From 810314f2c9e346a5190d05cff3e0e9617988a408 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 27 2013 06:04:19 +0000 Subject: - Make DSPAM to act as a LDA working - Allow NM to read file_t (usb stick with no labels used to transfer keys for example) - condor_collector uses tcp/9000 - Add mandb_filetrans_named_home_content() - Allow gnomesystem to manage /root/.config - Allow ntop to read usbmon devices - Allow colord to list directories inthe users homedir - Lest dontaudit apache read all domains, so passenger will not cause this avc - Allow snmpd to run smartctl in fsadm_t domain - Allow blueman to read bluetooth conf - Add iscsi_filetrans_named_content() interface - For now we need to allow openshift_app_t to read the /etc/passwd file - Allow wine to manage wine home content - Fix labeling of mailman - Allow blueman to write ip_forward - Allow chrome processes to look at each other - Add labeling for /run/nm-xl2tpd.con - Allow apache to stream connect to thin - Allow sys_ptrace for abrt_t - Add support for abrt-uefioops-oops - Allow polkitd to getattr on al fs - Dontaudit pppd to search gnome config - Add mozilla_plugin_use_gps boolean - Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant --- diff --git a/policy-f18-base.patch b/policy-f18-base.patch index 44edbb3..dea9a27 100644 --- a/policy-f18-base.patch +++ b/policy-f18-base.patch @@ -114889,7 +114889,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 02b7ac1..b30f7b8 100644 +index 02b7ac1..1fc53d1 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,14 +15,17 @@ 
@@ -114923,7 +114923,25 @@ index 02b7ac1..b30f7b8 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -125,13 +131,15 @@ ifdef(`distro_suse', ` +@@ -103,6 +109,7 @@ + /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) + /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) + /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) +@@ -115,6 +122,9 @@ + ifdef(`distro_suse', ` + /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) + ') ++/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0) + /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) + /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +@@ -125,13 +135,15 @@ ifdef(`distro_suse', ` /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) 
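Review bot: The new `/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0)` entry puts SPI user-space device nodes under the generic USB type, so every domain that is granted usb_device_t access (dev_rw_generic_usb_dev and friends) also gets raw SPI bus access; unless that sharing is intended, a dedicated type in devices.te is the tighter choice. The `/dev/vfio/vfio` entry only matches the VFIO container node; the per-group nodes VFIO creates under the same directory are not matched and fall back to the directory's default label, which is presumably not what the new vfio_device_t type is meant to cover — `/dev/vfio/.* -c gen_context(system_u:object_r:vfio_device_t,s0)` would cover both. `/dev/vc-mem` as memory_device_t at mls_systemhigh looks right for a raw memory window.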
@@ -114940,7 +114958,7 @@ index 02b7ac1..b30f7b8 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -195,12 +203,22 @@ ifdef(`distro_debian',` +@@ -195,12 +207,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -114966,7 +114984,7 @@ index 02b7ac1..b30f7b8 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index d820975..a8b5aa9 100644 +index d820975..3566762 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -115668,18 +115686,105 @@ index d820975..a8b5aa9 100644 ## ## # -@@ -2956,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',` +@@ -2884,20 +3178,20 @@ interface(`dev_getattr_mtrr_dev',` + + ######################################## + ## +-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). (Deprecated) + ## + ## + ##

+-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). This interface has + ## been deprecated, dev_rw_mtrr() should be + ## used instead. + ##

+ ##

+ ## The MTRR device ioctls can be used for +-## reading and writing; thus, read access to the +-## device cannot be separated from write access. ++## reading and writing; thus, write access to the ++## device cannot be separated from read access. + ##

+ ##
+ ## +@@ -2906,43 +3200,34 @@ interface(`dev_getattr_mtrr_dev',` + ## + ## + # +-interface(`dev_read_mtrr',` ++interface(`dev_write_mtrr',` + refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + dev_rw_mtrr($1) + ') + + ######################################## + ## +-## Write the memory type range +-## registers (MTRR). (Deprecated) ++## Do not audit attempts to write the memory type ++## range registers (MTRR). + ## +-## +-##

+-## Write the memory type range +-## registers (MTRR). This interface has +-## been deprecated, dev_rw_mtrr() should be +-## used instead. +-##

+-##

+-## The MTRR device ioctls can be used for +-## reading and writing; thus, write access to the +-## device cannot be separated from read access. +-##

+-##
+ ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_mtrr',` +- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') +- dev_rw_mtrr($1) ++interface(`dev_dontaudit_write_mtrr',` ++ gen_require(` ++ type mtrr_device_t; ++ ') ++ ++ dontaudit $1 mtrr_device_t:file write_file_perms; ++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to write the memory type ++## Do not audit attempts to read the memory type + ## range registers (MTRR). + ## + ## +@@ -2951,13 +3236,13 @@ interface(`dev_write_mtrr',` + ## + ## + # +-interface(`dev_dontaudit_write_mtrr',` ++interface(`dev_dontaudit_read_mtrr',` + gen_require(` type mtrr_device_t; ') - dontaudit $1 mtrr_device_t:file write; - dontaudit $1 mtrr_device_t:chr_file write; -+ dontaudit $1 mtrr_device_t:file write_file_perms; -+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; ++ dontaudit $1 mtrr_device_t:file { open read }; ++ dontaudit $1 mtrr_device_t:chr_file { open read }; ') ######################################## -@@ -3125,6 +3419,42 @@ interface(`dev_create_null_dev',` +@@ -3125,6 +3410,42 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -115722,7 +115827,7 @@ index d820975..a8b5aa9 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3235,7 +3565,25 @@ interface(`dev_rw_printer',` +@@ -3235,7 +3556,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -115749,7 +115854,7 @@ index d820975..a8b5aa9 100644 ## ## ## -@@ -3243,12 +3591,13 @@ interface(`dev_rw_printer',` +@@ -3243,12 +3582,13 @@ interface(`dev_rw_printer',` ## ## # 
@@ -115766,7 +115871,7 @@ index d820975..a8b5aa9 100644 ') ######################################## -@@ -3836,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3836,6 +4176,42 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -115809,7 +115914,7 @@ index d820975..a8b5aa9 100644 ## Search the sysfs directories. ## ## -@@ -3885,6 +4270,7 @@ interface(`dev_list_sysfs',` +@@ -3885,6 +4261,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') @@ -115817,7 +115922,7 @@ index d820975..a8b5aa9 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3927,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3927,23 +4304,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -115838,7 +115943,7 @@ index d820975..a8b5aa9 100644 # -interface(`dev_manage_sysfs_dirs',` +interface(`dev_read_cpu_online',` - gen_require(` ++ gen_require(` + type cpu_online_t; + ') + @@ -115857,7 +115962,7 @@ index d820975..a8b5aa9 100644 +## +# +interface(`dev_relabel_cpu_online',` -+ gen_require(` + gen_require(` + type cpu_online_t; type sysfs_t; ') @@ -115871,7 +115976,7 @@ index d820975..a8b5aa9 100644 ######################################## ## ## Read hardware state information. -@@ -3997,6 +4409,62 @@ interface(`dev_rw_sysfs',` +@@ -3997,6 +4400,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -115934,7 +116039,7 @@ index d820975..a8b5aa9 100644 ## Read and write the TPM device. ## ## -@@ -4094,6 +4562,25 @@ interface(`dev_write_urand',` +@@ -4094,6 +4553,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -115960,7 +116065,7 @@ index d820975..a8b5aa9 100644 ## Getattr generic the USB devices. ## ## -@@ -4128,6 +4615,24 @@ interface(`dev_setattr_generic_usb_dev',` +@@ -4128,6 +4606,24 @@ interface(`dev_setattr_generic_usb_dev',` setattr_chr_files_pattern($1, device_t, usb_device_t) ') 
@@ -115985,7 +116090,7 @@ index d820975..a8b5aa9 100644 ######################################## ## ## Read generic the USB devices. -@@ -4520,6 +5025,24 @@ interface(`dev_rw_vhost',` +@@ -4520,6 +5016,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -116010,7 +116115,7 @@ index d820975..a8b5aa9 100644 ## Read and write VMWare devices. ## ## -@@ -4725,6 +5248,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4725,6 +5239,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -116037,7 +116142,7 @@ index d820975..a8b5aa9 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4814,3 +5357,917 @@ interface(`dev_unconfined',` +@@ -4814,3 +5348,917 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -116956,7 +117061,7 @@ index d820975..a8b5aa9 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 06eda45..ed26516 100644 +index 06eda45..8d63993 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -117021,7 +117126,17 @@ index 06eda45..ed26516 100644 # # Type for /dev/tpm # -@@ -265,6 +283,7 @@ dev_node(v4l_device_t) +@@ -257,6 +275,9 @@ dev_node(usbmon_device_t) + type userio_device_t; + dev_node(userio_device_t) + ++type vfio_device_t; ++dev_node(vfio_device_t) ++ + type v4l_device_t; + dev_node(v4l_device_t) + +@@ -265,6 +286,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -117029,7 +117144,7 @@ index 06eda45..ed26516 100644 # Type for vmware devices. type vmware_device_t; -@@ -310,5 +329,5 @@ files_associate_tmp(device_node) +@@ -310,5 +332,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; 
@@ -117177,7 +117292,7 @@ index 6a1e4d1..eee8419 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..7d9575d 100644 +index cf04cb5..0aea17d 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -117305,7 +117420,7 @@ index cf04cb5..7d9575d 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +229,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +229,307 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -117321,6 +117436,18 @@ index cf04cb5..7d9575d 100644 +files_config_all_files(unconfined_domain_type) +dev_config_null_dev_service(unconfined_domain_type) + ++optional_policy(` ++ locallogin_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ mandb_filetrans_named_home_content(unconfined_domain_type) ++') ++ ++#optional_policy(` ++# seutil_filetrans_named_content(unconfined_domain_type) ++#') ++ +storage_filetrans_all_named_dev(unconfined_domain_type) + +term_filetrans_all_named_dev(unconfined_domain_type) @@ -117363,6 +117490,10 @@ index cf04cb5..7d9575d 100644 +') + +optional_policy(` ++ clock_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + cups_filetrans_named_content(unconfined_domain_type) +') + @@ -117387,6 +117518,10 @@ index cf04cb5..7d9575d 100644 +') + +optional_policy(` ++ iscsi_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + kerberos_filetrans_named_content(unconfined_domain_type) +') + 
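Review bot: The `#optional_policy(` / `# seutil_filetrans_named_content(unconfined_domain_type)` / `#')` block added in hunk `@@ -117321` is commented-out policy, and the same pattern recurs with `#systemd_filetrans_named_hostname(unconfined_domain_type)` in hunk `@@ -117448`. Commented-out rules in domain.te tend to be forgotten or uncommented without review; either drop them or replace each with a one-line comment stating why the call is held back, e.g. `# seutil_filetrans_named_content() withheld: TODO(placeholder reason)`. The other additions in these hunks (clock, iscsi, locallogin, mandb filetrans for unconfined_domain_type) are consistent with the surrounding blocks, though the `mplayer_filetrans_home_content` block in hunk `@@ -117395` is inserted before the `modules_` block and breaks the alphabetical order the rest of the list keeps.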
@@ -117395,6 +117530,10 @@ index cf04cb5..7d9575d 100644 +') + +optional_policy(` ++ mplayer_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` + modules_filetrans_named_content(unconfined_domain_type) +') + @@ -117448,6 +117587,7 @@ index cf04cb5..7d9575d 100644 + systemd_login_reboot(unconfined_domain_type) + systemd_login_halt(unconfined_domain_type) + systemd_login_undefined(unconfined_domain_type) ++ #systemd_filetrans_named_hostname(unconfined_domain_type) +') + +optional_policy(` @@ -117464,12 +117604,12 @@ index cf04cb5..7d9575d 100644 +') + +optional_policy(` -+ virt_filetrans_named_content(unconfined_domain_type) -+ virt_filetrans_home_content(unconfined_domain_type) ++ ssh_filetrans_admin_home_content(unconfined_domain_type) +') + +optional_policy(` -+ ssh_filetrans_admin_home_content(unconfined_domain_type) ++ virt_filetrans_named_content(unconfined_domain_type) ++ virt_filetrans_home_content(unconfined_domain_type) +') + +selinux_getattr_fs(domain) @@ -120440,28 +120580,34 @@ index 52ef84e..45cb0bc 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index cda5588..91d1e25 100644 +index cda5588..0ea6c27 100644 --- a/policy/modules/kernel/filesystem.fc 
+++ b/policy/modules/kernel/filesystem.fc -@@ -1,3 +1,7 @@ +@@ -1,5 +1,8 @@ +-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +-/cgroup/.* <> +# ecryptfs does not support xattr +HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) +HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) + - /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) - /cgroup/.* <> ++/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) + + /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) + /dev/hugepages(/.*)? <> +@@ -12,5 +15,9 @@ + /lib/udev/devices/shm/.* <> -@@ -14,3 +18,8 @@ # for systemd systems: - /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) - /sys/fs/cgroup/.* <> +-/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +-/sys/fs/cgroup/.* <> ++/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) + +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages/.* <> +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 7c6b791..6ceb348 100644 +index 7c6b791..a05daec 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -121144,12 +121290,10 @@ index 7c6b791..6ceb348 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,42 +3049,97 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3049,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## --## Append files --## on a NFS filesystem. +## Make general progams in nfs an entrypoint for +## the specified domain. +## 
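Review bot: Replacing the `/cgroup/.*` and `/sys/fs/cgroup/.*` entries, which carried `<<none>>` (rendered here as `<>`), with `/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)` and `/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)` changes more than the label: `<<none>>` told restorecon/setfiles to leave everything under the mount alone, while the new pattern makes them attempt to set cgroup_t on every entry of a mounted cgroup tree. If cgroupfs is labeled by the kernel via genfscon, as it presumably is in filesystem.te, that is noise or spurious errors during a full relabel rather than a real label change. The commit message's "keep labels consistent" intent is worth recording in a comment above the entry so the next person does not restore the exclusions, e.g. `# matched so that matchpathcon/restorecon report cgroup_t rather than no context`.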
@@ -121169,109 +121313,136 @@ index 7c6b791..6ceb348 100644 + +######################################## +## -+## Append files -+## on a NFS filesystem. + ## Append files + ## on a NFS filesystem. + ## +@@ -2569,7 +3088,7 @@ interface(`fs_append_nfs_files',` + + ######################################## + ## +-## dontaudit Append files ++## Do not audit attempts to append files + ## on a NFS filesystem. + ## + ## +@@ -2589,6 +3108,42 @@ interface(`fs_dontaudit_append_nfs_files',` + + ######################################## + ## ++## Read inherited files on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`fs_append_nfs_files',` ++interface(`fs_read_inherited_nfs_files',` + gen_require(` + type nfs_t; + ') + -+ append_files_pattern($1, nfs_t, nfs_t) ++ allow $1 nfs_t:file read_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to append files -+## on a NFS filesystem. ++## Read/write inherited files on a NFS filesystem. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## -+## +# -+interface(`fs_dontaudit_append_nfs_files',` ++interface(`fs_rw_inherited_nfs_files',` + gen_require(` + type nfs_t; + ') + -+ dontaudit $1 nfs_t:file append_file_perms; ++ allow $1 nfs_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Read inherited files on a NFS filesystem. + ## Do not audit attempts to read or + ## write files on a NFS filesystem. ## - ## - ## - ## Domain allowed access. 
- ## - ## --## - # --interface(`fs_append_nfs_files',` -+interface(`fs_read_inherited_nfs_files',` - gen_require(` +@@ -2603,7 +3158,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') -- append_files_pattern($1, nfs_t, nfs_t) -+ allow $1 nfs_t:file read_inherited_file_perms; +- dontaudit $1 nfs_t:file rw_file_perms; ++ dontaudit $1 nfs_t:file rw_inherited_file_perms; ') ######################################## +@@ -2627,7 +3182,7 @@ interface(`fs_read_nfs_symlinks',` + + ######################################## ## --## dontaudit Append files --## on a NFS filesystem. -+## Read/write inherited files on a NFS filesystem. +-## Dontaudit read symbolic links on a NFS filesystem. ++## Do not audit attempts to read symbolic links on a NFS filesystem. ## ## ## --## Domain to not audit. -+## Domain allowed access. - ## - ## --## - # --interface(`fs_dontaudit_append_nfs_files',` -+interface(`fs_rw_inherited_nfs_files',` - gen_require(` - type nfs_t; +@@ -2695,28 +3250,48 @@ interface(`fs_getattr_rpc_dirs',` + type rpc_pipefs_t; ') -- dontaudit $1 nfs_t:file append_file_perms; -+ allow $1 nfs_t:file rw_inherited_file_perms; +- allow $1 rpc_pipefs_t:dir getattr; +- ++ allow $1 rpc_pipefs_t:dir getattr; ++ ++') ++ ++######################################## ++## ++## Search directories of RPC file system pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_search_rpc',` ++ gen_require(` ++ type rpc_pipefs_t; ++ ') ++ ++ allow $1 rpc_pipefs_t:dir search_dir_perms; ') ######################################## -@@ -2603,7 +3158,7 @@ interface(`fs_dontaudit_rw_nfs_files',` - type nfs_t; + ## +-## Search directories of RPC file system pipes. ++## Do not audit attempts to list removable storage directories. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`fs_search_rpc',` ++interface(`fs_list_pstorefs',` + gen_require(` +- type rpc_pipefs_t; ++ type pstorefs_t; ') -- dontaudit $1 nfs_t:file rw_file_perms; -+ dontaudit $1 nfs_t:file rw_inherited_file_perms; +- allow $1 rpc_pipefs_t:dir search_dir_perms; ++ allow $1 pstorefs_t:dir list_dir_perms; ') - ######################################## -@@ -2627,7 +3182,7 @@ interface(`fs_read_nfs_symlinks',` - ++ ++ ######################################## ## --## Dontaudit read symbolic links on a NFS filesystem. -+## Do not audit attempts to read symbolic links on a NFS filesystem. - ## - ## - ## -@@ -2741,7 +3296,7 @@ interface(`fs_search_removable',` + ## Search removable storage directories. +@@ -2741,7 +3316,7 @@ interface(`fs_search_removable',` ## ## ## @@ -121280,7 +121451,7 @@ index 7c6b791..6ceb348 100644 ## ## # -@@ -2777,7 +3332,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3352,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -121289,7 +121460,7 @@ index 7c6b791..6ceb348 100644 ## ## # -@@ -2970,6 +3525,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3545,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -121297,7 +121468,7 @@ index 7c6b791..6ceb348 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3566,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3586,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -121305,7 +121476,7 @@ index 7c6b791..6ceb348 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3607,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +3627,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -121313,7 +121484,7 @@ index 7c6b791..6ceb348 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3263,6 +3821,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +3841,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') 
@@ -121338,7 +121509,7 @@ index 7c6b791..6ceb348 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3859,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3879,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -121363,7 +121534,7 @@ index 7c6b791..6ceb348 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4006,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -121372,7 +121543,7 @@ index 7c6b791..6ceb348 100644 ## ## ## -@@ -3429,7 +4023,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4043,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -121381,7 +121552,7 @@ index 7c6b791..6ceb348 100644 ## ## ## -@@ -3447,7 +4041,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4061,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -121390,7 +121561,7 @@ index 7c6b791..6ceb348 100644 ## ## ## -@@ -3815,6 +4409,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4429,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -121415,7 +121586,7 @@ index 7c6b791..6ceb348 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3963,6 +4575,60 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3963,6 +4595,60 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -121476,7 +121647,7 @@ index 7c6b791..6ceb348 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4069,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4069,7 +4755,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') 
@@ -121485,7 +121656,7 @@ index 7c6b791..6ceb348 100644 ') ######################################## -@@ -4129,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4129,6 +4815,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -121510,7 +121681,7 @@ index 7c6b791..6ceb348 100644 ## Read tmpfs link files. ## ## -@@ -4166,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4166,7 +4870,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -121519,7 +121690,7 @@ index 7c6b791..6ceb348 100644 ## ## ## -@@ -4185,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4185,6 +4889,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -121580,7 +121751,7 @@ index 7c6b791..6ceb348 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4242,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4242,6 +5000,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -121625,7 +121796,7 @@ index 7c6b791..6ceb348 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4261,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4261,6 +5057,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -121651,7 +121822,7 @@ index 7c6b791..6ceb348 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4467,6 +5262,8 @@ interface(`fs_mount_all_fs',` +@@ -4467,6 +5282,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -121660,7 +121831,7 @@ index 7c6b791..6ceb348 100644 ') ######################################## -@@ -4513,7 +5310,7 @@ interface(`fs_unmount_all_fs',` +@@ -4513,7 +5330,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -121669,7 +121840,7 @@ index 7c6b791..6ceb348 100644 ## Example attributes: ##

##
    -@@ -4560,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4560,6 +5377,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -121696,7 +121867,7 @@ index 7c6b791..6ceb348 100644 ## Get the quotas of all filesystems. ## ## -@@ -4876,3 +5693,43 @@ interface(`fs_unconfined',` +@@ -4876,3 +5713,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -125023,7 +125194,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 44c198a..4555c4b 100644 +index 44c198a..baabe59 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,74 @@ policy_module(sysadm, 2.5.0) @@ -125138,7 +125309,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -110,6 +139,10 @@ optional_policy(` +@@ -110,11 +139,17 @@ optional_policy(` ') optional_policy(` @@ -125149,7 +125320,14 @@ index 44c198a..4555c4b 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -122,11 +155,20 @@ optional_policy(` + optional_policy(` + clock_run(sysadm_t, sysadm_r) ++ clock_manage_adjtime(sysadm_t) ++ clock_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +@@ -122,11 +157,20 @@ optional_policy(` ') optional_policy(` @@ -125172,7 +125350,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -140,6 +182,10 @@ optional_policy(` +@@ -140,6 +184,10 @@ optional_policy(` ') optional_policy(` @@ -125183,7 +125361,7 @@ index 44c198a..4555c4b 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +202,15 @@ optional_policy(` +@@ -156,11 +204,15 @@ optional_policy(` ') optional_policy(` @@ -125200,7 +125378,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -179,6 +229,13 @@ optional_policy(` +@@ -179,6 +231,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) 
@@ -125214,7 +125392,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -186,15 +243,20 @@ optional_policy(` +@@ -186,15 +245,20 @@ optional_policy(` ') optional_policy(` @@ -125238,7 +125416,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -214,22 +276,20 @@ optional_policy(` +@@ -214,22 +278,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -125267,7 +125445,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -241,25 +301,47 @@ optional_policy(` +@@ -241,25 +303,47 @@ optional_policy(` ') optional_policy(` @@ -125315,7 +125493,7 @@ index 44c198a..4555c4b 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +352,36 @@ optional_policy(` +@@ -270,31 +354,36 @@ optional_policy(` ') optional_policy(` @@ -125359,7 +125537,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -319,12 +406,18 @@ optional_policy(` +@@ -319,12 +408,18 @@ optional_policy(` ') optional_policy(` @@ -125379,7 +125557,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -349,7 +442,18 @@ optional_policy(` +@@ -349,7 +444,18 @@ optional_policy(` ') optional_policy(` @@ -125399,7 +125577,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -360,19 +464,15 @@ optional_policy(` +@@ -360,19 +466,15 @@ optional_policy(` ') optional_policy(` @@ -125421,7 +125599,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -384,10 +484,6 @@ optional_policy(` +@@ -384,10 +486,6 @@ optional_policy(` ') optional_policy(` @@ -125432,7 +125610,7 @@ index 44c198a..4555c4b 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +491,9 @@ optional_policy(` +@@ -395,6 +493,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) 
@@ -125442,7 +125620,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -402,31 +501,34 @@ optional_policy(` +@@ -402,31 +503,34 @@ optional_policy(` ') optional_policy(` @@ -125483,7 +125661,7 @@ index 44c198a..4555c4b 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +541,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +543,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -125494,7 +125672,7 @@ index 44c198a..4555c4b 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -460,6 +558,7 @@ ifndef(`distro_redhat',` +@@ -460,6 +560,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -125502,7 +125680,7 @@ index 44c198a..4555c4b 100644 ') optional_policy(` -@@ -467,11 +566,66 @@ ifndef(`distro_redhat',` +@@ -467,11 +568,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -128718,7 +128896,7 @@ index b17e27a..e700e11 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..71fd2e9 100644 +index fc86b7c..a7b3129 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -128777,7 +128955,7 @@ index fc86b7c..71fd2e9 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,25 +76,29 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,25 +76,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
@@ -128804,6 +128982,8 @@ index fc86b7c..71fd2e9 100644 /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/razor-lightdm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -128813,7 +128993,7 @@ index fc86b7c..71fd2e9 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -90,24 +124,47 @@ ifndef(`distro_debian',` +@@ -90,24 +126,47 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) 
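Review bot: The added `/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)` line duplicates the unchanged entry directly below it, and the added `/usr/bin/razor-lightdm-.*` pattern already matches the `/usr/bin/razor-lightdm-greeter` entry above it. Identical duplicate specs do not change labeling but may make setfiles report multiple specifications for the same path and leave two places to update later; drop the added slim line and keep only one of the razor-lightdm entries.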
@@ -128822,14 +129002,14 @@ index fc86b7c..71fd2e9 100644 +/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) -+ -+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -+/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++ +/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) @@ -128868,7 +129048,7 @@ index fc86b7c..71fd2e9 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..6d63773 100644 +index 130ced9..ff0f72a 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ 
@@ -129297,18 +129477,19 @@ index 130ced9..6d63773 100644 ') ######################################## -@@ -724,11 +827,71 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +827,72 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` - type xdm_t, xdm_tmp_t; + type xdm_t, xdm_tmp_t, xdm_var_run_t; ++ type xdm_dbusd_t; ') files_search_tmp($1) - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + files_search_pids($1) -+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) ++ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, { xdm_t xdm_dbusd_t } ) +') + +######################################## @@ -129371,7 +129552,7 @@ index 130ced9..6d63773 100644 ') ######################################## -@@ -752,6 +915,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -752,6 +916,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -129397,7 +129578,7 @@ index 130ced9..6d63773 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -765,7 +947,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +948,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -129424,7 +129605,7 @@ index 130ced9..6d63773 100644 ') ######################################## -@@ -805,7 +1005,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +1006,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -129452,7 +129633,7 @@ index 130ced9..6d63773 100644 ') ######################################## -@@ -828,6 +1047,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -828,6 +1048,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## 
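Review bot: `stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, { xdm_t xdm_dbusd_t } )` widens xserver_stream_connect_xdm from connecting to xdm_t alone to also connecting to the xdm_dbusd_t domain, but the interface summary (above the hunk, outside it) still describes it as connecting to XDM only; it should name both, e.g. `## Connect to XDM or to the xdm_dbusd_t daemon over a unix stream socket.` Every existing caller of this interface silently gains connectto on the xdm_dbusd_t socket, so if only one caller needs it a separate interface would keep the grant narrower. Style: the space before the closing `)` in `{ xdm_t xdm_dbusd_t } )` does not match the surrounding calls.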
@@ -129477,7 +129658,7 @@ index 130ced9..6d63773 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -897,7 +1134,26 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1135,26 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -129505,7 +129686,7 @@ index 130ced9..6d63773 100644 ') ######################################## -@@ -916,7 +1172,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1173,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -129514,7 +129695,7 @@ index 130ced9..6d63773 100644 ') ######################################## -@@ -963,6 +1219,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1220,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -129560,7 +129741,7 @@ index 130ced9..6d63773 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1271,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1272,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -129569,7 +129750,7 @@ index 130ced9..6d63773 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1333,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1334,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -129612,7 +129793,7 @@ index 130ced9..6d63773 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1383,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1384,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -129621,7 +129802,7 @@ index 130ced9..6d63773 100644 ') ######################################## -@@ -1070,8 +1401,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1402,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') 
@@ -129633,7 +129814,7 @@ index 130ced9..6d63773 100644 ') ######################################## -@@ -1169,27 +1502,27 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1169,27 +1503,27 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -129671,7 +129852,7 @@ index 130ced9..6d63773 100644 ## ## ## -@@ -1197,9 +1530,48 @@ interface(`xserver_stream_connect',` +@@ -1197,9 +1531,48 @@ interface(`xserver_stream_connect',` ## ## # @@ -129722,7 +129903,7 @@ index 130ced9..6d63773 100644 ') allow $1 xserver_tmp_t:file read_file_perms; -@@ -1210,7 +1582,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1583,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -129731,7 +129912,7 @@ index 130ced9..6d63773 100644 ## ## ## -@@ -1220,13 +1592,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1593,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -129756,7 +129937,7 @@ index 130ced9..6d63773 100644 ') ######################################## -@@ -1243,10 +1625,625 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1626,625 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -130385,7 +130566,7 @@ index 130ced9..6d63773 100644 + allow $1 xdm_t:lnk_file read_lnk_file_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index d40f750..9ace67b 100644 +index d40f750..e169452 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -130622,7 +130803,7 @@ index d40f750..9ace67b 100644 ') ######################################## -@@ -247,45 +314,81 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,45 +314,85 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # 
@@ -130710,11 +130891,15 @@ index d40f750..9ace67b 100644 +') + +optional_policy(` ++ gnome_delete_home_config(xauth_t) ++') ++ ++optional_policy(` + nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ') optional_policy(` -@@ -299,64 +402,108 @@ optional_policy(` +@@ -299,64 +406,108 @@ optional_policy(` # XDM Local policy # @@ -130833,7 +131018,7 @@ index d40f750..9ace67b 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +512,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +516,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -130863,7 +131048,7 @@ index d40f750..9ace67b 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +542,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +546,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -130916,7 +131101,7 @@ index d40f750..9ace67b 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +594,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +598,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -130945,7 +131130,7 @@ index d40f750..9ace67b 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +624,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +628,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
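Review bot: `gnome_delete_home_config(xauth_t)` lets the xauth helper unlink content under the user's GNOME config directory, and the hunk records no reason for it; a one-line comment above the optional_policy block, e.g. `# xauth removes stale <file> under ~/.config (see AVC <audit record>)`, would let the next reviewer judge whether delete is still needed. The interface name suggests delete only, but its body is not visible here, so confirm it does not also grant rename or write.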
@@ -130992,7 +131177,7 @@ index d40f750..9ace67b 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +669,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +673,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -131042,7 +131227,7 @@ index d40f750..9ace67b 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +719,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +723,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -131069,7 +131254,7 @@ index d40f750..9ace67b 100644 ') optional_policy(` -@@ -514,12 +746,72 @@ optional_policy(` +@@ -514,12 +750,72 @@ optional_policy(` ') optional_policy(` @@ -131142,7 +131327,7 @@ index d40f750..9ace67b 100644 hostname_exec(xdm_t) ') -@@ -537,28 +829,78 @@ optional_policy(` +@@ -537,28 +833,78 @@ optional_policy(` ') optional_policy(` @@ -131230,7 +131415,7 @@ index d40f750..9ace67b 100644 ') optional_policy(` -@@ -570,6 +912,14 @@ optional_policy(` +@@ -570,6 +916,14 @@ optional_policy(` ') optional_policy(` @@ -131245,7 +131430,7 @@ index d40f750..9ace67b 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +944,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +948,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -131258,7 +131443,7 @@ index d40f750..9ace67b 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +961,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +965,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -131274,7 +131459,7 @@ index d40f750..9ace67b 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +977,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +981,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -131285,7 +131470,7 @@ index d40f750..9ace67b 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +992,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +996,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -131307,7 +131492,7 @@ index d40f750..9ace67b 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1012,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1016,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -131321,7 +131506,7 @@ index d40f750..9ace67b 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1038,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1042,29 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -131331,6 +131516,7 @@ index d40f750..9ace67b 100644 # raw memory access is needed if not using the frame buffer dev_read_raw_memory(xserver_t) dev_wx_raw_memory(xserver_t) ++dev_read_urand(xserver_t) # for other device nodes such as the NVidia binary-only driver -dev_rw_xserver_misc(xserver_t) +dev_manage_xserver_misc(xserver_t) @@ -131353,7 +131539,7 @@ index d40f750..9ace67b 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1070,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1075,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -131371,7 +131557,7 @@ index d40f750..9ace67b 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1093,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1098,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -131395,7 +131581,7 @@ index d40f750..9ace67b 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1158,40 @@ optional_policy(` +@@ -775,16 +1163,40 @@ optional_policy(` ') optional_policy(` 
@@ -131437,7 +131623,7 @@ index d40f750..9ace67b 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1200,10 @@ optional_policy(` +@@ -793,6 +1205,10 @@ optional_policy(` ') optional_policy(` @@ -131448,7 +131634,7 @@ index d40f750..9ace67b 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1219,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1224,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -131462,7 +131648,7 @@ index d40f750..9ace67b 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1230,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1235,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -131471,7 +131657,7 @@ index d40f750..9ace67b 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1243,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1248,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -131506,7 +131692,7 @@ index d40f750..9ace67b 100644 ') optional_policy(` -@@ -859,6 +1265,10 @@ optional_policy(` +@@ -859,6 +1270,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -131517,7 +131703,7 @@ index d40f750..9ace67b 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1312,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1317,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -131526,7 +131712,7 @@ index d40f750..9ace67b 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1366,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1371,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -131558,7 +131744,7 @@ index d40f750..9ace67b 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1412,44 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1417,44 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -131858,7 +132044,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index f416ce9..80df5a7 100644 +index f416ce9..8027bc4 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
@@ -131880,7 +132066,13 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -57,6 +63,8 @@ interface(`auth_use_pam',` +@@ -53,10 +59,13 @@ interface(`auth_use_pam',` + auth_read_login_records($1) + auth_append_login_records($1) + auth_rw_lastlog($1) +- auth_rw_faillog($1) ++ auth_create_lastlog($1) ++ auth_manage_faillog($1) auth_exec_pam($1) auth_use_nsswitch($1) @@ -131889,7 +132081,7 @@ index f416ce9..80df5a7 100644 logging_send_audit_msgs($1) logging_send_syslog_msg($1) -@@ -78,8 +86,19 @@ interface(`auth_use_pam',` +@@ -78,8 +87,19 @@ interface(`auth_use_pam',` ') optional_policy(` @@ -131909,7 +132101,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -95,48 +114,21 @@ interface(`auth_use_pam',` +@@ -95,48 +115,21 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -131964,7 +132156,7 @@ index f416ce9..80df5a7 100644 mls_file_read_all_levels($1) mls_file_write_all_levels($1) -@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',` +@@ -146,18 +139,43 @@ interface(`auth_login_pgm_domain',` mls_fd_share_all_levels($1) auth_use_pam($1) @@ -132016,7 +132208,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',` +@@ -231,6 +249,25 @@ interface(`auth_domtrans_login_program',` ######################################## ## @@ -132042,7 +132234,7 @@ index f416ce9..80df5a7 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -395,13 +431,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -395,13 +432,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -132059,7 +132251,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +487,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; 
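Review bot: Replacing `auth_rw_faillog($1)` with `auth_manage_faillog($1)` inside auth_use_pam gives every PAM-using domain, if that interface grants manage_file_perms as its name indicates, create, rename and unlink on faillog_t rather than read/write, so any such domain can now remove or replace the failed-login record. If the need is only to create the file when it is missing, a create-only interface mirroring the `auth_create_lastlog` added in this patch would keep the existing grant unchanged: `auth_rw_faillog($1)` followed by `auth_create_faillog($1)` (new, create plus the named file transition). The body of auth_use_pam continues outside the hunk.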
@@ -132085,7 +132277,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +525,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -132093,7 +132285,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +721,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -132104,7 +132296,7 @@ index f416ce9..80df5a7 100644 ') ####################################### -@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +824,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -132156,8 +132348,30 @@ index f416ce9..80df5a7 100644 ') ####################################### -@@ -826,7 +929,7 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +928,29 @@ interface(`auth_rw_lastlog',` + allow $1 lastlog_t:file { rw_file_perms lock setattr }; + ') ++####################################### ++## ++## Manage create logins log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_create_lastlog',` ++ gen_require(` ++ type lastlog_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 lastlog_t:file create; ++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog") ++') ++ ######################################## ## -## Execute pam programs in the pam domain. @@ -132165,7 +132379,7 @@ index f416ce9..80df5a7 100644 ## ## ## -@@ -834,12 +937,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +958,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -132196,7 +132410,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -854,15 +972,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +993,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` 
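Review bot: The summary of the new auth_create_lastlog interface reads `## Manage create logins log.`, which does not describe what the body grants (a single `create` on lastlog_t plus the named file transition); `## Create the lastlog file in the log directory.` matches the rules. Callers that need to write the file still have to call auth_rw_lastlog as well, since `create` alone does not permit opening or writing it, and that is worth stating in the summary.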
@@ -132215,7 +132429,7 @@ index f416ce9..80df5a7 100644 ## ## ## -@@ -875,13 +993,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1014,33 @@ interface(`auth_signal_pam',` ## ## # @@ -132253,7 +132467,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -959,9 +1097,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1118,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -132287,7 +132501,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -1040,6 +1199,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1220,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -132298,7 +132512,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -1157,6 +1320,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1157,6 +1341,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -132306,7 +132520,7 @@ index f416ce9..80df5a7 100644 ') ####################################### -@@ -1526,6 +1690,25 @@ interface(`auth_setattr_login_records',` +@@ -1526,6 +1711,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -132332,7 +132546,7 @@ index f416ce9..80df5a7 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1676,24 +1859,7 @@ interface(`auth_manage_login_records',` +@@ -1676,24 +1880,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -132358,7 +132572,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -1717,11 +1883,13 @@ interface(`auth_relabel_login_records',` +@@ -1717,11 +1904,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` 
@@ -132375,7 +132589,7 @@ index f416ce9..80df5a7 100644 ') ######################################## -@@ -1755,3 +1923,219 @@ interface(`auth_unconfined',` +@@ -1755,3 +1944,219 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -133044,7 +133258,7 @@ index c5e05ca..c9ddbee 100644 +/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if -index e2f6d93..c78ccc6 100644 +index e2f6d93..1bc2ccc 100644 --- a/policy/modules/system/clock.if +++ b/policy/modules/system/clock.if @@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',` @@ -133073,6 +133287,47 @@ index e2f6d93..c78ccc6 100644 ## Read and write clock drift adjustments. ## ## +@@ -98,3 +117,40 @@ interface(`clock_rw_adjtime',` + allow $1 adjtime_t:file rw_file_perms; + files_list_etc($1) + ') ++ ++######################################## ++## ++## Manage clock drift adjustments. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clock_manage_adjtime',` ++ gen_require(` ++ type adjtime_t; ++ ') ++ ++ allow $1 adjtime_t:file manage_file_perms; ++ files_list_etc($1) ++') ++ ++######################################## ++## ++## Transition to systemd clock content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clock_filetrans_named_content',` ++ gen_require(` ++ type adjtime_t; ++ ') ++ ++ files_etc_filetrans($1, adjtime_t, file, "adjtime" ) ++') diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index b9ed25b..91e25b5 100644 --- a/policy/modules/system/clock.te @@ -136260,7 +136515,7 @@ index 0d4c8d3..0c32fb4 100644 ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index a30840c..77206a0 100644 +index a30840c..7fdc6c9 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te 
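Review bot: The summary of clock_filetrans_named_content, `## Transition to systemd clock content`, names systemd although the body is generic — it only makes a file named adjtime created in /etc receive adjtime_t; `## Create adjtime in /etc with the adjtime_t type.` describes it accurately for any caller. The call `files_etc_filetrans($1, adjtime_t, file, "adjtime" )` has a stray space before `)` that the other interfaces in this file do not. clock_manage_adjtime grants unlink and rename on adjtime_t in addition to read/write, so callers that only rewrite the file in place should keep using clock_rw_adjtime.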
@@ -73,13 +73,15 @@ role system_r types setkey_t;
@@ -136276,7 +136531,7 @@ index a30840c..77206a0 100644
 allow ipsec_t self:fifo_file read_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
 +allow ipsec_t self:netlink_selinux_socket create_socket_perms;
-+allow ipsec_t self:unix_stream_socket create_stream_socket_perms;
++allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
@@ -136341,20 +136596,30 @@ index a30840c..77206a0 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -186,9 +194,9 @@ optional_policy(` +@@ -186,10 +194,10 @@ optional_policy(` # ipsec_mgmt Local policy # -allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; -dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; +-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; +allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace }; +dontaudit ipsec_mgmt_t self:capability sys_tty_config; +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; - allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; ++allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) + allow ipsec_mgmt_t self:key_socket create_socket_perms; +@@ -209,6 +217,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; + files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) + + manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) ++manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) + manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) + + allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; +@@ -245,6 +254,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) 
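Review bot: `++manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)` lets ipsec_mgmt_t create directories of type ipsec_var_run_t, but the only pid transition visible here is `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)`, which covers files and a different type. If the management scripts create the run directory directly under /run rather than inside an existing ipsec_var_run_t directory, the new directory inherits the generic pid type and the new rule never applies; `files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, dir)` would cover that case. The hunk does not show which path triggered the rule, so confirm against the denial before adding the transition.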
@@ -136371,7 +136636,7 @@ index a30840c..77206a0 100644
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -254,6 +273,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
@@ -136380,7 +136645,7 @@ index a30840c..77206a0 100644
 dev_read_rand(ipsec_mgmt_t)
 dev_read_urand(ipsec_mgmt_t)
-@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +298,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 term_use_console(ipsec_mgmt_t)
@@ -136392,7 +136657,7 @@ index a30840c..77206a0 100644
 init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
-@@ -289,15 +310,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -289,15 +311,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
 logging_send_syslog_msg(ipsec_mgmt_t)
@@ -136405,6 +136670,8 @@ index a30840c..77206a0 100644
 sysnet_etc_filetrans_config(ipsec_mgmt_t)
 -userdom_use_user_terminals(ipsec_mgmt_t)
++systemd_exec_systemctl(ipsec_mgmt_t)
++
 +userdom_use_inherited_user_terminals(ipsec_mgmt_t)
 +
 +optional_policy(`
@@ -136414,7 +136681,7 @@ index a30840c..77206a0 100644
 optional_policy(`
 consoletype_exec(ipsec_mgmt_t)
-@@ -369,13 +391,12 @@ kernel_request_load_module(racoon_t)
+@@ -369,13 +394,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
@@ -136434,7 +136701,7 @@ index a30840c..77206a0 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -400,10 +421,11 @@ locallogin_use_fds(racoon_t)
+@@ -400,10 +424,11 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
@@ -136447,7 +136714,7 @@ index a30840c..77206a0 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -437,9 +459,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -437,9 +462,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -136709,7 +136976,7 @@ index 0646ee7..da1337a 100644 ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index ef8bbaf..5cc272f 100644 +index ef8bbaf..7133fca 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -136863,7 +137130,7 @@ index ef8bbaf..5cc272f 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +307,149 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +307,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -136895,6 +137162,7 @@ index ef8bbaf..5cc272f 100644 -/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) +/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + ++/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + 
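Review bot: `++/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` matches only the unversioned name, while the neighbouring entries use `\.so.*` (e.g. `/usr/lib/libmyth[^/]+\.so.*`) so that `libfoo.so.N` style names are caught too; if this library ships versioned, the versioned file keeps the default library type and text relocations in it are still denied. `/usr/lib/libbcm_host\.so.*` keeps the pattern consistent with the rest of the file. If the unversioned-only match is deliberate, a comment saying so would stop the next editor from "fixing" it.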
@@ -137017,6 +137285,8 @@ index ef8bbaf..5cc272f 100644 +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/talkplugin/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if @@ -143580,10 +143850,10 @@ index 0000000..96a1a74 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..292b53b +index 0000000..4dce27b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,670 @@ +@@ -0,0 +1,671 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -144175,7 +144445,8 @@ index 0000000..292b53b +') + +optional_policy(` -+ clock_read_adjtime(systemd_timedated_t) ++ clock_manage_adjtime(systemd_timedated_t) ++ clock_filetrans_named_content(systemd_timedated_t) + clock_domtrans(systemd_timedated_t) +') + diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index f709429..8df3918 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index 1bd5812..94697ea 100644 +index 1bd5812..cd073d2 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,20 +1,38 @@ +@@ -1,20 +1,39 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) 
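Review bot: `++/opt/google/[^/]*/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` labels every shared object under any /opt/google subdirectory as textrel_shlib_t, the type that permits execmod (text relocations) for all library users, and it makes both the existing `/opt/google/chrome/.*\.so` line and the `++/opt/google/talkplugin/.*\.so` line added here redundant. A blanket pattern extends that exemption to any future package installed under /opt/google, so keeping only the per-product entries and dropping the wildcard bounds the grant to libraries known to need it. If the wildcard is intentional, a comment naming the package that required it would help the next reviewer.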
@@ -12,6 +12,7 @@ index 1bd5812..94697ea 100644
 -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 -/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 +/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
 +/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 +/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
@@ -367,7 +368,7 @@ index 0b827c5..cce58bb 100644
 + dontaudit $1 abrt_t:sock_file write;
 ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..1246994 100644
+index 30861ec..53d5f7b 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -475,7 +476,7 @@ index 30861ec..1246994 100644
 #
 -allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
-+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
 dontaudit abrt_t self:capability sys_rawio;
 -allow abrt_t self:process { signal signull setsched getsched };
 +allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
@@ -680,7 +681,7 @@ index 30861ec..1246994 100644
 userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
 userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
 dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +334,151 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +334,152 @@ ifdef(`hide_broken_symptoms', `
 dev_dontaudit_write_all_chr_files(abrt_helper_t)
 dev_dontaudit_write_all_blk_files(abrt_helper_t)
 fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
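Review bot: `++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };` adds CAP_SYS_PTRACE to abrt_t without a comment saying which operation required it. This capability also unlocks reading other processes' memory and /proc state beyond what the crash-report path is visibly doing, so a note such as `# sys_ptrace: needed for <operation, from the AVC>` above the allow line keeps the grant reviewable, and if the trigger was only a /proc/<pid> read a rule scoped to that read would be the narrower fix. The hunk does not show the denial, so confirm which it was.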
@@ -801,6 +802,7 @@ index 30861ec..1246994 100644 +domain_use_interactive_fds(abrt_dump_oops_t) + +fs_list_inotifyfs(abrt_dump_oops_t) ++fs_list_pstorefs(abrt_dump_oops_t) + +logging_read_generic_logs(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t) @@ -3360,7 +3362,7 @@ index 6480167..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..30dd0b8 100644 +index 0833afb..e9f3f7f 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) @@ -3781,7 +3783,7 @@ index 0833afb..30dd0b8 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +583,14 @@ dev_rw_crypto(httpd_t) +@@ -385,72 +583,129 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -3796,7 +3798,9 @@ index 0833afb..30dd0b8 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -396,61 +599,112 @@ domain_use_interactive_fds(httpd_t) + + domain_use_interactive_fds(httpd_t) ++domain_dontaudit_read_all_domains_state(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) @@ -3917,7 +3921,7 @@ index 0833afb..30dd0b8 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +715,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +716,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -3981,7 +3985,7 @@ index 0833afb..30dd0b8 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +779,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +780,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
@@ -4004,7 +4008,7 @@ index 0833afb..30dd0b8 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,23 +814,39 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,23 +815,39 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -4049,7 +4053,7 @@ index 0833afb..30dd0b8 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -540,6 +859,24 @@ optional_policy(` +@@ -540,6 +860,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -4074,7 +4078,7 @@ index 0833afb..30dd0b8 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +886,24 @@ optional_policy(` +@@ -549,13 +887,24 @@ optional_policy(` ') optional_policy(` @@ -4100,7 +4104,7 @@ index 0833afb..30dd0b8 100644 ') optional_policy(` -@@ -573,7 +921,25 @@ optional_policy(` +@@ -573,7 +922,25 @@ optional_policy(` ') optional_policy(` @@ -4126,7 +4130,7 @@ index 0833afb..30dd0b8 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -584,6 +950,7 @@ optional_policy(` +@@ -584,6 +951,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -4134,7 +4138,7 @@ index 0833afb..30dd0b8 100644 ') optional_policy(` -@@ -594,6 +961,46 @@ optional_policy(` +@@ -594,6 +962,46 @@ optional_policy(` ') optional_policy(` @@ -4181,7 +4185,7 @@ index 0833afb..30dd0b8 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,6 +1015,11 @@ optional_policy(` +@@ -608,11 +1016,20 @@ optional_policy(` ') optional_policy(` @@ -4193,7 +4197,16 @@ index 0833afb..30dd0b8 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +1032,12 @@ optional_policy(` + + optional_policy(` ++ thin_stream_connect(httpd_t) ++') ++ ++optional_policy(` + udev_read_db(httpd_t) + ') + +@@ -620,6 +1037,12 @@ optional_policy(` yam_read_content(httpd_t) ') 
@@ -4206,7 +4219,7 @@ index 0833afb..30dd0b8 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1051,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1056,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -4223,7 +4236,6 @@ index 0833afb..30dd0b8 100644 + allow httpd_t self:process setexec; + + files_dontaudit_getattr_all_files(httpd_t) -+ domain_dontaudit_read_all_domains_state(httpd_t) + domain_getpgid_all_domains(httpd_t) +') + @@ -4251,7 +4263,7 @@ index 0833afb..30dd0b8 100644 ######################################## # -@@ -671,28 +1125,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1129,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -4295,7 +4307,7 @@ index 0833afb..30dd0b8 100644 ') ######################################## -@@ -702,6 +1158,7 @@ optional_policy(` +@@ -702,6 +1162,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -4303,7 +4315,7 @@ index 0833afb..30dd0b8 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1173,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1177,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -4332,7 +4344,7 @@ index 0833afb..30dd0b8 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1203,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1207,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -4350,7 +4362,7 @@ index 0833afb..30dd0b8 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1221,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1225,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -4383,7 +4395,7 @@ index 0833afb..30dd0b8 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1268,25 @@ optional_policy(` +@@ -786,6 +1272,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4409,7 +4421,7 @@ index 0833afb..30dd0b8 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1307,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1311,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -4427,7 +4439,7 @@ index 0833afb..30dd0b8 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1326,51 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1330,51 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -4487,7 +4499,7 @@ index 0833afb..30dd0b8 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1378,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1382,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4528,7 +4540,7 @@ index 0833afb..30dd0b8 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,15 +1418,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +@@ -854,15 +1422,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` optional_policy(` clamav_domtrans_clamscan(httpd_sys_script_t) @@ -4555,7 +4567,7 @@ index 0833afb..30dd0b8 100644 ') ######################################## -@@ -878,11 +1453,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1457,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4567,7 +4579,7 @@ index 0833afb..30dd0b8 100644 ######################################## # -@@ -908,11 +1481,143 @@ optional_policy(` +@@ -908,11 +1485,143 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -6603,10 +6615,10 @@ index 6b081c4..bd44bc6 100644 ######################################## diff --git a/blueman.te b/blueman.te -index 70969fa..24a4ba7 100644 +index 70969fa..a869c5d 100644 --- a/blueman.te +++ b/blueman.te -@@ -7,40 +7,76 @@ policy_module(blueman, 1.0.0) +@@ -7,40 +7,81 @@ policy_module(blueman, 1.0.0) type blueman_t; type blueman_exec_t; 
@@ -6637,6 +6649,7 @@ index 70969fa..24a4ba7 100644 +manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) +files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file }) + ++kernel_rw_net_sysctls(blueman_t) kernel_read_system_state(blueman_t) +kernel_request_load_module(blueman_t) +kernel_read_net_sysctls(blueman_t) @@ -6666,6 +6679,10 @@ index 70969fa..24a4ba7 100644 ') + +optional_policy(` ++ bluetooth_read_config(blueman_t) ++') ++ ++optional_policy(` + dbus_system_domain(blueman_t, blueman_exec_t) +') + @@ -9226,10 +9243,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..701862d +index 0000000..89dc790 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,204 @@ +@@ -0,0 +1,205 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -9411,6 +9428,7 @@ index 0000000..701862d + +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) +ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) ++ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t) + +kernel_read_state(chrome_sandbox_nacl_t) +kernel_read_system_state(chrome_sandbox_nacl_t) @@ -10329,10 +10347,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..b73fed6 +index 0000000..ac38b2b --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,201 @@ +@@ -0,0 +1,202 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -10514,6 +10532,7 @@ index 0000000..b73fed6 + +corenet_tcp_bind_generic_node(mongod_t) +corenet_tcp_bind_mongod_port(mongod_t) ++corenet_tcp_connect_mongod_port(mongod_t) +corenet_tcp_connect_postgresql_port(mongod_t) + +kernel_read_vm_sysctls(mongod_t) @@ -11422,7 +11441,7 @@ index 733e4e6..825f537 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 74505cc..cfd4c13 100644 +index 74505cc..3859fab 100644 --- a/colord.te +++ b/colord.te 
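Review bot: `kernel_rw_net_sysctls(blueman_t)` makes the existing `kernel_read_net_sysctls(blueman_t)` two lines below it redundant, since the rw interface already covers read; the read line should be removed. The rw interface also grants write to every net sysctl rather than the single one the daemon needs, so a why-comment is warranted, e.g. `# needs write to net sysctls (ip_forward); read is implied by rw -- TODO narrow if a per-sysctl type exists`. The blueman_t rule block continues outside this hunk.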
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0) @@ -11480,7 +11499,7 @@ index 74505cc..cfd4c13 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -62,22 +77,41 @@ dev_rw_generic_usb_dev(colord_t) +@@ -62,22 +77,42 @@ dev_rw_generic_usb_dev(colord_t) domain_use_interactive_fds(colord_t) files_list_mnt(colord_t) @@ -11513,6 +11532,7 @@ index 74505cc..cfd4c13 100644 -sysnet_dns_name_resolve(colord_t) +userdom_home_reader(colord_t) ++userdom_list_user_home_content(colord_t) +userdom_read_inherited_user_home_content_files(colord_t) tunable_policy(`use_nfs_home_dirs',` @@ -11525,7 +11545,7 @@ index 74505cc..cfd4c13 100644 fs_read_cifs_files(colord_t) ') -@@ -86,6 +120,13 @@ optional_policy(` +@@ -86,6 +121,13 @@ optional_policy(` cups_read_rw_config(colord_t) cups_stream_connect(colord_t) cups_dbus_chat(colord_t) @@ -11539,7 +11559,7 @@ index 74505cc..cfd4c13 100644 ') optional_policy(` -@@ -96,5 +137,20 @@ optional_policy(` +@@ -96,5 +138,20 @@ optional_policy(` ') optional_policy(` @@ -12017,10 +12037,10 @@ index 0000000..8424fdb +') diff --git a/condor.te b/condor.te new file mode 100644 -index 0000000..f31a2e8 +index 0000000..d101e57 --- /dev/null +++ b/condor.te -@@ -0,0 +1,264 @@ +@@ -0,0 +1,266 @@ +policy_module(condor, 1.0.0) + +######################################## @@ -12190,6 +12210,8 @@ index 0000000..f31a2e8 + +kernel_read_network_state(condor_collector_t) + ++corenet_tcp_bind_http_port(condor_collector_t) ++ +##################################### +# +# condor negotiator local policy @@ -21164,10 +21186,10 @@ index 0000000..a446210 +') diff --git a/dspam.te b/dspam.te new file mode 100644 -index 0000000..0b4f332 +index 0000000..16a781c --- /dev/null +++ b/dspam.te -@@ -0,0 +1,114 @@ +@@ -0,0 +1,136 @@ + +policy_module(dspam, 1.0.0) + 
@@ -21282,6 +21304,28 @@ index 0000000..0b4f332 + mysql_stream_connect(httpd_dspam_script_t) + ') +') ++ ++optional_policy(` ++ mysql_stream_connect(dspam_t) ++ mysql_read_config(dspam_t) ++ ++ mysql_tcp_connect(dspam_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(dspam_t) ++ postgresql_unpriv_client(dspam_t) ++ ++ postgresql_tcp_connect(dspam_t) ++') ++ ++optional_policy(` ++ postfix_rw_master_pipes(dspam_t) ++') ++ ++optional_policy(` ++ procmail_domtrans(dspam_t) ++') diff --git a/entropyd.te b/entropyd.te index b6ac808..6235eb0 100644 --- a/entropyd.te @@ -26383,7 +26427,7 @@ index f5afe78..4a90668 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/gnome.te b/gnome.te -index 783c5fb..08de5ad 100644 +index 783c5fb..f680d03 100644 --- a/gnome.te +++ b/gnome.te @@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0) @@ -26552,7 +26596,7 @@ index 783c5fb..08de5ad 100644 +') + +optional_policy(` -+ gnome_read_home_config(gnomesystemmm_t) ++ gnome_manage_home_config(gnomesystemmm_t) +') + +optional_policy(` 
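Review bot: `mysql_tcp_connect(dspam_t)` and `postgresql_tcp_connect(dspam_t)` are granted unconditionally, whereas the apache module in this same patch gates its outbound database connections behind the `httpd_can_network_connect_db` boolean. The stream_connect lines directly above already cover the common local-socket case, so a dspam-specific tunable, or at least a comment explaining why network database access is on by default, would keep this module consistent with the rest of the tree. The new `postfix_rw_master_pipes(dspam_t)` and `procmail_domtrans(dspam_t)` blocks would also benefit from a one-line note each saying which delivery path needs them.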
@@ -28634,6 +28678,76 @@ index 14d9670..e94b352 100644 +/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) +diff --git a/iscsi.if b/iscsi.if +index 4cae92a..ae1b9ec 100644 +--- a/iscsi.if ++++ b/iscsi.if +@@ -74,3 +74,65 @@ interface(`iscsi_read_lib_files',` + allow $1 iscsi_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) + ') ++ ++######################################## ++## ++## Transition to iscsi named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`iscsi_filetrans_named_content',` ++ gen_require(` ++ type iscsi_lock_t; ++ ') ++ ++ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi") ++') ++ ++ ++######################################## ++## ++## All of the rules required to ++## administrate an iscsi environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`iscsi_admin',` ++ gen_require(` ++ type iscsid_t, iscsi_lock_t, iscsi_log_t; ++ type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; ++ type iscsi_unit_file_t; ++ ') ++ ++ allow $1 iscsid_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, iscsid_t) ++ ++ systemd_exec_systemctl($1) ++ allow $1 iscsi_unit_file_t:file manage_file_perms; ++ allow $1 iscsi_unit_file_t:service manage_service_perms; ++ ++ logging_search_logs($1) ++ admin_pattern($1, iscsi_log_t) ++ ++ files_search_locks($1) ++ admin_pattern($1, iscsi_lock_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, iscsi_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, iscsi_var_run_t) ++ ++ files_search_tmp($1) ++ admin_pattern($1, iscsi_tmp_t) ++') ++>>>>>>> f7a594a... Add iscsi_filetrans_named_content() interface diff --git a/iscsi.te b/iscsi.te index 8bcfa2f..ed4f703 100644 --- a/iscsi.te @@ -33635,10 +33749,10 @@ index a03b63a..99e8d96 100644 + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) +') 
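Review bot: The final added line of iscsi.if, `>>>>>>> f7a594a... Add iscsi_filetrans_named_content() interface`, is a leftover git conflict marker and will break the module build when m4 hits it; delete that line. The interfaces above it look complete, though there is a stray extra blank line between the end of `iscsi_filetrans_named_content` and the `iscsi_admin` header that the file's other interfaces do not have.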
diff --git a/mailman.fc b/mailman.fc -index 1083f98..c7daa85 100644 +index 1083f98..0a9e3e1 100644 --- a/mailman.fc +++ b/mailman.fc -@@ -1,11 +1,14 @@ +@@ -1,11 +1,16 @@ -/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) @@ -33647,12 +33761,14 @@ index 1083f98..c7daa85 100644 -/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) -/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0) -/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) -+/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0 ++/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)) +/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + -+/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) ++/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) +/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) +/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) +/var/log/mailman.* gen_context(system_u:object_r:mailman_log_t,s0) @@ -33660,7 +33776,7 @@ index 1083f98..c7daa85 100644 # # distro_debian -@@ -23,12 +26,12 @@ ifdef(`distro_debian', ` +@@ -23,12 +28,12 @@ ifdef(`distro_debian', ` # distro_redhat # ifdef(`distro_redhat', ` @@ -34231,21 +34347,23 @@ index 0000000..29b79eb +') diff --git a/mandb.fc b/mandb.fc new file mode 100644 -index 0000000..df710ae +index 0000000..d4482e4 
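Review bot: The parentheses are unbalanced across two consecutive mailman.fc lines as shown here: `/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0` lacks its closing `)` while the next line `/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0))` has one too many, which will break m4 expansion of the file contexts. They should read `/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)` and `/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)`. Note also that the `/usr/lib/mailman/...` entries are already matched by the adjacent `/usr/lib/mailman.*/...` patterns, so they could be dropped once the regex variants are confirmed to work.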
--- /dev/null +++ b/mandb.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) + +/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) ++ ++HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) diff --git a/mandb.if b/mandb.if new file mode 100644 -index 0000000..4a4e899 +index 0000000..6ad1354 --- /dev/null +++ b/mandb.if -@@ -0,0 +1,187 @@ +@@ -0,0 +1,206 @@ + +## policy for mandb + @@ -34405,6 +34523,25 @@ index 0000000..4a4e899 + manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) +') + ++######################################## ++## ++## Create configuration files in user ++## home directories with a named file ++## type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mandb_filetrans_named_home_content',` ++ gen_require(` ++ type mandb_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath") ++') + +######################################## +## @@ -34435,10 +34572,10 @@ index 0000000..4a4e899 +') diff --git a/mandb.te b/mandb.te new file mode 100644 -index 0000000..dbeac05 +index 0000000..a7df7d5 --- /dev/null +++ b/mandb.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,49 @@ +policy_module(mandb, 1.0.0) + +######################################## @@ -34454,6 +34591,9 @@ index 0000000..dbeac05 +type mandb_cache_t; +files_type(mandb_cache_t) + ++type mandb_home_t; ++userdom_user_home_content(mandb_home_t) ++ +type mandb_lock_t; +files_lock_file(mandb_lock_t) + @@ -34470,6 +34610,9 @@ index 0000000..dbeac05 +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) + ++userdom_search_user_home_dirs(mandb_t) ++allow mandb_t mandb_home_t:file read_file_perms; ++ +allow mandb_t mandb_lock_t:file manage_file_perms; +files_lock_filetrans(mandb_t, mandb_lock_t, file) + 
@@ -35890,10 +36033,10 @@ index 6647a35..f3b35e1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 3a73e74..c5b8df7 100644 +index 3a73e74..77c8857 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -2,8 +2,24 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0 +@@ -2,8 +2,26 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0 HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -35907,6 +36050,8 @@ index 3a73e74..c5b8df7 100644 +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -35918,7 +36063,7 @@ index 3a73e74..c5b8df7 100644 # # /bin -@@ -16,6 +32,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +@@ -16,6 +34,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) @@ -35931,7 +36076,7 @@ index 3a73e74..c5b8df7 100644 ifdef(`distro_debian',` /usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) ') -@@ -23,11 +45,20 @@ ifdef(`distro_debian',` +@@ -23,11 +47,20 @@ ifdef(`distro_debian',` # # /lib # 
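Review bot: `HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)` looks like a leftover test entry: it labels any regular file literally named `abc` in a user's home directory as mozilla_home_t, which no plugin in this list ships. The added `HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)` is also an exact duplicate of the same pattern two lines earlier in this hunk. Both added lines should be removed.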
@@ -35959,7 +36104,7 @@ index 3a73e74..c5b8df7 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index b397fde..791639c 100644 +index b397fde..1831369 100644 --- a/mozilla.if +++ b/mozilla.if @@ -18,10 +18,11 @@ @@ -36109,7 +36254,7 @@ index b397fde..791639c 100644 ## ## ## -@@ -275,28 +361,124 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -275,28 +361,125 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -36231,6 +36376,7 @@ index b397fde..791639c 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") @@ -36242,10 +36388,10 @@ index b397fde..791639c 100644 +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..900cca4 100644 +index d4fcb75..20b133f 100644 --- a/mozilla.te +++ b/mozilla.te -@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) +@@ -7,19 +7,41 @@ policy_module(mozilla, 2.6.0) ## ##
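Review bot: `userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")` in the home-content filetrans list (whose interface header is outside this hunk) looks like a leftover test entry: any file named `abc` that a caller domain creates in a home directory would silently land in mozilla_home_t. Every other transition in the list names a real plugin dotfile or dotdirectory, so this line should be dropped.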

    @@ -36269,6 +36415,13 @@ index d4fcb75..900cca4 100644 +## +gen_tunable(mozilla_plugin_enable_homedirs, false) + ++## ++##

    ++## Allow mozilla plugin to support GPS. ++##

    ++##
    ++gen_tunable(mozilla_plugin_use_gps, false) ++ +#attribute_role mozilla_roles; type mozilla_t; @@ -36282,7 +36435,7 @@ index d4fcb75..900cca4 100644 type mozilla_conf_t; files_config_file(mozilla_conf_t) -@@ -32,14 +47,26 @@ userdom_user_home_content(mozilla_home_t) +@@ -32,14 +54,26 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) @@ -36310,7 +36463,7 @@ index d4fcb75..900cca4 100644 type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) -@@ -79,7 +106,8 @@ allow mozilla_t mozilla_conf_t:file read_file_perms; +@@ -79,7 +113,8 @@ allow mozilla_t mozilla_conf_t:file read_file_perms; manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) @@ -36320,7 +36473,7 @@ index d4fcb75..900cca4 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -100,7 +128,6 @@ corecmd_exec_shell(mozilla_t) +@@ -100,7 +135,6 @@ corecmd_exec_shell(mozilla_t) corecmd_exec_bin(mozilla_t) # Browse the web, connect to printer @@ -36328,7 +36481,7 @@ index d4fcb75..900cca4 100644 corenet_all_recvfrom_netlabel(mozilla_t) corenet_tcp_sendrecv_generic_if(mozilla_t) corenet_raw_sendrecv_generic_if(mozilla_t) -@@ -110,6 +137,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t) +@@ -110,6 +144,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) corenet_tcp_sendrecv_squid_port(mozilla_t) corenet_tcp_sendrecv_ftp_port(mozilla_t) 
@@ -36336,7 +36489,7 @@ index d4fcb75..900cca4 100644 corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) corenet_tcp_connect_http_cache_port(mozilla_t) -@@ -140,7 +168,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t) +@@ -140,7 +175,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t) files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) @@ -36344,7 +36497,7 @@ index d4fcb75..900cca4 100644 # /var/lib files_read_var_lib_files(mozilla_t) # interacting with gstreamer -@@ -151,42 +178,34 @@ files_dontaudit_getattr_boot_dirs(mozilla_t) +@@ -151,42 +185,34 @@ files_dontaudit_getattr_boot_dirs(mozilla_t) fs_dontaudit_getattr_all_fs(mozilla_t) fs_search_auto_mountpoints(mozilla_t) fs_list_inotifyfs(mozilla_t) @@ -36397,7 +36550,7 @@ index d4fcb75..900cca4 100644 # Uploads, local html tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -@@ -263,6 +282,7 @@ optional_policy(` +@@ -263,6 +289,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -36405,7 +36558,7 @@ index d4fcb75..900cca4 100644 ') optional_policy(` -@@ -283,7 +303,8 @@ optional_policy(` +@@ -283,7 +310,8 @@ optional_policy(` ') optional_policy(` @@ -36415,7 +36568,7 @@ index d4fcb75..900cca4 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,65 +318,108 @@ optional_policy(` +@@ -297,65 +325,109 @@ optional_policy(` # mozilla_plugin local policy # 
@@ -36534,12 +36687,13 @@ index d4fcb75..900cca4 100644 # for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) +dev_rwx_zero(mozilla_plugin_t) ++dev_dontaudit_read_mtrr(mozilla_plugin_t) dev_dontaudit_rw_dri(mozilla_plugin_t) +dev_dontaudit_getattr_all(mozilla_plugin_t) domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,55 +427,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,55 +435,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -36602,12 +36756,12 @@ index d4fcb75..900cca4 100644 -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process { execmem execstack }; -') -- ++userdom_home_manager(mozilla_plugin_t) + -tunable_policy(`allow_execstack',` - allow mozilla_plugin_t self:process { execstack }; -') -+userdom_home_manager(mozilla_plugin_t) - +- -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_t) - fs_manage_nfs_files(mozilla_plugin_t) @@ -36623,7 +36777,7 @@ index d4fcb75..900cca4 100644 ') optional_policy(` -@@ -420,37 +491,169 @@ optional_policy(` +@@ -420,37 +499,174 @@ optional_policy(` ') optional_policy(` @@ -36679,9 +36833,9 @@ index d4fcb75..900cca4 100644 + pulseaudio_manage_home_dirs(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) + pulseaudio_manage_home_symlinks(mozilla_plugin_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + pcscd_stream_connect(mozilla_plugin_t) +') + @@ -36691,9 +36845,9 @@ index d4fcb75..900cca4 100644 + +optional_policy(` + udev_read_db(mozilla_plugin_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) + xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) xserver_read_xdm_pid(mozilla_plugin_t) 
@@ -36796,6 +36950,11 @@ index d4fcb75..900cca4 100644 + +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(mozilla_plugin_t) ++') ++ ++tunable_policy(`mozilla_plugin_use_gps',` ++ fs_manage_dos_dirs(mozilla_plugin_t) ++ fs_manage_dos_files(mozilla_plugin_t) ') diff --git a/mpd.fc b/mpd.fc index ddc14d6..5c34d21 100644 @@ -40368,7 +40527,7 @@ index abf25da..bad6973 100644 sysnet_read_config(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index 386543b..8fe1d63 100644 +index 386543b..82f8ae6 100644 --- a/networkmanager.fc +++ b/networkmanager.fc @@ -1,6 +1,19 @@ @@ -40392,7 +40551,7 @@ index 386543b..8fe1d63 100644 /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -@@ -12,15 +25,19 @@ +@@ -12,15 +25,20 @@ /usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -40411,6 +40570,7 @@ index 386543b..8fe1d63 100644 /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if @@ -40649,7 +40809,7 @@ index 2324d9e..b9c69d2 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") ') diff --git a/networkmanager.te b/networkmanager.te -index 0619395..6943a2c 100644 +index 0619395..5d1b5a1 100644 --- a/networkmanager.te +++ b/networkmanager.te 
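Review bot: In the new file context `/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)` the dot before `conf` is unescaped, unlike the neighbouring `/var/run/nm-dns-dnsmasq\.conf` entry, so the regex also matches names such as `nm-xl2tpdXconf`. It should be `/var/run/nm-xl2tpd\.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)`. If xl2tpd writes a single fixed filename rather than a family of files, the trailing `.*` can go as well.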
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -40746,7 +40906,7 @@ index 0619395..6943a2c 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -113,10 +147,10 @@ corecmd_exec_shell(NetworkManager_t) +@@ -113,12 +147,13 @@ corecmd_exec_shell(NetworkManager_t) corecmd_exec_bin(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) @@ -40758,8 +40918,11 @@ index 0619395..6943a2c 100644 +files_read_system_conf_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) ++files_read_isid_type_files(NetworkManager_t) + + storage_getattr_fixed_disk_dev(NetworkManager_t) -@@ -128,35 +162,51 @@ init_domtrans_script(NetworkManager_t) +@@ -128,35 +163,51 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -40814,7 +40977,7 @@ index 0619395..6943a2c 100644 ') optional_policy(` -@@ -176,10 +226,17 @@ optional_policy(` +@@ -176,10 +227,17 @@ optional_policy(` ') optional_policy(` @@ -40832,7 +40995,7 @@ index 0619395..6943a2c 100644 ') ') -@@ -191,6 +248,7 @@ optional_policy(` +@@ -191,6 +249,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -40840,7 +41003,7 @@ index 0619395..6943a2c 100644 ') optional_policy(` -@@ -202,23 +260,56 @@ optional_policy(` +@@ -202,23 +261,56 @@ optional_policy(` ') optional_policy(` @@ -40897,7 +41060,7 @@ index 0619395..6943a2c 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -234,6 +325,10 @@ optional_policy(` +@@ -234,6 +326,10 @@ optional_policy(` ') optional_policy(` 
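Review bot: `files_read_isid_type_files(NetworkManager_t)` lets NetworkManager read every unlabeled (file_t) file on the system, not just a removable medium, and nothing in the hunk records why a network daemon needs that. Add a why-comment on the line, e.g. `# read keys from unlabeled removable media -- TODO confirm; file_t covers all unlabeled files, not only USB sticks`, and consider gating it behind a boolean so hosts that never import keys this way keep the default. The NetworkManager_t rule block starts and ends outside this hunk.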
@@ -40908,7 +41071,7 @@ index 0619395..6943a2c 100644 ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +336,7 @@ optional_policy(` +@@ -241,6 +337,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -40916,7 +41079,7 @@ index 0619395..6943a2c 100644 ') optional_policy(` -@@ -254,6 +350,13 @@ optional_policy(` +@@ -254,6 +351,13 @@ optional_policy(` ') optional_policy(` @@ -40930,7 +41093,7 @@ index 0619395..6943a2c 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +366,7 @@ optional_policy(` +@@ -263,6 +367,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -40938,7 +41101,7 @@ index 0619395..6943a2c 100644 ') ######################################## -@@ -284,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -284,6 +389,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -43084,7 +43247,7 @@ index 0000000..a333e40 + pulseaudio_setattr_home_dir(nsplugin_t) +') diff --git a/ntop.te b/ntop.te -index ded9fb6..6b11681 100644 +index ded9fb6..abe7d0e 100644 --- a/ntop.te +++ b/ntop.te @@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(ntop_t) @@ -43095,7 +43258,12 @@ index ded9fb6..6b11681 100644 corenet_all_recvfrom_netlabel(ntop_t) corenet_tcp_sendrecv_generic_if(ntop_t) corenet_udp_sendrecv_generic_if(ntop_t) -@@ -85,7 +84,6 @@ dev_rw_generic_usb_dev(ntop_t) +@@ -82,10 +81,11 @@ corenet_sendrecv_ntop_server_packets(ntop_t) + + dev_read_sysfs(ntop_t) + dev_rw_generic_usb_dev(ntop_t) ++dev_read_usbmon_dev(ntop_t) ++dev_write_usbmon_dev(ntop_t) domain_use_interactive_fds(ntop_t) 
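Review bot: The ntop.te hunk (`@@ -43095,7 +43258,12 @@`) adds `dev_write_usbmon_dev(ntop_t)` next to `dev_read_usbmon_dev(ntop_t)`, while the commit message and the spec changelog only describe reading usbmon devices. usbmon is the kernel's USB traffic monitor interface; if ntop only captures from it, the write rule is unneeded and should be dropped, otherwise the changelog line should state that write access is granted too.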
@@ -43103,7 +43271,7 @@ index ded9fb6..6b11681 100644 files_read_usr_files(ntop_t) fs_getattr_all_fs(ntop_t) -@@ -95,7 +93,6 @@ auth_use_nsswitch(ntop_t) +@@ -95,7 +95,6 @@ auth_use_nsswitch(ntop_t) logging_send_syslog_msg(ntop_t) @@ -44448,10 +44616,10 @@ index 0000000..f2d6119 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..6e20e72 +index 0000000..2ced8f1 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,644 @@ +@@ -0,0 +1,645 @@ + +## policy for openshift + @@ -44908,6 +45076,7 @@ index 0000000..6e20e72 + domain_user_exemption_target($1_app_t) + domain_obj_id_change_exemption($1_app_t) + domain_dyntrans_type($1_app_t) ++ auth_use_nsswitch($1_app_t) + + kernel_read_system_state($1_app_t) + @@ -49448,7 +49617,7 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 44db896..6e3b3fd 100644 +index 44db896..fc9b593 100644 --- a/policykit.te +++ b/policykit.te @@ -1,51 +1,67 @@ @@ -49532,7 +49701,7 @@ index 44db896..6e3b3fd 100644 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) policykit_domtrans_resolve(policykit_t) -@@ -56,56 +72,116 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,56 +72,117 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -49546,6 +49715,7 @@ index 44db896..6e3b3fd 100644 +files_dontaudit_search_all_mountpoints(policykit_t) + +fs_list_inotifyfs(policykit_t) ++fs_getattr_all_fs(policykit_t) auth_use_nsswitch(policykit_t) 
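Review bot: `auth_use_nsswitch($1_app_t)` in the openshift.if hunk (`@@ -44908,6 +45076,7 @@`) is considerably broader than the stated purpose of letting openshift_app_t read /etc/passwd; as I read refpolicy, that interface also covers the nscd/sssd client paths and DNS/LDAP name resolution. If reading the passwd file is all that is needed, `auth_read_passwd($1_app_t)` is the narrower interface; if the wider grant is intended, the "for now" qualifier from the commit message belongs in the policy as a comment next to the line, e.g. `# temporary: app domains need nsswitch for user lookups`. The enclosing interface body starts and ends outside this hunk.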
@@ -49660,7 +49830,7 @@ index 44db896..6e3b3fd 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +194,26 @@ optional_policy(` +@@ -118,14 +195,26 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -49689,7 +49859,7 @@ index 44db896..6e3b3fd 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -142,22 +230,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -142,22 +231,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -49717,7 +49887,7 @@ index 44db896..6e3b3fd 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,9 +255,8 @@ optional_policy(` +@@ -167,9 +256,8 @@ optional_policy(` # polkit_resolve local policy # @@ -49729,7 +49899,7 @@ index 44db896..6e3b3fd 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -182,17 +269,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t +@@ -182,17 +270,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t can_exec(policykit_resolve_t, policykit_resolve_exec_t) corecmd_search_bin(policykit_resolve_t) @@ -52066,7 +52236,7 @@ index de4bdb7..a4cad0b 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index bcbf9ac..e5a4252 100644 +index bcbf9ac..d4cf764 100644 --- a/ppp.te +++ b/ppp.te @@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) 
@@ -52285,6 +52455,17 @@ index bcbf9ac..e5a4252 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) +@@ -301,6 +321,10 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_dontaudit_search_config(pppd_t) ++') ++ ++optional_policy(` + dbus_system_domain(pppd_t, pppd_exec_t) + + optional_policy(` diff --git a/prelink.fc b/prelink.fc index ec0e76a..62af9a4 100644 --- a/prelink.fc @@ -60785,7 +60966,7 @@ index 951d8f6..2363592 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/rpm.te b/rpm.te -index 60149a5..705935e 100644 +index 60149a5..1e1eef7 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,11 @@ @@ -60826,7 +61007,15 @@ index 60149a5..705935e 100644 role system_r types rpm_script_t; type rpm_script_tmp_t; -@@ -80,6 +78,9 @@ allow rpm_t self:shm create_shm_perms; +@@ -64,6 +62,7 @@ files_tmpfs_file(rpm_script_tmpfs_t) + # rpm Local policy + # + ++allow rpm_t self:capability2 block_suspend; + allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; + allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; + allow rpm_t self:process { getattr setexec setfscreate setrlimit }; +@@ -80,6 +79,9 @@ allow rpm_t self:shm create_shm_perms; allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; @@ -60836,7 +61025,7 @@ index 60149a5..705935e 100644 allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -105,17 +106,19 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) +@@ -105,17 +107,19 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) 
@@ -60858,7 +61047,7 @@ index 60149a5..705935e 100644 corenet_all_recvfrom_netlabel(rpm_t) corenet_tcp_sendrecv_generic_if(rpm_t) corenet_raw_sendrecv_generic_if(rpm_t) -@@ -131,6 +134,19 @@ corenet_sendrecv_all_client_packets(rpm_t) +@@ -131,6 +135,19 @@ corenet_sendrecv_all_client_packets(rpm_t) dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -60878,7 +61067,7 @@ index 60149a5..705935e 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -158,8 +174,8 @@ storage_raw_read_fixed_disk(rpm_t) +@@ -158,8 +175,8 @@ storage_raw_read_fixed_disk(rpm_t) term_list_ptys(rpm_t) @@ -60889,7 +61078,7 @@ index 60149a5..705935e 100644 auth_dontaudit_read_shadow(rpm_t) auth_use_nsswitch(rpm_t) -@@ -168,7 +184,6 @@ rpm_domtrans_script(rpm_t) +@@ -168,7 +185,6 @@ rpm_domtrans_script(rpm_t) domain_read_all_domains_state(rpm_t) domain_getattr_all_domains(rpm_t) @@ -60897,7 +61086,7 @@ index 60149a5..705935e 100644 domain_use_interactive_fds(rpm_t) domain_dontaudit_getattr_all_pipes(rpm_t) domain_dontaudit_getattr_all_tcp_sockets(rpm_t) -@@ -177,23 +192,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) +@@ -177,23 +193,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) domain_dontaudit_getattr_all_raw_sockets(rpm_t) domain_dontaudit_getattr_all_stream_sockets(rpm_t) domain_dontaudit_getattr_all_dgram_sockets(rpm_t) @@ -60926,7 +61115,7 @@ index 60149a5..705935e 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -211,14 +229,15 @@ optional_policy(` +@@ -211,14 +230,15 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -60944,7 +61133,7 @@ index 60149a5..705935e 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -229,7 +248,8 @@ optional_policy(` +@@ -229,7 +249,8 @@ optional_policy(` # rpm-script Local policy # 
@@ -60954,7 +61143,7 @@ index 60149a5..705935e 100644 allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; -@@ -261,12 +281,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -261,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) can_exec(rpm_script_t, rpm_script_tmpfs_t) @@ -60973,7 +61162,7 @@ index 60149a5..705935e 100644 dev_list_sysfs(rpm_script_t) # ideally we would not need this -@@ -286,7 +312,6 @@ fs_unmount_xattr_fs(rpm_script_t) +@@ -286,7 +313,6 @@ fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) mcs_killall(rpm_script_t) @@ -60981,7 +61170,7 @@ index 60149a5..705935e 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -303,19 +328,20 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -303,19 +329,20 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -61006,7 +61195,7 @@ index 60149a5..705935e 100644 domain_use_interactive_fds(rpm_script_t) domain_signal_all_domains(rpm_script_t) domain_signull_all_domains(rpm_script_t) -@@ -328,35 +354,45 @@ files_relabel_all_files(rpm_script_t) +@@ -328,35 +355,45 @@ files_relabel_all_files(rpm_script_t) init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) @@ -61062,7 +61251,7 @@ index 60149a5..705935e 100644 ') optional_policy(` -@@ -364,7 +400,7 @@ optional_policy(` +@@ -364,7 +401,7 @@ optional_policy(` ') optional_policy(` @@ -61071,7 +61260,7 @@ index 60149a5..705935e 100644 ') optional_policy(` -@@ -372,8 +408,17 @@ optional_policy(` +@@ -372,8 +409,17 @@ optional_policy(` ') optional_policy(` 
@@ -61091,7 +61280,7 @@ index 60149a5..705935e 100644 ') optional_policy(` -@@ -381,7 +426,7 @@ optional_policy(` +@@ -381,7 +427,7 @@ optional_policy(` ') optional_policy(` @@ -61100,7 +61289,7 @@ index 60149a5..705935e 100644 unconfined_domtrans(rpm_script_t) optional_policy(` -@@ -394,6 +439,6 @@ optional_policy(` +@@ -394,6 +440,6 @@ optional_policy(` ') optional_policy(` @@ -66783,7 +66972,7 @@ index 275f9fb..f1343b7 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 56f074c..4909ce8 100644 +index 56f074c..0b3d7ca 100644 --- a/snmp.te +++ b/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.13.0) @@ -66894,7 +67083,7 @@ index 56f074c..4909ce8 100644 optional_policy(` rpm_read_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t) -@@ -131,6 +133,10 @@ optional_policy(` +@@ -131,6 +133,14 @@ optional_policy(` ') optional_policy(` @@ -66902,10 +67091,14 @@ index 56f074c..4909ce8 100644 +') + +optional_policy(` ++ fstools_domtrans(snmpd_t) ++') ++ ++optional_policy(` cups_read_rw_config(snmpd_t) ') -@@ -140,6 +146,10 @@ optional_policy(` +@@ -140,6 +150,10 @@ optional_policy(` ') optional_policy(` @@ -70382,10 +70575,10 @@ index 0000000..7f4bce8 +/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) diff --git a/thin.if b/thin.if new file mode 100644 -index 0000000..d000122 +index 0000000..b9f811d --- /dev/null +++ b/thin.if -@@ -0,0 +1,44 @@ +@@ -0,0 +1,66 @@ +## thin policy + +####################################### @@ -70430,12 +70623,34 @@ index 0000000..d000122 + + can_exec($1, thin_exec_t) +') ++ ++##################################### ++## ++## Connect to thin over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`thin_stream_connect',` ++ gen_require(` ++ type thin_t, thin_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t) ++') ++ ++ 
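Review bot: `fstools_domtrans(snmpd_t)` in the snmp.te hunk (`@@ -66894,7 +67083,7 @@`) lets the network-facing snmpd_t domain transition into fsadm_t for any fsadm_exec_t binary, not only smartctl, and fsadm_t is the domain that carries raw fixed-disk access. The transition is unconditional; consider gating it with a tunable, and in any case add a comment naming the reason so it is not widened further by accident: `# smartctl runs in fsadm_t (raw disk access) for SMART queries`.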
diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..2b878d8 +index 0000000..c99a406 --- /dev/null +++ b/thin.te -@@ -0,0 +1,110 @@ +@@ -0,0 +1,115 @@ +policy_module(thin, 1.0) + +######################################## @@ -70501,6 +70716,10 @@ index 0000000..2b878d8 +kernel_read_kernel_sysctls(thin_domain) + +optional_policy(` ++ apache_read_sys_content(thin_domain) ++') ++ ++optional_policy(` + sysnet_read_config(thin_domain) +') + @@ -70520,6 +70739,7 @@ index 0000000..2b878d8 +logging_log_filetrans(thin_t, thin_log_t, { file dir }) + +manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) +files_pid_filetrans(thin_t, thin_var_run_t, { file }) + +corenet_tcp_bind_ntop_port(thin_t) @@ -76471,7 +76691,7 @@ index f9a73d0..4b83bb0 100644 xserver_role($1_r, $1_wine_t) ') diff --git a/wine.te b/wine.te -index 7a17516..371077e 100644 +index 7a17516..de18269 100644 --- a/wine.te +++ b/wine.te @@ -17,6 +17,9 @@ type wine_exec_t; @@ -76484,17 +76704,19 @@ index 7a17516..371077e 100644 type wine_tmp_t; userdom_user_tmp_file(wine_tmp_t) -@@ -30,6 +33,9 @@ allow wine_t self:fifo_file manage_fifo_file_perms; +@@ -30,6 +33,11 @@ allow wine_t self:fifo_file manage_fifo_file_perms; can_exec(wine_t, wine_exec_t) ++manage_files_pattern(wine_t, wine_home_t, wine_home_t) ++manage_dirs_pattern(wine_t, wine_home_t, wine_home_t) +userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") +userdom_tmpfs_filetrans(wine_t, file) + manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) -@@ -38,7 +44,7 @@ domain_mmap_low(wine_t) +@@ -38,7 +46,7 @@ domain_mmap_low(wine_t) files_execmod_all_files(wine_t) 
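Review bot: `manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)` is added in the thin.te hunk (`@@ -70520,6 +70739,7 @@`), but the `files_pid_filetrans(thin_t, thin_var_run_t, { file })` visible just below it still transitions only files, so a socket thin_t creates directly under /var/run gets the directory's default type rather than thin_var_run_t, and the new `thin_stream_connect` interface from the preceding thin.if hunk (`stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t)`) would not match it. Unless the socket lives in a directory that thin.fc already labels thin_var_run_t, change the line to `files_pid_filetrans(thin_t, thin_var_run_t, { file sock_file })`. The thin.if hunk also leaves two empty added lines at the end of the file, which are noise.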
@@ -76503,7 +76725,7 @@ index 7a17516..371077e 100644 tunable_policy(`wine_mmap_zero_ignore',` dontaudit wine_t self:memprotect mmap_zero; -@@ -53,6 +59,10 @@ optional_policy(` +@@ -53,6 +61,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 5bd51a0..0b52254 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 97%{?dist} +Release: 98%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -521,6 +521,32 @@ SELinux Reference policy mls base module. %endif %Changelog +* Tue Jun 27 2013 Miroslav Grepl 3.11.1-97 +- Make DSPAM to act as a LDA working +- Allow NM to read file_t (usb stick with no labels used to transfer keys for example) +- condor_collector uses tcp/9000 +- Add mandb_filetrans_named_home_content() +- Allow gnomesystem to manage /root/.config +- Allow ntop to read usbmon devices +- Allow colord to list directories inthe users homedir +- Lest dontaudit apache read all domains, so passenger will not cause this avc +- Allow snmpd to run smartctl in fsadm_t domain +- Allow blueman to read bluetooth conf +- Add iscsi_filetrans_named_content() interface +- For now we need to allow openshift_app_t to read the /etc/passwd file +- Allow wine to manage wine home content +- Fix labeling of mailman +- Allow blueman to write ip_forward +- Allow chrome processes to look at each other +- Add labeling for /run/nm-xl2tpd.con +- Allow apache to stream connect to thin +- Allow sys_ptrace for abrt_t +- Add support for abrt-uefioops-oops +- Allow polkitd to getattr on al fs +- Dontaudit pppd to search gnome config +- Add mozilla_plugin_use_gps boolean +- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant + * Tue May 28 2013 Miroslav Grepl 3.11.1-97 - Fix ipsec_manage_key_file() - Fix ipsec_filetrans_key_file()