From a8c917a5e23bf791fb23f1769033648a67251879 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Dec 10 2013 12:59:47 +0000 Subject: - Fix ldap_read_certs() interface to also allow access to link files - Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt - Allow tuned to run modprobe - Allow portreserve to search /var/lib/sss dir - Add SELinux support for the teamd package, which contains the team network device control daemon. - Dontaudit access check on /proc for bumblebee - Bumblebee wants to load nvidia modules - Fix rpm_named_filetrans_log_files and wine.te - Add conman policy for rawhide - DRM master and input event devices are used by the TakeDevice API - Clean up bumblebee policy - Update pegasus_openlmi_storage_t policy - Add freeipmi_stream_connect() interface - Allow logwatch read madm.conf to support RAID setup - Add raid_read_conf_files() interface - Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling - add rpm_named_filetrans_log_files() interface - Allow dkim-milter to create files/dirs in /tmp - update freeipmi policy - Add policy for freeipmi services - Added rdisc_admin and rdisc_systemctl interfaces - opensm policy clean up - openwsman policy clean up - ninfod policy clean up - Added new policy for ninfod - Added new policy for openwsman - Added rdisc_admin and rdisc_systemctl interfaces - Fix kernel_dontaudit_access_check_proc() - Add support for /dev/uhid - Allow sulogin to get the attributes of initctl and sys_admin cap - Add kernel_dontaudit_access_check_proc() - Fix dev_rw_ipmi_dev() - Fix new interface in devices.if - DRM master and input event devices are used by the TakeDevice API - add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() - Added support for default conman port - Add interfaces for ipmi devices --- diff --git a/permissivedomains.pp b/permissivedomains.pp index f8ac2b9..c63c1f8 100644 Binary files a/permissivedomains.pp and b/permissivedomains.pp differ 
diff --git a/permissivedomains.te b/permissivedomains.te index c864bad..28d0998 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -55,22 +55,67 @@ optional_policy(` gen_require(` type mip6d_t; ') + permissive mip6d_t; ') optional_policy(` gen_require(` type opensm_t; ') + permissive opensm_t; ') optional_policy(` gen_require(` - type bumblebee_t; + type bumblebee_t; ') + permissive bumblebee_t; ') optional_policy(` gen_require(` type freqset_t; ') + permissive freqset_t; ') + +optional_policy(` + gen_require(` + type freeipmi_bmc_watchdog_t; + type freeipmi_ipmidetectd_t; + type freeipmi_ipmiseld_t; + ') + permissive freeipmi_bmc_watchdog_t; + permissive freeipmi_ipmidetectd_t; + permissive freeipmi_ipmidetectd_t; +') + +optional_policy(` + gen_require(` + type conman_t; + ') + permissive conman_t; +') + +optional_policy(` + gen_require(` + type opensm_t; + ') + permissive opensm_t; +') + +optional_policy(` + gen_require(` + type openwsman_t; + ') + permissive openwsman_t; +') + +optional_policy(` + gen_require(` + type ninfod_t; + ') + permissive ninfod_t; +') + + diff --git a/policy-f20-base.patch b/policy-f20-base.patch index e982721..760f6d6 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -5549,7 +5549,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..06129ea 100644 +index 4edc40d..d11b74d 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) 
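Review bot: The new freeipmi block requires `type freeipmi_ipmiseld_t;` but never makes it permissive, while `permissive freeipmi_ipmidetectd_t;` is written twice; the third statement should read `permissive freeipmi_ipmiseld_t;`. As committed, ipmiseld is the only one of the three brand-new freeipmi domains that starts out enforcing, which does not look intentional and will show up as hard denials rather than audit-only ones. The hunk also appends a second `optional_policy` block making `opensm_t` permissive although an identical block already exists a few lines earlier in the same file; the duplicate should be dropped. Since every entry here disables enforcement for a whole domain, it would help to note in the commit which of these are meant to be temporary so they are revisited.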
@@ -5636,7 +5636,7 @@ index 4edc40d..06129ea 100644 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) -@@ -96,19 +119,19 @@ network_port(boinc, tcp,31416,s0) +@@ -96,19 +119,20 @@ network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) @@ -5652,6 +5652,7 @@ index 4edc40d..06129ea 100644 network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) ++network_port(conman, tcp,7890,s0, udp,7890,s0) network_port(couchdb, tcp,5984,s0, udp,5984,s0) -network_port(cslistener, tcp,9000,s0, udp,9000,s0) -network_port(ctdb, tcp,4379,s0, udp,4397,s0) @@ -5659,7 +5660,7 @@ index 4edc40d..06129ea 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -119,19 +142,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, +@@ -119,19 +143,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) 
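Review bot: `++network_port(conman, tcp,7890,s0, udp,7890,s0)` labels UDP 7890 alongside TCP 7890. As far as I know conmand's default listener is TCP only, so unless something in the conman policy binds or connects over UDP the `udp,7890,s0` entry should be dropped to keep the new port type as narrow as its single user needs. Worth confirming against the daemon's configuration before this lands.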
@@ -5688,7 +5689,7 @@ index 4edc40d..06129ea 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -139,45 +169,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +170,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5755,7 +5756,7 @@ index 4edc40d..06129ea 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,26 +222,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,26 +223,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5794,7 +5795,7 @@ index 4edc40d..06129ea 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -214,38 +259,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +260,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5847,7 +5848,7 @@ index 4edc40d..06129ea 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +309,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +310,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) 
@@ -5858,7 +5859,7 @@ index 4edc40d..06129ea 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +321,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +322,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5871,7 +5872,7 @@ index 4edc40d..06129ea 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -285,19 +338,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -285,19 +339,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5898,7 +5899,7 @@ index 4edc40d..06129ea 100644 ######################################## # -@@ -330,6 +387,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +388,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5907,7 +5908,7 @@ index 4edc40d..06129ea 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +401,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +402,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -5963,7 +5964,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..e4d61f5 100644 +index b31c054..53df7ae 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ 
@@ -6030,7 +6031,16 @@ index b31c054..e4d61f5 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -198,12 +208,22 @@ ifdef(`distro_debian',` +@@ -172,6 +182,8 @@ ifdef(`distro_suse', ` + /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) + ++/dev/uhid -c gen_context(system_u:object_r:uhid_device_t,s0) ++ + /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) +@@ -198,12 +210,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6056,7 +6066,7 @@ index b31c054..e4d61f5 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..b708d28 100644 +index 76f285e..9f56be1 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
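Review bot: Giving `/dev/uhid` its own type with `++/dev/uhid -c gen_context(system_u:object_r:uhid_device_t,s0)` is the right call, because a writer on that node can create virtual HID devices and should not pick it up through generic character-device grants. The companion hunks add `type uhid_device_t;` to devices.te and to the filetrans table in devices.if, but no accessor interface for the new type appears anywhere in the visible hunks, so the domain this is meant for will need a dedicated `dev_rw_uhid`-style interface rather than a broad `dev_rw_generic_chr_files` grant. A short comment on the fc line naming the intended consumer would make that dependency obvious.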
@@ -6473,122 +6483,85 @@ index 76f285e..b708d28 100644 ####################################### ## ## Set the attributes of the dlm control devices. -@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',` +@@ -1883,6 +2086,25 @@ interface(`dev_rw_dri',` ######################################## ## --## Get the attributes of the lvm comtrol device. -+## Get the attributes of the loop comtrol device. - ## - ## - ## -@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',` - ## - ## - # --interface(`dev_getattr_lvm_control',` -+interface(`dev_getattr_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, lvm_control_t) -+ getattr_chr_files_pattern($1, device_t, loop_control_device_t) - ') - - ######################################## - ## --## Read the lvm comtrol device. -+## Read the loop comtrol device. ++## Read and write the dri devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_inherited_dri',` ++ gen_require(` ++ type device_t, dri_device_t; ++ ') ++ ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; ++') ++ ++######################################## ++## + ## Dontaudit read and write on the dri devices. ## ## - ## -@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',` - ## - ## - # --interface(`dev_read_lvm_control',` -+interface(`dev_read_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- read_chr_files_pattern($1, device_t, lvm_control_t) -+ read_chr_files_pattern($1, device_t, loop_control_device_t) - ') +@@ -2017,7 +2239,7 @@ interface(`dev_rw_input_dev',` ######################################## ## --## Read and write the lvm control device. -+## Read and write the loop control device. +-## Get the attributes of the framebuffer device node. ++## Read input event devices (/dev/input). 
## ## ## -@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',` +@@ -2025,17 +2247,19 @@ interface(`dev_rw_input_dev',` ## ## # --interface(`dev_rw_lvm_control',` -+interface(`dev_rw_loop_control',` +-interface(`dev_getattr_framebuffer_dev',` ++interface(`dev_rw_inherited_input_dev',` gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; +- type device_t, framebuf_device_t; ++ type device_t, event_device_t; ') -- rw_chr_files_pattern($1, device_t, lvm_control_t) -+ rw_chr_files_pattern($1, device_t, loop_control_device_t) - ') - - ######################################## - ## --## Do not audit attempts to read and write lvm control device. -+## Do not audit attempts to read and write loop control device. - ## - ## - ## -@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',` - ## - ## - # --interface(`dev_dontaudit_rw_lvm_control',` -+interface(`dev_dontaudit_rw_loop_control',` - gen_require(` -- type lvm_control_t; -+ type loop_control_device_t; - ') - -- dontaudit $1 lvm_control_t:chr_file rw_file_perms; -+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; +- getattr_chr_files_pattern($1, device_t, framebuf_device_t) ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms; ') ++ ######################################## ## --## Delete the lvm control device. -+## Delete the loop control device. +-## Set the attributes of the framebuffer device node. ++## Read ipmi devices. 
## ## ## -@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',` +@@ -2043,36 +2267,35 @@ interface(`dev_getattr_framebuffer_dev',` ## ## # --interface(`dev_delete_lvm_control_dev',` -+interface(`dev_delete_loop_control_dev',` +-interface(`dev_setattr_framebuffer_dev',` ++interface(`dev_read_ipmi_dev',` gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; +- type device_t, framebuf_device_t; ++ type device_t, ipmi_device_t; ') -- delete_chr_files_pattern($1, device_t, lvm_control_t) -+ delete_chr_files_pattern($1, device_t, loop_control_device_t) +- setattr_chr_files_pattern($1, device_t, framebuf_device_t) ++ read_chr_files_pattern($1, device_t, ipmi_device_t) ') ######################################## ## --## dontaudit getattr raw memory devices (e.g. /dev/mem). -+## Get the attributes of the loop comtrol device. +-## Dot not audit attempts to set the attributes +-## of the framebuffer device node. ++## Read and write ipmi devices. ## ## ## 
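Review bot: The summary for `dev_rw_inherited_input_dev` still reads `## Read input event devices (/dev/input).` although the body grants `rw_inherited_chr_file_perms` on `event_device_t`; it should say `## Read and write inherited input event devices (/dev/input).`. Likewise `dev_rw_inherited_dri` is documented as `## Read and write the dri devices.`, which is indistinguishable from the existing `dev_rw_dri`; `## Read and write inherited dri devices.` would record that this variant covers descriptors handed over by another process and, as far as I recall the inherited permission set, does not include open. The `## Read ipmi devices.` header at the end of the hunk belongs to `dev_read_ipmi_dev`, whose body continues in the next hunk.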
@@ -6597,46 +6570,41 @@ index 76f285e..b708d28 100644 ## ## # --interface(`dev_dontaudit_getattr_memory_dev',` -+interface(`dev_getattr_lvm_control',` +-interface(`dev_dontaudit_setattr_framebuffer_dev',` ++interface(`dev_rw_ipmi_dev',` gen_require(` -- type memory_device_t; -+ type device_t, lvm_control_t; +- type framebuf_device_t; ++ type device_t, ipmi_device_t; ') -- dontaudit $1 memory_device_t:chr_file getattr; -+ getattr_chr_files_pattern($1, device_t, lvm_control_t) +- dontaudit $1 framebuf_device_t:chr_file setattr; ++ rw_chr_files_pattern($1, device_t, ipmi_device_t) ') ######################################## ## --## Read raw memory devices (e.g. /dev/mem). -+## Read the lvm comtrol device. +-## Read the framebuffer. ++## Get the attributes of the framebuffer device node. ## ## ## -@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',` +@@ -2080,9 +2303,64 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',` ## ## # --interface(`dev_read_raw_memory',` -+interface(`dev_read_lvm_control',` +-interface(`dev_read_framebuffer',` ++interface(`dev_getattr_framebuffer_dev',` gen_require(` -- type device_t, memory_device_t; -- attribute memory_raw_read; -+ type device_t, lvm_control_t; - ') - -- read_chr_files_pattern($1, device_t, memory_device_t) -- -- allow $1 self:capability sys_rawio; -- typeattribute $1 memory_raw_read; -+ read_chr_files_pattern($1, device_t, lvm_control_t) +- type framebuf_device_t; ++ type device_t, framebuf_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## -+## Read and write the lvm control device. ++## Set the attributes of the framebuffer device node. +## +## +## 
@@ -6644,17 +6612,18 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_rw_lvm_control',` ++interface(`dev_setattr_framebuffer_dev',` + gen_require(` -+ type device_t, lvm_control_t; ++ type device_t, framebuf_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, lvm_control_t) ++ setattr_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## -+## Do not audit attempts to read and write lvm control device. ++## Dot not audit attempts to set the attributes ++## of the framebuffer device node. +## +## +## @@ -6662,17 +6631,17 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_dontaudit_rw_lvm_control',` ++interface(`dev_dontaudit_setattr_framebuffer_dev',` + gen_require(` -+ type lvm_control_t; ++ type framebuf_device_t; + ') + -+ dontaudit $1 lvm_control_t:chr_file rw_file_perms; ++ dontaudit $1 framebuf_device_t:chr_file setattr; +') + +######################################## +## -+## Delete the lvm control device. ++## Read the framebuffer. +## +## +## 
@@ -6680,17 +6649,72 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_delete_lvm_control_dev',` ++interface(`dev_read_framebuffer',` + gen_require(` -+ type device_t, lvm_control_t; ++ type framebuf_device_t; + ') + + read_chr_files_pattern($1, device_t, framebuf_device_t) +@@ -2402,7 +2680,97 @@ interface(`dev_filetrans_lirc',` + + ######################################## + ## +-## Get the attributes of the lvm comtrol device. ++## Get the attributes of the loop comtrol device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_loop_control',` ++ gen_require(` ++ type device_t, loop_control_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, loop_control_device_t) ++') ++ ++######################################## ++## ++## Read the loop comtrol device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_loop_control',` ++ gen_require(` ++ type device_t, loop_control_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, loop_control_device_t) ++') ++ ++######################################## ++## ++## Read and write the loop control device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_loop_control',` ++ gen_require(` ++ type device_t, loop_control_device_t; + ') + -+ delete_chr_files_pattern($1, device_t, lvm_control_t) ++ rw_chr_files_pattern($1, device_t, loop_control_device_t) +') + +######################################## +## -+## dontaudit getattr raw memory devices (e.g. /dev/mem). ++## Do not audit attempts to read and write loop control device. +## +## +## 
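Review bot: The newly added headers `## Get the attributes of the loop comtrol device.` and `## Read the loop comtrol device.` copy the `comtrol` typo from the lvm text they were modelled on; since these lines are new to devices.if they should read `control`, and the same applies to the closing header in the next hunk. The interface bodies themselves (`dev_getattr_loop_control`, `dev_read_loop_control`, `dev_rw_loop_control`) consistently require `device_t, loop_control_device_t` and look correct. The `dev_read_framebuffer` body that opens this hunk starts outside it.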
@@ -6698,17 +6722,17 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_dontaudit_getattr_memory_dev',` ++interface(`dev_dontaudit_rw_loop_control',` + gen_require(` -+ type memory_device_t; ++ type loop_control_device_t; + ') + -+ dontaudit $1 memory_device_t:chr_file getattr; ++ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; +') + +######################################## +## -+## Read raw memory devices (e.g. /dev/mem). ++## Delete the loop control device. +## +## +## @@ -6716,20 +6740,21 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_read_raw_memory',` ++interface(`dev_delete_loop_control_dev',` + gen_require(` -+ type device_t, memory_device_t; -+ attribute memory_raw_read; ++ type device_t, loop_control_device_t; + ') + -+ read_chr_files_pattern($1, device_t, memory_device_t) ++ delete_chr_files_pattern($1, device_t, loop_control_device_t) ++') + -+ allow $1 self:capability sys_rawio; -+ typeattribute $1 memory_raw_read; - ') - - ######################################## -@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',` ++######################################## ++## ++## Get the attributes of the loop comtrol device. + ## + ## + ## +@@ -2725,7 +3093,7 @@ interface(`dev_write_misc',` ## ## ## @@ -6738,7 +6763,7 @@ index 76f285e..b708d28 100644 ## ## # -@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3271,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -6763,7 +6788,7 @@ index 76f285e..b708d28 100644 ##
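Review bot: The header added at the very end of the @@ -6716 hunk, `## Get the attributes of the loop comtrol device.`, sits directly above the retained `dev_getattr_lvm_control` interface, whose `## Domain allowed access.` lines and signature follow as context, so after this commit the lvm interface is described as the loop-control one. That last summary line should read `## Get the attributes of the lvm control device.` (the nested @@ -2402 header shows this is the block the original lvm text was removed from). The interface itself is outside the hunk, so this is inferred from the surrounding context rather than visible here.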

## ## -@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3293,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -6819,7 +6844,7 @@ index 76f285e..b708d28 100644 ## range registers (MTRR). ##
## -@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3329,13 @@ interface(`dev_write_mtrr',` ## ## # @@ -6836,7 +6861,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3503,42 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -6879,7 +6904,7 @@ index 76f285e..b708d28 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3558,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -6904,7 +6929,7 @@ index 76f285e..b708d28 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3667,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -6931,7 +6956,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3693,13 @@ interface(`dev_rw_printer',` ## ## # @@ -6948,7 +6973,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +3831,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -6957,7 +6982,7 @@ index 76f285e..b708d28 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +3845,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -6966,7 +6991,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4287,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## 
@@ -6975,7 +7000,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,53 +4295,53 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -7040,7 +7065,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',` +@@ -3917,37 +4349,35 @@ interface(`dev_list_sysfs',` ## ## # @@ -7085,7 +7110,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,26 +4385,145 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -7103,91 +7128,63 @@ index 76f285e..b708d28 100644 ## -## Read hardware state information. +## Do not audit attempts to search sysfs. - ## --## --##

--## Allow the specified domain to read the contents of --## the sysfs filesystem. This filesystem contains --## information, parameters, and other settings on the --## hardware installed on the system. --##

--##
- ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## --## - # --interface(`dev_read_sysfs',` ++## ++## ++# +interface(`dev_dontaudit_search_sysfs',` - gen_require(` - type sysfs_t; - ') - -- read_files_pattern($1, sysfs_t, sysfs_t) -- read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- -- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ gen_require(` ++ type sysfs_t; ++ ') ++ + dontaudit $1 sysfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Allow caller to modify hardware state information. ++') ++ ++######################################## ++## +## List the contents of the sysfs directories. - ## - ## - ## -@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',` - ## - ## - # --interface(`dev_rw_sysfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_list_sysfs',` - gen_require(` - type sysfs_t; - ') - -- rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- - list_dirs_pattern($1, sysfs_t, sysfs_t) - ') - - ######################################## - ## --## Read and write the TPM device. ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ list_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## +## Write in a sysfs directories. - ## - ## - ## -@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',` - ## - ## - # --interface(`dev_rw_tpm',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` - gen_require(` -- type device_t, tpm_device_t; ++ gen_require(` + type sysfs_t; - ') - -- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ ') ++ + allow $1 sysfs_t:dir write; - ') - - ######################################## - ## --## Read from pseudo random number generator devices (e.g., /dev/urandom). 
++') ++ ++######################################## ++## +## Do not audit attempts to write in a sysfs directory. - ## --## --##

--## Allow the specified domain to read from pseudo random number --## generator devices (e.g., /dev/urandom). Typically this is ++##

+## +## +## Domain to not audit. @@ -7229,7 +7226,15 @@ index 76f285e..b708d28 100644 +######################################## +## +## Relabel cpu online hardware state information. -+## + ## +-## +-##

+-## Allow the specified domain to read the contents of +-## the sysfs filesystem. This filesystem contains +-## information, parameters, and other settings on the +-## hardware installed on the system. +-##

+-##
+## +## +## Domain allowed access. @@ -7259,47 +7264,13 @@ index 76f285e..b708d28 100644 +## hardware installed on the system. +##

+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_read_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ read_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## -+## Allow caller to modify hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ rw_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## + ## + ## + ## Domain allowed access. +@@ -4016,6 +4565,62 @@ interface(`dev_rw_sysfs',` + + ######################################## + ## +## Relabel hardware state directories. +## +## @@ -7356,34 +7327,10 @@ index 76f285e..b708d28 100644 + +######################################## +## -+## Read and write the TPM device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_tpm',` -+ gen_require(` -+ type device_t, tpm_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, tpm_device_t) -+') -+ -+######################################## -+## -+## Read from pseudo random number generator devices (e.g., /dev/urandom). -+## -+## -+##

-+## Allow the specified domain to read from pseudo random number -+## generator devices (e.g., /dev/urandom). Typically this is - ## used in situations when a cryptographically secure random - ## number is not necessarily needed. One example is the Stack - ## Smashing Protector (SSP, formerly known as ProPolice) support -@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',` + ## Read and write the TPM device. + ##

+ ## +@@ -4113,6 +4718,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -7409,7 +7356,7 @@ index 76f285e..b708d28 100644 ## Getattr generic the USB devices. ## ## -@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5033,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -7421,7 +7368,7 @@ index 76f285e..b708d28 100644 ##
## ## -@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5043,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -7444,7 +7391,7 @@ index 76f285e..b708d28 100644 ##
## ## -@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5061,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7460,7 +7407,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5163,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7595,7 +7542,7 @@ index 76f285e..b708d28 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5309,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7620,7 +7567,7 @@ index 76f285e..b708d28 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5532,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7647,7 +7594,7 @@ index 76f285e..b708d28 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',` +@@ -4851,3 +5641,945 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -7798,6 +7745,7 @@ index 76f285e..b708d28 100644 +gen_require(` + type device_t; + type usb_device_t; ++ type uhid_device_t; + type sound_device_t; + type apm_bios_t; + type mouse_device_t; @@ -8524,6 +8472,7 @@ index 76f285e..b708d28 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") ++ filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid") + dev_filetrans_xserver_named_dev($1) +') + @@ -8592,7 +8541,7 @@ index 76f285e..b708d28 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 6529bd9..831344c 100644 +index 6529bd9..b31a5e8 100644 
--- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -8658,17 +8607,23 @@ index 6529bd9..831344c 100644 # # Type for /dev/tpm # -@@ -266,6 +275,9 @@ dev_node(usbmon_device_t) +@@ -266,6 +275,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) ++# ++# uhid_device_t is the type for /dev/uhid ++# ++type uhid_device_t; ++dev_node(uhid_device_t) ++ +type vfio_device_t; +dev_node(vfio_device_t) + type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +286,7 @@ dev_node(v4l_device_t) +@@ -274,6 +292,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -8676,7 +8631,7 @@ index 6529bd9..831344c 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +332,5 @@ files_associate_tmp(device_node) +@@ -319,5 +338,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -8892,7 +8847,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..369ddc2 100644 +index cf04cb5..7e91ba9 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -9029,7 +8984,7 @@ index cf04cb5..369ddc2 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; 
@@ -9061,6 +9016,10 @@ index cf04cb5..369ddc2 100644 + seutil_filetrans_named_content(named_filetrans_domain) +') + ++optional_policy(` ++ wine_filetrans_named_content(named_filetrans_domain) ++') ++ +storage_filetrans_all_named_dev(named_filetrans_domain) + +term_filetrans_all_named_dev(named_filetrans_domain) @@ -14372,7 +14331,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..d47750f 100644 +index 649e458..646d467 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -14384,6 +14343,16 @@ index 649e458..d47750f 100644 ') ######################################## +@@ -762,8 +762,8 @@ interface(`kernel_manage_debugfs',` + ') + + manage_files_pattern($1, debugfs_t, debugfs_t) ++ manage_dirs_pattern($1,debugfs_t, debugfs_t) + read_lnk_files_pattern($1, debugfs_t, debugfs_t) +- list_dirs_pattern($1, debugfs_t, debugfs_t) + ') + + ######################################## @@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',` ######################################## 
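Review bot: `manage_dirs_pattern($1,debugfs_t, debugfs_t)` in the `kernel_manage_debugfs` hunk is missing the space after `$1`, unlike `manage_files_pattern($1, debugfs_t, debugfs_t)` directly above; `manage_dirs_pattern($1, debugfs_t, debugfs_t)` matches the file's convention. Dropping `list_dirs_pattern` is safe because manage_dir_perms is a superset of list_dir_perms, but the interface now also grants directory create/delete on debugfs, a kernel-facing write surface, so its XML summary (outside this hunk) should say that it manages directories as well as files. The body of the interface starts outside the hunk.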
@@ -14450,7 +14419,33 @@ index 649e458..d47750f 100644 ') ######################################## -@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on generic proc entries. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_access_check_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ dontaudit $1 proc_t:dir_file_class_set audit_access; ++') ++ ++######################################## ++## + ## Do not audit attempts by caller to + ## read system state information in proc. + ## +@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -14475,7 +14470,7 @@ index 649e458..d47750f 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2155,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -14484,7 +14479,7 @@ index 649e458..d47750f 100644 ') ######################################## -@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2352,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -14510,7 +14505,7 @@ index 649e458..d47750f 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2395,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -14519,7 +14514,7 @@ index 649e458..d47750f 100644 ## ## # -@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2577,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## 
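Review bot: The new `kernel_dontaudit_access_check_proc` interface dontaudits `audit_access` on `proc_t` only, so callers probing per-process or sysctl entries, which carry other proc types, will presumably still be audited; if that is intended (the summary says "generic proc entries"), a sentence in the XML description such as `## Covers generic proc_t entries only, not the proc_type attribute.` would set expectations for callers. Otherwise `proc_type` would be the attribute to require instead.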
@@ -14544,7 +14539,7 @@ index 649e458..d47750f 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2632,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -14569,7 +14564,7 @@ index 649e458..d47750f 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2632,7 +2757,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -14578,7 +14573,7 @@ index 649e458..d47750f 100644 ') ######################################## -@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2795,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -14603,7 +14598,7 @@ index 649e458..d47750f 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2840,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -14629,7 +14624,7 @@ index 649e458..d47750f 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +2968,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -14663,7 +14658,7 @@ index 649e458..d47750f 100644 ######################################## ## -@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3150,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## 
@@ -14688,7 +14683,7 @@ index 649e458..d47750f 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3182,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -30883,7 +30878,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index c04ac46..5edc27b 100644 +index c04ac46..4f4ee1d 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -31007,7 +31002,16 @@ index c04ac46..5edc27b 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,37 +211,57 @@ allow sulogin_t self:sem create_sem_perms; +@@ -202,7 +198,7 @@ optional_policy(` + # Sulogin local policy + # + +-allow sulogin_t self:capability dac_override; ++allow sulogin_t self:capability { dac_override sys_admin }; + allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow sulogin_t self:fd use; + allow sulogin_t self:fifo_file rw_fifo_file_perms; +@@ -215,18 +211,27 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; @@ -31031,12 +31035,11 @@ index c04ac46..5edc27b 100644 init_getpgid_script(sulogin_t) +init_getpgid(sulogin_t) ++init_getattr_initctl(sulogin_t) logging_send_syslog_msg(sulogin_t) -+ - seutil_read_config(sulogin_t) - seutil_read_default_contexts(sulogin_t) +@@ -235,17 +240,28 @@ seutil_read_default_contexts(sulogin_t) userdom_use_unpriv_users_fds(sulogin_t) @@ -37842,10 +37845,10 @@ index 0000000..35b4178 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a88f6e2 +index 0000000..c31945a --- /dev/null 
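Review bot: `allow sulogin_t self:capability { dac_override sys_admin };` in the locallogin.te hunk adds CAP_SYS_ADMIN, the broadest Linux capability, without recording what sulogin needs it for. A why-comment on the line, for example `# sys_admin: <operation from the AVC denial that motivated this — TODO fill in>`, would let a later reviewer judge whether a narrower rule (such as the `init_getattr_initctl(sulogin_t)` added in the same hunk) already covers the need; from the page alone it cannot be told whether the capability grant is still required once that interface is in place. The rest of sulogin's local policy continues outside the hunk.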
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,651 @@ +@@ -0,0 +1,652 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -37956,6 +37959,7 @@ index 0000000..a88f6e2 +dev_getattr_all_blk_files(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t) +dev_rw_input_dev(systemd_logind_t) ++dev_rw_inherited_dri(systemd_logind_t) +dev_setattr_all_chr_files(systemd_logind_t) +dev_setattr_dri_dev(systemd_logind_t) +dev_setattr_generic_usb_dev(systemd_logind_t) @@ -39880,7 +39884,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..662bac5 100644 +index 3c5dba7..5b45016 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -40850,7 +40854,7 @@ index 3c5dba7..662bac5 100644 userdom_change_password_template($1) -@@ -761,82 +984,101 @@ template(`userdom_login_user_template', ` +@@ -761,83 +984,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # 
@@ -40956,39 +40960,45 @@ index 3c5dba7..662bac5 100644 + kerberos_use($1_usertype) + init_write_key($1_usertype) + ') ++ ++ optional_policy(` ++ mysql_filetrans_named_content($1_usertype) ++ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ mysql_filetrans_named_content($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ oddjob_run_mkhomedir($1_t, $1_r) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) -+ oddjob_run_mkhomedir($1_t, $1_r) ++ wine_filetrans_named_content($1_usertype) ') ++ ') -@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',` + ####################################### +@@ -868,6 +1115,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -41001,7 +41011,7 @@ index 3c5dba7..662bac5 100644 ############################## # # Local policy -@@ -907,42 +1155,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1160,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # 
@@ -41081,66 +41091,71 @@ index 3c5dba7..662bac5 100644 + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') -+ -+ optional_policy(` -+ accountsd_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ consolekit_dontaudit_read_log($1_usertype) -+ consolekit_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') optional_policy(` - consolekit_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) ++ accountsd_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) -+ fprintd_dbus_chat($1_t) ++ consolekit_dontaudit_read_log($1_usertype) ++ consolekit_dbus_chat($1_usertype) ') optional_policy(` - gnome_role_template($1, $1_r, $1_t) ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + realmd_dbus_chat($1_t) ') optional_policy(` -@@ -951,15 +1256,36 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,19 +1261,40 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` - java_role($1_r, $1_t) + policykit_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_dontaudit_stream_connect($1_t) + pulseaudio_role($1_r, $1_usertype) + pulseaudio_filetrans_admin_home_content($1_usertype) -+ ') -+ + ') +-') + +-####################################### +-## +-## The template for creating a unprivileged user roughly +-## equivalent to a regular linux user. 
+-## + optional_policy(` + rtkit_scheduled($1_usertype) + ') + + optional_policy(` + systemd_filetrans_home_content($1_usertype) - ') - - optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) - ') --') - --####################################### ++ ') ++ ++ optional_policy(` ++ setroubleshoot_dontaudit_stream_connect($1_t) ++ ') ++ + optional_policy(` + udev_read_db($1_usertype) + ') @@ -41151,10 +41166,14 @@ index 3c5dba7..662bac5 100644 +') + +####################################### - ## ++## ++## The template for creating a unprivileged user roughly ++## equivalent to a regular linux user. ++## + ## + ##

## The template for creating a unprivileged user roughly - ## equivalent to a regular linux user. -@@ -990,27 +1316,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1321,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -41192,7 +41211,7 @@ index 3c5dba7..662bac5 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1353,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1358,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -41218,9 +41237,11 @@ index 3c5dba7..662bac5 100644 + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + cdrecord_role($1_r, $1_t) + ') + @@ -41253,17 +41274,15 @@ index 3c5dba7..662bac5 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1415,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1420,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -41274,7 +41293,7 @@ index 3c5dba7..662bac5 100644 ') ') -@@ -1082,7 +1453,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1458,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -41285,7 +41304,7 @@ index 3c5dba7..662bac5 100644 ') ############################## -@@ -1098,6 +1471,7 @@ template(`userdom_admin_user_template',` +@@ -1098,6 +1476,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; 
@@ -41293,7 +41312,7 @@ index 3c5dba7..662bac5 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1109,6 +1483,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1488,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -41301,7 +41320,7 @@ index 3c5dba7..662bac5 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1492,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1497,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -41311,7 +41330,7 @@ index 3c5dba7..662bac5 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1514,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -41319,7 +41338,7 @@ index 3c5dba7..662bac5 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1532,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -41334,7 +41353,7 @@ index 3c5dba7..662bac5 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1550,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -41377,7 +41396,7 @@ index 3c5dba7..662bac5 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1591,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -41386,7 +41405,7 @@ index 3c5dba7..662bac5 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1600,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -41405,7 +41424,7 @@ index 3c5dba7..662bac5 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',` +@@ -1243,7 +1646,7 @@ template(`userdom_admin_user_template',` ##

## # @@ -41414,7 +41433,7 @@ index 3c5dba7..662bac5 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1656,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -41423,7 +41442,7 @@ index 3c5dba7..662bac5 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1670,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -41435,7 +41454,7 @@ index 3c5dba7..662bac5 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1684,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -41478,7 +41497,7 @@ index 3c5dba7..662bac5 100644 ') optional_policy(` -@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1769,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -41497,7 +41516,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1820,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -41549,7 +41568,7 @@ index 3c5dba7..662bac5 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1969,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -41581,7 +41600,7 @@ index 3c5dba7..662bac5 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +2035,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -41596,7 +41615,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2058,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -41608,7 +41627,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2119,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -41651,7 +41670,7 @@ index 3c5dba7..662bac5 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2234,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -41660,7 +41679,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2269,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -41675,7 +41694,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2299,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## 
@@ -41702,7 +41721,7 @@ index 3c5dba7..662bac5 100644 ## ## ## -@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2327,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -41785,7 +41804,7 @@ index 3c5dba7..662bac5 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2410,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -41811,7 +41830,7 @@ index 3c5dba7..662bac5 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,15 +2459,18 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
@@ -41827,188 +41846,144 @@ index 3c5dba7..662bac5 100644 ######################################## ## +-## Do not audit attempts to read user home files. +## Do not audit attempts to getattr user home files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_getattr_user_home_content',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ -+ dontaudit $1 user_home_type:dir getattr; -+ dontaudit $1 user_home_type:file getattr; -+') -+ -+######################################## -+## - ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',` + ## +@@ -1894,18 +2478,18 @@ interface(`userdom_read_user_home_content_files',` + ## + ## # - interface(`userdom_dontaudit_read_user_home_content_files',` +-interface(`userdom_dontaudit_read_user_home_content_files',` ++interface(`userdom_dontaudit_getattr_user_home_content',` gen_require(` - type user_home_t; + attribute user_home_type; -+ type user_home_dir_t; ') - dontaudit $1 user_home_t:dir list_dir_perms; - dontaudit $1 user_home_t:file read_file_perms; -+ dontaudit $1 user_home_dir_t:dir list_dir_perms; -+ dontaudit $1 user_home_type:dir list_dir_perms; -+ dontaudit $1 user_home_type:file read_file_perms; -+ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` - - ######################################## - ## --## Delete all user home content files. -+## Delete files in a user home subdirectory. 
- ## - ## - ## -@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` - ## - ## - # --interface(`userdom_delete_all_user_home_content_files',` -+interface(`userdom_delete_user_home_content_files',` - gen_require(` -- attribute user_home_content_type; -- type user_home_dir_t; -+ type user_home_t; - ') - -- userdom_search_user_home_content($1) -- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) -+ allow $1 user_home_t:file delete_file_perms; ++ dontaudit $1 user_home_type:dir getattr; ++ dontaudit $1 user_home_type:file getattr; ') ######################################## ## --## Delete files in a user home subdirectory. -+## Delete all files in a user home subdirectory. +-## Do not audit attempts to append user home files. ++## Do not audit attempts to read user home files. ## ## ## -@@ -1969,35 +2568,35 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1913,17 +2497,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',` ## ## # --interface(`userdom_delete_user_home_content_files',` -+interface(`userdom_delete_all_user_home_content_files',` +-interface(`userdom_dontaudit_append_user_home_content_files',` ++interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` - type user_home_t; + attribute user_home_type; ++ type user_home_dir_t; ') -- allow $1 user_home_t:file delete_file_perms; -+ allow $1 user_home_type:file delete_file_perms; +- dontaudit $1 user_home_t:file append_file_perms; ++ dontaudit $1 user_home_dir_t:dir list_dir_perms; ++ dontaudit $1 user_home_type:dir list_dir_perms; ++ dontaudit $1 user_home_type:file read_file_perms; ++ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; ') ######################################## ## -## Do not audit attempts to write user home files. -+## Delete sock files in a user home subdirectory. ++## Do not audit attempts to append user home files. ## ## ## --## Domain to not audit. 
-+## Domain allowed access. +@@ -1931,32 +2519,30 @@ interface(`userdom_dontaudit_append_user_home_content_files',` ## ## # --interface(`userdom_dontaudit_relabel_user_home_content_files',` -+interface(`userdom_delete_user_home_content_sock_files',` +-interface(`userdom_dontaudit_write_user_home_content_files',` ++interface(`userdom_dontaudit_append_user_home_content_files',` gen_require(` type user_home_t; ') -- dontaudit $1 user_home_t:file relabel_file_perms; -+ allow $1 user_home_t:sock_file delete_file_perms; +- dontaudit $1 user_home_t:file write_file_perms; ++ dontaudit $1 user_home_t:file append_file_perms; ') ######################################## ## --## Read user home subdirectory symbolic links. -+## Delete all sock files in a user home subdirectory. +-## Delete all user home content files. ++## Do not audit attempts to write user home files. ## ## ## -@@ -2005,45 +2604,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`userdom_read_user_home_content_symlinks',` -+interface(`userdom_delete_all_user_home_content_sock_files',` +-interface(`userdom_delete_all_user_home_content_files',` ++interface(`userdom_dontaudit_write_user_home_content_files',` gen_require(` -- type user_home_dir_t, user_home_t; -+ attribute user_home_type; +- attribute user_home_content_type; +- type user_home_dir_t; ++ type user_home_t; ') -- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) -+ allow $1 user_home_type:sock_file delete_file_perms; +- userdom_search_user_home_content($1) +- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) ++ dontaudit $1 user_home_t:file write_file_perms; ') ######################################## +@@ -1979,11 +2565,83 @@ interface(`userdom_delete_user_home_content_files',` + + ######################################## ## --## Execute user home files. 
+-## Do not audit attempts to write user home files. +## Delete all files in a user home subdirectory. ## ## ## - ## Domain allowed access. - ## - ## --## - # --interface(`userdom_exec_user_home_content_files',` -+interface(`userdom_delete_all_user_home_content',` - gen_require(` -- type user_home_dir_t, user_home_t; +-## Domain to not audit. ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_user_home_content_files',` ++ gen_require(` + attribute user_home_type; - ') - -- files_search_home($1) -- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ allow $1 user_home_type:dir_file_class_set delete_file_perms; ++ ') ++ ++ allow $1 user_home_type:file delete_file_perms; +') - -- tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1) ++ +######################################## +## -+## Do not audit attempts to write user home files. ++## Delete sock files in a user home subdirectory. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`userdom_dontaudit_relabel_user_home_content_files',` ++interface(`userdom_delete_user_home_content_sock_files',` + gen_require(` + type user_home_t; - ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -+ dontaudit $1 user_home_t:file relabel_file_perms; ++ ') ++ ++ allow $1 user_home_t:sock_file delete_file_perms; +') + +######################################## +## -+## Read user home subdirectory symbolic links. ++## Delete all sock files in a user home subdirectory. +## +## +## 
@@ -42016,42 +41991,79 @@ index 3c5dba7..662bac5 100644 +## +## +# -+interface(`userdom_read_user_home_content_symlinks',` ++interface(`userdom_delete_all_user_home_content_sock_files',` + gen_require(` -+ type user_home_dir_t, user_home_t; - ') ++ attribute user_home_type; ++ ') + -+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; - ') - - ######################################## - ## -+## Execute user home files. ++ allow $1 user_home_type:sock_file delete_file_perms; ++') ++ ++######################################## ++## ++## Delete all files in a user home subdirectory. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`userdom_exec_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content',` + gen_require(` -+ type user_home_dir_t; + attribute user_home_type; + ') + -+ files_search_home($1) -+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) -+ dontaudit $1 user_home_type:sock_file execute; -+ ') ++ allow $1 user_home_type:dir_file_class_set delete_file_perms; ++') + +######################################## +## ++## Do not audit attempts to write user home files. ++## ++## ++## ++## Domain to not audit. 
+ ## + ## + # +@@ -2010,8 +2668,7 @@ interface(`userdom_read_user_home_content_symlinks',` + type user_home_dir_t, user_home_t; + ') + +- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) ++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -2027,21 +2684,15 @@ interface(`userdom_read_user_home_content_symlinks',` + # + interface(`userdom_exec_user_home_content_files',` + gen_require(` +- type user_home_dir_t, user_home_t; ++ type user_home_dir_t; ++ attribute user_home_type; + ') + + files_search_home($1) +- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1) ++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ dontaudit $1 user_home_type:sock_file execute; + ') + +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- + ######################################## + ## ## Do not audit attempts to execute user home files. - ## - ## -@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2774,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -42060,7 +42072,7 @@ index 3c5dba7..662bac5 100644 ## ## ## -@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2782,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -42084,7 +42096,7 @@ index 3c5dba7..662bac5 100644 ## ## ## -@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2800,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # 
@@ -42100,7 +42112,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +3042,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -42115,7 +42127,7 @@ index 3c5dba7..662bac5 100644 files_search_tmp($1) ') -@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3066,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -42124,7 +42136,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3313,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -42150,7 +42162,7 @@ index 3c5dba7..662bac5 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3348,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -42166,7 +42178,7 @@ index 3c5dba7..662bac5 100644 ## ## ## -@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3376,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -42175,7 +42187,7 @@ index 3c5dba7..662bac5 100644 ## ## ## -@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3384,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -42210,7 +42222,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3502,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
@@ -42235,7 +42247,7 @@ index 3c5dba7..662bac5 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3538,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -42278,7 +42290,7 @@ index 3c5dba7..662bac5 100644 ## ## ## -@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3574,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -42316,7 +42328,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3619,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -42346,7 +42358,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3711,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -42447,7 +42459,7 @@ index 3c5dba7..662bac5 100644 ## ## ## -@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3780,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -42462,7 +42474,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3849,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -42471,7 +42483,7 @@ index 3c5dba7..662bac5 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3865,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -42505,7 +42517,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3953,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -42532,7 +42544,7 @@ index 3c5dba7..662bac5 100644 ') ######################################## -@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,12 +4026,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -42548,91 +42560,42 @@ index 3c5dba7..662bac5 100644 ## ## ## -@@ -3285,46 +4035,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3285,12 +4040,87 @@ interface(`userdom_write_user_tmp_files',` ## ## # -interface(`userdom_dontaudit_use_user_ttys',` +interface(`userdom_dontaudit_write_user_tmp_files',` - gen_require(` -- type user_tty_device_t; -+ type user_tmp_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ dontaudit $1 user_tmp_t:file write; - ') - - ######################################## - ## --## Read the process state of all user domains. -+## Do not audit attempts to delete users -+## temporary files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_dontaudit_delete_user_tmp_files',` - gen_require(` -- attribute userdomain; -+ type user_tmp_t; - ') - -- read_files_pattern($1, userdomain, userdomain) -- kernel_search_proc($1) -+ dontaudit $1 user_tmp_t:file delete_file_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. -+## Do not audit attempts to read/write users -+## temporary fifo files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_getattr_all_users',` -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` - gen_require(` -- attribute userdomain; ++ gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tmp_t:file write; +') + +######################################## +## -+## Allow domain to read/write inherited users -+## fifo files. ++## Do not audit attempts to delete users ++## temporary files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`userdom_rw_inherited_user_pipes',` ++interface(`userdom_dontaudit_delete_user_tmp_files',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tmp_t:file delete_file_perms; +') + +######################################## +## -+## Do not audit attempts to use user ttys. ++## Do not audit attempts to read/write users ++## temporary fifo files. +## +## +## @@ -42640,17 +42603,18 @@ index 3c5dba7..662bac5 100644 +## +## +# -+interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` -+ type user_tty_device_t; ++ type user_tmp_t; + ') + -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Read the process state of all user domains. ++## Allow domain to read/write inherited users ++## fifo files. +## +## +## 
@@ -42658,33 +42622,43 @@ index 3c5dba7..662bac5 100644 +## +## +# -+interface(`userdom_read_all_users_state',` ++interface(`userdom_rw_inherited_user_pipes',` + gen_require(` + attribute userdomain; + ') + -+ read_files_pattern($1, userdomain, userdomain) -+ read_lnk_files_pattern($1,userdomain,userdomain) -+ kernel_search_proc($1) ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Get the attributes of all user domains. ++## Do not audit attempts to use user ttys. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_getattr_all_users',` -+ gen_require(` -+ attribute userdomain; ++interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; + ') + + ######################################## +@@ -3309,6 +4139,7 @@ interface(`userdom_read_all_users_state',` ') - allow $1 userdomain:process getattr; -@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',` + read_files_pattern($1, userdomain, userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) + ') + +@@ -3385,6 +4216,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -42727,7 +42701,7 @@ index 3c5dba7..662bac5 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4272,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -42752,7 +42726,7 @@ index 3c5dba7..662bac5 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4318,1646 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4323,1646 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; 
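Review bot: The line `read_lnk_files_pattern($1,userdomain,userdomain)` added to userdom_read_all_users_state omits the spaces after commas that every neighbouring call uses (`read_files_pattern($1, userdomain, userdomain)` is the line right above it); it should read `read_lnk_files_pattern($1, userdomain, userdomain)`. Since this is a patch-of-patch, the fix belongs in the inner `+@@ -3309,6 +4139,7 @@` hunk's added line. The opening of the interface is visible, but the surrounding inner hunk for userdom_dontaudit_use_user_ttys starts outside this outer hunk.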
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index b63cc7f..42c23c2 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -9728,29 +9728,28 @@ index 41f8251..57f094e 100644 ') diff --git a/bumblebee.fc b/bumblebee.fc new file mode 100644 -index 0000000..17eea86 +index 0000000..b5ee23b --- /dev/null +++ b/bumblebee.fc @@ -0,0 +1,7 @@ -+/etc/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) + -+/usr/lib/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) + +/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0) + +/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0) diff --git a/bumblebee.if b/bumblebee.if new file mode 100644 -index 0000000..f61b9c3 +index 0000000..23a4f86 --- /dev/null +++ b/bumblebee.if -@@ -0,0 +1,122 @@ -+ +@@ -0,0 +1,126 @@ +## policy for bumblebee + +######################################## +## -+## Execute TEMPLATE in the bumblebee domin. ++## Execute bumblebee in the bumblebee domin. +## +## +## @@ -9766,6 +9765,7 @@ index 0000000..f61b9c3 + corecmd_search_bin($1) + domtrans_pattern($1, bumblebee_exec_t, bumblebee_t) +') ++ +######################################## +## +## Read bumblebee PID files. @@ -9802,7 +9802,7 @@ index 0000000..f61b9c3 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 bumblebee_unit_file_t:file read_file_perms; + allow $1 bumblebee_unit_file_t:service manage_service_perms; + 
@@ -9852,9 +9852,13 @@ index 0000000..f61b9c3 + type bumblebee_unit_file_t; + ') + -+ allow $1 bumblebee_t:process { ptrace signal_perms }; ++ allow $1 bumblebee_t:process { signal_perms }; + ps_process_pattern($1, bumblebee_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bumblebee_t:process ptrace; ++ ') ++ + files_search_pids($1) + admin_pattern($1, bumblebee_var_run_t) + @@ -9869,10 +9873,10 @@ index 0000000..f61b9c3 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..f39fc96 +index 0000000..8d91220 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,47 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -9884,8 +9888,6 @@ index 0000000..f39fc96 +type bumblebee_exec_t; +init_daemon_domain(bumblebee_t, bumblebee_exec_t) + -+permissive bumblebee_t; -+ +type bumblebee_var_run_t; +files_pid_file(bumblebee_var_run_t) + @@ -9896,6 +9898,7 @@ index 0000000..f39fc96 +# +# bumblebee local policy +# ++ +allow bumblebee_t self:capability { setgid }; +allow bumblebee_t self:process { fork signal_perms }; +allow bumblebee_t self:fifo_file rw_fifo_file_perms; @@ -9908,6 +9911,7 @@ index 0000000..f39fc96 +files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file }) + +kernel_read_system_state(bumblebee_t) ++kernel_dontaudit_access_check_proc(bumblebee_t) + +dev_read_sysfs(bumblebee_t) + @@ -9917,6 +9921,8 @@ index 0000000..f39fc96 + +logging_send_syslog_msg(bumblebee_t) + ++modutils_domtrans_insmod(bumblebee_t) ++ +miscfiles_read_localization(bumblebee_t) diff --git a/cachefilesd.fc b/cachefilesd.fc index 648c790..aa03fc8 100644 @@ -11069,10 +11075,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..12585f0 +index 0000000..748f5d5 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,246 @@ +@@ -0,0 +1,247 @@ +policy_module(chrome,1.0.0) + +######################################## 
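Review bot: The new `modutils_domtrans_insmod(bumblebee_t)` in bumblebee.te grants bumblebeed a transition into the module-loading domain, which is a much broader privilege than the rest of this domain's rules, and nothing in the file records why it is needed. A one-line comment above it, `# bumblebeed loads the discrete GPU kernel module via modprobe`, would stop a later cleanup from removing it or, conversely, from widening it further. The same hunk series also drops `permissive bumblebee_t;` from the module; if the domain is still meant to be permissive elsewhere, a comment saying so would help, since a reader of this file alone will assume the domain is now enforcing.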
@@ -11201,6 +11207,7 @@ index 0000000..12585f0 +userdom_manage_home_certs(chrome_sandbox_t) + +optional_policy(` ++ gnome_read_generic_cache_files(chrome_sandbox_t) + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_read_home_config(chrome_sandbox_t) + gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") 
@@ -13824,6 +13831,218 @@ index 3f2b672..8fb887d 100644 +optional_policy(` + unconfined_domain(condor_startd_t) +') +diff --git a/conman.fc b/conman.fc +new file mode 100644 +index 0000000..5f97ba9 +--- /dev/null ++++ b/conman.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0) ++ ++/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0) ++ ++/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0) ++/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0) ++ +diff --git a/conman.if b/conman.if +new file mode 100644 +index 0000000..54b4b04 +--- /dev/null ++++ b/conman.if +@@ -0,0 +1,142 @@ ++## Conman is a program for connecting to remote consoles being managed by conmand ++ ++######################################## ++## ++## Execute conman in the conman domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`conman_domtrans',` ++ gen_require(` ++ type conman_t, conman_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, conman_exec_t, conman_t) ++') ++ ++######################################## ++## ++## Read conman's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`conman_read_log',` ++ gen_require(` ++ type conman_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, conman_log_t, conman_log_t) ++') ++ ++######################################## ++## ++## Append to conman log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`conman_append_log',` ++ gen_require(` ++ type conman_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, conman_log_t, conman_log_t) ++') ++ ++######################################## ++## ++## Manage conman log files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`conman_manage_log',` ++ gen_require(` ++ type conman_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, conman_log_t, conman_log_t) ++ manage_files_pattern($1, conman_log_t, conman_log_t) ++') ++ ++######################################## ++## ++## Execute conman server in the conman domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`conman_systemctl',` ++ gen_require(` ++ type conman_t; ++ type conman_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 conman_unit_file_t:file read_file_perms; ++ allow $1 conman_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, conman_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an conman environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`conman_admin',` ++ gen_require(` ++ type conman_t; ++ type conman_log_t; ++ type conman_unit_file_t; ++ ') ++ ++ allow $1 conman_t:process { signal_perms }; ++ ps_process_pattern($1, conman_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 conman_t:process ptrace; ++ ') ++ ++ logging_search_logs($1) ++ admin_pattern($1, conman_log_t) ++ ++ conman_systemctl($1) ++ admin_pattern($1, conman_unit_file_t) ++ allow $1 conman_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/conman.te b/conman.te +new file mode 100644 +index 0000000..0de2d4d +--- /dev/null ++++ b/conman.te +@@ -0,0 +1,45 @@ ++policy_module(conman, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type conman_t; ++type conman_exec_t; ++init_daemon_domain(conman_t, conman_exec_t) ++ ++type conman_log_t; ++logging_log_file(conman_log_t) ++ ++type conman_unit_file_t; ++systemd_unit_file(conman_unit_file_t) ++ 
++######################################## ++# ++# conman local policy ++# ++ ++allow conman_t self:capability { sys_tty_config }; ++allow conman_t self:process { setrlimit signal_perms }; ++ ++allow conman_t self:fifo_file rw_fifo_file_perms; ++allow conman_t self:unix_stream_socket create_stream_socket_perms; ++allow conman_t self:tcp_socket { listen create_socket_perms }; ++ ++manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) ++manage_files_pattern(conman_t, conman_log_t, conman_log_t) ++logging_log_filetrans(conman_t, conman_log_t, { dir }) ++ ++corenet_tcp_bind_generic_node(conman_t) ++corenet_tcp_bind_conman_port(conman_t) ++ ++corecmd_exec_bin(conman_t) ++ ++auth_read_passwd(conman_t) ++ ++logging_send_syslog_msg(conman_t) ++ ++optional_policy(` ++ freeipmi_stream_connect(conman_t) ++') diff --git a/consolekit.fc b/consolekit.fc index 23c9558..29e5fd3 100644 --- a/consolekit.fc @@ -19278,7 +19497,7 @@ index afcf3a2..e6ecc4d 100644 + dontaudit system_bus_type $1:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 2c2e7e1..493ab48 100644 +index 2c2e7e1..2ead441 100644 --- a/dbus.te +++ b/dbus.te @@ -1,20 +1,18 @@ @@ -19326,7 +19545,7 @@ index 2c2e7e1..493ab48 100644 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,59 +47,58 @@ ifdef(`enable_mls',` +@@ -51,59 +47,61 @@ ifdef(`enable_mls',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') @@ -19385,7 +19604,9 @@ index 2c2e7e1..493ab48 100644 -domain_use_interactive_fds(system_dbusd_t) -domain_read_all_domains_state(system_dbusd_t) -- ++dev_rw_inherited_input_dev(system_dbusd_t) ++dev_rw_inherited_dri(system_dbusd_t) + -files_list_home(system_dbusd_t) -files_read_usr_files(system_dbusd_t) +files_rw_inherited_non_security_files(system_dbusd_t) 
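Review bot: In conman_admin the `systemd_read_fifo_file_passwd_run($1)` inside the trailing `optional_policy` block is redundant: `conman_systemctl($1)`, called two lines earlier in the same interface, already grants it unconditionally, so the optional block can be reduced to `systemd_passwd_agent_exec($1)`. The interface summaries also carry copy-paste typos — "Execute conman in the conman domin." and "an conman environment" — which should read "domain" and "a conman environment". In conman.te, `allow conman_t self:capability { sys_tty_config };` and the TCP listen on the conman port would benefit from a short comment naming the feature that needs them, as with the other daemons in this patch.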
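Review bot: The two added lines `dev_rw_inherited_input_dev(system_dbusd_t)` and `dev_rw_inherited_dri(system_dbusd_t)` in dbus.te grant the system bus read/write on inherited input-event and DRM device descriptors without saying why a message bus needs device access at all. Presumably these are the file descriptors logind hands out over the bus (TakeDevice), and the rule is intentionally limited to inherited fds rather than `dev_rw_input_dev`/`dev_rw_dri`; a comment such as `# only inherited fds: logind passes DRM master and evdev fds to clients over the bus` would make that restriction explicit so nobody "fixes" it into a full open permission later.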
@@ -19403,7 +19624,7 @@ index 2c2e7e1..493ab48 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -19461,10 +19682,9 @@ index 2c2e7e1..493ab48 100644 +optional_policy(` + gnome_exec_gconf(system_dbusd_t) + gnome_read_inherited_home_icc_data_files(system_dbusd_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(system_dbusd_t) ++') ++ ++optional_policy(` + nis_use_ypbind(system_dbusd_t) +') + @@ -19481,9 +19701,10 @@ index 2c2e7e1..493ab48 100644 + +optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) @@ -19577,7 +19798,7 @@ index 2c2e7e1..493ab48 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -19602,7 +19823,7 @@ index 2c2e7e1..493ab48 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) 
@@ -19610,7 +19831,7 @@ index 2c2e7e1..493ab48 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -19652,7 +19873,7 @@ index 2c2e7e1..493ab48 100644 ') ######################################## -@@ -244,5 +344,6 @@ optional_policy(` +@@ -244,5 +347,6 @@ optional_policy(` # Unconfined access to this module # 
@@ -25243,6 +25464,180 @@ index c81b6e8..34e1f1c 100644 +optional_policy(` + xserver_read_state_xdm(fprintd_t) ') +diff --git a/freeipmi.fc b/freeipmi.fc +new file mode 100644 +index 0000000..0942a2e +--- /dev/null ++++ b/freeipmi.fc +@@ -0,0 +1,17 @@ ++/usr/lib/systemd/system/bmc-watchdog.* -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0) ++/usr/lib/systemd/system/ipmidetectd.* -- gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0) ++/usr/lib/systemd/system/ipmiseld.* -- gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0) ++ ++/usr/sbin/bmc-watchdog -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0) ++/usr/sbin/ipmidetectd -- gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0) ++/usr/sbin/ipmiseld -- gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0) ++ ++/var/cache/ipmiseld(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0) ++/var/cache/ipmimonitoringsdrcache(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0) ++ ++/var/lib/freeipmi(/.*)? gen_context(system_u:object_r:freeipmi_var_lib_t,s0) ++ ++ ++/var/run/ipmidetectd\.pid -- gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0) ++/var/run/ipmiseld\.pid -- gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0) ++/var/run/bmc-watchdog\.pid -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0) +diff --git a/freeipmi.if b/freeipmi.if +new file mode 100644 +index 0000000..dc94853 +--- /dev/null ++++ b/freeipmi.if +@@ -0,0 +1,71 @@ ++## Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification ++ ++##################################### ++## ++## Creates types and rules for a basic ++## freeipmi init daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`freeipmi_domain_template',` ++ gen_require(` ++ attribute freeipmi_domain, freeipmi_pid; ++ ') ++ ++ ############################# ++ # ++ # Declarations ++ # ++ ++ type freeipmi_$1_t, freeipmi_domain; ++ type freeipmi_$1_exec_t; ++ init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t) ++ role system_r types freeipmi_$1_t; ++ ++ type freeipmi_$1_unit_file_t; ++ systemd_unit_file(freeipmi_$1_unit_file_t) ++ ++ type freeipmi_$1_var_run_t, freeipmi_pid; ++ files_pid_file(freeipmi_$1_var_run_t) ++ ++ ############################# ++ # ++ # Local policy ++ # ++ ++ manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t) ++ ++ kernel_read_system_state(freeipmi_$1_t) ++ ++ corenet_all_recvfrom_netlabel(freeipmi_$1_t) ++ corenet_all_recvfrom_unlabeled(freeipmi_$1_t) ++ ++ auth_use_nsswitch(freeipmi_$1_t) ++ ++ logging_send_syslog_msg(freeipmi_$1_t) ++') ++ ++#################################### ++## ++## Connect to cluster domains over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`freeipmi_stream_connect',` ++ gen_require(` ++ attribute freeipmi_domain, freeipmi_pid; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain) ++') ++ +diff --git a/freeipmi.te b/freeipmi.te +new file mode 100644 +index 0000000..1408208 +--- /dev/null ++++ b/freeipmi.te +@@ -0,0 +1,68 @@ ++policy_module(freeipmi, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute freeipmi_domain; ++attribute freeipmi_pid; ++ ++freeipmi_domain_template(ipmidetectd) ++freeipmi_domain_template(ipmiseld) ++freeipmi_domain_template(bmc_watchdog) ++ ++type freeipmi_var_lib_t; ++files_type(freeipmi_var_lib_t) ++ ++type freeipmi_var_cache_t; ++files_type(freeipmi_var_cache_t) ++ ++######################################## ++# ++# freeipmi_domain local policy ++# ++ ++allow freeipmi_domain self:fifo_file rw_fifo_file_perms; ++allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms; ++allow freeipmi_domain self:sem create_sem_perms; ++ ++manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t) ++manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t) ++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t) ++files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir }) ++ ++manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t) ++manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t) ++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t) ++files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir }) ++ ++sysnet_dns_name_resolve(freeipmi_domain) ++ ++####################################### ++# ++# bmc-watchdog local policy ++# ++ ++files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid") ++ ++dev_read_raw_memory(freeipmi_bmc_watchdog_t) 
++dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t) ++ ++####################################### ++# ++# ipmidetectd local policy ++# ++ ++files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid") ++ ++####################################### ++# ++# ipmiseld local policy ++# ++ ++allow freeipmi_ipmiseld_t self:capability sys_rawio; ++ ++allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms; ++ ++files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid") diff --git a/freqset.fc b/freqset.fc new file mode 100644 index 0000000..3cd9c38 @@ -30834,10 +31229,10 @@ index 0000000..17c3627 +') diff --git a/hypervkvp.te b/hypervkvp.te new file mode 100644 -index 0000000..d2ad022 +index 0000000..ddc67b0 --- /dev/null +++ b/hypervkvp.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,61 @@ +policy_module(hypervkvp, 1.0.0) + +######################################## @@ -30878,6 +31273,8 @@ index 0000000..d2ad022 +allow hyperv_domain self:fifo_file rw_fifo_file_perms; +allow hyperv_domain self:unix_stream_socket create_stream_socket_perms; + ++dev_read_sysfs(hyperv_domain) ++ +######################################## +# +# hypervkvp local policy @@ -31672,10 +32069,38 @@ index 08b7560..417e630 100644 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) diff --git a/iscsi.if b/iscsi.if -index 1a35420..4b9b978 100644 +index 1a35420..2ea1241 100644 --- a/iscsi.if 
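Review bot: The summary of `freeipmi_stream_connect` in freeipmi.if reads "Connect to cluster domains over a unix domain stream socket", which looks copied from another module; it should say `## Connect to freeipmi domains over a unix domain stream socket.`. In freeipmi.te, `dev_read_raw_memory(freeipmi_bmc_watchdog_t)` and `allow freeipmi_ipmiseld_t self:capability sys_rawio;` are two of the most powerful grants in the whole patch and carry no explanation; a comment on each, e.g. `# bmc-watchdog probes the BMC through /dev/mem (SMBIOS/KCS lookup) -- confirm`, would document the justification and let a reviewer check whether `dev_rw_ipmi_dev` alone is sufficient. The template also grants `manage_files_pattern` on each `freeipmi_$1_var_run_t` but relies on the per-domain `files_pid_filetrans` lines in the .te; a note in the template that callers must add the filetrans themselves would avoid a fourth domain silently missing it.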
+++ b/iscsi.if -@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',` +@@ -22,6 +22,27 @@ interface(`iscsid_domtrans',` + ######################################## + ## + ## Create, read, write, and delete ++## iscsid lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`iscsi_manage_lock',` ++ gen_require(` ++ type iscsi_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t) ++ manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete + ## iscsid sempaphores. + ## + ## +@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',` ######################################## ## @@ -31712,7 +32137,7 @@ index 1a35420..4b9b978 100644 ## ## ## -@@ -99,16 +113,15 @@ interface(`iscsi_admin',` +@@ -99,16 +134,15 @@ interface(`iscsi_admin',` gen_require(` type iscsid_t, iscsi_lock_t, iscsi_log_t; type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; @@ -35878,7 +36303,7 @@ index bc25c95..6692d91 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index ee0c7cc..9cdc21e 100644 +index ee0c7cc..4ac8f2d 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,68 @@ @@ -35986,7 +36411,7 @@ index ee0c7cc..9cdc21e 100644 ## ## ## -@@ -41,22 +119,28 @@ interface(`ldap_read_config',` +@@ -41,22 +119,29 @@ interface(`ldap_read_config',` ######################################## ## @@ -36010,6 +36435,7 @@ index ee0c7cc..9cdc21e 100644 + files_search_etc($1) + allow $1 slapd_cert_t:dir list_dir_perms; + read_files_pattern($1, slapd_cert_t, slapd_cert_t) ++ read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t) ') ######################################## @@ -36020,7 +36446,7 @@ index ee0c7cc..9cdc21e 100644 ## ## ## -@@ -64,18 +148,13 @@ interface(`ldap_use',` +@@ -64,18 +149,13 @@ interface(`ldap_use',` ## ## # 
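Review bot: The added `read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)` in ldap.if only permits reading symlinks that are themselves labelled slapd_cert_t; if a link in the certificate directory points at a file carrying a different label (for example a shared NSS or PKI directory), the caller still needs read access on that target label, and the interface description should say so, e.g. `## Symlinks are followed only while they and their targets stay within slapd_cert_t.`. The interface's opening line is outside this hunk, so the name is inferred to be ldap_read_certs from the surrounding context.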
@@ -36042,7 +36468,7 @@ index ee0c7cc..9cdc21e 100644 ## ## ## -@@ -83,21 +162,19 @@ interface(`ldap_stream_connect',` +@@ -83,21 +163,19 @@ interface(`ldap_stream_connect',` ## ## # @@ -36070,7 +36496,7 @@ index ee0c7cc..9cdc21e 100644 ## ## ## -@@ -106,7 +183,7 @@ interface(`ldap_tcp_connect',` +@@ -106,7 +184,7 @@ interface(`ldap_tcp_connect',` ## ## ## @@ -36079,7 +36505,7 @@ index ee0c7cc..9cdc21e 100644 ## ## ## -@@ -115,28 +192,28 @@ interface(`ldap_admin',` +@@ -115,28 +193,28 @@ interface(`ldap_admin',` gen_require(` type slapd_t, slapd_tmp_t, slapd_replog_t; type slapd_lock_t, slapd_etc_t, slapd_var_run_t; @@ -36117,7 +36543,7 @@ index ee0c7cc..9cdc21e 100644 admin_pattern($1, slapd_replog_t) files_list_tmp($1) -@@ -144,4 +221,8 @@ interface(`ldap_admin',` +@@ -144,4 +222,8 @@ interface(`ldap_admin',` files_list_pids($1) admin_pattern($1, slapd_var_run_t) @@ -37031,7 +37457,7 @@ index 7bab8e5..efdfd9d 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..30e3cd2 100644 +index 4256a4c..81fec37 100644 --- a/logwatch.te +++ b/logwatch.te @@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6) @@ -37091,19 +37517,20 @@ index 4256a4c..30e3cd2 100644 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) -@@ -137,6 +146,11 @@ optional_policy(` +@@ -137,6 +146,12 @@ optional_policy(` ') optional_policy(` + raid_domtrans_mdadm(logwatch_t) + raid_access_check_mdadm(logwatch_t) ++ raid_read_conf_files(logwatch_t) +') + +optional_policy(` rpc_search_nfs_state_data(logwatch_t) ') -@@ -145,6 +159,13 @@ optional_policy(` +@@ -145,6 +160,13 @@ optional_policy(` samba_read_share_files(logwatch_t) ') 
@@ -37117,7 +37544,7 @@ index 4256a4c..30e3cd2 100644 ######################################## # # Mail local policy -@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -164,6 +186,12 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -38627,10 +39054,10 @@ index 327f3f7..4f61561 100644 + ') ') diff --git a/mandb.te b/mandb.te -index 5a414e0..7fee444 100644 +index 5a414e0..24f45a8 100644 --- a/mandb.te +++ b/mandb.te -@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles; +@@ -10,28 +10,52 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; @@ -38677,6 +39104,7 @@ index 5a414e0..7fee444 100644 -files_read_etc_files(mandb_t) +files_search_locks(mandb_t) ++files_dontaudit_search_all_mountpoints(mandb_t) miscfiles_manage_man_cache(mandb_t) +miscfiles_setattr_man_pages(mandb_t) @@ -39351,10 +39779,10 @@ index cba62db..562833a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 92508b2..db83591 100644 +index 92508b2..2213a03 100644 --- a/milter.te +++ b/milter.te -@@ -1,77 +1,110 @@ +@@ -1,77 +1,117 @@ -policy_module(milter, 1.4.2) +policy_module(milter, 1.4.0) @@ -39374,6 +39802,9 @@ index 92508b2..db83591 100644 +type dkim_milter_private_key_t; +files_type(dkim_milter_private_key_t) + ++type dkim_milter_tmp_t; ++files_tmp_file(dkim_milter_tmp_t) ++ +# currently-supported milters are milter-greylist, milter-regex and spamass-milter milter_template(greylist) milter_template(regex) 
@@ -39433,6 +39864,10 @@ index 92508b2..db83591 100644 -logging_send_syslog_msg(milter_domains) +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) + ++manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t) ++manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t) ++files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file }) ++ +kernel_read_kernel_sysctls(dkim_milter_t) + +auth_use_nsswitch(dkim_milter_t) @@ -39493,7 +39928,7 @@ index 92508b2..db83591 100644 optional_policy(` mysql_stream_connect(greylist_milter_t) -@@ -79,30 +112,45 @@ optional_policy(` +@@ -79,30 +119,45 @@ optional_policy(` ######################################## # @@ -45399,10 +45834,10 @@ index 97370e4..3549b8f 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index c48dc17..43d56e3 100644 +index c48dc17..297f831 100644 --- a/mysql.fc +++ b/mysql.fc -@@ -1,11 +1,24 @@ +@@ -1,11 +1,25 @@ -HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) - -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) @@ -45420,6 +45855,7 @@ index c48dc17..43d56e3 100644 +/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) + +/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) ++/usr/lib/systemd/system/mariadb.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) + +# +# /etc @@ -45435,7 +45871,7 @@ index c48dc17..43d56e3 100644 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) -@@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) +@@ -13,13 +27,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) 
@@ -47391,10 +47827,10 @@ index 56c0fbd..173a2c0 100644 userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index a1fb3c3..2b818b9 100644 +index a1fb3c3..dfb99d2 100644 --- a/networkmanager.fc +++ b/networkmanager.fc -@@ -1,43 +1,45 @@ +@@ -1,43 +1,47 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -47423,7 +47859,7 @@ index a1fb3c3..2b818b9 100644 -/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -47438,6 +47874,7 @@ index a1fb3c3..2b818b9 100644 /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) ++/usr/bin/teamd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) /usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) 
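Review bot: Labeling `/usr/bin/teamd` as `NetworkManager_exec_t` runs the teamd daemon in the full `NetworkManager_t` domain instead of one of its own, so every permission that domain holds (its .te is not part of this hunk) becomes available to teamd as well, and a denial or grant for one daemon can no longer be distinguished from the other. A dedicated `teamd_t` with its own exec type would keep the two reviewable; if sharing the domain is deliberate, the .fc line should say so, e.g. `# teamd intentionally runs in NetworkManager_t (same netlink/ifconfig needs)`. The same hunk moves `nm-dispatcher.action` from `NetworkManager_initrc_exec_t` to `NetworkManager_exec_t`, which means dispatcher scripts now inherit NetworkManager's own privileges rather than an init-script context; the changelog states this is intended, but a one-line comment next to that entry would record why.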
@@ -47460,6 +47897,7 @@ index a1fb3c3..2b818b9 100644 /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/teamd(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) 
@@ -48270,6 +48708,144 @@ index 0b48a30..e61d367 100644 -miscfiles_read_localization(wpa_cli_t) - term_dontaudit_use_console(wpa_cli_t) +diff --git a/ninfod.fc b/ninfod.fc +new file mode 100644 +index 0000000..cc31b9f +--- /dev/null ++++ b/ninfod.fc +@@ -0,0 +1,6 @@ ++/usr/lib/systemd/system/ninfod.* -- gen_context(system_u:object_r:ninfod_unit_file_t,s0) ++ ++/usr/sbin/ninfod -- gen_context(system_u:object_r:ninfod_exec_t,s0) ++ ++/var/run/ninfod.* -- gen_context(system_u:object_r:ninfod_run_t,s0) ++ +diff --git a/ninfod.if b/ninfod.if +new file mode 100644 +index 0000000..a7f57d9 +--- /dev/null ++++ b/ninfod.if +@@ -0,0 +1,79 @@ ++ ++## Respond to IPv6 Node Information Queries ++ ++######################################## ++## ++## Execute ninfod in the ninfod domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ninfod_domtrans',` ++ gen_require(` ++ type ninfod_t, ninfod_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ninfod_exec_t, ninfod_t) ++') ++######################################## ++## ++## Execute ninfod server in the ninfod domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ninfod_systemctl',` ++ gen_require(` ++ type ninfod_t; ++ type ninfod_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 ninfod_unit_file_t:file read_file_perms; ++ allow $1 ninfod_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ninfod_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ninfod environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`ninfod_admin',` ++ gen_require(` ++ type ninfod_t; ++ type ninfod_unit_file_t; ++ ') ++ ++ allow $1 ninfod_t:process { signal_perms }; ++ ps_process_pattern($1, ninfod_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ninfod_t:process ptrace; ++ ') ++ ++ ninfod_systemctl($1) ++ admin_pattern($1, ninfod_unit_file_t) ++ allow $1 ninfod_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/ninfod.te b/ninfod.te +new file mode 100644 +index 0000000..d75c408 +--- /dev/null ++++ b/ninfod.te +@@ -0,0 +1,35 @@ ++policy_module(ninfod, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ninfod_t; ++type ninfod_exec_t; ++init_daemon_domain(ninfod_t, ninfod_exec_t) ++ ++type ninfod_run_t; ++files_pid_file(ninfod_run_t) ++ ++type ninfod_unit_file_t; ++systemd_unit_file(ninfod_unit_file_t) ++ ++######################################## ++# ++# ninfod local policy ++# ++allow ninfod_t self:capability { net_raw setuid }; ++allow ninfod_t self:process setcap; ++allow ninfod_t self:fifo_file rw_fifo_file_perms; ++allow ninfod_t self:rawip_socket { create setopt }; ++allow ninfod_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t) ++files_pid_filetrans(ninfod_t,ninfod_run_t, { file }) ++ ++auth_use_nsswitch(ninfod_t) ++ ++logging_send_syslog_msg(ninfod_t) ++ ++sysnet_dns_name_resolve(ninfod_t) diff --git a/nis.fc b/nis.fc index 8aa1bfa..cd0e015 100644 --- a/nis.fc @@ -54195,16 +54771,16 @@ index 0000000..51650fa +/var/log/opensm\.log.* -- gen_context(system_u:object_r:opensm_log_t,s0) diff --git a/opensm.if b/opensm.if new file mode 100644 -index 0000000..a62f050 +index 0000000..776fda7 --- /dev/null 
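Review bot: `allow ninfod_t self:rawip_socket { create setopt };` in the new ninfod.te is not enough for a daemon whose job is to answer ICMPv6 node-information queries: the socket can be created but never read or written, and no `corenet_raw_*` interface or node-bind rule is granted, so in enforcing mode the service presumably starts and then fails silently on the first query; `allow ninfod_t self:rawip_socket create_socket_perms;` plus `corenet_raw_sendrecv_generic_if(ninfod_t)` and `corenet_raw_bind_generic_node(ninfod_t)` is the shape the other raw-socket daemons use. The `{ net_raw setuid }` capabilities together with `process setcap` read like a privilege drop and deserve a line comment, e.g. `# opens the ICMPv6 raw socket, then drops to an unprivileged uid`, so nobody later "tightens" it by removing setuid. In ninfod.if the summary of `ninfod_systemctl` ("Execute ninfod server in the ninfod domain") is the domtrans text copied over; it should describe what the interface does, e.g. "Start, stop and inspect the ninfod service via systemctl".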
+++ b/opensm.if -@@ -0,0 +1,220 @@ +@@ -0,0 +1,223 @@ + +## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB + +######################################## +## -+## Execute TEMPLATE in the opensm domin. ++## Execute opensm in the opensm domin. +## +## +## @@ -54307,7 +54883,6 @@ index 0000000..a62f050 +## Domain allowed access. +## +## -+## +# +interface(`opensm_read_log',` + gen_require(` @@ -54374,7 +54949,7 @@ index 0000000..a62f050 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 opensm_unit_file_t:file read_file_perms; + allow $1 opensm_unit_file_t:service manage_service_perms; + @@ -54399,12 +54974,16 @@ index 0000000..a62f050 + type opensm_t; + type opensm_cache_t; + type opensm_log_t; -+ type opensm_unit_file_t; ++ type opensm_unit_file_t; + ') + -+ allow $1 opensm_t:process { ptrace signal_perms }; ++ allow $1 opensm_t:process { signal_perms }; + ps_process_pattern($1, opensm_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 opensm_t:process ptrace; ++ ') ++ + files_search_var($1) + admin_pattern($1, opensm_cache_t) + 
@@ -55139,6 +55718,152 @@ index 508fedf..a499612 100644 +optional_policy(` + plymouthd_exec_plymouth(openvswitch_t) +') +diff --git a/openwsman.fc b/openwsman.fc +new file mode 100644 +index 0000000..00d0643 +--- /dev/null ++++ b/openwsman.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/openwsmand.* -- gen_context(system_u:object_r:openwsman_unit_file_t,s0) ++ ++/usr/sbin/openwsmand -- gen_context(system_u:object_r:openwsman_exec_t,s0) ++ ++/var/log/wsmand.* -- gen_context(system_u:object_r:openwsman_log_t,s0) ++ ++/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0) +diff --git a/openwsman.if b/openwsman.if +new file mode 100644 +index 0000000..42ed4ba +--- /dev/null ++++ b/openwsman.if +@@ -0,0 +1,78 @@ ++## WS-Management Server ++ ++######################################## ++## ++## Execute openwsman in the openwsman domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openwsman_domtrans',` ++ gen_require(` ++ type openwsman_t, openwsman_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, openwsman_exec_t, openwsman_t) ++') ++######################################## ++## ++## Execute openwsman server in the openwsman domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openwsman_systemctl',` ++ gen_require(` ++ type openwsman_t; ++ type openwsman_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 openwsman_unit_file_t:file read_file_perms; ++ allow $1 openwsman_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, openwsman_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an openwsman environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`openwsman_admin',` ++ gen_require(` ++ type openwsman_t; ++ type openwsman_unit_file_t; ++ ') ++ ++ allow $1 openwsman_t:process { signal_perms }; ++ ps_process_pattern($1, openwsman_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 openwsman_t:process ptrace; ++ ') ++ ++ openwsman_systemctl($1) ++ admin_pattern($1, openwsman_unit_file_t) ++ allow $1 openwsman_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/openwsman.te b/openwsman.te +new file mode 100644 +index 0000000..49dc5ef +--- /dev/null ++++ b/openwsman.te +@@ -0,0 +1,43 @@ ++policy_module(openwsman, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type openwsman_t; ++type openwsman_exec_t; ++init_daemon_domain(openwsman_t, openwsman_exec_t) ++ ++type openwsman_log_t; ++logging_log_file(openwsman_log_t) ++ ++type openwsman_run_t; ++files_pid_file(openwsman_run_t) ++ ++type openwsman_unit_file_t; ++systemd_unit_file(openwsman_unit_file_t) ++ ++######################################## ++# ++# openwsman local policy ++# ++allow openwsman_t self:process { fork }; ++allow openwsman_t self:fifo_file rw_fifo_file_perms; ++allow openwsman_t self:unix_stream_socket create_stream_socket_perms; ++allow openwsman_t self:tcp_socket { create_socket_perms listen }; ++ ++manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t) ++logging_log_filetrans(openwsman_t, openwsman_log_t, { file }) ++ ++manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t) ++files_pid_filetrans(openwsman_t, openwsman_run_t, { file }) ++ ++auth_use_nsswitch(openwsman_t) ++ ++corenet_tcp_bind_vnc_port(openwsman_t) ++ ++dev_read_urand(openwsman_t) ++ ++logging_send_syslog_msg(openwsman_t) ++ diff --git a/oracleasm.fc b/oracleasm.fc new file mode 100644 index 0000000..80fb8c3 
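Review bot: `allow openwsman_t self:tcp_socket { create_socket_perms listen };` in the new openwsman.te omits `accept`, so the daemon can bind and listen but can never accept a client connection once the domain is enforcing; `allow openwsman_t self:tcp_socket create_stream_socket_perms;` is what a listening server needs, and the `corenet_tcp_sendrecv_generic_if`/`corenet_tcp_bind_generic_node` rules that the other network daemons in this patch carry are missing here as well. Binding through `corenet_tcp_bind_vnc_port` is also a labeling shortcut: the WS-Management ports are not VNC ports, and reusing vnc_port_t means any domain allowed to reach VNC is implicitly allowed to reach openwsmand. A dedicated wsman port type in corenetwork (not in this hunk) would be cleaner; until then the line should carry `# 5985/5986 currently fall into vnc_port_t; no wsman port type yet` so the reuse is visibly temporary. For a network-facing management daemon there is also no PAM/`auth_domtrans_chk_passwd` rule; whether openwsmand needs one depends on its authentication backend, which this hunk does not show.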
@@ -56042,10 +56767,10 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..6b5b74b 100644 +index dfd46e4..4694942 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,25 @@ +@@ -1,15 +1,29 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) 
@@ -56054,29 +56779,33 @@ index dfd46e4..6b5b74b 100644 -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++ ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) ++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) -+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) ++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -+/var/lib/openlmi-storage(/.*)? 
gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) ++ ++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++ +/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + ++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) diff --git a/pegasus.if b/pegasus.if @@ -56180,7 +56909,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..252377d 100644 +index 7bcf327..38e75ee 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ 
@@ -56204,7 +56933,7 @@ index 7bcf327..252377d 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,278 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,288 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -56401,7 +57130,10 @@ index 7bcf327..252377d 100644 +# pegasus openlmi storage local policy +# + -+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio }; ++allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock }; ++allow pegasus_openlmi_storage_t self:process setrlimit; ++ ++allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms; + +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) @@ -56413,6 +57145,7 @@ index 7bcf327..252377d 100644 + +kernel_read_all_sysctls(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) ++kernel_request_load_module(pegasus_openlmi_storage_t) + +dev_read_rand(pegasus_openlmi_storage_t) +dev_read_urand(pegasus_openlmi_storage_t) @@ -56427,6 +57160,8 @@ index 7bcf327..252377d 100644 +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) + ++files_read_kernel_modules(pegasus_openlmi_storage_t) ++ +fs_getattr_all_fs(pegasus_openlmi_storage_t) + +modutils_domtrans_insmod(pegasus_openlmi_storage_t) @@ -56443,6 +57178,10 @@ index 7bcf327..252377d 100644 +') + +optional_policy(` ++ iscsi_manage_lock(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` + lvm_domtrans(pegasus_openlmi_storage_t) +') + 
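Review bot: `storage_raw_write_fixed_disk` and `sys_rawio` on `pegasus_openlmi_storage_t`, now widened in this hunk with `sys_admin sys_resource ipc_lock`, `process setrlimit`, `kernel_request_load_module`, `files_read_kernel_modules` and an `iscsi_manage_lock`, make this provider effectively root-equivalent (raw write to any fixed disk can rewrite the bootloader, the policy store or any binary), and it is reachable from the CIM server's network API through pegasus_t (that transition sits outside the hunk). None of the new lines records why the permission is needed, so a later reader cannot tell a genuine requirement from a rule added to silence a denial; each should carry a reason, e.g. `# sys_rawio/raw disk write: openlmi-storage partitions and formats whole devices` and `# ipc_lock/setrlimit: presumably for mlock() in the storage library - confirm`. Whether `sys_admin` is really required in addition to `sys_rawio` is not visible here and is worth confirming before the domain leaves permissive mode.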
@@ -56488,7 +57227,7 @@ index 7bcf327..252377d 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +311,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +321,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -56519,7 +57258,7 @@ index 7bcf327..252377d 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +337,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +347,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -56552,7 +57291,7 @@ index 7bcf327..252377d 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +365,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +375,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -56564,7 +57303,7 @@ index 7bcf327..252377d 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +381,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +391,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -56600,7 +57339,7 @@ index 7bcf327..252377d 100644 ') optional_policy(` -@@ -151,16 +415,24 @@ optional_policy(` +@@ -151,16 +425,24 @@ optional_policy(` ') optional_policy(` @@ -56629,7 +57368,7 @@ index 7bcf327..252377d 100644 ') optional_policy(` -@@ -168,7 +440,7 @@ optional_policy(` +@@ -168,7 +450,7 @@ optional_policy(` ') optional_policy(` @@ -60145,7 +60884,7 @@ index 5ad5291..7f1ae2a 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) 
diff --git a/portreserve.te b/portreserve.te -index a38b57a..aa9d604 100644 +index a38b57a..49758db 100644 --- a/portreserve.te +++ b/portreserve.te @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } @@ -60156,13 +60895,17 @@ index a38b57a..aa9d604 100644 corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_sendrecv_generic_if(portreserve_t) corenet_udp_sendrecv_generic_if(portreserve_t) -@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t) +@@ -56,6 +55,8 @@ corenet_sendrecv_all_server_packets(portreserve_t) corenet_tcp_bind_all_ports(portreserve_t) corenet_udp_bind_all_ports(portreserve_t) -files_read_etc_files(portreserve_t) - +- userdom_dontaudit_search_user_home_content(portreserve_t) ++ ++optional_policy(` ++ sssd_search_lib(portreserve_t) ++') diff --git a/portslave.te b/portslave.te index e85e33d..a7d7c55 100644 --- a/portslave.te @@ -69740,7 +70483,7 @@ index 5806046..d83ec27 100644 /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f..98a0758 100644 +index 951db7f..c0cabe8 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -69821,7 +70564,7 @@ index 951db7f..98a0758 100644 ## ## ## -@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',` +@@ -57,47 +78,112 @@ interface(`raid_run_mdadm',` ## ## # @@ -69889,7 +70632,7 @@ index 951db7f..98a0758 100644 + +######################################## +## -+## Manage mdadm config files. ++## Read mdadm config files. +## +## ## @@ -69900,7 +70643,7 @@ index 951db7f..98a0758 100644 -## # -interface(`raid_admin_mdadm',` -+interface(`raid_manage_conf_files',` ++interface(`raid_read_conf_files',` gen_require(` - type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; + type mdadm_conf_t; 
@@ -69908,7 +70651,24 @@ index 951db7f..98a0758 100644 - allow $1 mdadm_t:process { ptrace signal_perms }; - ps_process_pattern($1, mdadm_t) -- ++ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++') ++ ++######################################## ++## ++## Manage mdadm config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`raid_manage_conf_files',` ++ gen_require(` ++ type mdadm_conf_t; ++ ') + - init_labeled_script_domtrans($1, mdadm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mdadm_initrc_exec_t system_r; 
@@ -70817,6 +71577,68 @@ index e9765c0..ea21331 100644 +/usr/lib/systemd/system/rdisc.* -- gen_context(system_u:object_r:rdisc_unit_file_t,s0) /usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) +diff --git a/rdisc.if b/rdisc.if +index 170ef52..7dd9193 100644 +--- a/rdisc.if ++++ b/rdisc.if +@@ -18,3 +18,57 @@ interface(`rdisc_exec',` + corecmd_search_bin($1) + can_exec($1, rdisc_exec_t) + ') ++ ++######################################## ++## ++## Execute rdisc server in the rdisc domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rdisc_systemctl',` ++ gen_require(` ++ type rdisc_t; ++ type rdisc_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rdisc_unit_file_t:file read_file_perms; ++ allow $1 rdisc_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rdisc_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rdisc environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`rdisc_admin',` ++ gen_require(` ++ type rdisc_t; ++ type rdisc_unit_file_t; ++ ') ++ ++ allow $1 rdisc_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, rdisc_t) ++ ++ rdisc_systemctl($1) ++ admin_pattern($1, rdisc_unit_file_t) ++ allow $1 rdisc_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') diff --git a/rdisc.te b/rdisc.te index 9196c1d..b775931 100644 --- a/rdisc.te @@ -76354,7 +77176,7 @@ index ebe91fc..576ca21 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..cafc027 100644 +index 0628d50..952ee2a 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ 
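Review bot: `allow $1 rdisc_t:process { ptrace signal_perms };` in the new `rdisc_admin` grants ptrace unconditionally, whereas the `ninfod_admin`, `openwsman_admin` and (after this patch) `opensm_admin` interfaces gate it behind the `deny_ptrace` boolean; rdisc should follow the same pattern so the boolean actually covers every admin interface. The `rdisc_systemctl` summary also repeats the domtrans wording ("Execute rdisc server in the rdisc domain") and should say what it does, e.g. "Start, stop and inspect the rdisc service via systemctl".
```selinux
interface(`rdisc_admin',`
	# … unchanged: gen_require block …

	allow $1 rdisc_t:process { signal_perms };
	ps_process_pattern($1, rdisc_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 rdisc_t:process ptrace;
	')

	# … unchanged: rdisc_systemctl, admin_pattern, service perms, passwd-agent block …
```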
@@ -76613,16 +77435,34 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -302,7 +378,7 @@ interface(`rpm_manage_log',` +@@ -302,7 +378,25 @@ interface(`rpm_manage_log',` ######################################## ## -## Inherit and use rpm script file descriptors. ++## Create rpm logs with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_named_filetrans_log_files',` ++ gen_require(` ++ type rpm_log_t; ++ ') ++ logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") ++ logging_log_named_filetrans($1, rpm_log_t, file, "upd2date") ++') ++ ++######################################## ++## +## Inherit and use file descriptors from RPM scripts. ## ## ## -@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +414,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -76633,7 +77473,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +429,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -76650,7 +77490,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +450,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -76668,7 +77508,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +470,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -76684,7 +77524,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +497,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -76693,7 +77533,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -420,8 +500,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +518,7 @@ interface(`rpm_read_cache',` ######################################## ## 
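Review bot: The literal `"upd2date"` in the new `rpm_named_filetrans_log_files` does not match the changelog's "up2date log file"; a named file transition matches the exact basename, so if the file actually created is `/var/log/up2date` this rule never fires and the log is created as plain `var_log_t`, which is the very mislabeling the interface was added to prevent. If the real name is confirmed (rpm.fc is not in this hunk), the line should be `logging_log_named_filetrans($1, rpm_log_t, file, "up2date")`. The summary "Create rpm logs with an correct label" also reads better as "Create rpm log files with the correct label".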
@@ -76703,7 +77543,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +539,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -76712,7 +77552,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -459,11 +538,12 @@ interface(`rpm_read_db',` +@@ -459,11 +556,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -76726,7 +77566,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -482,8 +562,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +580,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -76736,7 +77576,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -503,8 +582,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +600,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -76766,7 +77606,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +634,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -76775,7 +77615,7 @@ index 0628d50..cafc027 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +660,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -76785,7 +77625,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +679,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -76795,7 +77635,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',` +@@ -573,94 +688,72 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -85706,7 +86546,7 @@ index 634c6b4..e1edfd9 100644 ######################################## 
diff --git a/sosreport.te b/sosreport.te -index 703efa3..fee904f 100644 +index 703efa3..a0dbe3f 100644 --- a/sosreport.te +++ b/sosreport.te @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t) @@ -85868,7 +86708,7 @@ index 703efa3..fee904f 100644 ') optional_policy(` -@@ -135,9 +193,16 @@ optional_policy(` +@@ -135,9 +193,17 @@ optional_policy(` ') optional_policy(` @@ -85879,6 +86719,7 @@ index 703efa3..fee904f 100644 + rpm_manage_cache(sosreport_t) + rpm_manage_log(sosreport_t) + rpm_manage_pid_files(sosreport_t) ++ rpm_named_filetrans_log_files(sosreport_t) + rpm_read_db(sosreport_t) + rpm_signull(sosreport_t) +') @@ -92163,7 +93004,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..6b315d8 100644 +index 7116181..9f596dc 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -92224,7 +93065,7 @@ index 7116181..6b315d8 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +76,57 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -92249,6 +93090,8 @@ index 7116181..6b315d8 100644 -miscfiles_read_localization(tuned_t) +mount_read_pid_files(tuned_t) ++ ++modutils_domtrans_insmod(tuned_t) udev_read_pid_files(tuned_t) @@ -98439,7 +99282,7 @@ index cdca8c7..3c09628 100644 manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) ') diff --git a/wine.if b/wine.if -index fd2b6cc..52a2e72 100644 +index fd2b6cc..938c4a7 100644 --- a/wine.if +++ b/wine.if @@ -1,46 +1,57 @@ 
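Review bot: `modutils_domtrans_insmod(tuned_t)` lets tuned load arbitrary kernel modules, and the same domain already has `corecmd_exec_shell`/`corecmd_exec_bin` and a config type named `tuned_rw_etc_t` (declared above this hunk, presumably writable by tuned_t), so any profile script tuned executes can now end in a module load; that is a meaningful widening for a daemon that exists to apply tunables. If only a known set of modules is needed, a comment naming the profile that triggered the grant, e.g. `# modprobe needed by the profile(s) that load <module>`, would let a later reviewer decide whether the transition is still required rather than keeping it by inertia.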
@@ -98588,8 +99431,31 @@ index fd2b6cc..52a2e72 100644 ') ######################################## +@@ -165,3 +169,22 @@ interface(`wine_rw_shm',` + + allow $1 wine_t:shm rw_shm_perms; + ') ++ ++######################################## ++## ++## Transition to wine named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`wine_filetrans_named_content',` ++ gen_require(` ++ type wine_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine") ++') ++ diff --git a/wine.te b/wine.te -index b51923c..8e47110 100644 +index b51923c..4906ce0 100644 --- a/wine.te +++ b/wine.te @@ -14,10 +14,11 @@ policy_module(wine, 1.10.1) @@ -98605,7 +99471,7 @@ index b51923c..8e47110 100644 type wine_exec_t; userdom_user_application_domain(wine_t, wine_exec_t) role wine_roles types wine_t; -@@ -25,56 +26,57 @@ role wine_roles types wine_t; +@@ -25,56 +26,58 @@ role wine_roles types wine_t; type wine_home_t; userdom_user_home_content(wine_home_t) 
@@ -98617,34 +99483,34 @@ index b51923c..8e47110 100644 # Local policy # +domain_mmap_low(wine_t) -+ -+optional_policy(` -+ unconfined_domain(wine_t) -+') -allow wine_t self:process { execstack execmem execheap }; -allow wine_t self:fifo_file manage_fifo_file_perms; ++optional_policy(` ++ unconfined_domain(wine_t) ++') -can_exec(wine_t, wine_exec_t) + +-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") +######################################## +# +# Common wine domain policy +# --userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") -+allow wine_domain self:process { execstack execmem execheap }; -+allow wine_domain self:fifo_file manage_fifo_file_perms; - -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) -+can_exec(wine_domain, wine_exec_t) ++allow wine_domain self:process { execstack execmem execheap }; ++allow wine_domain self:fifo_file manage_fifo_file_perms; -domain_mmap_low(wine_t) ++can_exec(wine_domain, wine_exec_t) ++ +manage_files_pattern(wine_domain, wine_home_t, wine_home_t) +manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) -+userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine") +userdom_tmpfs_filetrans(wine_domain, file) ++wine_filetrans_named_content(wine_domain) -files_execmod_all_files(wine_t) +files_execmod_all_files(wine_domain) @@ -98674,19 +99540,19 @@ index b51923c..8e47110 100644 optional_policy(` - rtkit_scheduled(wine_t) --') -- --optional_policy(` -- unconfined_domain(wine_t) + rtkit_scheduled(wine_domain) ') optional_policy(` -- xserver_read_xdm_pid(wine_t) -- xserver_rw_shm(wine_t) +- unconfined_domain(wine_t) + xserver_read_xdm_pid(wine_domain) + xserver_rw_shm(wine_domain) ') + +-optional_policy(` +- xserver_read_xdm_pid(wine_t) +- xserver_rw_shm(wine_t) +-') diff --git a/wireshark.te b/wireshark.te index cf5cab6..a2d910f 100644 --- a/wireshark.te 
diff --git a/selinux-policy.spec b/selinux-policy.spec index 9979122..d49e679 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 108%{?dist} +Release: 109%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -573,6 +573,48 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Wed Dec 10 2013 Miroslav Grepl 3.12.1-109
+- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t
+- Add labeling for /usr/lib/systemd/system/mariadb.service
+- Allow hyperv_domain to read sysfs
+- Fix ldap_read_certs() interface to allow acess also link files
+- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt
+- Allow tuned to run modprobe
+- Allow portreserve to search /var/lib/sss dir
+- Add SELinux support for the teamd package contains team network device control daemon.
+- Dontaudit access check on /proc for bumblebee
+- Bumblebee wants to load nvidia modules
+- Fix rpm_named_filetrans_log_files and wine.te
+- Add conman policy for rawhide
+- DRM master and input event devices are used by the TakeDevice API
+- Clean up bumblebee policy
+- Update pegasus_openlmi_storage_t policy
+- Add freeipmi_stream_connect() interface
+- Allow logwatch read madm.conf to support RAID setup
+- Add raid_read_conf_files() interface
+- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
+- add rpm_named_filetrans_log_files() interface
+- Allow dkim-milter to create files/dirs in /tmp
+- update freeipmi policy
+- Add policy for freeipmi services
+- Added rdisc_admin and rdisc_systemctl interfaces
+- opensm policy clean up
+- openwsman policy clean up
+- ninfod policy clean up
+- Added new policy for ninfod
+- Added new policy for openwsman
+- Added rdisc_admin and rdisc_systemctl interfaces
+- Fix kernel_dontaudit_access_check_proc()
+- Add support for /dev/uhid
+- Allow sulogin to get the attributes of initctl and sys_admin cap
+- Add kernel_dontaudit_access_check_proc()
+- Fix dev_rw_ipmi_dev()
+- Fix new interface in devices.if
+- DRM master and input event devices are used by the TakeDevice API
+- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
+- Added support for default conman port
+- Add interfaces for ipmi
devices
+
 * Wed Dec 4 2013 Miroslav Grepl 3.12.1-108
 - Allow sosreport to send a signal to ABRT
 - Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t
