From 92e9b347de4f942419726f7c049e2a71f8de4074 Mon Sep 17 00:00:00 2001 From: rhatdan Date: Oct 31 2012 15:27:30 +0000 Subject: Merge branch 'f18' of ssh://pkgs.fedoraproject.org/selinux-policy into f18 --- diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf index 6d19ebf..eacb29a 100644 --- a/modules-mls-contrib.conf +++ b/modules-mls-contrib.conf @@ -425,13 +425,6 @@ dictd = module # distcc = off -# Layer: services -# Module: dkim -# -# DKIM signing and verifying filter for MTAs -# -dkim = module - # Layer: admin # Module: dmidecode # diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 8e49feb..03eea28 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -579,13 +579,6 @@ dirsrv = module # distcc = off -# Layer: services -# Module: dkim -# -# DKIM signing and verifying filter for MTAs -# -dkim = module - # Layer: admin # Module: dmidecode # diff --git a/permissivedomains.pp b/permissivedomains.pp index ea16f06..71adce4 100644 Binary files a/permissivedomains.pp and b/permissivedomains.pp differ diff --git a/permissivedomains.te b/permissivedomains.te index 904ffa3..099990f 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -10,14 +10,6 @@ optional_policy(` optional_policy(` gen_require(` - type dkim_t; - ') - - permissive dkim_t; -') - -optional_policy(` - gen_require(` type rngd_t; ') diff --git a/policy-rawhide.patch b/policy-rawhide.patch index b8161ff..aa40274 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -108998,10 +108998,10 @@ index d218387..c406594 100644 # used by netlabel to restrict normal domains to same level connections mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc -index 7a6f06f..530d2df 100644 +index 7a6f06f..bf04b0a 100644 --- a/policy/modules/admin/bootloader.fc 
+++ b/policy/modules/admin/bootloader.fc -@@ -1,9 +1,14 @@ +@@ -1,9 +1,16 @@ - +/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) @@ -109013,12 +109013,14 @@ index 7a6f06f..530d2df 100644 /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) - --/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++ +/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) + +-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if index a778bb1..5e914db 100644 --- a/policy/modules/admin/bootloader.if @@ -109105,7 +109107,7 @@ index a778bb1..5e914db 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index ab0439a..3ee2ca5 100644 +index ab0439a..803bd27 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0) @@ -109119,7 +109121,7 @@ index ab0439a..3ee2ca5 100644 # # boot_runtime_t is the type for /boot/kernel.h, -@@ -19,14 +19,18 @@ files_type(boot_runtime_t) +@@ -19,14 +19,21 @@ files_type(boot_runtime_t) type bootloader_t; type bootloader_exec_t; application_domain(bootloader_t, bootloader_exec_t) 
@@ -109129,6 +109131,9 @@ index ab0439a..3ee2ca5 100644 + +type bootloader_var_run_t; +files_pid_file(bootloader_var_run_t) ++ ++type bootloader_var_lib_t; ++files_type(bootloader_var_lib_t) # # bootloader_etc_t is the configuration file, @@ -109140,7 +109145,7 @@ index ab0439a..3ee2ca5 100644 # # The temp file is used for initrd creation; -@@ -41,7 +45,7 @@ dev_node(bootloader_tmp_t) +@@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t) # bootloader local policy # @@ -109149,7 +109154,7 @@ index ab0439a..3ee2ca5 100644 allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; -@@ -59,6 +63,10 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file +@@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file # for tune2fs (cjp: ?) files_root_filetrans(bootloader_t, bootloader_tmp_t, file) @@ -109157,10 +109162,15 @@ index ab0439a..3ee2ca5 100644 +manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t) +files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file }) + ++manage_dirs_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t) ++manage_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t) ++manage_lnk_files_pattern(bootloader_t, bootloader_var_lib_t, bootloader_var_lib_t) ++files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file }) ++ kernel_getattr_core_if(bootloader_t) kernel_read_network_state(bootloader_t) kernel_read_system_state(bootloader_t) -@@ -81,6 +89,8 @@ dev_rw_nvram(bootloader_t) +@@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t) fs_getattr_xattr_fs(bootloader_t) fs_getattr_tmpfs(bootloader_t) 
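Review bot: The new `files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, {dir file })` in bootloader.te has no name component, so every directory or file bootloader_t creates directly under /var/lib becomes bootloader_var_lib_t, not just the os-prober state that the matching bootloader.fc entry (`/var/lib/os-prober(/.*)?`) describes. The type also receives `manage_lnk_files_pattern`, yet `lnk_file` is absent from the transition class list, so symlinks created there would keep the default label. If os-prober is the only intended consumer, a named transition is tighter, assuming this interface accepts the optional name argument the way `files_etc_filetrans(...,"yaboot.conf")` does elsewhere in the patch: `files_var_lib_filetrans(bootloader_t, bootloader_var_lib_t, dir, "os-prober")`. The surrounding bootloader_t rule block continues outside this hunk.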
@@ -109169,7 +109179,7 @@ index ab0439a..3ee2ca5 100644 fs_read_tmpfs_symlinks(bootloader_t) #Needed for ia64 fs_manage_dos_files(bootloader_t) -@@ -89,7 +99,9 @@ mls_file_read_all_levels(bootloader_t) +@@ -89,7 +107,9 @@ mls_file_read_all_levels(bootloader_t) mls_file_write_all_levels(bootloader_t) term_getattr_all_ttys(bootloader_t) @@ -109179,7 +109189,7 @@ index ab0439a..3ee2ca5 100644 corecmd_exec_all_executables(bootloader_t) -@@ -98,12 +110,14 @@ domain_use_interactive_fds(bootloader_t) +@@ -98,12 +118,14 @@ domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) files_manage_boot_files(bootloader_t) files_manage_boot_symlinks(bootloader_t) @@ -109194,7 +109204,7 @@ index ab0439a..3ee2ca5 100644 # for nscd files_dontaudit_search_pids(bootloader_t) # for blkid.tab -@@ -111,6 +125,7 @@ files_manage_etc_runtime_files(bootloader_t) +@@ -111,6 +133,7 @@ files_manage_etc_runtime_files(bootloader_t) files_etc_filetrans_etc_runtime(bootloader_t, file) files_dontaudit_search_home(bootloader_t) @@ -109202,7 +109212,7 @@ index ab0439a..3ee2ca5 100644 init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) -@@ -118,19 +133,21 @@ init_rw_script_pipes(bootloader_t) +@@ -118,19 +141,21 @@ init_rw_script_pipes(bootloader_t) libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) @@ -109227,7 +109237,7 @@ index ab0439a..3ee2ca5 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -166,7 +183,8 @@ ifdef(`distro_redhat',` +@@ -166,7 +191,8 @@ ifdef(`distro_redhat',` files_manage_isid_type_chr_files(bootloader_t) # for mke2fs @@ -109237,7 +109247,7 @@ index ab0439a..3ee2ca5 100644 optional_policy(` unconfined_domain(bootloader_t) -@@ -174,6 +192,10 @@ ifdef(`distro_redhat',` +@@ -174,6 +200,10 @@ ifdef(`distro_redhat',` ') optional_policy(` 
@@ -109248,7 +109258,7 @@ index ab0439a..3ee2ca5 100644 fstools_exec(bootloader_t) ') -@@ -183,6 +205,14 @@ optional_policy(` +@@ -183,6 +213,14 @@ optional_policy(` ') optional_policy(` @@ -109263,7 +109273,7 @@ index ab0439a..3ee2ca5 100644 kudzu_domtrans(bootloader_t) ') -@@ -195,15 +225,13 @@ optional_policy(` +@@ -195,17 +233,19 @@ optional_policy(` optional_policy(` modutils_exec_insmod(bootloader_t) @@ -109273,14 +109283,18 @@ index ab0439a..3ee2ca5 100644 modutils_exec_insmod(bootloader_t) modutils_exec_depmod(bootloader_t) modutils_exec_update_mods(bootloader_t) --') -- --optional_policy(` -- nscd_socket_use(bootloader_t) + modutils_domtrans_insmod_uncond(bootloader_t) ') optional_policy(` +- nscd_socket_use(bootloader_t) ++ rpm_rw_pipes(bootloader_t) + ') + + optional_policy(` +- rpm_rw_pipes(bootloader_t) ++ udev_read_pid_files(bootloader_t) + ') diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc index b7f053b..5d4fc31 100644 --- a/policy/modules/admin/consoletype.fc @@ -115320,7 +115334,7 @@ index 6a1e4d1..eee8419 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..a8f9817 100644 +index cf04cb5..4a81c65 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.11.0) @@ -115437,7 +115451,7 @@ index cf04cb5..a8f9817 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +218,258 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +218,262 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; 
@@ -115560,6 +115574,10 @@ index cf04cb5..a8f9817 100644 +') + +optional_policy(` ++ rpcbind_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + sysnet_filetrans_named_content(unconfined_domain_type) +') + @@ -128379,7 +128397,7 @@ index c6fdab7..32f45fa 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..38016b7 100644 +index 28ad538..dac7844 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,25 @@ @@ -128391,7 +128409,8 @@ index 28ad538..38016b7 100644 /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) - /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) +-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) ++/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) -/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -131309,7 +131328,7 @@ index d26fe81..98fad18 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 4a88fa1..52b1afc 100644 +index 4a88fa1..533881b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -131537,10 +131556,10 @@ index 4a88fa1..52b1afc 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) ++ ++userdom_use_user_ttys(init_t) -miscfiles_read_localization(init_t) -+userdom_use_user_ttys(init_t) -+ +allow init_t self:process setsched; ifdef(`distro_gentoo',` 
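Review bot: In authlogin.fc, `/etc/group\.lock` moves from shadow_t to passwd_file_t while the adjacent context line `/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)` still labels a gshadow\.lock as shadow_t, so lock files written by the same group-editing tools would carry different types; if that split is deliberate, a comment beside the entry should say so. The relabel also means any domain permitted to create passwd_file_t in /etc can take, or leave stale, the group lock, which previously required shadow_t access — worth checking against the domains that receive passwd_file_t write access elsewhere in the patch. The `.pwd.lock` and `passwd.lock` removals shown above it are pre-existing in the carried patch, and where those are relabelled is outside this hunk.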
@@ -131573,14 +131592,15 @@ index 4a88fa1..52b1afc 100644 + +optional_policy(` + gnome_filetrans_home_content(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_aliases(init_t) @@ -131702,14 +131722,13 @@ index 4a88fa1..52b1afc 100644 + +optional_policy(` + lvm_rw_pipes(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -131730,10 +131749,14 @@ index 4a88fa1..52b1afc 100644 ') optional_policy(` -@@ -213,6 +446,22 @@ optional_policy(` +@@ -213,6 +446,26 @@ optional_policy(` ') optional_policy(` ++ rpcbind_filetrans_named_content(init_t) ++') ++ ++optional_policy(` + systemd_filetrans_named_content(init_t) +') + @@ -131753,7 +131776,7 @@ index 4a88fa1..52b1afc 100644 unconfined_domain(init_t) ') -@@ -222,8 +471,9 @@ optional_policy(` +@@ -222,8 +475,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -131765,7 +131788,7 @@ index 4a88fa1..52b1afc 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -251,12 +501,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -251,12 +505,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -131782,7 +131805,7 @@ index 4a88fa1..52b1afc 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -272,23 +526,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -272,23 +530,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -131825,7 +131848,7 @@ index 4a88fa1..52b1afc 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -296,6 +563,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -296,6 +567,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -131833,7 +131856,7 @@ index 4a88fa1..52b1afc 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -306,8 +574,10 @@ dev_write_framebuffer(initrc_t) +@@ -306,8 +578,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -131844,7 +131867,7 @@ index 4a88fa1..52b1afc 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -315,17 +585,16 @@ dev_manage_generic_files(initrc_t) +@@ -315,17 +589,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -131864,7 +131887,7 @@ index 4a88fa1..52b1afc 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -333,6 +602,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -333,6 +606,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -131872,7 +131895,7 @@ index 4a88fa1..52b1afc 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -340,8 +610,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -340,8 +614,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -131884,7 +131907,7 @@ index 4a88fa1..52b1afc 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -357,8 +629,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -357,8 +633,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -131898,7 +131921,7 @@ index 4a88fa1..52b1afc 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -368,9 +644,12 @@ fs_mount_all_fs(initrc_t) +@@ -368,9 +648,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -131912,7 +131935,7 @@ index 4a88fa1..52b1afc 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -380,6 +659,7 @@ mls_process_read_up(initrc_t) +@@ -380,6 +663,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -131920,7 +131943,7 @@ index 4a88fa1..52b1afc 100644 selinux_get_enforce_mode(initrc_t) -@@ -391,6 +671,7 @@ term_use_all_terms(initrc_t) +@@ -391,6 +675,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -131928,7 +131951,7 @@ index 4a88fa1..52b1afc 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -409,20 +690,18 @@ logging_read_all_logs(initrc_t) +@@ -409,20 +694,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) 
@@ -131952,7 +131975,7 @@ index 4a88fa1..52b1afc 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -476,6 +755,10 @@ ifdef(`distro_gentoo',` +@@ -476,6 +759,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -131963,7 +131986,7 @@ index 4a88fa1..52b1afc 100644 alsa_read_lib(initrc_t) ') -@@ -496,7 +779,7 @@ ifdef(`distro_redhat',` +@@ -496,7 +783,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -131972,7 +131995,7 @@ index 4a88fa1..52b1afc 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -511,6 +794,7 @@ ifdef(`distro_redhat',` +@@ -511,6 +798,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -131980,7 +132003,7 @@ index 4a88fa1..52b1afc 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -531,6 +815,7 @@ ifdef(`distro_redhat',` +@@ -531,6 +819,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -131988,7 +132011,7 @@ index 4a88fa1..52b1afc 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -540,8 +825,40 @@ ifdef(`distro_redhat',` +@@ -540,8 +829,40 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -132029,7 +132052,7 @@ index 4a88fa1..52b1afc 100644 ') optional_policy(` -@@ -549,14 +866,31 @@ ifdef(`distro_redhat',` +@@ -549,14 +870,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -132061,7 +132084,7 @@ index 4a88fa1..52b1afc 100644 ') ') -@@ -567,6 +901,39 @@ ifdef(`distro_suse',` +@@ -567,6 +905,39 @@ ifdef(`distro_suse',` ') ') 
@@ -132101,7 +132124,7 @@ index 4a88fa1..52b1afc 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -579,6 +946,8 @@ optional_policy(` +@@ -579,6 +950,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -132110,7 +132133,7 @@ index 4a88fa1..52b1afc 100644 ') optional_policy(` -@@ -600,6 +969,7 @@ optional_policy(` +@@ -600,6 +973,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -132118,7 +132141,7 @@ index 4a88fa1..52b1afc 100644 ') optional_policy(` -@@ -612,6 +982,17 @@ optional_policy(` +@@ -612,6 +986,17 @@ optional_policy(` ') optional_policy(` @@ -132136,7 +132159,7 @@ index 4a88fa1..52b1afc 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -628,9 +1009,13 @@ optional_policy(` +@@ -628,9 +1013,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -132150,7 +132173,7 @@ index 4a88fa1..52b1afc 100644 ') optional_policy(` -@@ -655,6 +1040,10 @@ optional_policy(` +@@ -655,6 +1044,10 @@ optional_policy(` ') optional_policy(` @@ -132161,7 +132184,7 @@ index 4a88fa1..52b1afc 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -672,6 +1061,15 @@ optional_policy(` +@@ -672,6 +1065,15 @@ optional_policy(` ') optional_policy(` @@ -132177,7 +132200,7 @@ index 4a88fa1..52b1afc 100644 inn_exec_config(initrc_t) ') -@@ -712,6 +1110,7 @@ optional_policy(` +@@ -712,6 +1114,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -132185,7 +132208,7 @@ index 4a88fa1..52b1afc 100644 ') optional_policy(` -@@ -729,7 +1128,14 @@ optional_policy(` +@@ -729,7 +1132,14 @@ optional_policy(` ') optional_policy(` @@ -132200,7 +132223,7 @@ index 4a88fa1..52b1afc 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -752,6 +1158,10 @@ optional_policy(` +@@ -752,6 +1162,10 @@ optional_policy(` ') optional_policy(` 
@@ -132211,7 +132234,7 @@ index 4a88fa1..52b1afc 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -761,10 +1171,20 @@ optional_policy(` +@@ -761,10 +1175,20 @@ optional_policy(` ') optional_policy(` @@ -132232,7 +132255,7 @@ index 4a88fa1..52b1afc 100644 quota_manage_flags(initrc_t) ') -@@ -773,6 +1193,10 @@ optional_policy(` +@@ -773,6 +1197,10 @@ optional_policy(` ') optional_policy(` @@ -132243,7 +132266,7 @@ index 4a88fa1..52b1afc 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -794,8 +1218,6 @@ optional_policy(` +@@ -794,8 +1222,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -132252,7 +132275,7 @@ index 4a88fa1..52b1afc 100644 ') optional_policy(` -@@ -804,6 +1226,10 @@ optional_policy(` +@@ -804,6 +1230,10 @@ optional_policy(` ') optional_policy(` @@ -132263,7 +132286,7 @@ index 4a88fa1..52b1afc 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -813,10 +1239,12 @@ optional_policy(` +@@ -813,10 +1243,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -132276,7 +132299,7 @@ index 4a88fa1..52b1afc 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -828,8 +1256,6 @@ optional_policy(` +@@ -828,8 +1260,6 @@ optional_policy(` ') optional_policy(` @@ -132285,7 +132308,7 @@ index 4a88fa1..52b1afc 100644 udev_manage_pid_files(initrc_t) udev_manage_pid_dirs(initrc_t) udev_manage_rules_files(initrc_t) -@@ -840,12 +1266,30 @@ optional_policy(` +@@ -840,12 +1270,30 @@ optional_policy(` ') optional_policy(` @@ -132318,7 +132341,7 @@ index 4a88fa1..52b1afc 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -855,6 +1299,18 @@ optional_policy(` +@@ -855,6 +1303,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') 
@@ -132337,7 +132360,7 @@ index 4a88fa1..52b1afc 100644 ') optional_policy(` -@@ -870,6 +1326,10 @@ optional_policy(` +@@ -870,6 +1330,10 @@ optional_policy(` ') optional_policy(` @@ -132348,7 +132371,7 @@ index 4a88fa1..52b1afc 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -880,3 +1340,178 @@ optional_policy(` +@@ -880,3 +1344,178 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -133020,10 +133043,15 @@ index 0646ee7..f0e41a1 100644 ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index ef8bbaf..0fbc39e 100644 +index ef8bbaf..a21d5fe 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc -@@ -28,14 +28,17 @@ ifdef(`distro_redhat',` +@@ -1,3 +1,4 @@ ++ + # + # /emul + # +@@ -28,14 +29,17 @@ ifdef(`distro_redhat',` # /etc # /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0) @@ -133042,7 +133070,7 @@ index ef8bbaf..0fbc39e 100644 /lib/.* gen_context(system_u:object_r:lib_t,s0) /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -52,9 +55,8 @@ ifdef(`distro_gentoo',` +@@ -52,9 +56,8 @@ ifdef(`distro_gentoo',` # # /opt # @@ -133053,7 +133081,7 @@ index ef8bbaf..0fbc39e 100644 /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -103,6 +105,12 @@ ifdef(`distro_redhat',` +@@ -103,6 +106,12 @@ ifdef(`distro_redhat',` # # /usr # 
@@ -133066,7 +133094,7 @@ index ef8bbaf..0fbc39e 100644 /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -111,12 +119,12 @@ ifdef(`distro_redhat',` +@@ -111,12 +120,12 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) @@ -133081,7 +133109,7 @@ index ef8bbaf..0fbc39e 100644 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -140,6 +148,8 @@ ifdef(`distro_redhat',` +@@ -140,6 +149,8 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -133090,7 +133118,7 @@ index ef8bbaf..0fbc39e 100644 /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -147,12 +157,11 @@ ifdef(`distro_redhat',` +@@ -147,12 +158,11 @@ ifdef(`distro_redhat',` /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -133106,7 +133134,7 @@ index ef8bbaf..0fbc39e 100644 /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -181,6 +190,7 @@ ifdef(`distro_redhat',` +@@ -181,11 +191,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -133114,7 +133142,13 @@ index ef8bbaf..0fbc39e 100644 /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -240,14 +250,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ + /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/dri/fglrx_dri.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -240,14 +252,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
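Review bot: The new libraries.fc entry `/usr/lib/dri/fglrx_dri.so.*` leaves the dot before `so` unescaped, so as a regex it also matches unrelated names such as `fglrx_dri_so` or `fglrx_driXso`; the other entries this patch adds escape it as `\.so`. Use `/usr/lib/dri/fglrx_dri\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Note that the unconditional `/usr/lib/dri/.+\.so` entry added later in this patch already covers the unversioned `fglrx_dri.so`, so this line only contributes versioned `.so.N` names — a short comment stating that would stop it being removed as a duplicate.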
@@ -133130,7 +133164,7 @@ index ef8bbaf..0fbc39e 100644 # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +275,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -269,20 +277,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -133161,7 +133195,7 @@ index ef8bbaf..0fbc39e 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +304,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +306,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -133256,6 +133290,10 @@ index ef8bbaf..0fbc39e 100644 + +/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +ifdef(`fixed',` +/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
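Review bot: The three DRI globs (`/usr/lib/xorg/modules/dri/.+\.so`, `/usr/X11R6/lib/modules/dri/.+\.so`, `/usr/lib/dri/.+\.so`) leave the `ifdef(`fixed',` block (deleted from it in the following hunk) and become unconditional textrel_shlib_t, which permits text relocations for every driver module in those directories rather than for named libraries. That is a widening of the allowed execmod set that neither the patch nor the merge subject explains. A one-line comment above the new entries naming the drivers that still need it would make the exception reviewable; which drivers those are is not visible here, so the wording has to come from whoever verified the denials.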
@@ -133274,9 +133312,6 @@ index ef8bbaf..0fbc39e 100644 +/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +# Flash plugin, Macromedia +/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') +/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -135159,7 +135194,7 @@ index fe3427d..2a501db 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index 926ba65..1c044d6 100644 +index 926ba65..9cac7b3 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` @@ -135265,19 +135300,20 @@ index 926ba65..1c044d6 100644 ## Read public files used for file ## transfer services. ## -@@ -744,8 +796,9 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -744,8 +796,10 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') - files_etc_filetrans($1, locale_t, file) - ++ files_etc_filetrans($1, locale_t, lnk_file) + files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" ) + files_etc_filetrans($1, locale_t, file, "locale.conf" ) + files_etc_filetrans($1, locale_t, file, "timezone" ) ') ######################################## -@@ -769,3 +822,43 @@ interface(`miscfiles_manage_localization',` +@@ -769,3 +823,43 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -141363,10 +141399,10 @@ index 0280b32..61f19e9 100644 -') +attribute unconfined_services; 
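Review bot: The new line `files_etc_filetrans($1, locale_t, lnk_file)` in `miscfiles_etc_filetrans_localization` carries no name component, so every symlink a caller creates anywhere under etc_t is labelled locale_t, not only the localization links the interface documents. The named rule on the next line, `files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )`, already covers the one symlink named here, so the unnamed rule adds only breadth. Unless a caller creates a locale symlink under some other name, drop the unnamed rule; if it is needed, a comment naming that link should accompany it.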
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..ce61aed 100644 +index db75976..65191bd 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,20 @@ +@@ -1,4 +1,21 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -141374,6 +141410,7 @@ index db75976..ce61aed 100644 /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) ++/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +/root/\.debug(/.*)? <> +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 83f2d78..30b1348 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -2072,7 +2072,7 @@ index 0000000..feabdf3 + files_getattr_all_sockets(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index fd9fa07..50e40f7 100644 +index fd9fa07..9ac41bc 100644 --- a/apache.fc +++ b/apache.fc @@ -1,39 +1,57 @@ @@ -2217,7 +2217,7 @@ index fd9fa07..50e40f7 100644 /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -@@ -109,3 +146,25 @@ ifdef(`distro_debian', ` +@@ -109,3 +146,26 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
@@ -2235,6 +2235,7 @@ index fd9fa07..50e40f7 100644 + +/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + ++/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -3004,7 +3005,7 @@ index 6480167..e77ad76 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..08c3720 100644 +index 0833afb..c1e855c 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) @@ -3131,7 +3132,7 @@ index 0833afb..08c3720 100644 ## Allow httpd to read home directories ##

## -@@ -100,6 +173,20 @@ gen_tunable(httpd_enable_homedirs, false) +@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false) ## ##

@@ -3149,10 +3150,17 @@ index 0833afb..08c3720 100644 + +## +##

++## Allow Apache to query NS records ++##

++##
++gen_tunable(httpd_verify_dns, false) ++ ++## ++##

## Allow httpd daemon to change its resource limits ##

##
-@@ -114,6 +201,13 @@ gen_tunable(httpd_ssi_exec, false) +@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false) ## ##

@@ -3166,7 +3174,7 @@ index 0833afb..08c3720 100644 ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -130,12 +224,26 @@ gen_tunable(httpd_unified, false) +@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false) ## ##

@@ -3193,7 +3201,7 @@ index 0833afb..08c3720 100644 ##

## Allow httpd to run gpg ##

-@@ -149,12 +257,28 @@ gen_tunable(httpd_use_gpg, false) +@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false) ##
gen_tunable(httpd_use_nfs, false) @@ -3222,7 +3230,7 @@ index 0833afb..08c3720 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -173,7 +297,7 @@ files_type(httpd_cache_t) +@@ -173,7 +304,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -3231,7 +3239,7 @@ index 0833afb..08c3720 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -184,6 +308,9 @@ role system_r types httpd_helper_t; +@@ -184,6 +315,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -3241,7 +3249,7 @@ index 0833afb..08c3720 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -223,7 +350,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -223,7 +357,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -3264,7 +3272,7 @@ index 0833afb..08c3720 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -233,6 +374,11 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -233,6 +381,11 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -3276,7 +3284,7 @@ index 0833afb..08c3720 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -240,6 +386,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -240,6 +393,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -3284,7 +3292,7 @@ index 0833afb..08c3720 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -261,14 +408,23 @@ files_type(httpd_var_lib_t) +@@ -261,14 +415,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -3308,7 +3316,7 @@ index 0833afb..08c3720 100644 ######################################## # # Apache server local policy -@@ -288,11 +444,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -288,11 +451,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -3322,7 +3330,7 @@ index 0833afb..08c3720 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -336,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -336,8 +501,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -3334,7 +3342,7 @@ index 0833afb..08c3720 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -346,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -346,8 +513,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -3345,7 +3353,7 @@ index 0833afb..08c3720 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,8 +523,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -362,8 +530,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -3357,7 +3365,7 @@ index 0833afb..08c3720 100644 corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) corenet_udp_sendrecv_generic_if(httpd_t) -@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -372,11 +542,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -3378,7 +3386,7 @@ index 0833afb..08c3720 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t) +@@ -385,9 +563,14 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -3393,7 +3401,7 @@ index 0833afb..08c3720 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -396,61 +572,112 @@ domain_use_interactive_fds(httpd_t) +@@ -396,61 +579,112 @@ domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) @@ -3514,7 +3522,7 @@ index 0833afb..08c3720 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +688,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +695,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
@@ -3578,7 +3586,7 @@ index 0833afb..08c3720 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +752,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +759,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -3601,7 +3609,7 @@ index 0833afb..08c3720 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +787,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,9 +794,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -3622,7 +3630,7 @@ index 0833afb..08c3720 100644 ') optional_policy(` -@@ -525,6 +811,9 @@ optional_policy(` +@@ -525,6 +818,9 @@ optional_policy(` ') optional_policy(` @@ -3632,7 +3640,7 @@ index 0833afb..08c3720 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +829,24 @@ optional_policy(` +@@ -540,6 +836,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3657,7 +3665,7 @@ index 0833afb..08c3720 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +856,24 @@ optional_policy(` +@@ -549,13 +863,24 @@ optional_policy(` ') optional_policy(` @@ -3683,7 +3691,7 @@ index 0833afb..08c3720 100644 ') optional_policy(` -@@ -573,7 +891,21 @@ optional_policy(` +@@ -573,7 +898,21 @@ optional_policy(` ') optional_policy(` @@ -3705,7 +3713,7 @@ index 0833afb..08c3720 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -584,6 +916,7 @@ optional_policy(` +@@ -584,6 +923,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3713,7 +3721,7 @@ index 0833afb..08c3720 100644 ') optional_policy(` -@@ -594,6 +927,36 @@ optional_policy(` +@@ -594,6 +934,36 @@ optional_policy(` ') optional_policy(` 
@@ -3750,7 +3758,7 @@ index 0833afb..08c3720 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,6 +971,11 @@ optional_policy(` +@@ -608,6 +978,11 @@ optional_policy(` ') optional_policy(` @@ -3762,7 +3770,7 @@ index 0833afb..08c3720 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +988,12 @@ optional_policy(` +@@ -620,6 +995,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3775,13 +3783,17 @@ index 0833afb..08c3720 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1007,38 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1014,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) -userdom_use_user_terminals(httpd_helper_t) +userdom_use_inherited_user_terminals(httpd_helper_t) + ++tunable_policy(`httpd_verify_dns',` ++ corenet_udp_bind_all_ephemeral_ports(httpd_t) ++') ++ +tunable_policy(`httpd_run_stickshift', ` + allow httpd_t self:capability { fowner fsetid sys_resource }; + dontaudit httpd_t self:capability sys_ptrace; @@ -3815,7 +3827,7 @@ index 0833afb..08c3720 100644 ######################################## # -@@ -671,28 +1076,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1087,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3859,7 +3871,7 @@ index 0833afb..08c3720 100644 ') ######################################## -@@ -702,6 +1109,7 @@ optional_policy(` +@@ -702,6 +1120,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
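Review bot: The new `tunable_policy(`httpd_verify_dns',` block grants `corenet_udp_bind_all_ephemeral_ports(httpd_t)` but is placed in the "Apache helper local policy" section, directly after the `httpd_helper_t` terminal rule, so a reader auditing httpd_t's network tunables (`httpd_can_sendmail`, `httpd_setrlimit`, `httpd_tty_comm` earlier in the file) will not find it there. Moving it up beside those blocks, or at least giving it a header such as `# httpd_verify_dns: presumably the source port for outbound resolver queries -- confirm`, keeps httpd_t's conditional network grants in one place. The pre-existing `httpd_run_stickshift` block below it has the same placement and could move together with it.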
@@ -3867,7 +3879,7 @@ index 0833afb..08c3720 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1124,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1135,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -3896,7 +3908,7 @@ index 0833afb..08c3720 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1154,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1165,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -3914,7 +3926,7 @@ index 0833afb..08c3720 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1172,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1183,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -3947,7 +3959,7 @@ index 0833afb..08c3720 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1219,25 @@ optional_policy(` +@@ -786,6 +1230,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3973,7 +3985,7 @@ index 0833afb..08c3720 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1258,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1269,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -3991,7 +4003,7 @@ index 0833afb..08c3720 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1277,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1288,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -4050,7 +4062,7 @@ index 0833afb..08c3720 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1328,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1339,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4091,7 +4103,7 @@ index 0833afb..08c3720 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -859,10 +1373,20 @@ optional_policy(` +@@ -859,10 +1384,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -4112,7 +4124,7 @@ index 0833afb..08c3720 100644 ') ######################################## -@@ -878,11 +1402,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1413,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4124,7 +4136,7 @@ index 0833afb..08c3720 100644 ######################################## # -@@ -908,11 +1430,138 @@ optional_policy(` +@@ -908,11 +1441,138 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
@@ -4880,6 +4892,192 @@ index 159610b..164b672 100644 mysql_stream_connect(asterisk_t) ') +diff --git a/authconfig.fc b/authconfig.fc +new file mode 100644 +index 0000000..86bbf21 +--- /dev/null ++++ b/authconfig.fc +@@ -0,0 +1,3 @@ ++/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:authconfig_exec_t,s0) ++ ++/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0) +diff --git a/authconfig.if b/authconfig.if +new file mode 100644 +index 0000000..98ab9ed +--- /dev/null ++++ b/authconfig.if +@@ -0,0 +1,132 @@ ++ ++## policy for authconfig ++ ++######################################## ++## ++## Execute TEMPLATE in the authconfig domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`authconfig_domtrans',` ++ gen_require(` ++ type authconfig_t, authconfig_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, authconfig_exec_t, authconfig_t) ++') ++ ++######################################## ++## ++## Search authconfig lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authconfig_search_lib',` ++ gen_require(` ++ type authconfig_var_lib_t; ++ ') ++ ++ allow $1 authconfig_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read authconfig lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authconfig_read_lib_files',` ++ gen_require(` ++ type authconfig_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t) ++') ++ ++######################################## ++## ++## Manage authconfig lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`authconfig_manage_lib_files',` ++ gen_require(` ++ type authconfig_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t) ++') ++ ++######################################## ++## ++## Manage authconfig lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authconfig_manage_lib_dirs',` ++ gen_require(` ++ type authconfig_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an authconfig environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`authconfig_admin',` ++ gen_require(` ++ type authconfig_t; ++ type authconfig_var_lib_t; ++ ') ++ ++ allow $1 authconfig_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, authconfig_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, authconfig_var_lib_t) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/authconfig.te b/authconfig.te +new file mode 100644 +index 0000000..aeea7cf +--- /dev/null ++++ b/authconfig.te +@@ -0,0 +1,33 @@ ++policy_module(authconfig, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type authconfig_t; ++type authconfig_exec_t; ++application_domain(authconfig_t, authconfig_exec_t) ++ ++type authconfig_var_lib_t; ++files_type(authconfig_var_lib_t) ++ ++######################################## ++# ++# authconfig local policy ++# ++allow authconfig_t self:fifo_file rw_fifo_file_perms; ++allow authconfig_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t) ++manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t) 
++manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t) ++files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file }) ++ ++domain_use_interactive_fds(authconfig_t) ++ ++files_read_etc_files(authconfig_t) ++ ++init_domtrans_script(authconfig_t) ++ ++unconfined_domain_noaudit(authconfig_t) diff --git a/automount.fc b/automount.fc index f16ab68..e4178a4 100644 --- a/automount.fc @@ -9437,10 +9635,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..7a7220c +index 0000000..1e73280 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,198 @@ +@@ -0,0 +1,199 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -9499,6 +9697,7 @@ index 0000000..7a7220c + +dev_read_rand(cloudform_domain) +dev_read_urand(cloudform_domain) ++dev_read_sysfs(cloudform_domain) + +files_read_etc_files(cloudform_domain) + @@ -16513,7 +16712,7 @@ index f706b99..aa049fc 100644 + #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 1819518..4848cfe 100644 +index 1819518..1363f96 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0) @@ -16642,7 +16841,7 @@ index 1819518..4848cfe 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -178,55 +194,83 @@ optional_policy(` +@@ -178,55 +194,84 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') 
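Review bot: `unconfined_domain_noaudit(authconfig_t)` at the end of the new authconfig.te makes the domain unconfined, so the manage_*_pattern and files_read_etc_files rules above it add nothing to enforcement, and nothing in the file says whether this is a temporary bootstrap; a comment such as `# authconfig_t is currently unconfined; the rules above record the access expected once it is confined` would make the intent explicit. In authconfig.if the description of `authconfig_domtrans` still reads `Execute TEMPLATE in the authconfig domin.` and should become `Execute authconfig in the authconfig domain.`. Since authconfig.fc labels a Python script (`/usr/share/authconfig/authconfig.py`) as the entrypoint, the transition presumably fires only when the script is executed directly and not when it is passed to an interpreter, which is worth stating in the interface description for callers such as the `authconfig_domtrans(realmd_t)` added further down.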
@@ -16660,6 +16859,7 @@ index 1819518..4848cfe 100644 -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -allow devicekit_power_t self:process getsched; +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; ++allow devicekit_power_t self:capability2 compromise_kernel; +allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; @@ -16733,7 +16933,7 @@ index 1819518..4848cfe 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,10 +279,16 @@ optional_policy(` +@@ -235,10 +280,16 @@ optional_policy(` ') optional_policy(` @@ -16750,7 +16950,7 @@ index 1819518..4848cfe 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -261,14 +311,21 @@ optional_policy(` +@@ -261,14 +312,21 @@ optional_policy(` ') optional_policy(` @@ -16773,7 +16973,7 @@ index 1819518..4848cfe 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +333,31 @@ optional_policy(` +@@ -276,9 +334,31 @@ optional_policy(` ') optional_policy(` @@ -26889,10 +27089,10 @@ index 0000000..1b3514a + diff --git a/isnsd.te b/isnsd.te new file mode 100644 -index 0000000..fa4b4d7 +index 0000000..951fbae --- /dev/null +++ b/isnsd.te -@@ -0,0 +1,51 @@ +@@ -0,0 +1,52 @@ +policy_module(isnsd, 1.0.0) + +######################################## @@ -26922,6 +27122,7 @@ index 0000000..fa4b4d7 +allow isnsd_t self:process { signal }; + +allow isnsd_t self:fifo_file rw_fifo_file_perms; ++allow isnsd_t self:tcp_socket { listen }; +allow isnsd_t self:udp_socket { listen }; +allow isnsd_t self:unix_stream_socket create_stream_socket_perms; + 
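Review bot: `allow devicekit_power_t self:capability2 compromise_kernel;` grants a capability whose name states its effect, and neither the hunk nor the selinux-policy.spec changelog in this commit says which operation of the daemon requires it; the same unconditional line is added for `virtd_t` in the virt.te hunk further down. Each grant should carry a why-comment naming the triggering operation, e.g. `# compromise_kernel: required by <operation from the AVC denial>`, and if that operation is itself optional the rule belongs under the matching optional_policy or tunable_policy rather than in the base rules of the domain.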
@@ -28148,7 +28349,7 @@ index 4198ff5..d1ab262 100644 + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index b29d8e2..7bc0ab1 100644 +index b29d8e2..6a6dcf0 100644 --- a/kdump.te +++ b/kdump.te @@ -15,15 +15,28 @@ files_config_file(kdump_etc_t) @@ -28180,7 +28381,7 @@ index b29d8e2..7bc0ab1 100644 files_read_etc_runtime_files(kdump_t) files_read_kernel_img(kdump_t) -@@ -36,3 +49,85 @@ dev_read_framebuffer(kdump_t) +@@ -36,3 +49,87 @@ dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) term_use_console(kdump_t) @@ -28201,9 +28402,11 @@ index b29d8e2..7bc0ab1 100644 +allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) ++manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) +manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) +manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) +files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file }) ++can_exec(kdumpctl_t, kdumpctl_tmp_t) + +read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t) + @@ -32334,13 +32537,14 @@ index b681608..9c4fc55 100644 -miscfiles_read_localization(memcached_t) diff --git a/milter.fc b/milter.fc -index 1ec5a6c..9485753 100644 +index 1ec5a6c..64ac6f0 100644 --- a/milter.fc +++ b/milter.fc -@@ -1,13 +1,21 @@ +@@ -1,15 +1,26 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) ++/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) +/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) 
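Review bot: `can_exec(kdumpctl_t, kdumpctl_tmp_t)` together with the new `manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)` lets kdumpctl run files and create device nodes under its own tmp type, which is broader than the usual tmp rules and has no comment explaining it. The `files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })` on the following line was not extended with `chr_file`, so a device node created directly in /tmp rather than inside a kdumpctl_tmp_t directory would presumably not receive kdumpctl_tmp_t -- confirm whether that is intended. A why-comment such as `# kdumpctl assembles the kdump initramfs under tmp and runs helpers from it -- confirm` would record the reason for the exec grant. The kdumpctl rules begin in an earlier hunk of kdump.te.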
@@ -32359,7 +32563,11 @@ index 1ec5a6c..9485753 100644 +/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) + /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/milter.if b/milter.if index ee72cbe..bdf319a 100644 --- a/milter.if @@ -33657,7 +33865,7 @@ index b397fde..c7c031d 100644 +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..1c81b41 100644 +index d4fcb75..a54e4ec 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) @@ -33857,7 +34065,7 @@ index d4fcb75..1c81b41 100644 -files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) -userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) ++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) +userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) +xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) @@ -44460,10 +44668,10 @@ index 0000000..83c13cf + diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..5e5f291 +index 0000000..733a153 --- /dev/null 
+++ b/pki.te -@@ -0,0 +1,289 @@ +@@ -0,0 +1,287 @@ +policy_module(pki,10.0.11) + +######################################## @@ -44725,8 +44933,6 @@ index 0000000..5e5f291 +domain_dontaudit_read_all_domains_state(pki_apache_domain) +ps_process_pattern(pki_apache_domain, pki_apache_domain) + -+miscfiles_read_localization(pki_apache_domain) -+ +sysnet_read_config(pki_apache_domain) + +ifdef(`targeted_policy',` @@ -52453,10 +52659,10 @@ index 0000000..e38693b +') diff --git a/realmd.te b/realmd.te new file mode 100644 -index 0000000..b1347a4 +index 0000000..8ef2a1b --- /dev/null +++ b/realmd.te -@@ -0,0 +1,93 @@ +@@ -0,0 +1,97 @@ +policy_module(realmd, 1.0.0) + +######################################## @@ -52503,6 +52709,10 @@ index 0000000..b1347a4 +#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache") + +optional_policy(` ++ authconfig_domtrans(realmd_t) ++') ++ ++optional_policy(` + dbus_system_domain(realmd_t, realmd_exec_t) + + optional_policy(` @@ -54846,10 +55056,10 @@ index 0000000..8b505d5 +') diff --git a/rngd.te b/rngd.te new file mode 100644 -index 0000000..243ecf9 +index 0000000..868faed --- /dev/null +++ b/rngd.te -@@ -0,0 +1,39 @@ +@@ -0,0 +1,37 @@ +policy_module(rngd, 1.0.0) + +######################################## @@ -54887,8 +55097,6 @@ index 0000000..243ecf9 +files_read_etc_files(rngd_t) + +logging_send_syslog_msg(rngd_t) -+ -+miscfiles_read_localization(rngd_t) diff --git a/roundup.if b/roundup.if index 30c4b75..e07c2ff 100644 --- a/roundup.if @@ -55463,7 +55671,7 @@ index f5c47d6..164ce1f 100644 -/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) +/var/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/rpcbind.if b/rpcbind.if -index a96249c..5f38427 100644 +index a96249c..54e6f2d 100644 --- a/rpcbind.if +++ b/rpcbind.if @@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',` 
@@ -55476,7 +55684,7 @@ index a96249c..5f38427 100644 ') ######################################## -@@ -117,6 +116,24 @@ interface(`rpcbind_manage_lib_files',` +@@ -117,6 +116,42 @@ interface(`rpcbind_manage_lib_files',` ######################################## ## @@ -55498,10 +55706,28 @@ index a96249c..5f38427 100644 + +######################################## +## ++## Transition to rpcbind named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpcbind_filetrans_named_content',` ++ gen_require(` ++ type rpcbind_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock") ++') ++ ++######################################## ++## ## All of the rules required to administrate ## an rpcbind environment ## -@@ -138,11 +155,20 @@ interface(`rpcbind_admin',` +@@ -138,11 +173,20 @@ interface(`rpcbind_admin',` type rpcbind_initrc_exec_t; ') @@ -68387,7 +68613,7 @@ index 6f0736b..cebdb3e 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..ad97e84 100644 +index 947bbc6..2ab5066 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.5.0) 
@@ -68685,13 +68911,14 @@ index 947bbc6..ad97e84 100644 xen_rw_image_files(svirt_t) ') -@@ -176,22 +297,41 @@ optional_policy(` +@@ -176,22 +297,42 @@ optional_policy(` # virtd local policy # -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; ++allow virtd_t self:capability2 compromise_kernel; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code @@ -68734,7 +68961,7 @@ index 947bbc6..ad97e84 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +342,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +343,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -68769,7 +68996,7 @@ index 947bbc6..ad97e84 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +374,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +375,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) 
@@ -68784,6 +69011,7 @@ index 947bbc6..ad97e84 100644 +kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) ++kernel_setsched(virtd_t) corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) @@ -68792,7 +69020,7 @@ index 947bbc6..ad97e84 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +401,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +403,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -68826,7 +69054,7 @@ index 947bbc6..ad97e84 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +433,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +435,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -68845,7 +69073,7 @@ index 947bbc6..ad97e84 100644 mcs_process_set_categories(virtd_t) -@@ -284,7 +459,8 @@ term_use_ptmx(virtd_t) +@@ -284,7 +461,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -68855,7 +69083,7 @@ index 947bbc6..ad97e84 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +469,32 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +471,32 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -68888,7 +69116,7 @@ index 947bbc6..ad97e84 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +513,10 @@ optional_policy(` +@@ -322,6 +515,10 @@ optional_policy(` ') optional_policy(` @@ -68899,7 +69127,7 @@ index 947bbc6..ad97e84 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +530,34 @@ optional_policy(` +@@ -335,19 +532,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') 
@@ -68935,7 +69163,7 @@ index 947bbc6..ad97e84 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +572,12 @@ optional_policy(` +@@ -362,6 +574,12 @@ optional_policy(` ') optional_policy(` @@ -68948,7 +69176,7 @@ index 947bbc6..ad97e84 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +585,11 @@ optional_policy(` +@@ -369,11 +587,11 @@ optional_policy(` ') optional_policy(` @@ -68965,7 +69193,7 @@ index 947bbc6..ad97e84 100644 ') optional_policy(` -@@ -384,6 +600,7 @@ optional_policy(` +@@ -384,6 +602,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -68973,7 +69201,7 @@ index 947bbc6..ad97e84 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -403,34 +620,48 @@ optional_policy(` +@@ -403,34 +622,48 @@ optional_policy(` # virtual domains common policy # @@ -69029,7 +69257,7 @@ index 947bbc6..ad97e84 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,10 +669,11 @@ dev_write_sound(virt_domain) +@@ -438,10 +671,11 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -69042,7 +69270,7 @@ index 947bbc6..ad97e84 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,23 +681,512 @@ files_search_all(virt_domain) +@@ -449,23 +683,513 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -69160,6 +69388,9 @@ index 947bbc6..ad97e84 100644 + +term_use_all_inherited_terms(virsh_t) + ++userdom_search_admin_dir(virsh_t) ++userdom_read_home_certs(virsh_t) ++ +init_stream_connect_script(virsh_t) +init_rw_script_stream_sockets(virsh_t) +init_use_fds(virsh_t) 
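Review bot: `++userdom_read_home_certs(virsh_t)` is described in the changelog as "Allow virsh_t to read /root/.pki/ content", but under its refpolicy definition the interface grants read access to home_cert_t wherever it is labeled, i.e. the `~/.pki` of any user, not only root. If the intent is the client TLS certificates virsh uses for remote libvirtd connections (which libvirt looks up under the caller's `~/.pki`, as I understand it), the wider grant is what you want, but say so, e.g. `# virsh reads the caller's client TLS certs under ~/.pki (home_cert_t) for remote libvirtd connections`; the adjacent `++userdom_search_admin_dir(virsh_t)` would be covered by the same comment. The virsh_t block these lines belong to starts before this hunk.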
@@ -69429,7 +69660,7 @@ index 947bbc6..ad97e84 100644 +virt_lxc_domain_template(svirt_lxc_net) + +allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+dontaudit svirt_lxc_net_t self:capability2 { block_suspend }; ++dontaudit svirt_lxc_net_t self:capability2 block_suspend; + +allow svirt_lxc_net_t self:process setrlimit; + @@ -69554,8 +69785,6 @@ index 947bbc6..ad97e84 100644 + +logging_send_syslog_msg(virt_qemu_ga_t) + -+miscfiles_read_localization(virt_qemu_ga_t) -+ +sysnet_dns_name_resolve(virt_qemu_ga_t) + diff --git a/vlock.te b/vlock.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 647f4dd..b78f6b4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 47%{?dist} +Release: 48%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -522,6 +522,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Oct 30 2012 Miroslav Grepl 3.11.1-48 +- Fix label on /etc/group.lock +- Allow gnomeclock to create lnk_file in /etc +- label /root/.pki as a home_cert_t +- Add interface to make sure rpcbind.sock is created with the correct label +- Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules +- opendkim should be a part of milter +- Allow libvirt to set the kernel sched algorythm +- Allow mongod to read sysfs_t +- Add authconfig policy +- Remove calls to miscfiles_read_localization all domains get this +- Allow virsh_t to read /root/.pki/ content +- Add label for log directory under /var/www/stickshift + * Mon Oct 29 2012 Miroslav Grepl 3.11.1-47 - Allow getty to setattr on usb ttys - Allow sshd to search all directories for sshd_home_t content
