From a5261f65f93e8386bd802618cfc4a02d83d3aedc Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 15 2013 14:47:35 +0000 Subject: - Allow udev to communicate with the logind daemon - Add labeling for texlive bash scripts - Add xserver_filetrans_fonts_cache_home_content() interface - Allow rpm_script_t to dbus communicate with certmonger_t - Add support for /var/lock/man-db.lock - Add support for /var/tmp/abrt(/.*)? - Add additional labeling for munin cgi scripts - Allow httpd_t to read munin conf files - Allow certwatch to read meminfo - Fix nscd_dontaudit_write_sock_file() interface - Fix gnome_filetrans_home_content() to include also "fontconfig" d - Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the pro - Allow numad access discovered by Dominic - Allow gnomeclock to talk to puppet over dbus - Add support for HOME_DIR/.maildir --- diff --git a/policy-f18-base.patch b/policy-f18-base.patch index 1a16867..ab2beb7 100644 --- a/policy-f18-base.patch +++ b/policy-f18-base.patch @@ -112417,7 +112417,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index db981df..e2c87b3 100644 +index db981df..7a2ff89 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -112653,7 +112653,7 @@ index db981df..e2c87b3 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',` +@@ -289,16 +342,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) 
@@ -112666,6 +112666,7 @@ index db981df..e2c87b3 100644 /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) ++/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112677,7 +112678,7 @@ index db981df..e2c87b3 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,8 +372,12 @@ ifdef(`distro_redhat', ` +@@ -314,8 +373,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -112690,7 +112691,7 @@ index db981df..e2c87b3 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,9 +387,11 @@ ifdef(`distro_redhat', ` +@@ -325,9 +388,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112702,7 +112703,7 @@ index db981df..e2c87b3 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -376,11 +440,15 @@ ifdef(`distro_suse', ` +@@ -376,11 +441,15 @@ ifdef(`distro_suse', ` # # /var # 
@@ -112719,7 +112720,7 @@ index db981df..e2c87b3 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -390,3 +458,12 @@ ifdef(`distro_suse', ` +@@ -390,3 +459,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -128366,7 +128367,7 @@ index fc86b7c..ea115aa 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..a75282a 100644 +index 130ced9..f14edb7 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -129163,7 +129164,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -1243,10 +1577,541 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1577,559 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -129602,6 +129603,24 @@ index 130ced9..a75282a 100644 +# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') + ++####################################### ++## ++## Transition to xserver .fontconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_filetrans_fonts_cache_home_content',` ++ gen_require(` ++ type user_fonts_cache_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ++') ++ +######################################## +## +## Transition to xserver named content @@ -143176,7 +143195,7 @@ index 77a13a5..9a5a73f 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 29075b3..8d185fc 100644 +index 29075b3..a4da3c2 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) 
@@ -143354,7 +143373,7 @@ index 29075b3..8d185fc 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -216,11 +228,16 @@ optional_policy(` +@@ -216,24 +228,43 @@ optional_policy(` ') optional_policy(` @@ -143371,7 +143390,13 @@ index 29075b3..8d185fc 100644 ') optional_policy(` -@@ -230,10 +247,20 @@ optional_policy(` + dbus_system_bus_client(udev_t) ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(udev_t) ++ ') + ') + optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -143392,7 +143417,7 @@ index 29075b3..8d185fc 100644 ') optional_policy(` -@@ -259,6 +286,10 @@ optional_policy(` +@@ -259,6 +290,10 @@ optional_policy(` ') optional_policy(` @@ -143403,7 +143428,7 @@ index 29075b3..8d185fc 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +304,15 @@ optional_policy(` +@@ -273,6 +308,15 @@ optional_policy(` ') optional_policy(` @@ -143419,7 +143444,7 @@ index 29075b3..8d185fc 100644 unconfined_signal(udev_t) ') -@@ -285,6 +325,7 @@ optional_policy(` +@@ -285,6 +329,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch index dbf0db2..9adf141 100644 --- a/policy-f18-contrib.patch +++ b/policy-f18-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index 1bd5812..ad5baf5 100644 +index 1bd5812..94697ea 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,20 +1,37 @@ +@@ -1,20 +1,38 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) 
@@ -32,6 +32,7 @@ index 1bd5812..ad5baf5 100644 /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) + +# ABRT retrace server +/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) @@ -366,7 +367,7 @@ index 0b827c5..cce58bb 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/abrt.te b/abrt.te -index 30861ec..6d98338 100644 +index 30861ec..e143a71 100644 --- a/abrt.te +++ b/abrt.te @@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0) @@ -405,7 +406,13 @@ index 30861ec..6d98338 100644 # etc files type abrt_etc_t; files_config_file(abrt_etc_t) -@@ -32,10 +52,20 @@ files_type(abrt_var_cache_t) +@@ -27,15 +47,26 @@ files_tmp_file(abrt_tmp_t) + # var/cache files + type abrt_var_cache_t; + files_type(abrt_var_cache_t) ++files_tmp_file(abrt_var_cache_t) + + # pid files type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -428,7 +435,7 @@ index 30861ec..6d98338 100644 application_domain(abrt_helper_t, abrt_helper_exec_t) role system_r types abrt_helper_t; -@@ -43,14 +73,36 @@ ifdef(`enable_mcs',` +@@ -43,14 +74,36 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -467,7 +474,7 @@ index 30861ec..6d98338 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +111,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +112,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files 
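Review bot: `files_tmp_file(abrt_var_cache_t)` puts the whole existing cache type — already used for /var/cache/abrt and /var/spool/abrt in the surrounding context — under the tmpfile attribute, not just the new /var/tmp/abrt tree, so every domain that holds tmp-wide rules (purge/delete-all-tmp style interfaces) gains the same reach into the stored crash dumps. If only the /var/tmp location needs tmp semantics, a dedicated type for `/var/tmp/abrt(/.*)?` would keep the cache out of that attribute. The same `files_tmp_filetrans(..., abrt_var_cache_t, dir, "abrt")` is added at three sites (abrt_t here, abrt_helper_t and abrt_dump_oops_t in the later abrt.te hunks); if the shared type is kept, a one-line comment at each site stating that /var/tmp/abrt is deliberately labeled with the cache type would save the next reader from "fixing" it.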
@@ -475,7 +482,7 @@ index 30861ec..6d98338 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -68,7 +121,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -68,7 +122,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) # abrt tmp files manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) @@ -485,7 +492,14 @@ index 30861ec..6d98338 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +137,11 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -76,16 +132,18 @@ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) + files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) + files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) ++files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt") + + # abrt pid files + manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -499,7 +513,7 @@ index 30861ec..6d98338 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -93,7 +149,6 @@ corecmd_exec_shell(abrt_t) +@@ -93,7 +151,6 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -507,7 +521,7 @@ index 30861ec..6d98338 100644 corenet_tcp_sendrecv_generic_if(abrt_t) corenet_tcp_sendrecv_generic_node(abrt_t) corenet_tcp_sendrecv_generic_port(abrt_t) -@@ -104,6 +159,8 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +161,8 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) 
@@ -516,7 +530,7 @@ index 30861ec..6d98338 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +170,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +172,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -526,7 +540,7 @@ index 30861ec..6d98338 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +179,9 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +181,9 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -536,7 +550,7 @@ index 30861ec..6d98338 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +192,37 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +194,37 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -578,7 +592,7 @@ index 30861ec..6d98338 100644 ') optional_policy(` -@@ -167,6 +243,7 @@ optional_policy(` +@@ -167,6 +245,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -586,7 +600,7 @@ index 30861ec..6d98338 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,9 +255,36 @@ optional_policy(` +@@ -178,9 +257,36 @@ optional_policy(` ') optional_policy(` 
@@ -623,7 +637,12 @@ index 30861ec..6d98338 100644 ######################################## # # abrt--helper local policy -@@ -200,9 +304,11 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -196,13 +302,16 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) ++files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt") + read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -636,7 +655,7 @@ index 30861ec..6d98338 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -211,12 +317,11 @@ auth_use_nsswitch(abrt_helper_t) +@@ -211,12 +320,11 @@ auth_use_nsswitch(abrt_helper_t) logging_send_syslog_msg(abrt_helper_t) @@ -651,7 +670,7 @@ index 30861ec..6d98338 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +329,149 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +332,150 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -757,6 +776,7 @@ index 30861ec..6d98338 100644 +manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) +manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) +files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) ++files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt") + +read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) +read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) 
@@ -3151,7 +3171,7 @@ index 6480167..7b2ad39 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..2864927 100644 +index 0833afb..833af5e 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) @@ -3870,7 +3890,7 @@ index 0833afb..2864927 100644 ') optional_policy(` -@@ -573,7 +911,21 @@ optional_policy(` +@@ -573,7 +911,25 @@ optional_policy(` ') optional_policy(` @@ -3887,12 +3907,16 @@ index 0833afb..2864927 100644 +') + +optional_policy(` ++ munin_read_config(httpd_t) ++') ++ ++optional_policy(` # Allow httpd to work with mysql + mysql_read_config(httpd_t) mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -584,6 +936,7 @@ optional_policy(` +@@ -584,6 +940,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3900,7 +3924,7 @@ index 0833afb..2864927 100644 ') optional_policy(` -@@ -594,6 +947,42 @@ optional_policy(` +@@ -594,6 +951,42 @@ optional_policy(` ') optional_policy(` @@ -3943,7 +3967,7 @@ index 0833afb..2864927 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,6 +997,11 @@ optional_policy(` +@@ -608,6 +1001,11 @@ optional_policy(` ') optional_policy(` @@ -3955,7 +3979,7 @@ index 0833afb..2864927 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +1014,12 @@ optional_policy(` +@@ -620,6 +1018,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3968,7 +3992,7 @@ index 0833afb..2864927 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1033,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1037,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) 
@@ -4013,7 +4037,7 @@ index 0833afb..2864927 100644 ######################################## # -@@ -671,28 +1107,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1111,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -4057,7 +4081,7 @@ index 0833afb..2864927 100644 ') ######################################## -@@ -702,6 +1140,7 @@ optional_policy(` +@@ -702,6 +1144,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -4065,7 +4089,7 @@ index 0833afb..2864927 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1155,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1159,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -4094,7 +4118,7 @@ index 0833afb..2864927 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1185,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1189,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -4112,7 +4136,7 @@ index 0833afb..2864927 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1203,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1207,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') 
@@ -4145,7 +4169,7 @@ index 0833afb..2864927 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1250,25 @@ optional_policy(` +@@ -786,6 +1254,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4171,7 +4195,7 @@ index 0833afb..2864927 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1289,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1293,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -4189,7 +4213,7 @@ index 0833afb..2864927 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1308,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1312,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -4248,7 +4272,7 @@ index 0833afb..2864927 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1359,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1363,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4289,7 +4313,7 @@ index 0833afb..2864927 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,15 +1399,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +@@ -854,15 +1403,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` optional_policy(` clamav_domtrans_clamscan(httpd_sys_script_t) 
@@ -4316,7 +4340,7 @@ index 0833afb..2864927 100644 ') ######################################## -@@ -878,11 +1434,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1438,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4328,7 +4352,7 @@ index 0833afb..2864927 100644 ######################################## # -@@ -908,11 +1462,138 @@ optional_policy(` +@@ -908,11 +1466,138 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -5815,10 +5839,10 @@ index cf8e59f..ad57d4a 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 59aa54f..005bb7e 100644 +index 59aa54f..1cb1b4f 100644 --- a/bind.fc +++ b/bind.fc -@@ -4,6 +4,11 @@ +@@ -4,12 +4,18 @@ /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) @@ -5830,7 +5854,14 @@ index 59aa54f..005bb7e 100644 /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -@@ -40,6 +45,7 @@ ifdef(`distro_redhat',` + /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) + /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) + /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0) + + /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) + +@@ -40,6 +46,7 @@ ifdef(`distro_redhat',` /etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) /etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) 
@@ -8305,10 +8336,20 @@ index c3e3f79..89db900 100644 + unconfined_domain(certmonger_unconfined_t) +') diff --git a/certwatch.te b/certwatch.te -index e07cef5..55051ce 100644 +index e07cef5..2f5dd78 100644 --- a/certwatch.te +++ b/certwatch.te -@@ -27,15 +27,15 @@ files_list_tmp(certwatch_t) +@@ -17,6 +17,9 @@ role system_r types certwatch_t; + allow certwatch_t self:capability sys_nice; + allow certwatch_t self:process { setsched getsched }; + ++kernel_read_system_state(certwatch_t) ++ ++dev_read_rand(certwatch_t) + dev_read_urand(certwatch_t) + + files_read_etc_files(certwatch_t) +@@ -27,15 +30,15 @@ files_list_tmp(certwatch_t) fs_list_inotifyfs(certwatch_t) auth_manage_cache(certwatch_t) @@ -23571,7 +23612,7 @@ index 00a19e3..52e5a3a 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..2d6e6bb 100644 +index f5afe78..f73c152 100644 --- a/gnome.if +++ b/gnome.if @@ -1,44 +1,1067 @@ @@ -24923,7 +24964,7 @@ index f5afe78..2d6e6bb 100644 ## ## ## -@@ -140,51 +1306,279 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1306,280 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -25134,6 +25175,7 @@ index f5afe78..2d6e6bb 100644 + filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") + filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share") + filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc") ++ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig") + userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf") + gnome_filetrans_gstreamer_home_content($1) +') @@ -32729,13 +32771,15 @@ index 0000000..29b79eb +') diff --git a/mandb.fc b/mandb.fc new file mode 100644 -index 0000000..75b9968 +index 0000000..df710ae --- /dev/null 
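Review bot: `filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")` in gnome_filetrans_home_content() names the same type as the parent directory, which is what default inheritance already yields, so on its own the rule changes nothing; it only has an effect if some other type_transition on cache_home_t directories applies to $1 and this named rule is meant to override it. The new `xserver_filetrans_fonts_cache_home_content()` in the base patch transitions `.fontconfig` to user_fonts_cache_t, so if `~/.cache/fontconfig` is meant to carry the fonts-cache type as well, the target type here should be that one. If the self-transition is intentional, add a comment such as `# keep ~/.cache/fontconfig as cache_home_t (named rule overrides any generic cache_home_t transition)` so it is not later removed as redundant.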
+++ b/mandb.fc -@@ -0,0 +1,3 @@ +@@ -0,0 +1,5 @@ +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) ++ ++/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) diff --git a/mandb.if b/mandb.if new file mode 100644 index 0000000..4a4e899 @@ -32931,10 +32975,10 @@ index 0000000..4a4e899 +') diff --git a/mandb.te b/mandb.te new file mode 100644 -index 0000000..8cc45e7 +index 0000000..cc1c704 --- /dev/null +++ b/mandb.te -@@ -0,0 +1,35 @@ +@@ -0,0 +1,41 @@ +policy_module(mandb, 1.0.0) + +######################################## @@ -32950,6 +32994,9 @@ index 0000000..8cc45e7 +type mandb_cache_t; +files_type(mandb_cache_t) + ++type mandb_lock_t; ++files_lock_file(mandb_lock_t) ++ +######################################## +# +# mandb local policy @@ -32963,6 +33010,9 @@ index 0000000..8cc45e7 +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) + ++allow mandb_t mandb_lock_t:file manage_file_perms; ++files_lock_filetrans(mandb_t, mandb_lock_t, file) ++ +kernel_read_system_state(mandb_t) + +corecmd_exec_bin(mandb_t) @@ -34717,7 +34767,7 @@ index b397fde..cccec7e 100644 +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..8cf0087 100644 +index d4fcb75..95b8be3 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) @@ -35124,7 +35174,7 @@ index d4fcb75..8cf0087 100644 ') optional_policy(` -@@ -447,10 +523,116 @@ optional_policy(` +@@ -447,10 +523,117 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) 
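Review bot: The new context `/var/lock/man-db\.lock` in mandb.fc is only matched under /var/lock; on systemd hosts where /var/lock is a symlink to /run/lock the file is created under /run/lock, and whether that path resolves to this entry depends on the distribution's file_contexts.subs_dist mapping, which this page does not show — worth confirming, or adding a matching `/run/lock/man-db\.lock` entry. In mandb.te the unnamed `files_lock_filetrans(mandb_t, mandb_lock_t, file)` makes every file mandb_t creates in the lock directory mandb_lock_t; since the .fc entry is specific to one file, the named form `files_lock_filetrans(mandb_t, mandb_lock_t, file, "man-db.lock")` (if the interface accepts the optional name argument in this tree) keeps the runtime label and the .fc entry aligned.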
@@ -35153,6 +35203,7 @@ index d4fcb75..8cf0087 100644 + xserver_read_user_xauth(mozilla_plugin_t) + xserver_append_xdm_home_files(mozilla_plugin_t) + xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t) ++ xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t) +') + +######################################## @@ -35715,16 +35766,18 @@ index 0e19d80..c203717 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index afa18c8..2f102b2 100644 +index afa18c8..8654c3c 100644 --- a/mta.fc +++ b/mta.fc -@@ -1,30 +1,41 @@ +@@ -1,30 +1,43 @@ -HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) +HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) +HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) +HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) +HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) ++HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) ++ /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -35771,7 +35824,7 @@ index afa18c8..2f102b2 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index 4e2a5ba..0005ac0 100644 +index 4e2a5ba..7d1522c 100644 --- a/mta.if +++ b/mta.if @@ -37,6 +37,7 @@ interface(`mta_stub',` @@ -36283,7 +36336,7 @@ index 4e2a5ba..0005ac0 100644 ## Read sendmail binary. ## ## -@@ -901,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -901,3 +1046,175 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') 
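Review bot: The new context `HOME_DIR/.maildir(/.*)?` in mta.fc leaves the dot unescaped, unlike `\.esmtp_queue`, `\.forward[^/]*` and `\.mailrc` a few lines above, so as a regex it also matches any home-directory entry whose name is one arbitrary character followed by `maildir` (e.g. `xmaildir`). It should read `HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)`. The named transitions added in the mta.if hunks use the literal `".maildir"`, so they are unaffected.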
@@ -36408,6 +36461,7 @@ index 4e2a5ba..0005ac0 100644 + userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc") + userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") +') + @@ -36431,6 +36485,7 @@ index 4e2a5ba..0005ac0 100644 + userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter") + userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") ++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") +') + @@ -36882,7 +36937,7 @@ index 84a7d66..61f95e2 100644 + clamav_stream_connect(mta_user_agent) +') diff --git a/munin.fc b/munin.fc -index fd71d69..123ee4c 100644 +index fd71d69..4968324 100644 --- a/munin.fc +++ b/munin.fc @@ -4,7 +4,9 @@ @@ -36914,7 +36969,7 @@ index fd71d69..123ee4c 100644 /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -58,12 +64,15 @@ +@@ -58,12 +64,16 @@ /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) 
@@ -36928,8 +36983,10 @@ index fd71d69..123ee4c 100644 /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) - /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) -+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +-/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/munin.if b/munin.if index c358d8f..1cc176c 100644 --- a/munin.if @@ -39890,10 +39947,10 @@ index 623b731..429bd79 100644 + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) diff --git a/nscd.if b/nscd.if -index 85188dc..685270c 100644 +index 85188dc..7b8f5ad 100644 --- a/nscd.if +++ b/nscd.if -@@ -116,7 +116,44 @@ interface(`nscd_socket_use',` +@@ -116,7 +116,46 @@ interface(`nscd_socket_use',` dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; files_search_pids($1) stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) @@ -39932,14 +39989,16 @@ index 85188dc..685270c 100644 +# +interface(`nscd_dontaudit_write_sock_file',` + gen_require(` -+ type nscd_t; ++ type nscd_t, nscd_var_run_t; + ') + + dontaudit $1 nscd_t:sock_file write; ++ dontaudit $1 nscd_var_run_t:sock_file write; ++ ') ######################################## -@@ -146,11 +183,14 @@ interface(`nscd_shm_use',` +@@ -146,11 +185,14 @@ interface(`nscd_shm_use',` # nscd_socket_domain macro. need to investigate # if they are all actually required allow $1 self:unix_stream_socket create_stream_socket_perms; 
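Review bot: The two new munin.fc entries `/var/www/html/cgi/munin.*` and `/var/www/cgi-bin/munin.*` use an unanchored `.*`, which also matches `/`, so any directory tree whose name starts with `munin` under those paths (and any file such as `muninfoo`) is labeled httpd_munin_script_exec_t; the sibling entries in this hunk use `(/.*)?` or an escaped name with `--` to avoid that. If only the CGI executables are meant, `/var/www/cgi-bin/munin.* -- gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)` limits the match to regular files. The `/var/www/html/munin/cgi(/.*)?` line is removed and re-added with apparently identical text; if that is a whitespace-only change it can be dropped from the hunk.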
@@ -39957,7 +40016,7 @@ index 85188dc..685270c 100644 ') ######################################## -@@ -168,7 +208,7 @@ interface(`nscd_dontaudit_search_pid',` +@@ -168,7 +210,7 @@ interface(`nscd_dontaudit_search_pid',` type nscd_var_run_t; ') @@ -39966,7 +40025,7 @@ index 85188dc..685270c 100644 ') ######################################## -@@ -224,6 +264,7 @@ interface(`nscd_unconfined',` +@@ -224,6 +266,7 @@ interface(`nscd_unconfined',` ## Role allowed access. ## ## @@ -39974,7 +40033,7 @@ index 85188dc..685270c 100644 # interface(`nscd_run',` gen_require(` -@@ -254,6 +295,29 @@ interface(`nscd_initrc_domtrans',` +@@ -254,6 +297,29 @@ interface(`nscd_initrc_domtrans',` ######################################## ## @@ -40004,7 +40063,7 @@ index 85188dc..685270c 100644 ## All of the rules required to administrate ## an nscd environment ## -@@ -273,10 +337,14 @@ interface(`nscd_admin',` +@@ -273,10 +339,14 @@ interface(`nscd_admin',` gen_require(` type nscd_t, nscd_log_t, nscd_var_run_t; type nscd_initrc_exec_t; @@ -40020,7 +40079,7 @@ index 85188dc..685270c 100644 init_labeled_script_domtrans($1, nscd_initrc_exec_t) domain_system_change_exemption($1) -@@ -288,4 +356,8 @@ interface(`nscd_admin',` +@@ -288,4 +358,8 @@ interface(`nscd_admin',` files_list_pids($1) admin_pattern($1, nscd_var_run_t) @@ -41537,10 +41596,10 @@ index 0000000..709dda1 +') diff --git a/numad.te b/numad.te new file mode 100644 -index 0000000..c2d4196 +index 0000000..97e1148 --- /dev/null +++ b/numad.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,51 @@ +policy_module(numad, 1.0.0) + +######################################## 
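Review bot: After the fix, `nscd_dontaudit_write_sock_file()` still carries `dontaudit $1 nscd_t:sock_file write;` alongside the new `dontaudit $1 nscd_var_run_t:sock_file write;`. nscd_t is the process domain, so the first rule only matters if a socket file is ever labeled with the domain type; if the socket under /var/run is the only one (which the added rule suggests), the domain-type line is dead and could be removed, otherwise a comment saying which socket carries the nscd_t label would spare the next reader the same question. The trailing blank line before `')` is also out of step with the other interfaces in this file.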
@@ -41566,27 +41625,32 @@ index 0000000..c2d4196 +# numad local policy +# + -+allow numad_t self:process { fork }; ++allow numad_t self:capability sys_ptrace; +allow numad_t self:fifo_file rw_fifo_file_perms; +allow numad_t self:msgq create_msgq_perms; +allow numad_t self:msg { send receive }; +allow numad_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t) -+logging_log_filetrans(numad_t, numad_var_log_t, { file }) ++logging_log_filetrans(numad_t, numad_var_log_t, file) + +manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) -+files_pid_filetrans(numad_t, numad_var_run_t, { file }) ++files_pid_filetrans(numad_t, numad_var_run_t, file) + +kernel_read_system_state(numad_t) + +dev_read_sysfs(numad_t) + +domain_use_interactive_fds(numad_t) ++domain_read_all_domains_state(numad_t) ++domain_setpriority_all_domains(numad_t) + -+files_read_etc_files(numad_t) ++fs_manage_cgroup_dirs(numad_t) ++fs_rw_cgroup_files(numad_t) + -+fs_search_cgroup_dirs(numad_t) ++tunable_policy(`deny_ptrace',`',` ++ virt_ptrace(numad_t) ++') diff --git a/nut.fc b/nut.fc index 0a929ef..371119d 100644 --- a/nut.fc @@ -51324,7 +51388,7 @@ index 2855a44..b7b5ee7 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; +') diff --git a/puppet.te b/puppet.te -index baa88f6..050d953 100644 +index baa88f6..9cc1f32 100644 --- a/puppet.te +++ b/puppet.te @@ -13,6 +13,13 @@ policy_module(puppet, 1.3.0) @@ -51427,14 +51491,14 @@ index baa88f6..050d953 100644 tunable_policy(`puppet_manage_all_files',` - files_manage_non_auth_files(puppet_t) + files_manage_non_security_files(puppet_t) -+') -+ -+optional_policy(` -+ cfengine_read_lib_files(puppet_t) ') optional_policy(` - consoletype_domtrans(puppet_t) ++ cfengine_read_lib_files(puppet_t) ++') ++ ++optional_policy(` + consoletype_exec(puppet_t) ') 
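Review bot: `virt_ptrace(numad_t)` is called from numad.te with no `optional_policy(`…')` wrapper; virt is a separate module and every other cross-module call in this diff (cfengine, gnomeclock, certmonger) is wrapped, so the block should read `optional_policy(` / `tunable_policy(`deny_ptrace',`',` / `virt_ptrace(numad_t)` / `')` / `')`, otherwise the interface's `gen_require` on `attribute virt_domain` has nothing to resolve against when virt is not loaded. Combined with the new `allow numad_t self:capability sys_ptrace;` and `domain_read_all_domains_state(numad_t)`, this lets numad attach to and read every guest process whenever deny_ptrace is off, which is a much wider grant than the `self:process { fork }` line it replaces. A one-line comment above the block naming the numad feature that needs ptrace would help later reviewers, since the changelog only says "access discovered by Dominic".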
@@ -51591,7 +51655,7 @@ index baa88f6..050d953 100644 ') ######################################## -@@ -184,51 +335,83 @@ allow puppetmaster_t self:udp_socket create_socket_perms; +@@ -184,51 +335,87 @@ allow puppetmaster_t self:udp_socket create_socket_perms; list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) @@ -51646,13 +51710,13 @@ index baa88f6..050d953 100644 domain_read_all_domains_state(puppetmaster_t) +domain_obj_id_change_exemption(puppetmaster_t) - --files_read_etc_files(puppetmaster_t) --files_search_var_lib(puppetmaster_t) ++ +files_read_usr_files(puppetmaster_t) + +selinux_validate_context(puppetmaster_t) -+ + +-files_read_etc_files(puppetmaster_t) +-files_search_var_lib(puppetmaster_t) +auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) @@ -51679,10 +51743,14 @@ index baa88f6..050d953 100644 + ') +') + ++optional_policy(` ++ gnomeclock_dbus_chat(puppetmaster_t) ++') ++ optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -239,3 +422,9 @@ optional_policy(` +@@ -239,3 +426,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -58139,7 +58207,7 @@ index 951d8f6..bedc8ae 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/rpm.te b/rpm.te -index 60149a5..b33a77d 100644 +index 60149a5..705935e 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,11 @@ @@ -58360,7 +58428,7 @@ index 60149a5..b33a77d 100644 domain_use_interactive_fds(rpm_script_t) domain_signal_all_domains(rpm_script_t) domain_signull_all_domains(rpm_script_t) -@@ -328,35 +354,41 @@ files_relabel_all_files(rpm_script_t) +@@ -328,35 +354,45 @@ files_relabel_all_files(rpm_script_t) init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) 
@@ -58408,11 +58476,15 @@ index 60149a5..b33a77d 100644 +') + +optional_policy(` ++ certmonger_dbus_chat(rpm_script_t) ++') ++ ++optional_policy(` + cups_filetrans_named_content(rpm_script_t) ') optional_policy(` -@@ -364,7 +396,7 @@ optional_policy(` +@@ -364,7 +400,7 @@ optional_policy(` ') optional_policy(` @@ -58421,7 +58493,7 @@ index 60149a5..b33a77d 100644 ') optional_policy(` -@@ -372,8 +404,17 @@ optional_policy(` +@@ -372,8 +408,17 @@ optional_policy(` ') optional_policy(` @@ -58441,7 +58513,7 @@ index 60149a5..b33a77d 100644 ') optional_policy(` -@@ -381,7 +422,7 @@ optional_policy(` +@@ -381,7 +426,7 @@ optional_policy(` ') optional_policy(` @@ -58450,7 +58522,7 @@ index 60149a5..b33a77d 100644 unconfined_domtrans(rpm_script_t) optional_policy(` -@@ -394,6 +435,6 @@ optional_policy(` +@@ -394,6 +439,6 @@ optional_policy(` ') optional_policy(` @@ -70413,7 +70485,7 @@ index 2124b6a..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..408a20a 100644 +index 6f0736b..882e76b 100644 --- a/virt.if +++ b/virt.if @@ -13,67 +13,30 @@ @@ -70847,7 +70919,7 @@ index 6f0736b..408a20a 100644 ') ######################################## -@@ -468,18 +636,52 @@ interface(`virt_manage_images',` +@@ -468,18 +636,70 @@ interface(`virt_manage_images',` manage_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) rw_blk_files_pattern($1, virt_image_type, virt_image_type) @@ -70858,7 +70930,6 @@ index 6f0736b..408a20a 100644 - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) -- ') +####################################### +## +## Allow domain to manage virt image files 
@@ -70880,11 +70951,7 @@ index 6f0736b..408a20a 100644 + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) +') - -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_files($1) -- fs_manage_cifs_files($1) -- fs_read_cifs_symlinks($1) ++ +######################################## +## +## Execute virt server in the virt domain. @@ -70900,16 +70967,38 @@ index 6f0736b..408a20a 100644 + type virtd_unit_file_t; + type virtd_t; ') -+ + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files($1) +- fs_manage_cifs_files($1) +- fs_read_cifs_symlinks($1) + systemd_exec_systemctl($1) + allow $1 virtd_unit_file_t:file read_file_perms; + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) ++') ++ ++######################################## ++## ++## Ptrace the svirt domain ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`virt_ptrace',` ++ gen_require(` ++ attribute virt_domain; + ') ++ ++ allow $1 virt_domain:process ptrace; ') ######################################## -@@ -502,10 +704,20 @@ interface(`virt_manage_images',` +@@ -502,10 +722,20 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; @@ -70931,7 +71020,7 @@ index 6f0736b..408a20a 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) -@@ -517,4 +729,305 @@ interface(`virt_admin',` +@@ -517,4 +747,305 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -71238,10 +71327,10 @@ index 6f0736b..408a20a 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..1e4a204 100644 +index 947bbc6..75efecc 100644 --- a/virt.te +++ b/virt.te -@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0) +@@ -5,56 +5,97 @@ policy_module(virt, 1.5.0) # Declarations # 
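Review bot: The parameter description of the new `virt_ptrace` interface reads `## Domain allowed to transition.`, but the body grants `allow $1 virt_domain:process ptrace;` and performs no transition; change it to `## Domain allowed access.` as the neighbouring interfaces do. The summary `## Ptrace the svirt domain` also understates the scope, because the rule is written on the virt_domain attribute rather than on svirt_t, so every confined guest domain is covered. Saying so in the summary, and noting that callers are expected to gate the call with the deny_ptrace tunable as numad.te does elsewhere in this diff, would keep the interface from being picked up as a narrow svirt_t-only helper.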
@@ -71302,14 +71391,6 @@ index 947bbc6..1e4a204 100644 gen_tunable(virt_use_samba, false) ## - ##

--## Allow virt to manage device configuration, (pci) -+## Allow confined virtual guests to manage device configuration, (pci) - ##

- ##
- gen_tunable(virt_use_sysfs, false) - - ## +##

+## Allow confined virtual guests to interact with the sanlock +##

@@ -71325,14 +71406,16 @@ index 947bbc6..1e4a204 100644 + +## ##

--## Allow virt to use usb devices +-## Allow virt to manage device configuration, (pci) +## Allow confined virtual guests to interact with the xserver -+##

-+##
+ ##

+ ##
+-gen_tunable(virt_use_sysfs, false) +gen_tunable(virt_use_xserver, false) -+ -+## -+##

+ + ## + ##

+-## Allow virt to use usb devices +## Allow confined virtual guests to use usb devices ##

##
@@ -71356,7 +71439,7 @@ index 947bbc6..1e4a204 100644 type virt_etc_t; files_config_file(virt_etc_t) -@@ -62,26 +110,37 @@ files_config_file(virt_etc_t) +@@ -62,26 +103,37 @@ files_config_file(virt_etc_t) type virt_etc_rw_t; files_type(virt_etc_rw_t) @@ -71397,7 +71480,7 @@ index 947bbc6..1e4a204 100644 type virtd_t; type virtd_exec_t; -@@ -89,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) +@@ -89,9 +141,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) domain_obj_id_change_exemption(virtd_t) domain_subj_id_change_exemption(virtd_t) @@ -71415,7 +71498,7 @@ index 947bbc6..1e4a204 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -100,28 +167,53 @@ ifdef(`enable_mls',` +@@ -100,28 +160,53 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -71483,7 +71566,7 @@ index 947bbc6..1e4a204 100644 corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) -@@ -131,67 +223,73 @@ corenet_udp_bind_all_ports(svirt_t) +@@ -131,67 +216,73 @@ corenet_udp_bind_all_ports(svirt_t) corenet_tcp_bind_all_ports(svirt_t) corenet_tcp_connect_all_ports(svirt_t) @@ -71492,8 +71575,7 @@ index 947bbc6..1e4a204 100644 -userdom_search_user_home_content(svirt_t) -userdom_read_user_home_content_symlinks(svirt_t) -userdom_read_all_users_state(svirt_t) -+miscfiles_read_generic_certs(svirt_t) - +- -tunable_policy(`virt_use_comm',` - term_use_unallocated_ttys(svirt_t) - dev_rw_printer(svirt_t) @@ -71503,7 +71585,8 @@ index 947bbc6..1e4a204 100644 - fs_read_fusefs_files(svirt_t) - fs_read_fusefs_symlinks(svirt_t) -') -- ++miscfiles_read_generic_certs(svirt_t) + -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(svirt_t) - fs_manage_nfs_files(svirt_t) 
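Review bot: The inner diff now deletes the `virt_use_sysfs` boolean declaration (`-gen_tunable(virt_use_sysfs, false)` together with its `## <desc>` block in the `@@ -71325` hunk), so the boolean disappears from the installed policy; if earlier builds shipped it, a persisted `setsebool -P virt_use_sysfs` on upgraded systems will no longer resolve, and the rules it gated in the virt_domain section later in this diff lose their switch. Neither removal is mentioned in the spec changelog at the end of the diff, which lists only the unrelated items from the commit message. If retiring the boolean is intended, add a changelog line saying so; otherwise keep the `gen_tunable` and its description as context.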
@@ -71596,7 +71679,7 @@ index 947bbc6..1e4a204 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +300,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +293,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -71632,7 +71715,7 @@ index 947bbc6..1e4a204 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +333,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +326,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -71656,7 +71739,7 @@ index 947bbc6..1e4a204 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +361,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +354,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -71690,7 +71773,7 @@ index 947bbc6..1e4a204 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +393,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +386,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -71709,7 +71792,7 @@ index 947bbc6..1e4a204 100644 mcs_process_set_categories(virtd_t) -@@ -284,7 +419,8 @@ term_use_ptmx(virtd_t) +@@ -284,7 +412,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -71719,7 +71802,7 @@ index 947bbc6..1e4a204 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +429,36 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +422,36 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -71756,7 +71839,7 @@ index 947bbc6..1e4a204 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +477,10 @@ optional_policy(` +@@ -322,6 +470,10 @@ optional_policy(` ') optional_policy(` @@ -71767,7 +71850,7 @@ index 947bbc6..1e4a204 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +494,34 @@ optional_policy(` +@@ -335,19 +487,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -71803,7 +71886,7 @@ index 947bbc6..1e4a204 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +536,12 @@ optional_policy(` +@@ -362,6 +529,12 @@ optional_policy(` ') optional_policy(` @@ -71816,7 +71899,7 @@ index 947bbc6..1e4a204 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +549,11 @@ optional_policy(` +@@ -369,11 +542,11 @@ optional_policy(` ') optional_policy(` @@ -71833,7 +71916,7 @@ index 947bbc6..1e4a204 100644 ') optional_policy(` -@@ -384,6 +564,7 @@ optional_policy(` +@@ -384,6 +557,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -71841,7 +71924,7 @@ index 947bbc6..1e4a204 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -402,35 +583,85 @@ optional_policy(` +@@ -402,35 +576,86 @@ optional_policy(` # # virtual domains common policy # 
@@ -71849,6 +71932,7 @@ index 947bbc6..1e4a204 100644 -allow virt_domain self:capability { dac_read_search dac_override kill }; -allow virt_domain self:process { execmem execstack signal getsched signull }; -allow virt_domain self:fifo_file rw_file_perms; ++allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:process { signal getsched signull }; +allow virt_domain self:fifo_file rw_fifo_file_perms; allow virt_domain self:shm create_shm_perms; @@ -71936,7 +72020,7 @@ index 947bbc6..1e4a204 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,34 +669,630 @@ dev_write_sound(virt_domain) +@@ -438,34 +663,625 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -71962,10 +72046,10 @@ index 947bbc6..1e4a204 100644 +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) ++ ++sysnet_read_config(virt_domain) -term_use_all_terms(virt_domain) -+sysnet_read_config(virt_domain) -+ +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -71995,7 +72079,7 @@ index 947bbc6..1e4a204 100644 virt_read_content(virt_domain) virt_stream_connect(virt_domain) + virt_domtrans_bridgehelper(virt_domain) -+') + ') + +optional_policy(` + xserver_rw_shm(virt_domain) @@ -72029,11 +72113,6 @@ index 947bbc6..1e4a204 100644 + fs_getattr_cifs(virt_domain) +') + -+tunable_policy(`virt_use_sysfs',` -+ allow svirt_t self:capability2 compromise_kernel; -+ dev_rw_sysfs(virt_domain) -+') -+ +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) @@ -72185,7 +72264,7 @@ index 947bbc6..1e4a204 100644 + optional_policy(` + hal_dbus_chat(virsh_t) + ') - ') ++') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index be3bb57..24e1eb6 100644 --- a/selinux-policy.spec 
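Review bot: `allow virt_domain self:capability2 compromise_kernel;` is now granted unconditionally to every domain carrying the virt_domain attribute, whereas the block the next hunk removes (`-+tunable_policy(`virt_use_sysfs',` …) gave it to svirt_t only and only while the boolean was on. compromise_kernel covers operations the kernel treats as able to undermine its own integrity, so a guest process that breaks out of qemu now holds it regardless of whether pci-passthrough is configured; keeping it behind the tunable, e.g. `tunable_policy(`virt_use_sysfs',` / `allow virt_domain self:capability2 compromise_kernel;` / `')`, preserves the default-off posture of the previous release. `dev_rw_sysfs(virt_domain)` is dropped in the same removed block and I do not see it re-granted in the visible hunks, so passthrough guests that relied on it may now be denied; confirm that is intended. Neither change is recorded in the spec changelog that closes this diff.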
+++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 70%{?dist} +Release: 71%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -524,6 +524,23 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jan 15 2013 Miroslav Grepl 3.11.1-71 +- Allow udev to communicate with the logind daemon +- Add labeling for texlive bash scripts +- Add xserver_filetrans_fonts_cache_home_content() interface +- Allow rpm_script_t to dbus communicate with certmonger_t +- Add support for /var/lock/man-db.lock +- Add support for /var/tmp/abrt(/.*)? +- Add additional labeling for munin cgi scripts +- Allow httpd_t to read munin conf files +- Allow certwatch to read meminfo +- Fix nscd_dontaudit_write_sock_file() interface +- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t +- Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling +- Allow numad access discovered by Dominic +- Allow gnomeclock to talk to puppet over dbus +- Add support for HOME_DIR/.maildir + * Thu Jan 10 2013 Miroslav Grepl 3.11.1-70 - Add label for dns lib files - Allow svirt_t images to compromise_kernel when using pci-passthrough