From a48162f97499a9ed4a0deb8fb34e32f2572ba2cb Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 25 2013 14:11:41 +0000 Subject: - Allow setroubleshoot to look at /proc - Allow telepathy domains to dbus with systemd logind - Fix handling of fifo files of rpm - Allow certwatch to write to cert_t directories - New abrt application - Allow mozilla_plugin to transition to itself - Allow mdadm_t to read images labeled svirt_image_t - Allow NetworkManager to set the kernel scheduler - Allow abrt daemon to manage abrt-watch tmp files - Allow abrt-upload-watcher to search /var/spool directory - More handling of ther kernel keyring required by kerberos --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index a7f173d..e8c0f81 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -17369,7 +17369,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..3cfc3dd 100644 +index 88d0028..85b1f4c 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) @@ -17464,7 +17464,7 @@ index 88d0028..3cfc3dd 100644 + +optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) -+ ssh_filetrans_keys(sysadm_t) ++ ssh_filetrans_keys(sysadm_t) +') ifdef(`direct_sysadm_daemon',` @@ -20448,7 +20448,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..007ac2e 100644 +index 5fc0391..337d97e 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20537,7 +20537,7 @@ index 5fc0391..007ac2e 100644 allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; -+allow ssh_t self:key read; ++allow ssh_t self:key manage_key_perms; allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; @@ -26355,7 +26355,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..c4155c7 100644 +index 24e7804..76da5dd 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -26874,7 +26874,50 @@ index 24e7804..c4155c7 100644 files_search_etc($1) ') -@@ -1026,7 +1235,9 @@ interface(`init_ptrace',` +@@ -1012,6 +1221,42 @@ interface(`init_read_state',` + + ######################################## + ## ++## Read the process keyring of init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_read_key',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:key read; ++') ++ ++######################################## ++## ++## Write the process keyring of init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_write_key',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:key read; ++') ++ ++######################################## ++## + ## Ptrace init + ## + ## +@@ -1026,7 +1271,9 @@ interface(`init_ptrace',` type init_t; ') @@ -26885,7 +26928,7 @@ index 24e7804..c4155c7 100644 ') ######################################## -@@ -1125,6 +1336,25 @@ interface(`init_getattr_all_script_files',` +@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -26911,7 +26954,7 @@ index 24e7804..c4155c7 100644 ## Read all init script files. ## ## -@@ -1144,6 +1374,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -26936,7 +26979,7 @@ index 24e7804..c4155c7 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1443,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -26950,35 +26993,69 @@ index 24e7804..c4155c7 100644 ') ######################################## -@@ -1440,6 +1683,27 @@ interface(`init_dbus_send_script',` +@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from +-## init scripts over dbus. +## init over dbus. -+## + ## + ## + ## +@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',` + ## + ## + # +-interface(`init_dbus_chat_script',` ++interface(`init_dbus_chat',` + gen_require(` +- type initrc_t; ++ type init_t; + class dbus send_msg; + ') + +- allow $1 initrc_t:dbus send_msg; +- allow initrc_t $1:dbus send_msg; ++ allow $1 init_t:dbus send_msg; ++ allow init_t $1:dbus send_msg; + ') + + ######################################## + ## +-## Read and write the init script pty. ++## Send and receive messages from ++## init scripts over dbus. + ## +-## +-##

+-## Read and write the init script pty. This +## +##

+## Domain allowed access. +## +## +# -+interface(`init_dbus_chat',` ++interface(`init_dbus_chat_script',` + gen_require(` -+ type init_t; ++ type initrc_t; + class dbus send_msg; + ') + -+ allow $1 init_t:dbus send_msg; -+ allow init_t $1:dbus send_msg; ++ allow $1 initrc_t:dbus send_msg; ++ allow initrc_t $1:dbus send_msg; +') + +######################################## +## -+## Send and receive messages from - ## init scripts over dbus. - ## - ## -@@ -1526,6 +1790,25 @@ interface(`init_getattr_script_status_files',` ++## Read and write the init script pty. ++## ++## ++##

++## Read and write the init script pty. This + ## pty is generally opened by the open_init_pty + ## portion of the run_init program so that the + ## daemon does not require direct access to +@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',` ######################################## ##

@@ -27004,26 +27081,17 @@ index 24e7804..c4155c7 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1584,21 +1867,39 @@ interface(`init_rw_script_tmp_files',` +@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## --## Create files in a init script --## temporary data directory. +## Read and write init script inherited temporary data. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created --## --## --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`init_rw_inherited_script_tmp_files',` + gen_require(` @@ -27035,25 +27103,10 @@ index 24e7804..c4155c7 100644 + +######################################## +## -+## Create files in a init script -+## temporary data directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## - ## The object class. - ## - ## -@@ -1656,6 +1957,43 @@ interface(`init_read_utmp',` + ## Create files in a init script + ## temporary data directory. + ## +@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -27097,7 +27150,7 @@ index 24e7804..c4155c7 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1744,7 +2082,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -27106,7 +27159,7 @@ index 24e7804..c4155c7 100644 ') ######################################## -@@ -1785,6 +2123,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -27240,7 +27293,7 @@ index 24e7804..c4155c7 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2284,360 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -39029,7 +39082,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..991cb36 100644 +index 3c5dba7..bce11fd 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39961,7 +40014,7 @@ index 3c5dba7..991cb36 100644 userdom_change_password_template($1) -@@ -761,82 +946,99 @@ template(`userdom_login_user_template', ` +@@ -761,82 +946,100 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -40064,6 +40117,7 @@ index 3c5dba7..991cb36 100644 - seutil_read_config($1_t) + optional_policy(` + kerberos_use($1_usertype) ++ init_write_key($1_usertype) + ') optional_policy(` @@ -40097,7 +40151,7 @@ index 3c5dba7..991cb36 100644 ') ') -@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -40110,7 +40164,7 @@ index 3c5dba7..991cb36 100644 ############################## # # Local policy -@@ -907,42 +1115,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1116,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -40223,7 +40277,7 @@ index 3c5dba7..991cb36 100644 ') optional_policy(` -@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1217,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -40254,7 +40308,7 @@ index 3c5dba7..991cb36 100644 ') ####################################### -@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1273,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -40292,7 +40346,7 @@ index 3c5dba7..991cb36 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1310,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -40363,7 +40417,7 @@ index 3c5dba7..991cb36 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1372,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -40374,7 +40428,7 @@ index 3c5dba7..991cb36 100644 ') ') -@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1410,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -40383,7 +40437,7 @@ index 3c5dba7..991cb36 100644 ') ############################## -@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1437,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40391,7 +40445,7 @@ index 3c5dba7..991cb36 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1446,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -40401,7 +40455,7 @@ index 3c5dba7..991cb36 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1463,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -40409,7 +40463,7 @@ index 3c5dba7..991cb36 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1481,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40424,7 +40478,7 @@ index 3c5dba7..991cb36 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1499,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -40467,7 +40521,7 @@ index 3c5dba7..991cb36 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1540,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40476,7 +40530,7 @@ index 3c5dba7..991cb36 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1549,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -40495,7 +40549,7 @@ index 3c5dba7..991cb36 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1605,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40504,7 +40558,7 @@ index 3c5dba7..991cb36 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1619,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40516,7 +40570,7 @@ index 3c5dba7..991cb36 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1633,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -40559,7 +40613,7 @@ index 3c5dba7..991cb36 100644 ') optional_policy(` -@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1718,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40578,7 +40632,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1769,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -40630,7 +40684,7 @@ index 3c5dba7..991cb36 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1918,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -40662,7 +40716,7 @@ index 3c5dba7..991cb36 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1984,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -40677,7 +40731,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2007,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40689,7 +40743,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2068,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -40732,7 +40786,7 @@ index 3c5dba7..991cb36 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2183,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40741,7 +40795,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2218,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -40756,7 +40810,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -1772,7 +2247,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2248,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -40783,7 +40837,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -1782,49 +2275,67 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,49 +2276,67 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -40863,7 +40917,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -1848,6 +2359,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2360,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -40889,7 +40943,7 @@ index 3c5dba7..991cb36 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2408,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2409,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -40927,7 +40981,7 @@ index 3c5dba7..991cb36 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2448,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2449,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -40945,7 +40999,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -1941,7 +2496,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2497,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -40972,7 +41026,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -1951,17 +2524,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2525,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -40993,7 +41047,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -1969,12 +2540,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2541,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -41044,7 +41098,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -2010,8 +2617,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2618,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -41054,7 +41108,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -2027,20 +2633,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2634,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -41079,7 +41133,7 @@ index 3c5dba7..991cb36 100644 ######################################## ## -@@ -2123,7 +2723,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2724,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -41088,7 +41142,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -2131,19 +2731,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2732,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -41112,7 +41166,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -2151,12 +2749,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2750,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -41128,7 +41182,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -2393,11 +2991,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2992,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -41143,7 +41197,7 @@ index 3c5dba7..991cb36 100644 files_search_tmp($1) ') -@@ -2417,7 +3015,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3016,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -41152,7 +41206,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -2664,6 +3262,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3263,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -41178,7 +41232,7 @@ index 3c5dba7..991cb36 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3297,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3298,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -41194,7 +41248,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -2707,7 +3325,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3326,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -41203,7 +41257,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -2715,14 +3333,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3334,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -41238,7 +41292,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -2817,6 +3451,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3452,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -41263,7 +41317,7 @@ index 3c5dba7..991cb36 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3487,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3488,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -41306,7 +41360,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -2859,14 +3523,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3524,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -41344,7 +41398,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -2885,8 +3568,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3569,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -41374,7 +41428,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -2958,69 +3660,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3661,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41475,7 +41529,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -3028,12 +3729,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3730,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -41490,7 +41544,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -3097,7 +3798,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3799,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -41499,7 +41553,7 @@ index 3c5dba7..991cb36 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3814,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3815,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41533,7 +41587,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -3217,7 +3902,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3903,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41560,7 +41614,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -3272,7 +3975,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3976,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41626,7 +41680,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -3290,7 +4050,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4051,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41635,7 +41689,7 @@ index 3c5dba7..991cb36 100644 ') ######################################## -@@ -3309,6 +4069,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4070,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -41643,7 +41697,7 @@ index 3c5dba7..991cb36 100644 kernel_search_proc($1) ') -@@ -3385,6 +4146,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4147,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -41686,7 +41740,7 @@ index 3c5dba7..991cb36 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,7 +4202,7 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,7 +4203,7 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -41695,7 +41749,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -3413,17 +4210,17 @@ interface(`userdom_sigchld_all_users',` +@@ -3413,17 +4211,17 @@ interface(`userdom_sigchld_all_users',` ## ## # @@ -41716,7 +41770,7 @@ index 3c5dba7..991cb36 100644 ## ## ## -@@ -3431,11 +4228,1516 @@ interface(`userdom_create_all_users_keys',` +@@ -3431,11 +4229,1516 @@ interface(`userdom_create_all_users_keys',` ## ## # diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 7657ec9..735d1d7 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index e4f84de..2fe1152 100644 +index e4f84de..2ed712d 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,30 +1,41 @@ +@@ -1,30 +1,42 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) @@ -22,6 +22,7 @@ index e4f84de..2fe1152 100644 +/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) @@ -519,7 +520,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..9782064 100644 +index cc43d25..2b3de55 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -704,7 +705,7 @@ index cc43d25..9782064 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -726,14 +727,17 @@ index cc43d25..9782064 100644 files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) -can_exec(abrt_t, abrt_tmp_t) -- ++manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) + kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) +kernel_read_network_state(abrt_t) kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -752,7 +756,7 @@ index cc43d25..9782064 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -793,7 +797,7 @@ index cc43d25..9782064 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +231,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -810,7 +814,7 @@ index cc43d25..9782064 100644 ') optional_policy(` -@@ -209,6 +239,16 @@ optional_policy(` +@@ -209,6 +243,16 @@ optional_policy(` ') optional_policy(` @@ -827,7 +831,7 @@ index cc43d25..9782064 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +260,7 @@ optional_policy(` +@@ -220,6 +264,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -835,7 +839,7 @@ index cc43d25..9782064 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +271,7 @@ optional_policy(` +@@ -230,6 +275,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -843,7 +847,7 @@ index cc43d25..9782064 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +282,17 @@ optional_policy(` +@@ -240,9 +286,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -862,7 +866,7 @@ index cc43d25..9782064 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +307,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -877,7 +881,7 @@ index cc43d25..9782064 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -885,7 +889,7 @@ index cc43d25..9782064 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -906,7 +910,7 @@ index cc43d25..9782064 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +356,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -933,7 +937,7 @@ index cc43d25..9782064 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -947,7 +951,7 @@ index cc43d25..9782064 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +406,11 @@ optional_policy(` +@@ -330,10 +410,11 @@ optional_policy(` ####################################### # @@ -961,7 +965,7 @@ index cc43d25..9782064 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +433,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1023,7 +1027,7 @@ index cc43d25..9782064 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +491,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1045,16 +1049,19 @@ index cc43d25..9782064 100644 -files_read_etc_files(abrt_domain) +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir}) + +read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) + -+manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t) + +corecmd_exec_bin(abrt_upload_watch_t) + +dev_read_urand(abrt_upload_watch_t) + ++files_search_spool(abrt_upload_watch_t) ++ +auth_read_passwd(abrt_upload_watch_t) -logging_send_syslog_msg(abrt_domain) @@ -2023,7 +2030,7 @@ index 7f4dfbc..4d750fa 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index ed45974..d4df671 100644 +index ed45974..ec7bb41 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2077,7 +2084,15 @@ index ed45974..d4df671 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -170,7 +175,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) + + dev_getattr_all_blk_files(amanda_t) + dev_getattr_all_chr_files(amanda_t) ++dev_read_urand(amanda_t) + + files_read_etc_runtime_files(amanda_t) + files_list_all(amanda_t) +@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2085,7 +2100,7 @@ index ed45974..d4df671 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +199,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -10347,10 +10362,10 @@ index 2354e21..fb8c9ed 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 403af41..84b41e6 100644 +index 403af41..1a4bd9c 100644 --- a/certwatch.te +++ b/certwatch.te -@@ -20,33 +20,44 @@ role certwatch_roles types certwatch_t; +@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t; allow certwatch_t self:capability sys_nice; allow certwatch_t self:process { setsched getsched }; @@ -10378,11 +10393,12 @@ index 403af41..84b41e6 100644 miscfiles_read_all_certs(certwatch_t) -miscfiles_read_localization(certwatch_t) ++miscfiles_manage_generic_cert_dirs(certwatch_t) ++ ++sysnet_read_config(certwatch_t) -userdom_use_user_terminals(certwatch_t) -userdom_dontaudit_list_user_home_dirs(certwatch_t) -+sysnet_read_config(certwatch_t) -+ +userdom_use_inherited_user_terminals(certwatch_t) +userdom_dontaudit_list_admin_dir(certwatch_t) @@ -39804,7 +39820,7 @@ index 6194b80..f1a5676 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..2108bc7 100644 +index 6a306ee..bcecbbd 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -40262,7 +40278,7 @@ index 6a306ee..2108bc7 100644 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; + -+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit }; ++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow mozilla_plugin_t self:netlink_socket create_socket_perms; +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; @@ -45964,7 +45980,7 @@ index 0e8508c..f8893f8 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..2b6c69a 100644 +index 0b48a30..b5c140b 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -46057,7 +46073,7 @@ index 0b48a30..2b6c69a 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,9 +104,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,17 +104,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) @@ -46067,15 +46083,16 @@ index 0b48a30..2b6c69a 100644 kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) -@@ -91,7 +111,6 @@ kernel_request_load_module(NetworkManager_t) + kernel_request_load_module(NetworkManager_t) kernel_read_debugfs(NetworkManager_t) kernel_rw_net_sysctls(NetworkManager_t) ++kernel_setsched(NetworkManager_t) -corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +121,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +122,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -46101,7 +46118,7 @@ index 0b48a30..2b6c69a 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +137,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +138,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -46115,7 +46132,7 @@ index 0b48a30..2b6c69a 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +145,17 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +146,17 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -46133,7 +46150,7 @@ index 0b48a30..2b6c69a 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +164,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +165,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -46146,7 +46163,7 @@ index 0b48a30..2b6c69a 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +183,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +184,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -46183,7 +46200,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -196,10 +224,6 @@ optional_policy(` +@@ -196,10 +225,6 @@ optional_policy(` ') optional_policy(` @@ -46194,7 +46211,7 @@ index 0b48a30..2b6c69a 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +234,11 @@ optional_policy(` +@@ -210,16 +235,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -46213,7 +46230,7 @@ index 0b48a30..2b6c69a 100644 ') ') -@@ -231,18 +250,19 @@ optional_policy(` +@@ -231,18 +251,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -46236,7 +46253,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -250,6 +270,10 @@ optional_policy(` +@@ -250,6 +271,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -46247,7 +46264,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -257,11 +281,10 @@ optional_policy(` +@@ -257,11 +282,10 @@ optional_policy(` ') optional_policy(` @@ -46263,7 +46280,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -274,10 +297,17 @@ optional_policy(` +@@ -274,10 +298,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -46281,7 +46298,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -289,6 +319,7 @@ optional_policy(` +@@ -289,6 +320,7 @@ optional_policy(` ') optional_policy(` @@ -46289,7 +46306,7 @@ index 0b48a30..2b6c69a 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +327,7 @@ optional_policy(` +@@ -296,7 +328,7 @@ optional_policy(` ') optional_policy(` @@ -46298,7 +46315,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -307,6 +338,7 @@ optional_policy(` +@@ -307,6 +339,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -46306,7 +46323,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -320,13 +352,19 @@ optional_policy(` +@@ -320,13 +353,19 @@ optional_policy(` ') optional_policy(` @@ -46330,7 +46347,7 @@ index 0b48a30..2b6c69a 100644 ') optional_policy(` -@@ -356,6 +394,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +395,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -67429,7 +67446,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..6f60d73 100644 +index 2c1730b..13e6b9c 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -67534,7 +67551,7 @@ index 2c1730b..6f60d73 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +125,17 @@ optional_policy(` +@@ -97,9 +125,21 @@ optional_policy(` ') optional_policy(` @@ -67550,6 +67567,10 @@ index 2c1730b..6f60d73 100644 ') + +optional_policy(` ++ virt_read_blk_images(mdadm_t) ++') ++ ++optional_policy(` + xserver_dontaudit_search_log(mdadm_t) +') diff --git a/razor.fc b/razor.fc @@ -73142,7 +73163,7 @@ index ebe91fc..6392cad 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..39e36fb 100644 +index 0628d50..cafc027 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -73291,10 +73312,10 @@ index 0628d50..39e36fb 100644 +# +interface(`rpm_rw_script_inherited_pipes',` + gen_require(` -+ type rpm_script_t; ++ type rpm_script_tmp_t; + ') + -+ allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## @@ -80063,7 +80084,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..46356db 100644 +index 49b12ae..2505921 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ @@ -80152,8 +80173,12 @@ index 49b12ae..46356db 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t) - domain_dontaudit_search_all_domains_state(setroubleshootd_t) +@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) + dev_getattr_all_chr_files(setroubleshootd_t) + dev_getattr_mtrr_dev(setroubleshootd_t) + +-domain_dontaudit_search_all_domains_state(setroubleshootd_t) ++domain_read_all_domains_state(setroubleshootd_t) domain_signull_all_domains(setroubleshootd_t) -files_read_usr_files(setroubleshootd_t) @@ -85905,7 +85930,7 @@ index 42946bc..741f2f4 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index e9c0964..ff77783 100644 +index e9c0964..ed2f217 100644 --- a/telepathy.te +++ b/telepathy.te @@ -1,29 +1,28 @@ @@ -86406,7 +86431,7 @@ index e9c0964..ff77783 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -452,31 +382,43 @@ optional_policy(` +@@ -452,31 +382,48 @@ optional_policy(` ####################################### # @@ -86451,12 +86476,17 @@ index e9c0964..ff77783 100644 +') + +optional_policy(` ++ systemd_dbus_chat_logind(telepathy_domain) ++') ++ ++optional_policy(` + telepathy_dbus_chat(telepathy_domain) +') + +optional_policy(` xserver_rw_xdm_pipes(telepathy_domain) ') ++ diff --git a/telnet.te b/telnet.te index 9f89916..1bdef51 100644 --- a/telnet.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 24f563c..1bdd0c2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.6%{?dist} +Release: 74.7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Sep 25 2013 Miroslav Grepl 3.12.1-74.7 +- Allow setroubleshoot to look at /proc +- Allow telepathy domains to dbus with systemd logind +- Fix handling of fifo files of rpm +- Allow certwatch to write to cert_t directories +- New abrt application +- Allow mozilla_plugin to transition to itself +- Allow mdadm_t to read images labeled svirt_image_t +- Allow NetworkManager to set the kernel scheduler +- Allow abrt daemon to manage abrt-watch tmp files +- Allow abrt-upload-watcher to search /var/spool directory +- More handling of ther kernel keyring required by kerberos + * Fri Sep 20 2013 Miroslav Grepl 3.12.1-74.6 - Keep initrc_domain if init_t executes bin_t