From 634d39b171db7c9c231ac7e58e672c2ef75c76aa Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 24 2013 21:12:23 +0000 Subject: - Allow lvm_t to create default targets for filesystem handling - Fix labeling for razor-lightdm binaries - Allow insmod_t to read any file labeled var_lib_t - Add policy for pesign - Activate policy for cmpiLMI_Account-cimprovagt - Allow isnsd syscall=listen - /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setschedule - Allow ctdbd to use udp/4379 - gatherd wants sys_nice and setsched - Add support for texlive2012 - Allow NM to read file_t (usb stick with no labels used to transfer keys fo - Allow cobbler to execute apache with domain transition --- diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index a0ed9aa..70c00d3 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2236,3 +2236,10 @@ pki = module # policy for smsd # smsd = module + +# Layer: contrib +# Module: pesign +# +# policy for pesign +# +pesign = module diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9edad61..5de1404 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2373,7 +2373,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..4065a9a 100644 +index d555767..ce0c1b4 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2413,7 +2413,7 @@ index d555767..4065a9a 100644 type crack_t; type crack_exec_t; -@@ -42,18 +43,21 @@ type groupadd_t; +@@ -42,18 +43,22 @@ type groupadd_t; type groupadd_exec_t; domain_obj_id_change_exemption(groupadd_t) init_system_domain(groupadd_t, groupadd_exec_t) 
@@ -2424,6 +2424,7 @@ index d555767..4065a9a 100644 type passwd_t; type passwd_exec_t; domain_obj_id_change_exemption(passwd_t) ++domain_system_change_exemption(passwd_t) application_domain(passwd_t, passwd_exec_t) -role passwd_roles types passwd_t; +#role passwd_roles types passwd_t; @@ -2438,7 +2439,7 @@ index d555767..4065a9a 100644 type sysadm_passwd_tmp_t; files_tmp_file(sysadm_passwd_tmp_t) -@@ -61,8 +65,13 @@ files_tmp_file(sysadm_passwd_tmp_t) +@@ -61,8 +66,13 @@ files_tmp_file(sysadm_passwd_tmp_t) type useradd_t; type useradd_exec_t; domain_obj_id_change_exemption(useradd_t) @@ -2453,7 +2454,7 @@ index d555767..4065a9a 100644 ######################################## # -@@ -86,6 +95,7 @@ allow chfn_t self:unix_stream_socket connectto; +@@ -86,6 +96,7 @@ allow chfn_t self:unix_stream_socket connectto; kernel_read_system_state(chfn_t) kernel_read_kernel_sysctls(chfn_t) @@ -2461,7 +2462,7 @@ index d555767..4065a9a 100644 selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) -@@ -94,25 +104,29 @@ selinux_compute_create_context(chfn_t) +@@ -94,25 +105,29 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -2497,7 +2498,7 @@ index d555767..4065a9a 100644 files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) files_dontaudit_search_home(chfn_t) -@@ -120,19 +134,29 @@ files_dontaudit_search_home(chfn_t) +@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(chfn_t) @@ -2530,7 +2531,7 @@ index d555767..4065a9a 100644 ######################################## # # Crack local policy -@@ -209,8 +233,8 @@ selinux_compute_create_context(groupadd_t) +@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) 
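Review bot: The added `domain_system_change_exemption(passwd_t)` carries no comment and is not mentioned in the commit message, yet it is a constraint exemption on a setuid password-changing domain: in refpolicy that interface places the type on the attribute that relaxes the process-transition identity constraint so the domain may transition into a `system_u` context. Nothing in the hunk shows which caller or helper needs passwd_t to do that, and an unexplained exemption on passwd_t is exactly the rule that gets carried forward for years. A why-comment on the line, e.g. `# passwd_t must exec its helper in a system_u context (see the AVC that prompted this) — confirm`, would record the reason; if the denial came from one helper binary, giving that helper its own domain may be narrower than exempting passwd_t as a whole. The passwd_t policy section continues past this hunk.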
@@ -2541,7 +2542,7 @@ index d555767..4065a9a 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -218,8 +242,8 @@ init_dontaudit_write_utmp(groupadd_t) +@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t) domain_use_interactive_fds(groupadd_t) @@ -2551,7 +2552,7 @@ index d555767..4065a9a 100644 files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) -@@ -229,14 +253,15 @@ corecmd_exec_bin(groupadd_t) +@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t) logging_send_audit_msgs(groupadd_t) logging_send_syslog_msg(groupadd_t) @@ -2570,7 +2571,7 @@ index d555767..4065a9a 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -253,7 +278,8 @@ optional_policy(` +@@ -253,7 +279,8 @@ optional_policy(` ') optional_policy(` @@ -2580,7 +2581,7 @@ index d555767..4065a9a 100644 ') optional_policy(` -@@ -285,6 +311,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; @@ -2588,7 +2589,7 @@ index d555767..4065a9a 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -293,6 +320,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -2596,7 +2597,7 @@ index d555767..4065a9a 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -307,26 +335,38 @@ selinux_compute_create_context(passwd_t) +@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) 
@@ -2640,7 +2641,7 @@ index d555767..4065a9a 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -335,12 +375,11 @@ init_use_fds(passwd_t) +@@ -335,12 +376,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -2654,7 +2655,7 @@ index d555767..4065a9a 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -349,9 +388,15 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +389,15 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2671,7 +2672,7 @@ index d555767..4065a9a 100644 ') ######################################## -@@ -398,9 +443,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -398,9 +444,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -2684,7 +2685,7 @@ index d555767..4065a9a 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +459,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -2692,7 +2693,7 @@ index d555767..4065a9a 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -423,19 +468,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -423,19 +469,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) 
@@ -2714,7 +2715,7 @@ index d555767..4065a9a 100644 ') ######################################## -@@ -443,7 +486,8 @@ optional_policy(` +@@ -443,7 +487,8 @@ optional_policy(` # Useradd local policy # @@ -2724,7 +2725,7 @@ index d555767..4065a9a 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -458,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -458,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -2735,7 +2736,7 @@ index d555767..4065a9a 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -465,36 +513,36 @@ corecmd_exec_shell(useradd_t) +@@ -465,36 +514,36 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -2784,7 +2785,7 @@ index d555767..4065a9a 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +553,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +554,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -2835,7 +2836,7 @@ index d555767..4065a9a 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +593,12 @@ optional_policy(` +@@ -542,7 +594,12 @@ optional_policy(` ') optional_policy(` @@ -2849,7 +2850,7 @@ index d555767..4065a9a 100644 ') optional_policy(` -@@ -550,6 +606,11 @@ optional_policy(` +@@ -550,6 +607,11 @@ optional_policy(` ') optional_policy(` 
@@ -2861,7 +2862,7 @@ index d555767..4065a9a 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +620,12 @@ optional_policy(` +@@ -559,3 +621,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -12254,16 +12255,17 @@ index 148d87a..822f6be 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index cda5588..3035829 100644 +index cda5588..924f856 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -1,9 +1,13 @@ +@@ -1,9 +1,12 @@ +-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +-/cgroup/.* <> +# ecryptfs does not support xattr +HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) +HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) + - /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) - /cgroup/.* <> ++/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) /dev/hugepages(/.*)? <> @@ -12272,10 +12274,13 @@ index cda5588..3035829 100644 /dev/shm/.* <> /lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) -@@ -14,3 +18,10 @@ +@@ -12,5 +15,11 @@ + /lib/udev/devices/shm/.* <> + # for systemd systems: - /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) - /sys/fs/cgroup/.* <> +-/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +-/sys/fs/cgroup/.* <> ++/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) + +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages/.* <> @@ -12284,7 +12289,7 @@ index cda5588..3035829 100644 +/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/[^/]*/gvfs/.* <> 
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..7170125 100644 +index 8416beb..2216778 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -13087,7 +13092,32 @@ index 8416beb..7170125 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3263,6 +3803,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3137,6 +3677,24 @@ interface(`fs_nfs_domtrans',` + + ######################################## + ## ++## Mount on nfsd_fs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mounton_nfsd_fs', ` ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ ++ allow $1 nfsd_fs_t:dir mounton; ++') ++ ++######################################## ++## + ## Mount a NFS server pseudo filesystem. + ## + ## +@@ -3263,6 +3821,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -13112,7 +13142,7 @@ index 8416beb..7170125 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3841,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3859,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -13137,7 +13167,7 @@ index 8416beb..7170125 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +3968,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -13146,7 +13176,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3429,7 +4005,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4023,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -13155,7 +13185,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3447,7 +4023,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4041,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## 
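Review bot: The new `fs_mounton_nfsd_fs` interface opens with `` interface(`fs_mounton_nfsd_fs', ` `` (a space between the comma and the second backquote), while every other interface in this file is written `` interface(`name',` ``; m4 tolerates it, but it is inconsistent and reads as a typo. Dropping the space matches the file. Its summary "Mount on nfsd_fs directories." sits directly above the existing "Mount a NFS server pseudo filesystem" interface, so adding a clause such as `## (i.e. use a directory of the nfsd pseudo filesystem as a mount point)` would keep the two from being confused.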
@@ -13164,7 +13194,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3815,6 +4391,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4409,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -13189,7 +13219,7 @@ index 8416beb..7170125 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +4502,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +4520,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -13198,7 +13228,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3916,17 +4510,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +4528,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -13219,7 +13249,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3934,17 +4528,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +4546,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -13240,7 +13270,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3952,17 +4546,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +4564,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -13280,7 +13310,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -3970,31 +4583,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +4601,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -13336,7 +13366,7 @@ index 8416beb..7170125 100644 ') ######################################## -@@ -4105,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +4753,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -13345,7 +13375,7 @@ index 8416beb..7170125 100644 ') ######################################## -@@ -4165,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +4813,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## 
@@ -13370,7 +13400,7 @@ index 8416beb..7170125 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +4868,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -13379,7 +13409,7 @@ index 8416beb..7170125 100644 ## ## ## -@@ -4221,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +4887,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -13440,7 +13470,7 @@ index 8416beb..7170125 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +4998,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -13485,7 +13515,7 @@ index 8416beb..7170125 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5055,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -13511,7 +13541,7 @@ index 8416beb..7170125 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4503,6 +5262,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5280,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -13520,7 +13550,7 @@ index 8416beb..7170125 100644 ') ######################################## -@@ -4549,7 +5310,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5328,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -13529,7 +13559,7 @@ index 8416beb..7170125 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5375,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -13556,7 +13586,7 @@ index 8416beb..7170125 100644 ## Get the quotas of all filesystems. ## ## -@@ -4912,3 +5693,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +5711,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -19310,7 +19340,7 @@ index 346d011..3e23acb 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..3063a17 100644 +index 76d9f66..5cb2095 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -1,4 +1,15 @@ @@ -19329,12 +19359,13 @@ index 76d9f66..3063a17 100644 /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) -@@ -8,9 +19,15 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +@@ -8,9 +19,16 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) ++/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) @@ -20604,7 +20635,7 @@ index 5fc0391..994eec2 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index d1f64a0..156a29f 100644 +index d1f64a0..8f50bb9 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ 
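Review bot: The new `/usr/libexec/nm-ssh-service -- ... ssh_exec_t` entry labels the NetworkManager SSH VPN plugin's long-running helper as if it were the ssh client binary, so whichever domain execs it will land in ssh_t with the client domain's full access (which in refpolicy includes users' ssh_home_t keys), rather than the narrower set a VPN plugin helper needs. If the intent is only to let the helper fork `ssh`, the usual shape is a dedicated type for the helper that is granted `ssh_domtrans`; if reusing ssh_t is deliberate, a comment on the entry should say so, e.g. `# nm-ssh-service execs ssh; run the whole plugin in ssh_t until it gets its own domain`. The NetworkManager side of the transition is not in this hunk, so the two should be reviewed together.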
@@ -20694,7 +20725,7 @@ index d1f64a0..156a29f 100644 + /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) -+/usr/bin/razor-lightdm-* -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -30891,7 +30922,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index e8c59a5..5c935e3 100644 +index e8c59a5..d2df072 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -30953,17 +30984,17 @@ index e8c59a5..5c935e3 100644 corenet_all_recvfrom_netlabel(clvmd_t) corenet_tcp_sendrecv_generic_if(clvmd_t) corenet_udp_sendrecv_generic_if(clvmd_t) -@@ -120,9 +129,7 @@ init_dontaudit_getattr_initctl(clvmd_t) +@@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t) logging_send_syslog_msg(clvmd_t) -miscfiles_read_localization(clvmd_t) - +- -seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) seutil_read_config(clvmd_t) seutil_read_file_contexts(clvmd_t) -@@ -141,6 +148,11 @@ ifdef(`distro_redhat',` +@@ -141,6 +147,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30975,7 +31006,7 @@ index e8c59a5..5c935e3 100644 ccs_stream_connect(clvmd_t) ') -@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config; +@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; 
@@ -30983,17 +31014,19 @@ index e8c59a5..5c935e3 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -179,6 +192,9 @@ allow lvm_t self:sem create_sem_perms; +@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms; allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; +allow lvm_t lvm_unit_file_t:file manage_file_perms; +systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file) ++systemd_create_unit_file_dirs(lvm_t) ++systemd_create_unit_file_lnk(lvm_t) + manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) -@@ -191,10 +207,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,10 +208,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files @@ -31006,7 +31039,7 @@ index e8c59a5..5c935e3 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -202,8 +220,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -202,8 +221,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -31018,7 +31051,7 @@ index e8c59a5..5c935e3 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -220,6 +240,7 @@ kernel_read_kernel_sysctls(lvm_t) +@@ -220,6 +241,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) 
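Review bot: The directories and symlinks lvm_t will create through the new `systemd_create_unit_file_dirs(lvm_t)` and `systemd_create_unit_file_lnk(lvm_t)` calls will keep the generic systemd_unit_file_t label, because the only transition in this block, `systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)`, covers files alone. As far as this hunk shows, that lets lvm_t populate any `*.wants/` directory with links that enable arbitrary installed units, a wider write into boot configuration than "create default targets for filesystem handling" in the commit message suggests. If lvm only needs its own target and wants directory, extend the transition to `systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, { file dir lnk_file })` and add `manage_dirs_pattern(lvm_t, lvm_unit_file_t, lvm_unit_file_t)` and `manage_lnk_files_pattern(lvm_t, lvm_unit_file_t, lvm_unit_file_t)` so what lvm creates stays under its own type; otherwise a comment recording why the generic label is acceptable would help the next reader. The lvm_t local policy section continues past this hunk.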
@@ -31026,7 +31059,7 @@ index e8c59a5..5c935e3 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +251,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +252,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -31041,7 +31074,7 @@ index e8c59a5..5c935e3 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +269,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +270,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -31049,7 +31082,7 @@ index e8c59a5..5c935e3 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +279,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +280,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -31072,7 +31105,7 @@ index e8c59a5..5c935e3 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +313,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +314,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -31081,7 +31114,7 @@ index e8c59a5..5c935e3 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +321,22 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +322,22 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -31105,7 +31138,7 @@ index e8c59a5..5c935e3 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +348,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +349,11 @@ ifdef(`distro_redhat',` ') optional_policy(` 
@@ -31117,7 +31150,7 @@ index e8c59a5..5c935e3 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +373,26 @@ optional_policy(` +@@ -333,14 +374,26 @@ optional_policy(` ') optional_policy(` @@ -31145,7 +31178,7 @@ index e8c59a5..5c935e3 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..a70c055 100644 +index 9fe8e01..5985e0f 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',` @@ -31188,8 +31221,12 @@ index 9fe8e01..a70c055 100644 /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -77,7 +76,7 @@ ifdef(`distro_redhat',` +@@ -75,9 +74,11 @@ ifdef(`distro_redhat',` + + /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) ++/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) ++ /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) -/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0) @@ -31197,7 +31234,7 @@ index 9fe8e01..a70c055 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +89,7 @@ ifdef(`distro_debian',` +@@ -90,6 +91,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -31555,7 +31592,7 @@ index 7449974..6375786 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a49e28..1d374a0 100644 +index 7a49e28..de1dcdd 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3) 
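Review bot: The new `/var/lib/ipa/pki-ca/publish(/.*)? ... cert_t` entry makes that directory readable by every domain granted the generic cert-reading interface, which is widely handed out, so it is only appropriate if the directory holds public material (presumably the IPA CA's published CRLs) and never a private key. A short comment on the entry, e.g. `# IPA CA CRL publishing directory (public material only)`, would record that assumption for whoever later hits a key-related denial there and is tempted to widen cert_t further. The line is also inserted between `/var/lib/texmf` and `/var/cache/fontconfig` rather than beside the other cert_t paths in the file, which makes it easy to overlook.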
@@ -31695,10 +31732,12 @@ index 7a49e28..1d374a0 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -151,30 +162,37 @@ files_read_etc_runtime_files(insmod_t) +@@ -151,30 +162,38 @@ files_read_etc_runtime_files(insmod_t) files_read_etc_files(insmod_t) files_read_usr_files(insmod_t) files_exec_etc_files(insmod_t) ++# users installing vbox put kernel modules in /var/lib ++files_read_var_lib_files(insmod_t) +files_read_kernel_symbol_table(insmod_t) # for nscd: files_dontaudit_search_pids(insmod_t) @@ -31727,7 +31766,7 @@ index 7a49e28..1d374a0 100644 logging_search_logs(insmod_t) -miscfiles_read_localization(insmod_t) - +- seutil_read_file_contexts(insmod_t) -userdom_use_user_terminals(insmod_t) @@ -31736,7 +31775,7 @@ index 7a49e28..1d374a0 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +202,33 @@ optional_policy(` +@@ -184,28 +203,33 @@ optional_policy(` ') optional_policy(` @@ -31760,24 +31799,24 @@ index 7a49e28..1d374a0 100644 optional_policy(` - mount_domtrans(insmod_t) + hal_write_log(insmod_t) -+') -+ -+optional_policy(` -+ hotplug_search_config(insmod_t) ') optional_policy(` - nis_use_ypbind(insmod_t) -+ kdump_manage_kdumpctl_tmp_files(insmod_t) ++ hotplug_search_config(insmod_t) ') optional_policy(` - nscd_use(insmod_t) ++ kdump_manage_kdumpctl_tmp_files(insmod_t) ++') ++ ++optional_policy(` + mount_domtrans(insmod_t) ') optional_policy(` -@@ -225,6 +248,7 @@ optional_policy(` +@@ -225,6 +249,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) @@ -31785,7 +31824,7 @@ index 7a49e28..1d374a0 100644 ') optional_policy(` -@@ -233,6 +257,10 @@ optional_policy(` +@@ -233,6 +258,10 @@ optional_policy(` ') optional_policy(` 
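Review bot: `files_read_var_lib_files(insmod_t)` lets the module loader read every file labeled var_lib_t, the catch-all label under /var/lib that many domains can write, so any of them can stage a `.ko` that insmod_t will read when asked to load it; the accompanying comment `# users installing vbox put kernel modules in /var/lib` describes the symptom rather than justifying that width. A narrower fix is a file-context entry labeling the VirtualBox module directory `modules_object_t` (which, if insmod_t already reads that type as is usual, needs no new allow rule), with a note here explaining why the generic rule was chosen if it must stay, e.g. `# VirtualBox has no stable module path under /var/lib; if it gains one, label it modules_object_t and drop this`. Module signature enforcement, where enabled, still limits what actually loads, but the policy should not lean on it. The insmod_t section continues past this hunk.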
@@ -31796,7 +31835,7 @@ index 7a49e28..1d374a0 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -291,11 +319,10 @@ init_use_script_ptys(update_modules_t) +@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) @@ -34862,10 +34901,10 @@ index 0000000..4e12420 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..2e5b822 +index 0000000..6862d53 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1195 @@ +@@ -0,0 +1,1231 @@ +## SELinux policy for systemd components + +###################################### @@ -35747,6 +35786,42 @@ index 0000000..2e5b822 + filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4) +') + ++####################################### ++## ++## Create a directory in the /usr/lib/systemd/system directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_create_unit_file_dirs',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++ ++ create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t) ++') ++ ++####################################### ++## ++## Create a link in the /usr/lib/systemd/system directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_create_unit_file_lnk',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++ ++ create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t) ++') ++ +######################################## +## +## Transition to systemd named content @@ -38094,7 +38169,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..08ce1e5 100644 +index 3c5dba7..4f43578 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
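Review bot: The two new interfaces `systemd_create_unit_file_dirs` and `systemd_create_unit_file_lnk` hand out create access on the shared systemd_unit_file_t tree with no file transition, so whatever a caller creates through them carries the generic unit-file label and is indistinguishable from vendor-shipped units; the docstrings should say so, e.g. `## Callers should pair this with systemd_unit_file_filetrans() so created objects get a module-specific type.`. The name `systemd_create_unit_file_lnk` also departs from the object naming used elsewhere (the `create_lnk_files_pattern` it calls, `*_symlinks` and `*_lnk_files` interfaces in the other modules); `systemd_create_unit_file_symlinks` or `systemd_create_unit_file_lnk_files` would read consistently. Both summaries say "in the /usr/lib/systemd/system directory", but the type is presumably applied to more than one path, so "in systemd unit file directories" is the safer wording.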
@@ -40601,16 +40676,34 @@ index 3c5dba7..08ce1e5 100644 ') ######################################## -@@ -3217,7 +3864,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3864,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') - dontaudit $1 user_devpts_t:chr_file rw_file_perms; + dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to open user ptys. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_open_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ dontaudit $1 user_devpts_t:chr_file open; ') ######################################## -@@ -3272,7 +3919,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3937,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -40676,7 +40769,7 @@ index 3c5dba7..08ce1e5 100644 ') ######################################## -@@ -3290,7 +3994,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4012,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -40685,7 +40778,7 @@ index 3c5dba7..08ce1e5 100644 ') ######################################## -@@ -3309,6 +4013,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4031,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -40693,7 +40786,7 @@ index 3c5dba7..08ce1e5 100644 kernel_search_proc($1) ') -@@ -3385,6 +4090,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4108,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -40736,7 +40829,7 @@ index 3c5dba7..08ce1e5 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4146,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4164,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -40761,7 +40854,7 @@ index 3c5dba7..08ce1e5 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4197,1455 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4215,1455 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 2e38254..25a1ae2 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2572,10 +2572,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..36cb011 +index 0000000..badbc17 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,252 @@ +@@ -0,0 +1,256 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2669,6 +2669,7 @@ index 0000000..36cb011 +manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t) +manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t) +manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t) ++files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file}) + +can_exec(antivirus_domain, antivirus_exec_t) + @@ -2716,6 +2717,9 @@ index 0000000..36cb011 +corenet_tcp_connect_http_port(antivirus_domain) +corenet_tcp_sendrecv_http_port(antivirus_domain) + ++corenet_sendrecv_snmp_client_packets(antivirus_domain) ++corenet_tcp_connect_snmp_port(antivirus_domain) ++ +corenet_sendrecv_squid_client_packets(antivirus_domain) +corenet_tcp_connect_squid_port(antivirus_domain) +corenet_tcp_sendrecv_squid_port(antivirus_domain) @@ -11974,7 +11978,7 @@ index c223f81..3bcdf6a 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 2a71346..c1eef8d 100644 +index 2a71346..9f877a1 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) 
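Review bot: `corenet_tcp_connect_snmp_port(antivirus_domain)` and `corenet_sendrecv_snmp_client_packets(antivirus_domain)` grant outbound SNMP to every domain carrying the antivirus_domain attribute, not just the daemon that produced the denial, and the hunk gives no hint which one needs it or why a scanner talks SNMP at all. A comment naming the consumer, e.g. `# <daemon> reports to a monitoring agent over SNMP — confirm`, or a boolean gating the rule, would keep the attribute from accumulating unexplained network reach. In the same file the new `files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})` should be written `{ file }` to match the brace spacing used throughout the policy.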
@@ -11994,7 +11998,13 @@ index 2a71346..c1eef8d 100644 corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) -@@ -117,9 +118,7 @@ dev_read_urand(cobblerd_t) +@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t) + corenet_tcp_connect_http_port(cobblerd_t) + corenet_sendrecv_http_client_packets(cobblerd_t) + ++dev_read_sysfs(cobblerd_t) + dev_read_urand(cobblerd_t) + files_list_boot(cobblerd_t) files_list_tmp(cobblerd_t) files_read_boot_files(cobblerd_t) @@ -12004,7 +12014,7 @@ index 2a71346..c1eef8d 100644 fs_getattr_all_fs(cobblerd_t) fs_read_iso9660_files(cobblerd_t) -@@ -128,6 +127,8 @@ selinux_get_enforce_mode(cobblerd_t) +@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t) term_use_console(cobblerd_t) @@ -12013,7 +12023,24 @@ index 2a71346..c1eef8d 100644 logging_send_syslog_msg(cobblerd_t) miscfiles_read_localization(cobblerd_t) -@@ -193,12 +194,11 @@ optional_policy(` +@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',` + ') + + optional_policy(` ++ apache_domtrans(cobblerd_t) + apache_search_sys_content(cobblerd_t) + ') + +@@ -188,17 +191,20 @@ optional_policy(` + ') + + optional_policy(` ++ libs_exec_ldconfig(cobblerd_t) ++') ++ ++optional_policy(` + rpm_exec(cobblerd_t) + ') optional_policy(` rsync_read_config(cobblerd_t) @@ -12987,7 +13014,7 @@ index 3fe3cb8..b8e08c6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..2af6e1e 100644 +index 3f2b672..c0501e0 100644 --- a/condor.te +++ b/condor.te @@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) 
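Review bot: `apache_domtrans(cobblerd_t)` lets cobblerd start httpd in the httpd_t domain, but nothing in the rule or the commit message records which cobbler operation needs that; a one-line comment above the rule naming the command cobbler runs would let a later reviewer judge whether the transition is still required. In the same hunk `libs_exec_ldconfig(cobblerd_t)` is wrapped in its own `optional_policy` block; libs is part of the base policy in refpolicy, so the wrapper is unnecessary and the call would sit more naturally with the other unconditional rules such as `corecmd_exec_bin(cobblerd_t)`. The cobbler.te hunks are shown as a diff-of-a-diff, so the surrounding rules are only partly visible.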
@@ -13071,7 +13098,16 @@ index 3f2b672..2af6e1e 100644 optional_policy(` mta_send_mail(condor_master_t) -@@ -178,6 +184,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -169,6 +175,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; + + kernel_read_network_state(condor_collector_t) + ++corenet_tcp_bind_http_port(condor_collector_t) ++ + ##################################### + # + # Negotiator local policy +@@ -178,6 +186,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -13080,7 +13116,7 @@ index 3f2b672..2af6e1e 100644 ###################################### # # Procd local policy -@@ -201,6 +209,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -201,6 +211,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -13089,7 +13125,7 @@ index 3f2b672..2af6e1e 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +219,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +221,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13098,7 +13134,7 @@ index 3f2b672..2af6e1e 100644 ##################################### # # Startd local policy -@@ -233,11 +245,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +247,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) 
@@ -13111,7 +13147,7 @@ index 3f2b672..2af6e1e 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +260,7 @@ optional_policy(` +@@ -249,3 +262,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -13120,24 +13156,15 @@ index 3f2b672..2af6e1e 100644 + unconfined_domain(condor_startd_t) +') diff --git a/consolekit.fc b/consolekit.fc -index 23c9558..ee585a7 100644 +index 23c9558..29e5fd3 100644 --- a/consolekit.fc +++ b/consolekit.fc -@@ -1,7 +1,9 @@ --/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) -+#/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) - --/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -+#/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - --/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) --/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) --/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -+#/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) + -+#/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) -+#/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -+#/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) + + /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff --git a/consolekit.if b/consolekit.if index 5b830ec..0647a3b 100644 --- a/consolekit.if @@ -16384,10 +16411,18 @@ index b25b01d..4f7d237 100644 ') + 
diff --git a/ctdb.te b/ctdb.te -index 6ce66e7..1d0337a 100644 +index 6ce66e7..f2a7a61 100644 --- a/ctdb.te +++ b/ctdb.te -@@ -85,12 +85,10 @@ dev_read_urand(ctdbd_t) +@@ -75,6 +75,7 @@ corenet_tcp_bind_generic_node(ctdbd_t) + + corenet_sendrecv_ctdb_server_packets(ctdbd_t) + corenet_tcp_bind_ctdb_port(ctdbd_t) ++corenet_udp_bind_ctdb_port(ctdbd_t) + corenet_tcp_sendrecv_ctdb_port(ctdbd_t) + + corecmd_exec_bin(ctdbd_t) +@@ -85,12 +86,10 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -16400,7 +16435,7 @@ index 6ce66e7..1d0337a 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +107,7 @@ optional_policy(` +@@ -109,6 +108,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -20417,10 +20452,10 @@ index 0000000..b214253 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..1a57396 +index 0000000..05c070d --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,193 @@ +@@ -0,0 +1,194 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -20512,6 +20547,7 @@ index 0000000..1a57396 +files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) +allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms; + ++kernel_read_network_state(dirsrv_t) +kernel_read_system_state(dirsrv_t) +kernel_read_kernel_sysctls(dirsrv_t) + @@ -29820,10 +29856,18 @@ index 57304e4..46e5e3d 100644 optional_policy(` tgtd_manage_semaphores(iscsid_t) diff --git a/isns.te b/isns.te -index bc11034..e393434 100644 +index bc11034..107ed2f 100644 --- a/isns.te 
+++ b/isns.te -@@ -46,8 +46,6 @@ corenet_tcp_bind_generic_node(isnsd_t) +@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) + allow isnsd_t self:capability kill; + allow isnsd_t self:process signal; + allow isnsd_t self:fifo_file rw_fifo_file_perms; ++allow isnsd_t self:tcp_socket { listen }; + allow isnsd_t self:udp_socket { accept listen }; + allow isnsd_t self:unix_stream_socket { accept listen }; + +@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t) @@ -37645,10 +37689,10 @@ index 4462c0e..84944d1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..bb33a48 100644 +index 6ffaba2..99d4eeb 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,65 @@ +@@ -1,38 +1,66 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -37688,6 +37732,7 @@ index 6ffaba2..bb33a48 100644 +HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + @@ -37749,7 +37794,7 @@ index 6ffaba2..bb33a48 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..af1201e 100644 +index 6194b80..5fe7031 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ 
@@ -38388,7 +38433,7 @@ index 6194b80..af1201e 100644 ## ## ## -@@ -530,45 +448,52 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +448,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -38457,6 +38502,7 @@ index 6194b80..af1201e 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") @@ -44418,7 +44464,7 @@ index 0e8508c..0b68b86 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..f3320a3 100644 +index 0b48a30..c71f8e5 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -44567,7 +44613,7 @@ index 0b48a30..f3320a3 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +144,16 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +144,17 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -44580,11 +44626,12 @@ index 0b48a30..f3320a3 100644 +files_read_etc_runtime_files(NetworkManager_t) +files_read_system_conf_files(NetworkManager_t) +files_read_usr_src_files(NetworkManager_t) ++files_read_isid_type_files(NetworkManager_t) + storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +162,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +163,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) 
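Review bot: `files_read_isid_type_files(NetworkManager_t)` grants read access to every file_t object, i.e. anything without a persistent label on any filesystem, not just the unlabeled USB stick the changelog describes ("Allow NM to read file_t ... to transfer keys"). That is broader than the stated need and unconditional; if the use case is importing keys from removable media, consider gating the rule behind a boolean via `tunable_policy`, or at least add a comment recording the use case so the grant is not widened by copy-paste later. The enclosing NetworkManager rule block continues outside this hunk.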
@@ -44597,7 +44644,7 @@ index 0b48a30..f3320a3 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +181,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +182,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -44634,7 +44681,7 @@ index 0b48a30..f3320a3 100644 ') optional_policy(` -@@ -196,10 +222,6 @@ optional_policy(` +@@ -196,10 +223,6 @@ optional_policy(` ') optional_policy(` @@ -44645,7 +44692,7 @@ index 0b48a30..f3320a3 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +232,11 @@ optional_policy(` +@@ -210,16 +233,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -44664,7 +44711,7 @@ index 0b48a30..f3320a3 100644 ') ') -@@ -231,18 +248,19 @@ optional_policy(` +@@ -231,18 +249,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -44687,7 +44734,7 @@ index 0b48a30..f3320a3 100644 ') optional_policy(` -@@ -250,6 +268,10 @@ optional_policy(` +@@ -250,6 +269,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -44698,7 +44745,7 @@ index 0b48a30..f3320a3 100644 ') optional_policy(` -@@ -257,11 +279,10 @@ optional_policy(` +@@ -257,11 +280,10 @@ optional_policy(` ') optional_policy(` @@ -44714,7 +44761,7 @@ index 0b48a30..f3320a3 100644 ') optional_policy(` -@@ -274,10 +295,17 @@ optional_policy(` +@@ -274,10 +296,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -44732,7 +44779,7 @@ index 0b48a30..f3320a3 100644 ') optional_policy(` -@@ -289,6 +317,7 @@ optional_policy(` +@@ -289,6 +318,7 @@ optional_policy(` ') optional_policy(` 
@@ -44740,7 +44787,7 @@ index 0b48a30..f3320a3 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +325,7 @@ optional_policy(` +@@ -296,7 +326,7 @@ optional_policy(` ') optional_policy(` @@ -44749,7 +44796,7 @@ index 0b48a30..f3320a3 100644 ') optional_policy(` -@@ -307,6 +336,7 @@ optional_policy(` +@@ -307,6 +337,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -44757,7 +44804,7 @@ index 0b48a30..f3320a3 100644 ') optional_policy(` -@@ -320,13 +350,15 @@ optional_policy(` +@@ -320,13 +351,19 @@ optional_policy(` ') optional_policy(` @@ -44772,17 +44819,21 @@ index 0b48a30..f3320a3 100644 optional_policy(` - # unconfined_dgram_send(NetworkManager_t) - unconfined_stream_connect(NetworkManager_t) ++ ssh_exec(NetworkManager_t) ++') ++ ++optional_policy(` + udev_exec(NetworkManager_t) + udev_read_db(NetworkManager_t) ') optional_policy(` -@@ -356,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +393,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) -miscfiles_read_localization(wpa_cli_t) - +- term_dontaudit_use_console(wpa_cli_t) diff --git a/nis.fc b/nis.fc index 8aa1bfa..cd0e015 100644 @@ -51929,10 +51980,10 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..9515043 100644 +index dfd46e4..173813f 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,12 @@ +@@ -1,15 +1,15 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) - 
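Review bot: `ssh_exec(NetworkManager_t)` runs the ssh client inside NetworkManager_t itself rather than transitioning it, so the client inherits every permission granted to the daemon and any key or known_hosts file it reads is accessed with NetworkManager's label. If this is for the nm-ssh-service helper that the changelog labels separately, a transition into a dedicated helper domain would keep the ssh client's file and network access out of NetworkManager_t; at minimum a comment above the rule naming the helper would record why ssh is executed here. The optional_policy block holding this rule is fully visible in the hunk; the rest of the NetworkManager policy is not.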
@@ -51954,6 +52005,9 @@ index dfd46e4..9515043 100644 +/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++ ++#openlmi agents ++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -52055,7 +52109,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..ebc50dc 100644 +index 7bcf327..fa856e9 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -52143,7 +52197,8 @@ index 7bcf327..ebc50dc 100644 allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; dontaudit pegasus_t self:capability sys_tty_config; - allow pegasus_t self:process signal; +-allow pegasus_t self:process signal; ++allow pegasus_t self:process { setsched signal }; allow pegasus_t self:fifo_file rw_fifo_file_perms; -allow pegasus_t self:unix_stream_socket { connectto accept listen }; -allow pegasus_t self:tcp_socket { accept listen }; 
@@ -52298,6 +52353,176 @@ index 7bcf327..ebc50dc 100644 ') optional_policy(` +diff --git a/pesign.fc b/pesign.fc +new file mode 100644 +index 0000000..7b54c39 +--- /dev/null ++++ b/pesign.fc +@@ -0,0 +1,6 @@ ++/usr/bin/pesign -- gen_context(system_u:object_r:pesign_exec_t,s0) ++ ++/usr/lib/systemd/system/pesign.service -- gen_context(system_u:object_r:pesign_unit_file_t,s0) ++ ++/var/run/pesign(/.*)? gen_context(system_u:object_r:pesign_var_run_t,s0) ++/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0) +diff --git a/pesign.if b/pesign.if +new file mode 100644 +index 0000000..c20674c +--- /dev/null ++++ b/pesign.if +@@ -0,0 +1,103 @@ ++ ++## pesign utility for signing UEFI binaries as well as other associated tools ++ ++######################################## ++## ++## Execute TEMPLATE in the pesign domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pesign_domtrans',` ++ gen_require(` ++ type pesign_t, pesign_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, pesign_exec_t, pesign_t) ++') ++######################################## ++## ++## Read pesign PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pesign_read_pid_files',` ++ gen_require(` ++ type pesign_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, pesign_var_run_t, pesign_var_run_t) ++') ++ ++######################################## ++## ++## Execute pesign server in the pesign domain. ++## ++## ++## ++## Domain allowed to transition. 
++##
++##
++#
++interface(`pesign_systemctl',`
++ gen_require(`
++ type pesign_t;
++ type pesign_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 pesign_unit_file_t:file read_file_perms;
++ allow $1 pesign_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, pesign_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an pesign environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`pesign_admin',`
++ gen_require(`
++ type pesign_t;
++ type pesign_var_run_t;
++ type pesign_unit_file_t;
++ ')
++
++ allow $1 pesign_t:process { ptrace signal_perms };
++ ps_process_pattern($1, pesign_t)
++
++ files_search_pids($1)
++ admin_pattern($1, pesign_var_run_t)
++
++ pesign_systemctl($1)
++ admin_pattern($1, pesign_unit_file_t)
++ allow $1 pesign_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/pesign.te b/pesign.te
+new file mode 100644
+index 0000000..513887d
+--- /dev/null
++++ b/pesign.te
+@@ -0,0 +1,43 @@
++policy_module(pesign, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pesign_t;
++type pesign_exec_t;
++init_daemon_domain(pesign_t, pesign_exec_t)
++
++type pesign_var_run_t;
++files_pid_file(pesign_var_run_t)
++
++type pesign_unit_file_t;
++systemd_unit_file(pesign_unit_file_t)
++
++########################################
++#
++# pesign local policy
++#
++
++allow pesign_t self:capability { setgid setuid };
++allow pesign_t self:process setsched;
++allow pesign_t self:fifo_file rw_fifo_file_perms;
++allow pesign_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
++manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
++manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t) ++manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t) ++files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir }) ++ ++dev_read_urand(pesign_t) ++ ++files_dontaudit_list_tmp(pesign_t) ++ ++auth_use_nsswitch(pesign_t) ++ ++logging_send_syslog_msg(pesign_t) ++ ++miscfiles_read_certs(pesign_t) ++miscfiles_read_localization(pesign_t) diff --git a/pingd.if b/pingd.if index 21a6ecb..b99e4cb 100644 --- a/pingd.if @@ -53297,10 +53522,10 @@ index 0000000..0c167b7 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..e1d3320 +index 0000000..6329c9c --- /dev/null +++ b/pki.if -@@ -0,0 +1,272 @@ +@@ -0,0 +1,273 @@ + +## policy for pki +######################################## @@ -53572,6 +53797,7 @@ index 0000000..e1d3320 + ') + + read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) ++ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) +') diff --git a/pki.te b/pki.te new file mode 100644 @@ -64656,7 +64882,7 @@ index 951db7f..6d6ec1d 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..e67ea1b 100644 +index 2c1730b..0e15502 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t; @@ -64702,8 +64928,11 @@ index 2c1730b..e67ea1b 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -51,17 +59,20 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t) +@@ -49,19 +57,23 @@ corecmd_exec_shell(mdadm_t) + dev_rw_sysfs(mdadm_t) + dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) ++dev_read_crash(mdadm_t) dev_read_realtime_clock(mdadm_t) dev_read_raw_memory(mdadm_t) +dev_read_nvram(mdadm_t) 
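Review bot: pesign.if calls two differently spelled systemd interfaces for the same purpose — `systemd_read_fifo_file_password_run($1)` in pesign_systemctl and `systemd_read_fifo_file_passwd_run($1)` in pesign_admin; only one spelling can match the interface defined in systemd.if, and an unknown interface name passes through m4 unexpanded and breaks the build wherever the interface is used, so both should be checked against systemd.if and made identical. The interface summaries also still carry template wording (`Execute TEMPLATE in the pesign domin.`, `an pesign environment`) that should read `Execute pesign in the pesign domain.` and `a pesign environment`. On pesign.te, the daemon signs UEFI binaries yet the only certificate-related rule is `miscfiles_read_certs(pesign_t)`; if pesign's key database carries the same generic certificate label that interface reads, every other domain using that interface can read the signing keys, so a private type for the key store, or at least a comment stating where the keys live and how they are labeled, is worth adding. The whole pesign hunk is visible from L32 onward.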
@@ -64725,7 +64954,7 @@ index 2c1730b..e67ea1b 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,16 +81,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,16 +82,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -69574,7 +69803,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..74f3e1b 100644 +index e5212e6..df782bf 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -69785,7 +70014,7 @@ index e5212e6..74f3e1b 100644 ') ######################################## -@@ -195,41 +141,55 @@ optional_policy(` +@@ -195,41 +141,56 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -69826,6 +70055,7 @@ index e5212e6..74f3e1b 100644 files_manage_mounttab(nfsd_t) +files_read_etc_runtime_files(nfsd_t) ++fs_mounton_nfsd_fs(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) fs_getattr_all_dirs(nfsd_t) @@ -69848,7 +70078,7 @@ index e5212e6..74f3e1b 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -69856,7 +70086,7 @@ index e5212e6..74f3e1b 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -69871,7 +70101,7 @@ index e5212e6..74f3e1b 100644 ') ######################################## -@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) 
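Review bot: `dev_read_crash(mdadm_t)` adds read access to the crash memory device, and neither the rule nor the changelog entry ("Allow mdadm to read /dev/crash") says which mdadm code path needs it; the context line `dev_read_raw_memory(mdadm_t)` shows the domain already reads raw memory, so the grant is not out of character, but if mdadm merely opens every device node while scanning for array members a dontaudit would be the tighter fix. A comment recording the denial that motivated the rule would let that be decided later. The inner raid.te hunk continues outside this chunk.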
@@ -69879,7 +70109,7 @@ index e5212e6..74f3e1b 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -279,25 +239,29 @@ kernel_signal(gssd_t) +@@ -279,25 +240,29 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -69912,7 +70142,7 @@ index e5212e6..74f3e1b 100644 ') optional_policy(` -@@ -306,8 +270,11 @@ optional_policy(` +@@ -306,8 +271,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -74773,10 +75003,10 @@ index 0000000..5da5bff +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..cb720ee +index 0000000..5021551 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,465 @@ +@@ -0,0 +1,467 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -75146,6 +75376,7 @@ index 0000000..cb720ee +corenet_sendrecv_ftp_client_packets(sandbox_web_type) +corenet_sendrecv_ipp_client_packets(sandbox_web_type) +corenet_sendrecv_generic_client_packets(sandbox_web_type) ++corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type) + +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) @@ -75242,6 +75473,7 @@ index 0000000..cb720ee + mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') ++userdom_dontaudit_open_user_ptys(sandbox_x_domain) diff --git a/sanlock.fc b/sanlock.fc index 3df2a0f..9059165 100644 --- a/sanlock.fc @@ -75820,7 +76052,7 @@ index 98c9e0a..df51942 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 4a23d84..bc26091 100644 +index 4a23d84..49c7362 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3) 
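Review bot: `userdom_dontaudit_open_user_ptys(sandbox_x_domain)` is appended after the closing `')` of the final optional_policy block at the very end of sandboxX.te, separated from the other unconditional rules for sandbox_x_domain; placing it with the rest of the userdom_* rules for that attribute, with a blank line after the optional block, would keep the file's grouping intact. The interface itself is introduced in this same commit in the base patch (see the userdom hunk at L21), so the contrib package now depends on that base version; a comment noting the minimum base policy would help whoever backports this. The sandboxX.te hunk is fully visible here.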
@@ -75850,7 +76082,7 @@ index 4a23d84..bc26091 100644 corenet_tcp_sendrecv_generic_if(sblim_domain) corenet_tcp_sendrecv_generic_node(sblim_domain) -@@ -44,12 +37,6 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) +@@ -44,19 +37,13 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) dev_read_sysfs(sblim_domain) @@ -75863,6 +76095,15 @@ index 4a23d84..bc26091 100644 ######################################## # # Gatherd local policy + # + +-allow sblim_gatherd_t self:capability dac_override; +-allow sblim_gatherd_t self:process signal; ++allow sblim_gatherd_t self:capability { dac_override sys_nice }; ++allow sblim_gatherd_t self:process { setsched signal }; + allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; + allow sblim_gatherd_t self:unix_stream_socket { accept listen }; + @@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) init_read_utmp(sblim_gatherd_t) 
@@ -78661,6 +78902,100 @@ index cbfe369..085ac13 100644 ######################################## ## ## All of the rules required to +diff --git a/snapper.fc b/snapper.fc +new file mode 100644 +index 0000000..3f412d5 +--- /dev/null ++++ b/snapper.fc +@@ -0,0 +1 @@ ++/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) +diff --git a/snapper.if b/snapper.if +new file mode 100644 +index 0000000..94105ee +--- /dev/null ++++ b/snapper.if +@@ -0,0 +1,42 @@ ++ ++## policy for snapperd ++ ++######################################## ++## ++## Execute TEMPLATE in the snapperd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`snapper_domtrans',` ++ gen_require(` ++ type snapperd_t, snapperd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, snapperd_exec_t, snapperd_t) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## snapperd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snapper_dbus_chat',` ++ gen_require(` ++ type snapperd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 snapperd_t:dbus send_msg; ++ allow snapperd_t $1:dbus send_msg; ++') +diff --git a/snapper.te b/snapper.te +new file mode 100644 +index 0000000..ad232be +--- /dev/null ++++ b/snapper.te +@@ -0,0 +1,33 @@ ++policy_module(snapper, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type snapperd_t; ++type snapperd_exec_t; ++init_daemon_domain(snapperd_t, snapperd_exec_t) ++ ++######################################## ++# ++# snapperd local policy ++# ++ ++allow snapperd_t self:fifo_file rw_fifo_file_perms; ++allow snapperd_t self:unix_stream_socket create_stream_socket_perms; ++ ++storage_raw_read_fixed_disk(snapperd_t) ++ ++auth_use_nsswitch(snapperd_t) ++ ++miscfiles_read_localization(snapperd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(snapperd_t) ++ dbus_connect_system_bus(snapperd_t) ++') ++ ++optional_policy(` ++ 
mount_domtrans(snapperd_t) ++') diff --git a/snmp.fc b/snmp.fc index c73fa24..408ff61 100644 --- a/snmp.fc @@ -86781,10 +87116,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..f3e9b6d 100644 +index c30da4c..e97572f 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,85 @@ +@@ -1,52 +1,86 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -86834,6 +87169,7 @@ index c30da4c..f3e9b6d 100644 -/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0) /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 116a81e..4571417 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 54%{?dist} +Release: 56%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
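Review bot: `snapper_domtrans` in snapper.if still carries the template summary `Execute TEMPLATE in the snapperd domin.`; it should read `Execute snapperd in the snapperd domain.` In snapper.te, `storage_raw_read_fixed_disk(snapperd_t)` gives the daemon raw read access to every fixed disk on the host, which is a wide grant for a snapshot manager; if it was added for a specific denial, a comment naming it (and a narrower interface if one fits) would make the scope reviewable later. The snapper hunk spans L38-L39 and is fully visible.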
@@ -535,6 +535,42 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jun 24 2013 Miroslav Grepl 3.12.1-56
+- Allow lvm_t to create default targets for filesystem handling
+- Fix labeling for razor-lightdm binaries
+- Allow insmod_t to read any file labeled var_lib_t
+- Add policy for pesign
+- Activate policy for cmpiLMI_Account-cimprovagt
+- Allow isnsd syscall=listen
+- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
+- Allow ctdbd to use udp/4379
+- gatherd wants sys_nice and setsched
+- Add support for texlive2012
+- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
+- Allow cobbler to execute apache with domain transition
+
+* Fri Jun 21 2013 Miroslav Grepl 3.12.1-55
+- condor_collector uses tcp/9000
+- Label /usr/sbin/virtlockd as virtd_exec_t for now
+- Allow cobbler to execute ldconfig
+- Allow NM to execute ssh
+- Allow mdadm to read /dev/crash
+- Allow antivirus domains to connect to snmp port
+- Make amavisd-snmp working correctly
+- Allow nfsd_t to mounton nfsd_fs_t
+- Add initial snapper policy
+- We still need to have consolekit policy
+- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
+- Dontaudit sandbox apps attempting to open user_devpts_t
+- Allow dirsrv to read network state
+- Fix pki_read_tomcat_lib_files
+- Add labeling for /usr/libexec/nm-ssh-service
+- Add label cert_t for /var/lib/ipa/pki-ca/publish
+- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant
+- Allow nfsd_t to mounton nfsd_fs_t
+- Dontaudit sandbox apps attempting to open user_devpts_t
+- Allow passwd_t to change role to system_r from unconfined_r
+
 * Wed Jun 19 2013 Miroslav Grepl 3.12.1-54
 - Don't audit access checks by sandbox xserver on xdb var_lib
 - Allow ntop to read usbmon devices