain_read_all_domains_state(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -54094,7 +54528,7 @@ index 7b3e682..2aa3b1d 100644 files_search_spool(nagios_t) fs_getattr_all_fs(nagios_t) -@@ -153,8 +161,6 @@ auth_use_nsswitch(nagios_t) +@@ -153,8 +180,6 @@ auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) 
@@ -54103,7 +54537,43 @@ index 7b3e682..2aa3b1d 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -178,35 +184,37 @@ optional_policy(` +@@ -162,6 +187,35 @@ mta_send_mail(nagios_t) + mta_signal_system_mail(nagios_t) + mta_kill_system_mail(nagios_t) + ++tunable_policy(`nagios_run_sudo',` ++ allow nagios_t self:capability { setuid setgid sys_resource sys_ptrace }; ++ allow nagios_t self:process { setrlimit setsched }; ++ ++ allow nagios_t self:key write; ++ ++ allow nagios_t self:passwd { passwd rootok }; ++ ++ auth_rw_lastlog(nagios_t) ++ auth_rw_faillog(nagios_t) ++ ++ auth_domtrans_chkpwd(nagios_t) ++ ++ selinux_compute_access_vector(nagios_t) ++ ++ logging_send_audit_msgs(nagios_t) ++') ++ ++optional_policy(` ++ tunable_policy(`nagios_run_sudo',` ++ sudo_exec(nagios_t) ++ sudo_manage_db(nagios_t) ++ ') ++') ++ ++tunable_policy(`nagios_run_pnp4nagios',` ++ allow nagios_t nagios_log_t:file execute; ++') ++ + optional_policy(` + netutils_kill_ping(nagios_t) + ') +@@ -178,35 +232,37 @@ optional_policy(` # # CGI local policy # @@ -54159,7 +54629,7 @@ index 7b3e682..2aa3b1d 100644 ') ######################################## -@@ -229,9 +237,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) +@@ -229,9 +285,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) @@ -54170,7 +54640,7 @@ index 7b3e682..2aa3b1d 100644 corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -252,8 +260,8 @@ dev_read_urand(nrpe_t) +@@ -252,8 +308,8 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) @@ -54180,7 +54650,7 @@ index 7b3e682..2aa3b1d 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,8 +270,6 @@ auth_use_nsswitch(nrpe_t) +@@ -262,10 +318,34 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) 
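Review bot: Under `nagios_run_pnp4nagios` the rule `allow nagios_t nagios_log_t:file execute;` makes the log type both writable and executable by nagios_t, assuming nagios_t manages nagios_log_t as is usual for a daemon's log type (the manage rules are outside this hunk); anything the daemon or a plugin writes under the log directory then becomes executable in the daemon's own domain. If PNP4Nagios only needs one helper script executed, a dedicated executable type for that script would keep the writable log data non-executable. In the `nagios_run_sudo` block, `sudo_exec(nagios_t)` runs sudo without a domain transition, which is why the block has to give nagios_t setuid/setgid/sys_ptrace, `auth_domtrans_chkpwd` and `self:passwd { passwd rootok }` itself; a short comment above the block, e.g. `# sudo runs in nagios_t, so the domain needs sudo's own caps and auth access`, would tell the next reader these grants belong together. The same block is repeated verbatim for nrpe_t in the following hunk (`@@ -262,10 +318,34 @@`); a shared template would keep the two from drifting apart.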
@@ -54188,8 +54658,36 @@ index 7b3e682..2aa3b1d 100644 - userdom_dontaudit_use_unpriv_user_fds(nrpe_t) ++tunable_policy(`nagios_run_sudo',` ++ allow nrpe_t self:capability { setuid setgid sys_resource sys_ptrace }; ++ allow nrpe_t self:process { setrlimit setsched }; ++ ++ allow nrpe_t self:key write; ++ ++ allow nrpe_t self:passwd { passwd rootok }; ++ ++ auth_rw_lastlog(nrpe_t) ++ auth_rw_faillog(nrpe_t) ++ ++ auth_domtrans_chkpwd(nrpe_t) ++ ++ selinux_compute_access_vector(nrpe_t) ++ ++ logging_send_audit_msgs(nrpe_t) ++') ++ ++optional_policy(` ++ tunable_policy(`nagios_run_sudo',` ++ sudo_exec(nrpe_t) ++ sudo_manage_db(nrpe_t) ++ ') ++') ++ ++ optional_policy(` -@@ -310,15 +316,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) + inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) + ') +@@ -310,15 +390,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -54208,7 +54706,7 @@ index 7b3e682..2aa3b1d 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,6 +351,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,6 +425,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) @@ -54218,7 +54716,7 @@ index 7b3e682..2aa3b1d 100644 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) -@@ -357,9 +366,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +440,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # @@ -54232,7 +54730,7 @@ index 7b3e682..2aa3b1d 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -391,6 +402,11 @@ optional_policy(` +@@ -391,6 +476,11 @@ optional_policy(` optional_policy(` mysql_stream_connect(nagios_services_plugin_t) 
@@ -54244,7 +54742,7 @@ index 7b3e682..2aa3b1d 100644 ') optional_policy(` -@@ -406,28 +422,36 @@ allow nagios_system_plugin_t self:capability dac_override; +@@ -406,28 +496,36 @@ allow nagios_system_plugin_t self:capability dac_override; dontaudit nagios_system_plugin_t self:capability { setuid setgid }; read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) @@ -54283,7 +54781,7 @@ index 7b3e682..2aa3b1d 100644 ####################################### # # Event local policy -@@ -442,9 +466,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,9 +540,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -54611,7 +55109,7 @@ index 94b9734..448a7e8 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 86dc29d..0c72c4d 100644 +index 86dc29d..970bf8a 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -55063,10 +55561,10 @@ index 86dc29d..0c72c4d 100644 +# +interface(`networkmanager_sigchld',` + gen_require(` -+ type networkmanager_t; ++ type NetworkManager_t; + ') + -+ allow $1 networkmanager_t:process sigchld; ++ allow $1 NetworkManager_t:process sigchld; +') +######################################## +## 
@@ -55086,16 +55584,16 @@ index 86dc29d..0c72c4d 100644 - files_search_tmp($1) - admin_pattern($1, NetworkManager_tmp_t) -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf") -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf") -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf") -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf") -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf") -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf") -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf") -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf") -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf") -+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth0.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth1.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth2.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth3.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth4.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth5.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth6.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth7.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth8.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth9.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf") + 
files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf") @@ -55112,7 +55610,7 @@ index 86dc29d..0c72c4d 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..694f99e 100644 +index 55f2009..0d4e38a 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -55137,7 +55635,7 @@ index 55f2009..694f99e 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,25 +42,54 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,25 +42,55 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # @@ -55192,6 +55690,7 @@ index 55f2009..694f99e 100644 +list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) +read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) ++read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) + +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) @@ -55201,7 +55700,7 @@ index 55f2009..694f99e 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -@@ -68,6 +100,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,6 +101,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) 
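Review bot: The named transitions for `nm-dhclient-*.conf` enumerate eth0–eth9 and em0 onward (the list continues past these lines), so interfaces with any other kernel or predictable name (wlan*, enp*, bond*, br*) get no entry and land in whatever label the caller's generic transition gives them, which this hunk does not show. The commit already fixes the stray `.` in the old names, but a comment such as `# only common interface names are enumerated; other names rely on the caller's generic pid filetrans` would make the gap explicit. If the file names are always generated by NetworkManager itself, a single `files_pid_filetrans($1, NetworkManager_var_run_t, file)` in the caller is the simpler and complete alternative.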
@@ -55209,7 +55708,7 @@ index 55f2009..694f99e 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,17 +114,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,17 +115,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) @@ -55229,7 +55728,7 @@ index 55f2009..694f99e 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +133,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +134,16 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -55252,10 +55751,11 @@ index 55f2009..694f99e 100644 -corecmd_exec_shell(NetworkManager_t) -corecmd_exec_bin(NetworkManager_t) - ++dev_access_check_sysfs(NetworkManager_t) dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +149,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +151,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) 
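Review bot: `term_open_unallocated_ttys(NetworkManager_t)` is added without a comment; opening unallocated ttys is unusual for a network daemon and nothing in the hunk says which feature needs it, so it reads like a bare denial fix. A one-line why-comment should be added once the reason is confirmed, e.g. `# <reason — confirm>: NetworkManager opens serial devices before they are allocated`. If only a specific device class is involved, a narrower term or dev interface may fit better than the unallocated-tty grant.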
@@ -55269,7 +55769,7 @@ index 55f2009..694f99e 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +157,33 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +159,35 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -55286,6 +55786,8 @@ index 55f2009..694f99e 100644 + storage_getattr_fixed_disk_dev(NetworkManager_t) ++term_open_unallocated_ttys(NetworkManager_t) ++ init_read_utmp(NetworkManager_t) init_dontaudit_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) @@ -55304,7 +55806,7 @@ index 55f2009..694f99e 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +198,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +202,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -55342,7 +55844,7 @@ index 55f2009..694f99e 100644 ') optional_policy(` -@@ -196,10 +239,6 @@ optional_policy(` +@@ -196,10 +243,6 @@ optional_policy(` ') optional_policy(` @@ -55353,7 +55855,7 @@ index 55f2009..694f99e 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +249,11 @@ optional_policy(` +@@ -210,17 +253,16 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -55364,15 +55866,19 @@ index 55f2009..694f99e 100644 optional_policy(` consolekit_dbus_chat(NetworkManager_t) -- ') -- -- optional_policy(` -- policykit_dbus_chat(NetworkManager_t) + consolekit_read_pid_files(NetworkManager_t) ') ++') + +- optional_policy(` +- policykit_dbus_chat(NetworkManager_t) +- ') ++optional_policy(` ++ dnssec_trigger_domtrans(NetworkManager_t) ') -@@ -231,10 +265,11 @@ optional_policy(` + optional_policy(` +@@ -231,10 +273,11 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) 
@@ -55385,7 +55891,7 @@ index 55f2009..694f99e 100644 ') optional_policy(` -@@ -246,10 +281,26 @@ optional_policy(` +@@ -246,10 +289,26 @@ optional_policy(` ') optional_policy(` @@ -55412,7 +55918,7 @@ index 55f2009..694f99e 100644 ') optional_policy(` -@@ -257,15 +308,19 @@ optional_policy(` +@@ -257,15 +316,19 @@ optional_policy(` ') optional_policy(` @@ -55434,7 +55940,7 @@ index 55f2009..694f99e 100644 ') optional_policy(` -@@ -274,10 +329,17 @@ optional_policy(` +@@ -274,10 +337,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -55452,7 +55958,7 @@ index 55f2009..694f99e 100644 ') optional_policy(` -@@ -286,9 +348,12 @@ optional_policy(` +@@ -286,9 +356,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) @@ -55465,7 +55971,7 @@ index 55f2009..694f99e 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +361,7 @@ optional_policy(` +@@ -296,7 +369,7 @@ optional_policy(` ') optional_policy(` @@ -55474,7 +55980,7 @@ index 55f2009..694f99e 100644 ') optional_policy(` -@@ -307,6 +372,7 @@ optional_policy(` +@@ -307,6 +380,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -55482,7 +55988,7 @@ index 55f2009..694f99e 100644 ') optional_policy(` -@@ -320,14 +386,20 @@ optional_policy(` +@@ -320,14 +394,20 @@ optional_policy(` ') optional_policy(` @@ -55508,7 +56014,7 @@ index 55f2009..694f99e 100644 ') optional_policy(` -@@ -357,6 +429,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +437,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) 
@@ -58570,7 +59076,7 @@ index af3c91e..3e5f9cf 100644 /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) diff --git a/ntp.if b/ntp.if -index e96a309..3dbc18c 100644 +index e96a309..4245308 100644 --- a/ntp.if +++ b/ntp.if @@ -1,4 +1,4 @@ @@ -58756,7 +59262,7 @@ index e96a309..3dbc18c 100644 logging_list_logs($1) admin_pattern($1, ntpd_log_t) -@@ -186,5 +289,30 @@ interface(`ntp_admin',` +@@ -186,5 +289,53 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -58766,7 +59272,7 @@ index e96a309..3dbc18c 100644 + allow $1 ntpd_unit_file_t:service all_service_perms; + + ntp_filetrans_named_content($1) -+') + ') + +######################################## +## @@ -58787,9 +59293,32 @@ index e96a309..3dbc18c 100644 + files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf") + files_etc_filetrans($1, ntp_conf_t, dir, "ntp") + files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod") - ') ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## ntp log content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntp_manage_log',` ++ gen_require(` ++ type ntpd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, ntpd_log_t, ntpd_log_t) ++ manage_files_pattern($1, ntpd_log_t, ntpd_log_t) ++ manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t) ++') ++ diff --git a/ntp.te b/ntp.te -index f81b113..6f94328 100644 +index f81b113..ab4d914 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; @@ -58872,6 +59401,25 @@ index f81b113..6f94328 100644 userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_user_home_dirs(ntpd_t) +@@ -152,9 +150,18 @@ optional_policy(` + ') + + optional_policy(` ++ ptp4l_rw_shm(ntpd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(ntpd_t) + ') + + optional_policy(` ++ timemaster_read_pid_files(ntpd_t) ++ timemaster_rw_shm(ntpd_t) ++') ++ ++optional_policy(` + udev_read_db(ntpd_t) + ') 
diff --git a/numad.fc b/numad.fc index 3488bb0..1f97624 100644 --- a/numad.fc @@ -62636,7 +63184,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..c57aab5 100644 +index 44dbc99..c343cd3 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; @@ -62735,7 +63283,7 @@ index 44dbc99..c57aab5 100644 fs_getattr_all_fs(openvswitch_t) fs_search_cgroup_dirs(openvswitch_t) -+auth_read_passwd(openvswitch_t) ++auth_use_nsswitch(openvswitch_t) + logging_send_syslog_msg(openvswitch_t) @@ -64216,10 +64764,10 @@ index 0000000..b33d6ca + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..8b45156 +index 0000000..8ec1e54 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,235 @@ +@@ -0,0 +1,236 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -64278,6 +64826,7 @@ index 0000000..8b45156 + +manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) +manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++manage_sock_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) +exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) +files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir}) + @@ -65990,7 +66539,7 @@ index 69be2aa..2d7b3f6 100644 admin_pattern($1, pkcs_slotd_var_run_t) diff --git a/pkcs.te b/pkcs.te -index 8eb3f7b..e04f9e1 100644 +index 8eb3f7b..ee837c6 100644 --- a/pkcs.te +++ b/pkcs.te @@ -7,21 +7,31 @@ policy_module(pkcs, 1.0.1) @@ -66041,7 +66590,7 @@ index 8eb3f7b..e04f9e1 100644 -fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir) +fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { file dir }) + -+auth_read_passwd(pkcs_slotd_t) ++auth_use_nsswitch(pkcs_slotd_t) -files_read_etc_files(pkcs_slotd_t) +files_search_locks(pkcs_slotd_t) @@ -66407,7 +66956,7 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..995cc23 +index 0000000..bdeebb9 --- /dev/null +++ b/pki.te @@ -0,0 +1,281 @@ 
@@ -66498,7 +67047,7 @@ index 0000000..995cc23 +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) +manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) -+allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelfrom_file_perms; ++allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabel_file_perms; + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) @@ -74202,7 +74751,7 @@ index 7cb8b1f..9422c90 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..4dd18a3 100644 +index 618dcfe..1cd6fca 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -74264,7 +74813,7 @@ index 618dcfe..4dd18a3 100644 type puppetmaster_t; type puppetmaster_exec_t; -@@ -56,161 +62,158 @@ files_tmp_file(puppetmaster_tmp_t) +@@ -56,161 +62,162 @@ files_tmp_file(puppetmaster_tmp_t) ######################################## # 
@@ -74459,43 +75008,47 @@ index 618dcfe..4dd18a3 100644 + +tunable_policy(`puppetagent_manage_all_files',` + files_manage_non_security_files(puppetagent_t) ++') ++ ++optional_policy(` ++ mysql_stream_connect(puppetagent_t) ') optional_policy(` - cfengine_read_lib_files(puppet_t) -+ mysql_stream_connect(puppetagent_t) ++ postgresql_stream_connect(puppetagent_t) ') optional_policy(` - consoletype_exec(puppet_t) -+ postgresql_stream_connect(puppetagent_t) ++ cfengine_read_lib_files(puppetagent_t) ') optional_policy(` - hostname_exec(puppet_t) -+ cfengine_read_lib_files(puppetagent_t) ++ consoletype_exec(puppetagent_t) ') optional_policy(` - mount_domtrans(puppet_t) -+ consoletype_exec(puppetagent_t) ++ hostname_exec(puppetagent_t) ') optional_policy(` - mta_send_mail(puppet_t) -+ hostname_exec(puppetagent_t) ++ mount_domtrans(puppetagent_t) ') optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) - portage_domtrans_gcc_config(puppet_t) -+ mount_domtrans(puppetagent_t) ++ mta_send_mail(puppetagent_t) ') optional_policy(` - files_rw_var_files(puppet_t) -+ mta_send_mail(puppetagent_t) ++ firewalld_dbus_chat(puppetagent_t) +') - rpm_domtrans(puppet_t) @@ -74539,7 +75092,7 @@ index 618dcfe..4dd18a3 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +224,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +228,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -74547,7 +75100,7 @@ index 618dcfe..4dd18a3 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +233,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +237,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) 
@@ -74563,7 +75116,7 @@ index 618dcfe..4dd18a3 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +247,48 @@ optional_policy(` +@@ -246,38 +251,48 @@ optional_policy(` hostname_exec(puppetca_t) ') @@ -74628,7 +75181,7 @@ index 618dcfe..4dd18a3 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +300,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +304,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -74659,7 +75212,7 @@ index 618dcfe..4dd18a3 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +326,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +330,31 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -74696,7 +75249,7 @@ index 618dcfe..4dd18a3 100644 ') optional_policy(` -@@ -342,3 +359,9 @@ optional_policy(` +@@ -342,3 +363,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -78265,7 +78818,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..e8ba49e 100644 +index 403a4fe..0ff0178 100644 --- a/radius.te +++ b/radius.te @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) @@ -78302,7 +78855,7 @@ index 403a4fe..e8ba49e 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -74,12 +75,21 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) +@@ -74,12 +75,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) 
@@ -78320,11 +78873,12 @@ index 403a4fe..e8ba49e 100644 +corenet_sendrecv_radsec_server_packets(radiusd_t) +corenet_tcp_bind_radsec_port(radiusd_t) +corenet_udp_bind_radsec_port(radiusd_t) ++corenet_tcp_connect_radsec_port(radiusd_t) + corenet_sendrecv_snmp_client_packets(radiusd_t) corenet_tcp_connect_snmp_port(radiusd_t) -@@ -97,7 +107,6 @@ domain_use_interactive_fds(radiusd_t) +@@ -97,7 +108,6 @@ domain_use_interactive_fds(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) @@ -78332,7 +78886,7 @@ index 403a4fe..e8ba49e 100644 files_read_etc_runtime_files(radiusd_t) files_dontaudit_list_tmp(radiusd_t) -@@ -109,7 +118,6 @@ libs_exec_lib_files(radiusd_t) +@@ -109,7 +119,6 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) @@ -78340,7 +78894,7 @@ index 403a4fe..e8ba49e 100644 miscfiles_read_generic_certs(radiusd_t) sysnet_use_ldap(radiusd_t) -@@ -122,6 +130,11 @@ optional_policy(` +@@ -122,6 +131,11 @@ optional_policy(` ') optional_policy(` @@ -78352,7 +78906,7 @@ index 403a4fe..e8ba49e 100644 logrotate_exec(radiusd_t) ') -@@ -140,5 +153,10 @@ optional_policy(` +@@ -140,5 +154,10 @@ optional_policy(` ') optional_policy(` @@ -81087,10 +81641,10 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..7bed6ad 100644 +index 47de2d6..eb08783 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,92 @@ +@@ -1,31 +1,93 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) 
@@ -81205,6 +81759,7 @@ index 47de2d6..7bed6ad 100644 +/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) ++/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if index c8bdea2..bf60580 100644 @@ -82031,7 +82586,7 @@ index c8bdea2..bf60580 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..a70327a 100644 +index 6cf79c4..448a0c5 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -82070,7 +82625,7 @@ index 6cf79c4..a70327a 100644 attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +73,281 @@ type foghorn_initrc_exec_t; +@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) @@ -82223,6 +82778,8 @@ index 6cf79c4..a70327a 100644 +init_rw_script_tmp_files(cluster_t) +init_manage_script_status_files(cluster_t) + ++systemd_dbus_chat_logind(cluster_t) ++ +userdom_delete_user_tmp_files(cluster_t) +userdom_rw_user_tmp_files(cluster_t) +userdom_kill_all_users(cluster_t) @@ -82356,7 +82913,7 @@ index 6cf79c4..a70327a 100644 ') ##################################### -@@ -79,13 +355,14 @@ optional_policy(` +@@ -79,13 +357,14 @@ optional_policy(` # dlm_controld local policy # @@ -82373,7 +82930,7 @@ index 6cf79c4..a70327a 100644 kernel_rw_net_sysctls(dlm_controld_t) corecmd_exec_bin(dlm_controld_t) -@@ -98,16 +375,30 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,16 +377,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) 
@@ -82407,7 +82964,7 @@ index 6cf79c4..a70327a 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +409,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +411,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -82419,7 +82976,7 @@ index 6cf79c4..a70327a 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -140,6 +430,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) +@@ -140,6 +432,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) @@ -82428,7 +82985,7 @@ index 6cf79c4..a70327a 100644 corenet_tcp_sendrecv_zented_port(fenced_t) corenet_sendrecv_http_client_packets(fenced_t) -@@ -148,9 +440,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +442,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -82440,7 +82997,7 @@ index 6cf79c4..a70327a 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +451,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -82449,7 +83006,7 @@ index 6cf79c4..a70327a 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +473,8 @@ optional_policy(` +@@ -182,7 +475,8 @@ optional_policy(` ') optional_policy(` @@ -82459,7 +83016,7 @@ index 6cf79c4..a70327a 100644 ') optional_policy(` -@@ -190,12 +482,13 @@ optional_policy(` +@@ -190,12 +484,13 @@ optional_policy(` ') optional_policy(` @@ -82476,7 +83033,7 @@ index 6cf79c4..a70327a 100644 ') optional_policy(` -@@ -203,6 +496,13 @@ optional_policy(` +@@ -203,6 +498,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') 
@@ -82490,7 +83047,7 @@ index 6cf79c4..a70327a 100644 ####################################### # # foghorn local policy -@@ -221,16 +521,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +523,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -82511,7 +83068,7 @@ index 6cf79c4..a70327a 100644 snmp_stream_connect(foghorn_t) ') -@@ -247,16 +549,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ +@@ -247,16 +551,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -82533,7 +83090,7 @@ index 6cf79c4..a70327a 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +581,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +583,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -82593,7 +83150,7 @@ index 6cf79c4..a70327a 100644 ###################################### # # qdiskd local policy -@@ -292,7 +645,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +@@ -292,7 +647,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) @@ -82601,7 +83158,7 @@ index 6cf79c4..a70327a 100644 kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) -@@ -321,6 +673,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +675,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -83449,7 +84006,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') 
diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..581e801 100644 +index d32e1a2..96227fa 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -83488,7 +84045,7 @@ index d32e1a2..581e801 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,69 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,71 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -83527,6 +84084,8 @@ index d32e1a2..581e801 100644 + +miscfiles_manage_generic_cert_files(rhsmcertd_t) +miscfiles_manage_generic_cert_dirs(rhsmcertd_t) ++ ++nis_use_ypbind(rhsmcertd_t) sysnet_dns_name_resolve(rhsmcertd_t) @@ -84928,7 +85487,7 @@ index 0bf13c2..8236a71 100644 type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; diff --git a/rpc.te b/rpc.te -index 2da9fca..b225fea 100644 +index 2da9fca..876a4e7 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1) @@ -85217,7 +85776,7 @@ index 2da9fca..b225fea 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +311,30 @@ kernel_signal(gssd_t) +@@ -288,25 +311,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -85235,6 +85794,7 @@ index 2da9fca..b225fea 100644 +auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) ++auth_login_manage_key(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -85251,7 +85811,7 @@ index 2da9fca..b225fea 100644 ') optional_policy(` -@@ -314,9 +342,12 @@ optional_policy(` +@@ -314,9 +343,12 @@ optional_policy(` ') optional_policy(` @@ -85420,10 +85980,31 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') 
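Review bot: `auth_login_manage_key(gssd_t)` in the rpc.te hunk appears to be a write-capable grant on login keyrings sitting among read-only accesses, with nothing saying why rpc.gssd needs it; an unexplained grant like this tends to be reverted or copied blindly into other domains. Add a one-line why-comment above it, e.g. `# rpc.gssd reads/updates credential caches held in the login keyring` (presumably the krb5 KEYRING ccache case — confirm against the report that motivated it). The enclosing gssd_t block starts outside the hunk.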
diff --git a/rpcbind.te b/rpcbind.te -index 54de77c..cb05fbf 100644 +index 54de77c..db58475 100644 --- a/rpcbind.te +++ b/rpcbind.te -@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t) +@@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t) + type rpcbind_initrc_exec_t; + init_script_file(rpcbind_initrc_exec_t) + ++type rpcbind_tmp_t; ++files_tmp_file(rpcbind_tmp_t) ++ + type rpcbind_var_run_t; + files_pid_file(rpcbind_var_run_t) + init_daemon_run_dir(rpcbind_var_run_t, "rpcbind") +@@ -29,6 +32,10 @@ allow rpcbind_t self:fifo_file rw_fifo_file_perms; + allow rpcbind_t self:unix_stream_socket { accept listen }; + allow rpcbind_t self:tcp_socket { accept listen }; + ++manage_files_pattern(rpcbind_t, rpcbind_tmp_t, rpcbind_tmp_t) ++manage_dirs_pattern(rpcbind_t, rpcbind_tmp_t, rpcbind_tmp_t) ++files_tmp_filetrans(rpcbind_t, rpcbind_tmp_t, { file dir }) ++ + manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) + manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) + files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file }) +@@ -42,7 +49,6 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) kernel_request_load_module(rpcbind_t) @@ -85431,7 +86012,7 @@ index 54de77c..cb05fbf 100644 corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t) -@@ -68,7 +67,11 @@ auth_use_nsswitch(rpcbind_t) +@@ -68,7 +74,11 @@ auth_use_nsswitch(rpcbind_t) logging_send_syslog_msg(rpcbind_t) @@ -85445,10 +86026,10 @@ index 54de77c..cb05fbf 100644 ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..fc8f8ac 100644 +index ebe91fc..913587c 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -1,61 +1,75 @@ +@@ -1,61 +1,78 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) 
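Review bot: The new `rpcbind_tmp_t` type in rpcbind.te gets `files_tmp_file`, manage patterns and `files_tmp_filetrans`, but the only admin rule visible at the top of this hunk is `admin_pattern($1, rpcbind_var_run_t)` in rpcbind.if; unless the interface is updated elsewhere in the commit, `rpcbind_admin` cannot clean up rpcbind's /tmp content. Add `admin_pattern($1, rpcbind_tmp_t)` beside the var_run line and the type to the interface's gen_require block (that block starts outside the hunk). The rpcbind.if hunk itself also begins before this one, so the full interface is not visible here.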
@@ -85466,12 +86047,15 @@ index ebe91fc..fc8f8ac 100644 -/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/dnf-automatic -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/dnf-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) + +/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/yum-deprecated -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -86185,7 +86769,7 @@ index ef3b225..d481e0a 100644 admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) diff --git a/rpm.te b/rpm.te -index 6fc360e..75415ab 100644 +index 6fc360e..77ca468 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -86527,7 +87111,7 @@ index 6fc360e..75415ab 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,73 +331,125 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,73 +331,129 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -86572,11 +87156,11 @@ index 6fc360e..75415ab 100644 +logging_send_audit_msgs(rpm_script_t) -miscfiles_read_localization(rpm_script_t) -+miscfiles_filetrans_named_content(rpm_script_t) - +- -modutils_run_depmod(rpm_script_t, rpm_roles) -modutils_run_insmod(rpm_script_t, rpm_roles) -- ++miscfiles_filetrans_named_content(rpm_script_t) + -seutil_run_loadpolicy(rpm_script_t, rpm_roles) -seutil_run_setfiles(rpm_script_t, rpm_roles) -seutil_run_semanage(rpm_script_t, rpm_roles) 
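Review bot: `/usr/bin/dnf-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)` only matches a purely numeric suffix; file-context patterns are anchored at both ends, so a name carrying a dotted version (constructed example: `dnf-3.6`) would fall back to the generic /usr/bin label and run without the rpm_t transition if such a binary is ever shipped. If that naming is possible, widen the entry to `/usr/bin/dnf-[0-9]+(\.[0-9]+)? -- gen_context(system_u:object_r:rpm_exec_t,s0)`. The `dnf-automatic` and `yum-deprecated` entries look fine as literal names.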
@@ -86619,6 +87203,10 @@ index 6fc360e..75415ab 100644 +') + +optional_policy(` ++ glusterd_filetrans_named_pid(rpm_script_t) ++') ++ ++optional_policy(` + sblim_filetrans_named_content(rpm_script_t) ') @@ -86673,7 +87261,7 @@ index 6fc360e..75415ab 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +461,6 @@ optional_policy(` +@@ -409,6 +465,6 @@ optional_policy(` ') optional_policy(` @@ -87135,7 +87723,7 @@ index f1140ef..642e062 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302..7c1f218 100644 +index abeb302..85582ef 100644 --- a/rsync.te +++ b/rsync.te @@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0) @@ -87151,24 +87739,40 @@ index abeb302..7c1f218 100644 +##

## -gen_tunable(rsync_use_cifs, false) +- +-## +-##

+-## Determine whether rsync can +-## use fuse file systems. +-##

+-##
+-gen_tunable(rsync_use_fusefs, false) +- +-## +-##

+-## Determine whether rsync can use +-## nfs file systems. +-##

+-##
+-gen_tunable(rsync_use_nfs, false) +gen_tunable(rsync_client, false) ## -##

-## Determine whether rsync can --## use fuse file systems. +-## run as a client -##

+##

+## Allow rsync to export any files/directories read only. +##

##
--gen_tunable(rsync_use_fusefs, false) +-gen_tunable(rsync_client, false) +gen_tunable(rsync_export_all_ro, false) ## -##

--## Determine whether rsync can use --## nfs file systems. +-## Determine whether rsync can +-## export all content read only. -##

+##

+## Allow rsync to modify public files @@ -87176,37 +87780,21 @@ index abeb302..7c1f218 100644 +## labeled public_content_rw_t. +##

##
--gen_tunable(rsync_use_nfs, false) +-gen_tunable(rsync_export_all_ro, false) +gen_tunable(rsync_anon_write, false) ## ##

--## Determine whether rsync can --## run as a client -+## Allow rsync server to manage all files/directories on the system. - ##

- ##
--gen_tunable(rsync_client, false) -+gen_tunable(rsync_full_access, false) - --## --##

--## Determine whether rsync can --## export all content read only. --##

--##
--gen_tunable(rsync_export_all_ro, false) -- --## --##

-## Determine whether rsync can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. --##

--##
++## Allow rsync server to manage all files/directories on the system. + ##

+ ## -gen_tunable(allow_rsync_anon_write, false) -- ++gen_tunable(rsync_full_access, false) + -attribute_role rsync_roles; type rsync_t; @@ -87232,14 +87820,14 @@ index abeb302..7c1f218 100644 -allow rsync_t self:tcp_socket { accept listen }; +allow rsync_t self:tcp_socket create_stream_socket_perms; +allow rsync_t self:udp_socket connected_socket_perms; -+ + +-allow rsync_t rsync_etc_t:file read_file_perms; +# for identd +# cjp: this should probably only be inetd_child_t rules? +# search home and kerberos also. +allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +#end for identd - --allow rsync_t rsync_etc_t:file read_file_perms; ++ +read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) allow rsync_t rsync_data_t:dir list_dir_perms; @@ -87256,7 +87844,7 @@ index abeb302..7c1f218 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +96,84 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) 
@@ -87293,68 +87881,76 @@ index abeb302..7c1f218 100644 -tunable_policy(`allow_rsync_anon_write',` - miscfiles_manage_public_files(rsync_t) +-') +userdom_home_manager(rsync_t) -+ -+optional_policy(` -+ daemontools_service_domain(rsync_t, rsync_exec_t) - ') -tunable_policy(`rsync_client',` - corenet_sendrecv_rsync_client_packets(rsync_t) - corenet_tcp_connect_rsync_port(rsync_t) +optional_policy(` -+ kerberos_use(rsync_t) ++ daemontools_service_domain(rsync_t, rsync_exec_t) +') - corenet_sendrecv_ssh_client_packets(rsync_t) - corenet_tcp_connect_ssh_port(rsync_t) - corenet_tcp_sendrecv_ssh_port(rsync_t) +optional_policy(` -+ inetd_service_domain(rsync_t, rsync_exec_t) ++ kerberos_use(rsync_t) +') - manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -+tunable_policy(`rsync_anon_write',` -+ miscfiles_manage_public_files(rsync_t) -+') -+ -+tunable_policy(`rsync_full_access',` -+ allow rsync_t self:capability { dac_override dac_read_search }; -+ files_manage_non_auth_files(rsync_t) ++optional_policy(` ++ inetd_service_domain(rsync_t, rsync_exec_t) ') - tunable_policy(`rsync_export_all_ro',` +-tunable_policy(`rsync_export_all_ro',` - fs_read_noxattr_fs_files(rsync_t) -+ files_getattr_all_pipes(rsync_t) -+ fs_read_noxattr_fs_files(rsync_t) - fs_read_nfs_files(rsync_t) +- fs_read_nfs_files(rsync_t) - fs_read_fusefs_files(rsync_t) - fs_read_cifs_files(rsync_t) +- fs_read_cifs_files(rsync_t) - files_list_non_auth_dirs(rsync_t) - files_read_non_auth_files(rsync_t) - files_read_non_auth_symlinks(rsync_t) -+ files_read_non_security_files(rsync_t) - auth_tunable_read_shadow(rsync_t) +- auth_tunable_read_shadow(rsync_t) ++optional_policy(` ++ mta_send_mail(rsync_t) ') -tunable_policy(`rsync_use_cifs',` - fs_list_cifs(rsync_t) - fs_read_cifs_files(rsync_t) - fs_read_cifs_symlinks(rsync_t) --') -- ++tunable_policy(`rsync_anon_write',` ++ 
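Review bot: The rebuilt `rsync_export_all_ro` block adds `auth_tunable_read_shadow(rsync_t)` and `fs_read_cifs_files(rsync_t)`, yet the boolean's description in the preceding hunk says only "Allow rsync to export any files/directories read only"; an operator enabling it is not told that /etc/shadow becomes readable to rsyncd. Suggest `## Allow rsync to export any files/directories read only (including shadow passwords).` for that description. Separately, `fs_read_fusefs_files` is not restored alongside the nfs/cifs lines — fine if `fs_read_noxattr_fs_files` already covers fusefs in this tree, otherwise worth re-adding for symmetry. `mta_send_mail(rsync_t)` is a new capability for the daemon and would also benefit from a one-line why-comment.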
miscfiles_manage_public_files(rsync_t) + ') + -tunable_policy(`rsync_use_fusefs',` - fs_search_fusefs(rsync_t) - fs_read_fusefs_files(rsync_t) - fs_read_fusefs_symlinks(rsync_t) --') -- ++tunable_policy(`rsync_full_access',` ++ allow rsync_t self:capability { dac_override dac_read_search }; ++ files_manage_non_auth_files(rsync_t) + ') + -tunable_policy(`rsync_use_nfs',` - fs_list_nfs(rsync_t) -- fs_read_nfs_files(rsync_t) ++tunable_policy(`rsync_export_all_ro',` ++ files_getattr_all_pipes(rsync_t) ++ fs_read_noxattr_fs_files(rsync_t) + fs_read_nfs_files(rsync_t) - fs_read_nfs_symlinks(rsync_t) ++ fs_read_cifs_files(rsync_t) ++ files_read_non_security_files(rsync_t) ++ auth_tunable_read_shadow(rsync_t) + ') + +-optional_policy(` +- tunable_policy(`rsync_client',` +- ssh_exec(rsync_t) +- ') +tunable_policy(`rsync_client',` + corenet_tcp_connect_rsync_port(rsync_t) + corenet_tcp_connect_ssh_port(rsync_t) @@ -87364,17 +87960,13 @@ index abeb302..7c1f218 100644 ') optional_policy(` - tunable_policy(`rsync_client',` -- ssh_exec(rsync_t) +- daemontools_service_domain(rsync_t, rsync_exec_t) ++ tunable_policy(`rsync_client',` + ssh_exec(rsync_t) - ') ++ ') ') -optional_policy(` -- daemontools_service_domain(rsync_t, rsync_exec_t) --') -- --optional_policy(` - kerberos_use(rsync_t) -') +auth_can_read_shadow_passwords(rsync_t) @@ -87793,7 +88385,7 @@ index 0360ff0..e6cb34f 100644 init_labeled_script_domtrans($1, rwho_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rwho.te b/rwho.te -index 7fb75f4..ba5e778 100644 +index 7fb75f4..9ccbd95 100644 --- a/rwho.te +++ b/rwho.te @@ -16,7 +16,7 @@ type rwho_log_t; @@ -87813,7 +88405,7 @@ index 7fb75f4..ba5e778 100644 corenet_all_recvfrom_netlabel(rwho_t) corenet_udp_sendrecv_generic_if(rwho_t) corenet_udp_sendrecv_generic_node(rwho_t) -@@ -50,15 +49,14 @@ corenet_udp_sendrecv_rwho_port(rwho_t) +@@ -50,15 +49,16 @@ corenet_udp_sendrecv_rwho_port(rwho_t) domain_use_interactive_fds(rwho_t) 
@@ -87823,10 +88415,12 @@ index 7fb75f4..ba5e778 100644 init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) - logging_send_syslog_msg(rwho_t) +-logging_send_syslog_msg(rwho_t) ++auth_use_nsswitch(rwho_t) -miscfiles_read_localization(rwho_t) -- ++logging_send_syslog_msg(rwho_t) + sysnet_dns_name_resolve(rwho_t) -# userdom_getattr_user_terminals(rwho_t) @@ -88680,10 +89274,10 @@ index 50d07fb..59296a2 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..114b2be 100644 +index 2b7c441..9f3c662 100644 --- a/samba.te +++ b/samba.te -@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) +@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) # ## @@ -88816,11 +89410,16 @@ index 2b7c441..114b2be 100644 - -attribute_role winbind_helper_roles; -roleattribute system_r winbind_helper_roles; -- ++## ++##
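Review bot: `auth_use_nsswitch(rwho_t)` is added while `sysnet_dns_name_resolve(rwho_t)` is kept two lines below; if this tree's `auth_use_nsswitch` matches refpolicy's, it already includes DNS name resolution and the explicit call is now redundant. Either drop `sysnet_dns_name_resolve(rwho_t)` or keep it with a comment stating why both are needed. Style only, no change in granted permissions.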

++## Allow smbd to load libgfapi from gluster. ++##

++##
++gen_tunable(samba_load_libgfapi, false) + type nmbd_t; type nmbd_exec_t; - init_daemon_domain(nmbd_t, nmbd_exec_t) -@@ -113,13 +93,16 @@ files_config_file(samba_etc_t) +@@ -113,13 +100,16 @@ files_config_file(samba_etc_t) type samba_initrc_exec_t; init_script_file(samba_initrc_exec_t) @@ -88838,7 +89437,7 @@ index 2b7c441..114b2be 100644 type samba_net_tmp_t; files_tmp_file(samba_net_tmp_t) -@@ -130,13 +113,16 @@ files_type(samba_secrets_t) +@@ -130,13 +120,16 @@ files_type(samba_secrets_t) type samba_share_t; # customizable files_type(samba_share_t) @@ -88856,7 +89455,7 @@ index 2b7c441..114b2be 100644 type smbd_t; type smbd_exec_t; -@@ -148,13 +134,17 @@ files_type(smbd_keytab_t) +@@ -148,13 +141,17 @@ files_type(smbd_keytab_t) type smbd_tmp_t; files_tmp_file(smbd_tmp_t) @@ -88876,7 +89475,7 @@ index 2b7c441..114b2be 100644 type swat_t; type swat_exec_t; -@@ -173,28 +163,29 @@ type winbind_exec_t; +@@ -173,28 +170,29 @@ type winbind_exec_t; init_daemon_domain(winbind_t, winbind_exec_t) type winbind_helper_t; @@ -88914,7 +89513,7 @@ index 2b7c441..114b2be 100644 allow samba_net_t samba_etc_t:file read_file_perms; -@@ -210,17 +201,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) +@@ -210,17 +208,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") @@ -88941,7 +89540,7 @@ index 2b7c441..114b2be 100644 dev_read_urand(samba_net_t) -@@ -233,15 +229,16 @@ auth_manage_cache(samba_net_t) +@@ -233,15 +236,16 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -88962,7 +89561,7 @@ index 2b7c441..114b2be 100644 ') optional_policy(` -@@ -249,46 +246,58 @@ optional_policy(` +@@ -249,46 +253,58 @@ optional_policy(` ') optional_policy(` 
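Review bot: The `samba_load_libgfapi` description says only "Allow smbd to load libgfapi from gluster", but its tunable_policy body in the samba.te hunk @@ -89239 (later in this chunk) grants `corenet_tcp_connect_all_ports(smbd_t)`, `corenet_tcp_bind_all_ports(smbd_t)` and `corenet_sendrecv_all_packets(smbd_t)`, i.e. unrestricted TCP client and server access for smbd. That description is what `semanage boolean -l` shows an operator, so it should state the scope, e.g. `## Allow smbd to load libgfapi from gluster. This lets smbd connect to and bind any TCP port.` If gluster's management/brick ports carry their own port type in this tree, the gluster-specific corenet interfaces would be the narrower choice over the all-ports ones.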
@@ -89033,7 +89632,7 @@ index 2b7c441..114b2be 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -298,65 +307,71 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -298,65 +314,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -89072,6 +89671,7 @@ index 2b7c441..114b2be 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) ++kernel_read_net_sysctls(smbd_t) kernel_read_fs_sysctls(smbd_t) kernel_read_kernel_sysctls(smbd_t) +kernel_read_usermodehelper_state(smbd_t) @@ -89129,7 +89729,7 @@ index 2b7c441..114b2be 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) -@@ -366,44 +381,53 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -366,44 +389,53 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -89195,7 +89795,7 @@ index 2b7c441..114b2be 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +443,10 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +451,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -89218,7 +89818,7 @@ index 2b7c441..114b2be 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +455,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +463,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -89226,7 +89826,7 @@ index 2b7c441..114b2be 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,17 +463,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,15 +471,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') 
@@ -89239,20 +89839,22 @@ index 2b7c441..114b2be 100644 -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(smbd_t) - files_manage_non_auth_files(smbd_t) --') -- - optional_policy(` - ccs_read_config(smbd_t) ++tunable_policy(`samba_load_libgfapi',` ++ corenet_tcp_connect_all_ports(smbd_t) ++ corenet_tcp_bind_all_ports(smbd_t) ++ corenet_sendrecv_all_packets(smbd_t) ') -@@ -466,6 +470,7 @@ optional_policy(` + + optional_policy(` +@@ -466,6 +484,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) -+ ctdbd_manage_var_files(smbd_t) ++ ctdbd_manage_lib_dirs(smbd_t) ') optional_policy(` -@@ -474,11 +479,25 @@ optional_policy(` +@@ -474,11 +493,30 @@ optional_policy(` ') optional_policy(` @@ -89265,6 +89867,11 @@ index 2b7c441..114b2be 100644 +') + +optional_policy(` ++ glusterd_read_conf(smbd_t) ++ glusterd_rw_lib(smbd_t) ++') ++ ++optional_policy(` kerberos_read_keytab(smbd_t) kerberos_use(smbd_t) ') @@ -89278,7 +89885,7 @@ index 2b7c441..114b2be 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +507,10 @@ optional_policy(` +@@ -488,6 +526,10 @@ optional_policy(` ') optional_policy(` @@ -89289,7 +89896,7 @@ index 2b7c441..114b2be 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +522,48 @@ optional_policy(` +@@ -499,9 +541,48 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -89339,7 +89946,7 @@ index 2b7c441..114b2be 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +574,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +593,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; 
@@ -89354,7 +89961,7 @@ index 2b7c441..114b2be 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +590,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +609,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -89378,7 +89985,7 @@ index 2b7c441..114b2be 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +606,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +625,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -89442,12 +90049,12 @@ index 2b7c441..114b2be 100644 - files_manage_non_auth_files(nmbd_t) +optional_policy(` + ctdbd_stream_connect(nmbd_t) -+ ctdbd_manage_var_files(nmbd_t) ++ ctdbd_manage_lib_dirs(nmbd_t) + ctdbd_manage_lib_files(nmbd_t) ') optional_policy(` -@@ -606,16 +656,22 @@ optional_policy(` +@@ -606,16 +675,22 @@ optional_policy(` ######################################## # @@ -89474,7 +90081,7 @@ index 2b7c441..114b2be 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +683,13 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +702,13 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -89493,7 +90100,7 @@ index 2b7c441..114b2be 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +697,23 @@ optional_policy(` +@@ -644,22 +716,23 @@ optional_policy(` ######################################## # 
@@ -89525,7 +90132,7 @@ index 2b7c441..114b2be 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +722,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +741,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -89561,19 +90168,19 @@ index 2b7c441..114b2be 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +749,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +768,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) -auth_use_nsswitch(smbmount_t) +corecmd_list_bin(smbmount_t) - --miscfiles_read_localization(smbmount_t) ++ +files_list_mnt(smbmount_t) +files_mounton_mnt(smbmount_t) +files_manage_etc_runtime_files(smbmount_t) +files_etc_filetrans_etc_runtime(smbmount_t, file) -+ + +-miscfiles_read_localization(smbmount_t) +auth_use_nsswitch(smbmount_t) -mount_use_fds(smbmount_t) @@ -89653,7 +90260,7 @@ index 2b7c441..114b2be 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +828,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +847,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -89677,7 +90284,7 @@ index 2b7c441..114b2be 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +842,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +861,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -89720,7 +90327,7 @@ index 2b7c441..114b2be 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +872,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +891,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -89734,7 +90341,7 @@ index 2b7c441..114b2be 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +895,20 @@ optional_policy(` +@@ -840,17 +914,20 @@ optional_policy(` # Winbind local policy # @@ -89746,7 +90353,7 @@ index 2b7c441..114b2be 100644 allow winbind_t self:fifo_file rw_fifo_file_perms; -allow winbind_t self:unix_stream_socket { accept listen }; -allow winbind_t self:tcp_socket { accept listen }; -+allow winbind_t self:unix_dgram_socket create_socket_perms; ++allow winbind_t self:unix_dgram_socket { create_socket_perms sendto }; +allow winbind_t self:unix_stream_socket create_stream_socket_perms; +allow winbind_t self:tcp_socket create_stream_socket_perms; +allow winbind_t self:udp_socket create_socket_perms; @@ -89760,7 +90367,7 @@ index 2b7c441..114b2be 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +918,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +937,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -89771,7 +90378,7 @@ index 2b7c441..114b2be 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +929,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +948,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) 
@@ -89824,7 +90431,7 @@ index 2b7c441..114b2be 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +971,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +990,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -89865,7 +90472,7 @@ index 2b7c441..114b2be 100644 optional_policy(` ctdbd_stream_connect(winbind_t) ctdbd_manage_lib_files(winbind_t) -+ ctdbd_manage_var_files(winbind_t) ++ ctdbd_manage_lib_dirs(winbind_t) +') + + @@ -89883,7 +90490,7 @@ index 2b7c441..114b2be 100644 ') optional_policy(` -@@ -959,31 +1032,35 @@ optional_policy(` +@@ -959,31 +1051,35 @@ optional_policy(` # Winbind helper local policy # @@ -89905,7 +90512,7 @@ index 2b7c441..114b2be 100644 -domain_use_interactive_fds(winbind_helper_t) - -files_list_var_lib(winbind_helper_t) -+dev_read_urand(winbind_t) ++dev_read_urand(winbind_helper_t) term_list_ptys(winbind_helper_t) @@ -89926,7 +90533,7 @@ index 2b7c441..114b2be 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1074,38 @@ optional_policy(` +@@ -997,25 +1093,38 @@ optional_policy(` ######################################## # @@ -94297,7 +94904,7 @@ index e0644b5..ea347cc 100644 domain_system_change_exemption($1) role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 9cf6582..bc33dd7 100644 +index 9cf6582..db6cc30 100644 --- a/smartmon.te +++ b/smartmon.te @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) @@ -94352,7 +94959,7 @@ index 9cf6582..bc33dd7 100644 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) userdom_dontaudit_search_user_home_dirs(fsdaemon_t) -+userdom_use_user_ptys(fsdaemon_t) ++userdom_use_user_terminals(fsdaemon_t) tunable_policy(`smartmon_3ware',` allow fsdaemon_t self:process setfscreate; @@ -95473,7 +96080,7 @@ index 634c6b4..f6db7a7 100644 +') + 
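Review bot: `userdom_use_user_terminals(fsdaemon_t)` replaces `userdom_use_user_ptys(fsdaemon_t)` in the smartmon.te hunk, widening fsdaemon_t's access from pseudo-terminals to all user terminals, and nothing in the policy text records why. The spec changelog attributes it to smartdnotify needing user terminals, so that rationale belongs next to the rule: `# needed by smartdnotify (see changelog 3.13.1-128)`. If only ttys were required in addition to ptys, naming the narrower interfaces would document the intent more precisely than the umbrella call.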
diff --git a/sosreport.te b/sosreport.te -index f2f507d..b3f8d3b 100644 +index f2f507d..4dd29c9 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -95630,7 +96237,7 @@ index f2f507d..b3f8d3b 100644 fstools_domtrans(sosreport_t) ') -@@ -136,6 +186,10 @@ optional_policy(` +@@ -136,6 +186,14 @@ optional_policy(` optional_policy(` hal_dbus_chat(sosreport_t) ') @@ -95638,10 +96245,14 @@ index f2f507d..b3f8d3b 100644 + optional_policy(` + rpm_dbus_chat(sosreport_t) + ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(sosreport_t) ++ ') ') optional_policy(` -@@ -147,13 +201,35 @@ optional_policy(` +@@ -147,13 +205,35 @@ optional_policy(` ') optional_policy(` @@ -97980,10 +98591,10 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..26fb335 100644 +index 2d8db1f..aafd7c8 100644 --- a/sssd.te +++ b/sssd.te -@@ -28,9 +28,17 @@ logging_log_file(sssd_var_log_t) +@@ -28,17 +28,25 @@ logging_log_file(sssd_var_log_t) type sssd_var_run_t; files_pid_file(sssd_var_run_t) @@ -98001,8 +98612,9 @@ index 2d8db1f..26fb335 100644 +# sssd local policy # - allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; -@@ -38,7 +46,7 @@ allow sssd_t self:capability2 block_suspend; +-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; ++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; + allow sssd_t self:capability2 block_suspend; allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; allow sssd_t self:fifo_file rw_fifo_file_perms; allow sssd_t self:key manage_key_perms; 
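Review bot: `fowner` is added to the sssd_t capability set in the sssd.te hunk without a comment, so the reason a directory-service daemon needs to override file-ownership checks is only recoverable from the spec changelog ("because of selinux_child handling"). A short comment above the allow line, `# fowner: needed for selinux_child handling`, keeps the justification with the rule. The same applies to the new `allow sssd_selinux_manager_t self:capability { setgid setuid };` in the following `@@ -98119,17 +98731,19 @@` hunk, which the changelog explains only as "Allow setuid/setgid for selinux_child".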
@@ -98083,7 +98695,7 @@ index 2d8db1f..26fb335 100644 init_read_utmp(sssd_t) -@@ -112,18 +120,56 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +120,58 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -98119,17 +98731,19 @@ index 2d8db1f..26fb335 100644 +optional_policy(` + ldap_stream_connect(sssd_t) + ldap_read_certs(sssd_t) - ') ++') + +optional_policy(` + systemd_login_read_pid_files(sssd_t) -+') + ') + +######################################## +# +# sssd SELinux manager local policy +# + ++allow sssd_selinux_manager_t self:capability { setgid setuid }; ++ +domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t) + +logging_send_audit_msgs(sssd_selinux_manager_t) @@ -101642,7 +102256,7 @@ index 97cd155..49321a5 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f..10d7105 100644 +index 585a77f..529c97a 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.7.1) @@ -101737,6 +102351,15 @@ index 585a77f..10d7105 100644 ') optional_policy(` +@@ -89,3 +110,8 @@ optional_policy(` + optional_policy(` + rpm_manage_cache(tmpreaper_t) + ') ++ ++optional_policy(` ++ ntp_manage_log(tmpreaper_t) ++') ++ diff --git a/tomcat.fc b/tomcat.fc new file mode 100644 index 0000000..ae28ea3 @@ -104161,10 +104784,10 @@ index 3d11c6a..b19a117 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..b3bd64f 100644 +index a4f20bc..374e8ef 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,99 @@ +@@ -1,51 +1,101 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
@@ -104182,6 +104805,8 @@ index a4f20bc..b3bd64f 100644 +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) ++HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) ++HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) @@ -104303,7 +104928,7 @@ index a4f20bc..b3bd64f 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..814626a 100644 +index facdee8..a6dcaaa 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,226 @@ @@ -105910,7 +106535,7 @@ index facdee8..814626a 100644 ##
## ## -@@ -1069,21 +1180,28 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1180,29 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -105936,6 +106561,7 @@ index facdee8..814626a 100644 + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") + gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") + gnome_data_filetrans($1, svirt_home_t, dir, "images") ++ gnome_data_filetrans($1, svirt_home_t, dir, "boot") + ') ') @@ -105947,7 +106573,7 @@ index facdee8..814626a 100644 ##
## ## -@@ -1091,36 +1209,188 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1210,188 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -106154,7 +106780,7 @@ index facdee8..814626a 100644 ##
## ## -@@ -1136,50 +1406,53 @@ interface(`virt_manage_images',` +@@ -1136,50 +1407,53 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -106243,7 +106869,7 @@ index facdee8..814626a 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..6fb7d3f 100644 +index f03dcf5..fffd1f5 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,241 @@ @@ -106443,7 +107069,7 @@ index f03dcf5..6fb7d3f 100644 +## Allow sandbox containers to use all capabilities +##

+## -+gen_tunable(virt_sandbox_use_all_caps, false) ++gen_tunable(virt_sandbox_use_all_caps, true) -attribute_role virt_bridgehelper_roles; -roleattribute system_r virt_bridgehelper_roles; @@ -107333,7 +107959,7 @@ index f03dcf5..6fb7d3f 100644 -can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - ++ +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -107494,7 +108120,7 @@ index f03dcf5..6fb7d3f 100644 +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; -+ + +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) @@ -107576,10 +108202,10 @@ index f03dcf5..6fb7d3f 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -107743,7 +108369,7 @@ index f03dcf5..6fb7d3f 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1171,314 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1171,325 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
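Review bot: `gen_tunable(virt_sandbox_use_all_caps, true)` flips the default of this boolean from false to true while its description, `Allow sandbox containers to use all capabilities`, stays unchanged, so an administrator reading the tunable list gets no indication that the capability restriction on svirt_sandbox_domain is now off unless explicitly disabled. The changelog gives the rationale ("Allow docker and container tools to control caps, don't rely on SELinux for now"); that belongs in the description, e.g. `## Allow sandbox containers to use all capabilities (enabled by default so that container tools control capabilities; set to false to have the policy restrict them)`. Because this relaxes a defense-in-depth boundary by default, the tunable_policy block that consumes the boolean, presumably elsewhere in virt.te and outside this hunk, should be re-checked to confirm the false branch still withholds the capability set.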
@@ -107799,6 +108425,15 @@ index f03dcf5..6fb7d3f 100644 +allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow svirt_sandbox_domain self:passwd rootok; +allow svirt_sandbox_domain self:filesystem associate; ++allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; ++ ++dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) ++ ++fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) ++ ++tunable_policy(`deny_ptrace',`',` ++ allow svirt_sandbox_domain self:process ptrace; ++') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -107882,14 +108517,6 @@ index f03dcf5..6fb7d3f 100644 -miscfiles_read_fonts(svirt_lxc_domain) - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) -+ -+fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) -+ -+tunable_policy(`deny_ptrace',`',` -+ allow svirt_sandbox_domain self:process ptrace; -+') -+ +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; @@ -107928,6 +108555,7 @@ index f03dcf5..6fb7d3f 100644 +files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) +files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) +files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) ++files_search_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) +files_entrypoint_all_files(svirt_sandbox_domain) 
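Review bot: `allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;` is added to the svirt_sandbox_domain rules with no comment and no corresponding changelog entry, so it is unclear which container workload needs to open a kernel uevent socket. A one-line comment naming the consumer, e.g. `# uevent socket: needed by <WORKLOAD-PLACEHOLDER> inside the container`, would let the rule be revisited if that requirement goes away. The svirt_sandbox_domain rule block continues outside this hunk.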
@@ -107968,28 +108596,28 @@ index f03dcf5..6fb7d3f 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + gear_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + @@ -108009,6 +108637,15 @@ index f03dcf5..6fb7d3f 100644 + fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_manage_cifs_named_sockets(svirt_sandbox_domain) + fs_manage_cifs_symlinks(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ #docker_read_share_files(svirt_sandbox_domain) ++ #docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++ #docker_use_ptys(svirt_sandbox_domain) ++ #docker_spc_stream_connect(svirt_sandbox_domain) ++ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) ++ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) ') ######################################## @@ -108199,7 +108836,7 @@ index f03dcf5..6fb7d3f 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1491,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1502,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
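Review bot: The new `optional_policy` block at the end of the `@@ -108009,6 +108637,15 @@` hunk adds `fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)` and `dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)` a second time; both are already added unconditionally in the `@@ -107799,6 +108425,15 @@` hunk above. With its four `docker_*` calls commented out, the block contains no interface from an optional module, so the `optional_policy` wrapper gates nothing and the two repeated rules are redundant. Either drop the whole block, or keep only the commented docker calls under a `# TODO: enable once the docker interfaces are available` note and remove the two duplicated lines.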
@@ -108214,7 +108851,7 @@ index f03dcf5..6fb7d3f 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1509,8 @@ optional_policy(` +@@ -1192,9 +1520,8 @@ optional_policy(` ######################################## # @@ -108225,7 +108862,7 @@ index f03dcf5..6fb7d3f 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1523,240 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1534,240 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index bdb34e8..c01a4fc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 127%{?dist} +Release: 128%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -602,6 +602,106 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jun 09 2015 Miroslav Grepl 3.13.1-128 +- Add ipsec_rw_inherited_pipes() interface. +- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket. +- Label /usr/libexec/Xorg.wrap as xserver_exec_t. +- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file. +- Add fixes for selinux userspace moving the policy store to /var/lib/selinux. +- Remove optional else block for dhcp ping (needed by CIL) +- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly. +- Access required to run with unconfine.pp disabled +- Fix selinux_search_fs() interface. +- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists. +- Add seutil_search_config() interface. +- Make ssh-keygen as nsswitch domain to access SSSD. +- Label ctdb events scripts as bin_t. +- Add support for /usr/sbin/lvmpolld. +- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint. +- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules. +- Allow login_pgm domains to access kernel keyring for nsswitch domains. +- Allow hypervkvp to read /dev/urandom and read addition states/config files. +- Add cgdcbxd policy. +- Allow hypervkvp to execute arping in own domain and make it as nsswitch domain. +- Add labeling for pacemaker.log. +- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom. +- Allow lsmd plugin to connect to tcp/5989 by default. +- Allow lsmd plugin to connect to tcp/5988 by default. +- Allow setuid/setgid for selinux_child. +- Allow radiusd to connect to radsec ports. +- ALlow bind to read/write inherited ipsec pipes. +- Allow fowner capability for sssd because of selinux_child handling. +- Allow pki-tomcat relabel pki_tomcat_etc_rw_t. 
+- Allow cluster domain to dbus chat with systemd-logind. +- Allow tmpreaper_t to manage ntp log content +- Allow openvswitch_t to communicate with sssd. +- Allow isnsd_t to communicate with sssd. +- Allow rwho_t to communicate with sssd. +- Allow pkcs_slotd_t to communicate with sssd. +- Add httpd_var_lib_t label for roundcubemail +- Allow puppetagent_t to transfer firewalld messages over dbus. +- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick. +- Update rules related to glusterd_brick_t. +- Allow glusterd to execute lvm tools in the lvm_t target domain. +- Allow glusterd to execute xfs_growfs in the target domain. +- Allow sysctl to have running under hypervkvp_t domain. +- Allow smartdnotify to use user terminals. +- Allow pcp domains to create root.socket in /var/lip/pcp directroy. +- Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain. +- Allow rpcbind to create rpcbind.xdr as a temporary file. +- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings. +- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag. +- rsync server can be setup to send mail +- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again. +- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type. +- Fix samba_load_libgfapi decl in samba.te. +- Fix typo in nagios_run_sudo() boolean. +- remove duplicate declaration from hypervkvp.te. +- Move ctdd_domtrans() from ctdbd to gluster. +- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0. +- Glusterd wants to manage samba config files if they are setup together. +- ALlow NM to do access check on /sys. +- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open . Based on fixes from Lubomir Rintel. +- Allow NetworkManager nm-dispacher to read links. +- Allow gluster hooks scripts to transition to ctdbd_t. 
+- Allow glusterd to read/write samba config files. +- Update mysqld rules related to mysqld log files. +- Add fixes for hypervkvp realed to ifdown/ifup scripts. +- Update netlink_route_socket for ptp4l. +- Allow glusterd to connect to /var/run/dbus/system_bus_socket. +- ALlow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration. +- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default. +- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration. +- Allow glusterd to read /dev/random. +- Update nagios_run_sudo boolean to allow run chkpwd. +- Allow docker and container tools to control caps, don't rely on SELinux for now. Since there is no easy way for SELinux modification of policy as far as caps. docker run --cap-add will work now +- Allow sosreport to dbus chat with NM. +- Allow anaconda to run iscsid in own domain. BZ(1220948). +- Allow rhsmcetd to use the ypbind service to access NIS services. +- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios. +- Allow ctdb to create rawip socket. +- Allow ctdbd to bind smbd port. +- Make ctdbd as userdom_home_reader. +- Dontaudit chrome-sandbox write access its parent process information. BZ(1220958) +- Allow net_admin cap for dnssec-trigger to make wifi reconnect working. +- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046) +- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd. +- Add glusterd_filetrans_named_pid() interface. +- Allow antivirus_t to read system state info. +- Dontaudit use console for chrome-sandbox. +- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. +- Clamd needs to have fsetid capability. +- Allow cinder-backup to dbus chat with systemd-logind. 
+- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files. +- Allow gssd to access kernel keyring for login_pgm domains. +- Add more fixes related to timemaster+ntp+ptp4l. +- Allow docker sandbox domains to search all mountpoiunts +- update winbind_t rules to allow IPC for winbind. +- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3. +- Allow inet_gethost called by couchdb to access /proc/net/unix. +- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so +- Label /usr/bin/yum-deprecated as rpm_exec_t. + * Tue May 05 2015 Lukas Vrabec 3.13.1-127 - Add missing typealiases in apache_content_template() for script domain/executable. - Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.