From b02295db9b2337025cb6cfba6ef92b567e22e684 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 27 2011 16:15:38 +0000 Subject: - Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch - aisexec will execute corosync - colord tries to read files off noxattr file systems - Allow init_t getcap and setcap --- diff --git a/policy-F16.patch b/policy-F16.patch index e0d652c..ee7f839 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -6172,7 +6172,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..d88c02c 100644 +index 9a6d67d..19de023 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -6283,7 +6283,7 @@ index 9a6d67d..d88c02c 100644 + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 mozilla_plugin_t:process { signal sigkill }; + -+ ++ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; +') + +######################################## @@ -6309,7 +6309,7 @@ index 9a6d67d..d88c02c 100644 ## Send and receive messages from ## mozilla over dbus. ## -@@ -204,3 +301,40 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -204,3 +301,39 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -6349,9 +6349,8 @@ index 9a6d67d..d88c02c 100644 + + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') -+ diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..3ed1287 100644 +index 2a91fa8..5f272f7 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) 
@@ -6440,7 +6439,7 @@ index 2a91fa8..3ed1287 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +289,192 @@ optional_policy(` +@@ -266,3 +289,194 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -6604,6 +6603,7 @@ index 2a91fa8..3ed1287 100644 + nsplugin_manage_home_files(mozilla_plugin_t) + nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) + nsplugin_user_home_filetrans(mozilla_plugin_t, file) ++ nsplugin_read_rw_files(mozilla_plugin_t); + nsplugin_signal(mozilla_plugin_t) +') + @@ -6620,6 +6620,7 @@ index 2a91fa8..3ed1287 100644 + xserver_use_user_fonts(mozilla_plugin_t) + xserver_read_user_iceauth(mozilla_plugin_t) + xserver_read_user_xauth(mozilla_plugin_t) ++ xserver_append_xdm_home_files(mozilla_plugin_t); +') + +tunable_policy(`use_nfs_home_dirs',` @@ -6796,10 +6797,10 @@ index 0000000..8d7c751 +') diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te new file mode 100644 -index 0000000..4af1aa0 +index 0000000..bb6b61e --- /dev/null +++ b/policy/modules/apps/namespace.te -@@ -0,0 +1,36 @@ +@@ -0,0 +1,38 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -6829,6 +6830,8 @@ index 0000000..4af1aa0 +files_read_etc_files(namespace_init_t) +files_polyinstantiate_all(namespace_init_t) + ++auth_use_nsswitch(namespace_init_t) ++ +miscfiles_read_localization(namespace_init_t) + +userdom_manage_user_home_content_dirs(namespace_init_t) @@ -8717,10 +8720,10 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..104b919 +index 0000000..fc0e3f7 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,481 @@ +@@ -0,0 +1,483 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
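Review bot: The two calls added to mozilla.te, `nsplugin_read_rw_files(mozilla_plugin_t);` and `xserver_append_xdm_home_files(mozilla_plugin_t);`, end in a semicolon, while the neighbouring calls in the same blocks (`nsplugin_signal(mozilla_plugin_t)`, `xserver_read_user_xauth(mozilla_plugin_t)`) do not. Interface calls are macro expansions that already produce complete statements, so the trailing `;` is at best redundant; write them as `nsplugin_read_rw_files(mozilla_plugin_t)` and `xserver_append_xdm_home_files(mozilla_plugin_t)`. The xdm-home append grant also lets the plugin domain write to files owned by the display manager session, so a one-line comment naming the file it needs (presumably the session error log, to be confirmed) would help later audits.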
@@ -8950,6 +8953,8 @@ index 0000000..104b919 +init_read_utmp(sandbox_x_domain) +init_dontaudit_write_utmp(sandbox_x_domain) + ++libs_dontaudit_setattr_lib_files(sandbox_x_domain) ++ +miscfiles_read_localization(sandbox_x_domain) +miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain) + @@ -9324,10 +9329,10 @@ index 1dc7a85..787df80 100644 + ') ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..708e1f2 100644 +index 7590165..9a7ebe5 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0) # Declarations # @@ -9360,25 +9365,27 @@ index 7590165..708e1f2 100644 -files_read_etc_files(seunshare_t) -files_mounton_all_poly_members(seunshare_t) ++dev_read_urand(seunshare_domain) + +-auth_use_nsswitch(seunshare_t) +files_search_all(seunshare_domain) +files_read_etc_files(seunshare_domain) +files_mounton_all_poly_members(seunshare_domain) +files_manage_generic_tmp_dirs(seunshare_domain) +files_relabelfrom_tmp_dirs(seunshare_domain) --auth_use_nsswitch(seunshare_t) +-logging_send_syslog_msg(seunshare_t) +fs_manage_cgroup_dirs(seunshare_domain) +fs_manage_cgroup_files(seunshare_domain) --logging_send_syslog_msg(seunshare_t) +-miscfiles_read_localization(seunshare_t) +auth_use_nsswitch(seunshare_domain) --miscfiles_read_localization(seunshare_t) +-userdom_use_user_terminals(seunshare_t) +logging_send_syslog_msg(seunshare_domain) --userdom_use_user_terminals(seunshare_t) +miscfiles_read_localization(seunshare_domain) - ++ +userdom_use_inherited_user_terminals(seunshare_domain) +userdom_list_user_home_content(seunshare_domain) ifdef(`hide_broken_symptoms', ` 
@@ -10429,8 +10436,17 @@ index 8bfe97d..6bba1a8 100644 userdom_user_home_content(wireshark_home_t) type wireshark_tmp_t; +diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc +index be30d55..93d128c 100644 +--- a/policy/modules/apps/wm.fc ++++ b/policy/modules/apps/wm.fc +@@ -1,3 +1,4 @@ + /usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) + /usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) + /usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) ++/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if -index 82842a0..4111a1d 100644 +index 82842a0..50c1a74 100644 --- a/policy/modules/apps/wm.if +++ b/policy/modules/apps/wm.if @@ -44,7 +44,7 @@ template(`wm_role_template',` @@ -10442,7 +10458,7 @@ index 82842a0..4111a1d 100644 allow $1_wm_t $3:process { signull sigkill }; allow $1_wm_t $3:dbus send_msg; -@@ -72,9 +72,15 @@ template(`wm_role_template',` +@@ -72,9 +72,16 @@ template(`wm_role_template',` auth_use_nsswitch($1_wm_t) @@ -10454,6 +10470,7 @@ index 82842a0..4111a1d 100644 + userdom_manage_home_role($2, $1_wm_t) + userdom_manage_tmpfs_role($2, $1_wm_t) + userdom_manage_tmp_role($2, $1_wm_t) ++ userdom_exec_user_tmp_files($1_wm_t) + optional_policy(` dbus_system_bus_client($1_wm_t) @@ -10844,7 +10861,7 @@ index 5a07a43..99c7564 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..f8de84b 100644 +index 0757523..7b77799 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; 
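Review bot: `userdom_exec_user_tmp_files($1_wm_t)` is added to `wm_role_template`, so every window-manager domain built from the template may execute files of the user tmp type, not only the gnome-shell binary that the wm.fc hunk labels. No domain transition is visible in this hunk, so such files would presumably run inside the WM domain, which the surrounding lines already let manage the user's home, tmp and tmpfs content. Anything running as the user can write to user tmp, so this is a broad grant. Add a comment naming the window manager that needs it, and consider placing the rule behind a boolean so it can be switched off. The template body starts and ends outside the hunk.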
@@ -10921,7 +10938,7 @@ index 0757523..f8de84b 100644 network_port(dbskkd, tcp,1178,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dccm, tcp,5679,s0, udp,5679,s0) -@@ -96,9 +117,12 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -96,9 +117,13 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -10930,11 +10947,12 @@ index 0757523..f8de84b 100644 network_port(epmap, tcp,135,s0, udp,135,s0) +network_port(festival, tcp,1314,s0) network_port(fingerd, tcp,79,s0) ++network_port(firebird, tcp,3050,s0, udp,3050,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -112,7 +136,7 @@ network_port(hddtemp, tcp,7634,s0) +@@ -112,7 +137,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port 
@@ -10943,7 +10961,7 @@ index 0757523..f8de84b 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -126,43 +150,58 @@ network_port(iscsi, tcp,3260,s0) +@@ -126,43 +151,58 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -11008,7 +11026,7 @@ index 0757523..f8de84b 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,24 +216,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -177,24 +217,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -11042,7 +11060,7 @@ index 0757523..f8de84b 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -205,16 +249,17 @@ network_port(transproxy, tcp,8081,s0) +@@ -205,16 +250,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
@@ -11063,7 +11081,7 @@ index 0757523..f8de84b 100644 network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) -@@ -276,5 +321,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn +@@ -276,5 +322,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. @@ -11101,7 +11119,7 @@ index 6cf8784..5b25039 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..6db0863 100644 +index e9313fb..f8b1eee 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -11256,7 +11274,174 @@ index e9313fb..6db0863 100644 ') ######################################## -@@ -920,7 +975,7 @@ interface(`dev_filetrans',` +@@ -841,6 +896,166 @@ interface(`dev_manage_all_dev_nodes',` + + ######################################## + ## ++## Check generic block device nodes ++## for read permission. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_check_read_generic_blk_dev_nodes',` ++ gen_require(` ++ attribute device_node; ++ type device_t; ++ ') ++ ++ allow $1 { device_t device_node }:blk_file read; ++') ++ ++######################################## ++## ++## Check generic block device nodes ++## for write permission. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_check_write_generic_blk_dev_nodes',` ++ gen_require(` ++ attribute device_node; ++ type device_t; ++ ') ++ ++ allow $1 { device_t device_node }:blk_file write; ++') ++ ++######################################## ++## ++## Check all character device nodes ++## for read permission. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_check_read_all_chr_dev_nodes',` ++ gen_require(` ++ attribute device_node, memory_raw_read; ++ type device_t; ++ ') ++ ++ allow $1 { device_t device_node }:chr_file read; ++ typeattribute $1 memory_raw_read; ++') ++ ++######################################## ++## ++## Check all character device nodes ++## for write permission. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_check_write_all_chr_dev_nodes',` ++ gen_require(` ++ attribute device_node, memory_raw_write; ++ type device_t; ++ ') ++ ++ allow $1 { device_t device_node }:chr_file write; ++ typeattribute $1 memory_raw_write; ++') ++ ++######################################## ++## ++## Create all character device_nodes. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_create_all_chr_dev_nodes',` ++ gen_require(` ++ attribute device_node; ++ type device_t; ++ ') ++ ++ create_chr_files_pattern($1, device_t, device_node) ++') ++ ++######################################## ++## ++## Create all block device_nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_create_all_blk_dev_nodes',` ++ gen_require(` ++ attribute device_node; ++ type device_t; ++ ') ++ ++ create_blk_files_pattern($1, device_t, device_node) ++') ++ ++######################################## ++## ++## Set attributes of all character ++## device_nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_all_chr_dev_nodes',` ++ gen_require(` ++ type device_t; ++ attribute device_node; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, { device_t device_node }) ++') ++ ++######################################## ++## ++## Set attributes of all block ++## device_nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_all_blk_dev_nodes',` ++ gen_require(` ++ type device_t; ++ attribute device_node; ++ ') ++ ++ setattr_blk_files_pattern($1, device_t, { device_t device_node }) ++') ++ ++######################################## ++## + ## Dontaudit getattr for generic device files. + ## + ## +@@ -920,7 +1135,7 @@ interface(`dev_filetrans',` type device_t; ') @@ -11265,7 +11450,7 @@ index e9313fb..6db0863 100644 dev_associate($2) files_associate_tmp($2) -@@ -1178,6 +1233,42 @@ interface(`dev_create_all_chr_files',` +@@ -1178,6 +1393,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -11308,7 +11493,7 @@ index e9313fb..6db0863 100644 ## Delete all block device files. ## ## -@@ -3192,24 +3283,6 @@ interface(`dev_rw_printer',` +@@ -3192,24 +3443,6 @@ interface(`dev_rw_printer',` ######################################## ## 
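Review bot: The summaries of the new `dev_check_*` interfaces in devices.if describe a permission check, but the rules grant the real permission. `dev_check_read_all_chr_dev_nodes` allows `chr_file read` on `{ device_t device_node }` and adds the caller to `memory_raw_read` with `typeattribute $1 memory_raw_read;`, and the write variant does the same with `memory_raw_write`. Those attributes presumably exempt a domain from the assertions guarding raw memory devices, so each doc block should carry a "trusted domains only" warning like the one on the storage.if interfaces in this patch, and say that `open` is deliberately not granted. The two `dev_check_*_generic_blk_dev_nodes` interfaces also apply to `device_node`, which covers all block nodes rather than only generic ones, so either the name and summary or the type set should be adjusted.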
@@ -11333,7 +11518,7 @@ index e9313fb..6db0863 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3793,6 +3866,24 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3793,6 +4026,24 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -11358,7 +11543,7 @@ index e9313fb..6db0863 100644 ## Search the sysfs directories. ## ## -@@ -3884,25 +3975,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3884,25 +4135,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -11384,7 +11569,7 @@ index e9313fb..6db0863 100644 ## Read hardware state information. ## ## -@@ -3954,6 +4026,42 @@ interface(`dev_rw_sysfs',` +@@ -3954,6 +4186,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -11427,7 +11612,7 @@ index e9313fb..6db0863 100644 ## Read and write the TPM device. ## ## -@@ -4514,6 +4622,24 @@ interface(`dev_rwx_vmware',` +@@ -4514,6 +4782,24 @@ interface(`dev_rwx_vmware',` ######################################## ## @@ -11452,7 +11637,7 @@ index e9313fb..6db0863 100644 ## Write to watchdog devices. ## ## -@@ -4748,3 +4874,751 @@ interface(`dev_unconfined',` +@@ -4748,3 +5034,752 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -11874,6 +12059,7 @@ index e9313fb..6db0863 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia7) + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia8) + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia9) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidiactl) + filetrans_pattern($1, device_t, nvram_device_t, chr_file, nvram) + filetrans_pattern($1, device_t, memory_device_t, chr_file, oldmem) + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, opengl) 
@@ -12536,7 +12722,7 @@ index bc534c1..b70ea07 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 16108f6..e76bf67 100644 +index 16108f6..de3c68f 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -12642,7 +12828,7 @@ index 16108f6..e76bf67 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -227,6 +241,8 @@ ifndef(`distro_redhat',` +@@ -227,23 +241,27 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -12651,7 +12837,11 @@ index 16108f6..e76bf67 100644 /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -237,13 +253,14 @@ ifndef(`distro_redhat',` + + /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) ++/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) + + /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/lost\+found/.* <> /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) @@ -12667,7 +12857,7 @@ index 16108f6..e76bf67 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -252,3 +269,7 @@ ifndef(`distro_redhat',` +@@ -252,3 +270,7 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -12676,7 +12866,7 @@ index 16108f6..e76bf67 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..4725d50 100644 +index 958ca84..4f3ff26 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` 
@@ -12778,6 +12968,15 @@ index 958ca84..4725d50 100644 ## List the contents of the root directory. ## ## +@@ -1526,7 +1596,7 @@ interface(`files_root_filetrans',` + type root_t; + ') + +- filetrans_pattern($1, root_t, $2, $3) ++ filetrans_pattern($1, root_t, $2, $3, $4) + ') + + ######################################## @@ -1731,6 +1801,24 @@ interface(`files_list_boot',` allow $1 boot_t:dir list_dir_perms; ') @@ -13322,6 +13521,15 @@ index 958ca84..4725d50 100644 ## ## ## +@@ -4103,7 +4579,7 @@ interface(`files_tmp_filetrans',` + type tmp_t; + ') + +- filetrans_pattern($1, tmp_t, $2, $3) ++ filetrans_pattern($1, tmp_t, $2, $3, $4) + ') + + ######################################## @@ -4127,6 +4603,15 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) @@ -15283,7 +15491,7 @@ index a9b8982..57c4a6a 100644 +/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 3723150..aa1ba6a 100644 +index 3723150..a137563 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` 
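Review bot: `files_root_filetrans` and `files_tmp_filetrans` now forward a fourth argument (`filetrans_pattern($1, root_t, $2, $3, $4)` and the `tmp_t` equivalent), but neither hunk touches the interface header comments, which start outside the hunks. If the parameter documentation was not extended elsewhere in the patch, add an optional `name` parameter entry to both headers. It should say that the argument is the object name for a named transition and that omitting it keeps the previous type-only behaviour.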
@@ -15295,7 +15503,41 @@ index 3723150..aa1ba6a 100644 typeattribute $1 fixed_disk_raw_read; ') -@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',` +@@ -152,6 +154,33 @@ interface(`storage_raw_write_fixed_disk',` + + ######################################## + ## ++## Directly check for write from a ++## fixed disk. This is extremly ++## dangerous as it can bypass the ++## SELinux protections for filesystem ++## objects, and should only be used ++## by trusted domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`storage_raw_check_write_fixed_disk',` ++ gen_require(` ++ attribute fixed_disk_raw_write; ++ type fixed_disk_device_t; ++ ') ++ ++ dev_list_all_dev_nodes($1) ++ allow $1 fixed_disk_device_t:blk_file write; ++ allow $1 fixed_disk_device_t:chr_file write; ++ typeattribute $1 fixed_disk_raw_write; ++') ++ ++######################################## ++## + ## Do not audit attempts made by the caller to write + ## fixed disk device nodes. + ## +@@ -203,7 +232,10 @@ interface(`storage_create_fixed_disk_dev',` type fixed_disk_device_t; ') 
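Review bot: `storage_raw_check_write_fixed_disk` is documented as a check, yet it grants `write` on `fixed_disk_device_t` block and character files and adds the caller to `fixed_disk_raw_write`. `storage_check_write_scsi_generic` in the next storage.if hunk does the same with `scsi_generic_write`. Membership in those attributes presumably exempts the domain from the assertions that keep other domains off raw disks, so a later rule adding `open` for the same domain would not be flagged. The summary should state that `write` without `open` is granted and why the attribute is needed. The wording also needs fixing: change "Directly check for write from a fixed disk. This is extremly" to `Directly check for write access to a fixed disk. This is extremely`, and likewise in the SCSI variant.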
@@ -15306,7 +15548,40 @@ index 3723150..aa1ba6a 100644 dev_add_entry_generic_dirs($1) ') -@@ -807,3 +812,265 @@ interface(`storage_unconfined',` +@@ -474,6 +506,32 @@ interface(`storage_write_scsi_generic',` + + ######################################## + ## ++## Directly check for write from any ++## SCSI device. This is extremly ++## dangerous as it can bypass the ++## SELinux protections for filesystem ++## objects, and should only be used ++## by trusted domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`storage_check_write_scsi_generic',` ++ gen_require(` ++ attribute scsi_generic_write; ++ type scsi_generic_device_t; ++ ') ++ ++ dev_list_all_dev_nodes($1) ++ allow $1 scsi_generic_device_t:chr_file write; ++ typeattribute $1 scsi_generic_write; ++') ++ ++######################################## ++## + ## Set attributes of the device nodes + ## for the SCSI generic inerface. + ## +@@ -807,3 +865,265 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') @@ -16348,7 +16623,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..db5a937 100644 +index 2be17d2..95ff489 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) @@ -16403,7 +16678,7 @@ index 2be17d2..db5a937 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +66,139 @@ optional_policy(` +@@ -27,25 +66,140 @@ optional_policy(` ') optional_policy(` @@ -16477,6 +16752,7 @@ index 2be17d2..db5a937 100644 optional_policy(` + qemu_run(staff_t, staff_r) + virt_manage_tmpfs_files(staff_t) ++ virt_user_home_dir_filetrans(staff_t) +') + +optional_policy(` @@ -16545,7 +16821,7 @@ index 2be17d2..db5a937 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -89,10 +242,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +243,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -16556,7 +16832,7 @@ index 2be17d2..db5a937 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +286,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +287,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16567,7 +16843,7 @@ index 2be17d2..db5a937 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +317,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +318,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -16576,7 +16852,7 @@ index 2be17d2..db5a937 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 4a8d146..d73faa1 100644 +index 4a8d146..65a8661 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,55 @@ ifndef(`enable_mls',` @@ -16643,15 +16919,18 @@ index 4a8d146..d73faa1 100644 ') tunable_policy(`allow_ptrace',` -@@ -69,7 +105,6 @@ optional_policy(` +@@ -67,9 +103,9 @@ optional_policy(` + + optional_policy(` apache_run_helper(sysadm_t, sysadm_r) ++ apache_filetrans_home_content(sysadm_t) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) - apache_role(sysadm_r, sysadm_t) ') optional_policy(` -@@ -98,6 +133,10 @@ optional_policy(` +@@ -98,6 +134,10 @@ optional_policy(` ') optional_policy(` @@ -16662,7 +16941,7 @@ index 4a8d146..d73faa1 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -114,7 +153,7 @@ optional_policy(` +@@ -114,7 +154,7 @@ optional_policy(` ') optional_policy(` @@ -16671,7 +16950,7 @@ index 4a8d146..d73faa1 100644 ') optional_policy(` -@@ -124,6 +163,10 @@ optional_policy(` +@@ -124,6 +164,10 @@ optional_policy(` ') optional_policy(` @@ -16682,7 +16961,7 @@ index 4a8d146..d73faa1 100644 ddcprobe_run(sysadm_t, sysadm_r) ') -@@ -163,6 +206,13 @@ optional_policy(` +@@ -163,6 +207,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) 
@@ -16696,12 +16975,13 @@ index 4a8d146..d73faa1 100644 ') optional_policy(` -@@ -170,15 +220,15 @@ optional_policy(` +@@ -170,15 +221,16 @@ optional_policy(` ') optional_policy(` - kudzu_run(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) ++ kerberos_filetrans_named_content(sysadm_t) ') optional_policy(` @@ -16715,7 +16995,7 @@ index 4a8d146..d73faa1 100644 ') optional_policy(` -@@ -198,18 +248,12 @@ optional_policy(` +@@ -198,22 +250,19 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -16736,7 +17016,14 @@ index 4a8d146..d73faa1 100644 ') optional_policy(` -@@ -225,6 +269,10 @@ optional_policy(` + mta_role(sysadm_r, sysadm_t) ++ # this is defined in userdom_common_user_template ++ #mta_filetrans_home_content(sysadm_t) ++ mta_filetrans_admin_home_content(sysadm_t) + ') + + optional_policy(` +@@ -225,6 +274,10 @@ optional_policy(` ') optional_policy(` @@ -16747,7 +17034,7 @@ index 4a8d146..d73faa1 100644 netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) -@@ -253,7 +301,7 @@ optional_policy(` +@@ -253,7 +306,7 @@ optional_policy(` ') optional_policy(` @@ -16756,7 +17043,7 @@ index 4a8d146..d73faa1 100644 ') optional_policy(` -@@ -265,20 +313,14 @@ optional_policy(` +@@ -265,20 +318,14 @@ optional_policy(` ') optional_policy(` @@ -16778,7 +17065,7 @@ index 4a8d146..d73faa1 100644 optional_policy(` rsync_exec(sysadm_t) -@@ -307,7 +349,7 @@ optional_policy(` +@@ -307,7 +354,7 @@ optional_policy(` ') optional_policy(` @@ -16787,7 +17074,7 @@ index 4a8d146..d73faa1 100644 ') optional_policy(` -@@ -332,10 +374,6 @@ optional_policy(` +@@ -332,10 +379,6 @@ optional_policy(` ') optional_policy(` 
@@ -16798,7 +17085,7 @@ index 4a8d146..d73faa1 100644 tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -343,19 +381,15 @@ optional_policy(` +@@ -343,19 +386,15 @@ optional_policy(` ') optional_policy(` @@ -16820,7 +17107,7 @@ index 4a8d146..d73faa1 100644 ') optional_policy(` -@@ -367,17 +401,14 @@ optional_policy(` +@@ -367,17 +406,14 @@ optional_policy(` ') optional_policy(` @@ -16840,16 +17127,17 @@ index 4a8d146..d73faa1 100644 ') optional_policy(` -@@ -389,7 +420,7 @@ optional_policy(` +@@ -389,7 +425,8 @@ optional_policy(` ') optional_policy(` - wireshark_role(sysadm_r, sysadm_t) + virt_stream_connect(sysadm_t) ++ virt_user_home_dir_filetrans(sysadm_t) ') optional_policy(` -@@ -404,8 +435,15 @@ optional_policy(` +@@ -404,8 +441,15 @@ optional_policy(` yam_run(sysadm_t, sysadm_r) ') @@ -16865,7 +17153,7 @@ index 4a8d146..d73faa1 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,6 +477,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +483,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -16873,7 +17161,7 @@ index 4a8d146..d73faa1 100644 ') optional_policy(` -@@ -452,5 +491,60 @@ ifndef(`distro_redhat',` +@@ -452,5 +497,60 @@ ifndef(`distro_redhat',` optional_policy(` java_role(sysadm_r, sysadm_t) ') @@ -17644,10 +17932,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..7d48821 +index 0000000..4c5f006 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,519 @@ +@@ -0,0 +1,525 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -17990,6 +18278,10 @@ index 0000000..7d48821 +') + +optional_policy(` ++ kerberos_filetrans_named_content(unconfined_t) ++') ++ ++optional_policy(` + livecd_run(unconfined_t, unconfined_r) +') + 
@@ -18021,6 +18313,10 @@ index 0000000..7d48821 +') + +optional_policy(` ++ mta_filetrans_named_content(unconfined_t) ++') ++ ++optional_policy(` + ncftool_run(unconfined_t, unconfined_r) +') + @@ -18072,10 +18368,6 @@ index 0000000..7d48821 +') + +optional_policy(` -+ sendmail_run_unconfined(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + sysnet_run_dhcpc(unconfined_t, unconfined_r) + sysnet_dbus_chat_dhcpc(unconfined_t) + sysnet_role_transition_dhcpc(unconfined_r) @@ -18091,6 +18383,7 @@ index 0000000..7d48821 + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) ++ virt_user_home_dir_filetrans(unconfined_t) +') + +optional_policy(` @@ -18107,6 +18400,7 @@ index 0000000..7d48821 + +optional_policy(` + xserver_run(unconfined_t, unconfined_r) ++ xserver_manage_home_fonts(unconfined_t) +') + +######################################## @@ -19292,7 +19586,7 @@ index 0370dba..af5d229 100644 # interface(`aisexec_domtrans',` diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te -index 97c9cae..c24bd66 100644 +index 97c9cae..568e37d 100644 --- a/policy/modules/services/aisexec.te +++ b/policy/modules/services/aisexec.te @@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t) @@ -19304,7 +19598,7 @@ index 97c9cae..c24bd66 100644 allow aisexec_t self:process { setrlimit setsched signal }; allow aisexec_t self:fifo_file rw_fifo_file_perms; allow aisexec_t self:sem create_sem_perms; -@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t) +@@ -81,11 +81,18 @@ logging_send_syslog_msg(aisexec_t) miscfiles_read_localization(aisexec_t) @@ -19314,6 +19608,15 @@ index 97c9cae..c24bd66 100644 optional_policy(` ccs_stream_connect(aisexec_t) ') + + optional_policy(` ++ corosync_domtrans(aisexec_t) ++') ++ ++optional_policy(` + # to communication with RHCS + rhcs_rw_dlm_controld_semaphores(aisexec_t) + diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc new file mode 100644 index 0000000..aeb1888 
@@ -20293,7 +20596,7 @@ index 6480167..1440827 100644 + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, web) ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..64d69b0 100644 +index 3136c6a..26669be 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -20684,7 +20987,7 @@ index 3136c6a..64d69b0 100644 libs_read_lib_files(httpd_t) -@@ -416,34 +510,73 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +510,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -20718,6 +21021,7 @@ index 3136c6a..64d69b0 100644 ') +tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_firebird_port(httpd_t) + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) + corenet_tcp_connect_oracledb_port(httpd_t) @@ -20760,7 +21064,7 @@ index 3136c6a..64d69b0 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +589,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +590,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -20771,7 +21075,7 @@ index 3136c6a..64d69b0 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +603,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +604,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') 
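Review bot: Under `httpd_can_network_connect_db`, the new `corenet_tcp_connect_firebird_port(httpd_t)` has no companion packet rule, whereas the mssql line directly after it is paired with `corenet_sendrecv_mssql_client_packets(httpd_t)`. The later apache.te hunk that adds `corenet_tcp_connect_firebird_port(httpd_php_t)` has the same gap. For consistency, and so the boolean also works where packet labelling is enforced, add `corenet_sendrecv_firebird_client_packets(httpd_t)` and the `httpd_php_t` equivalent; the `network_port(firebird, ...)` declaration in corenetwork.te.in should generate that interface. The tunable block continues outside the hunk.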
@@ -20801,7 +21105,7 @@ index 3136c6a..64d69b0 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +633,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +634,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -20818,7 +21122,7 @@ index 3136c6a..64d69b0 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +657,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +658,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -20839,7 +21143,7 @@ index 3136c6a..64d69b0 100644 ') optional_policy(` -@@ -513,7 +681,13 @@ optional_policy(` +@@ -513,7 +682,13 @@ optional_policy(` ') optional_policy(` @@ -20854,7 +21158,7 @@ index 3136c6a..64d69b0 100644 ') optional_policy(` -@@ -528,7 +702,18 @@ optional_policy(` +@@ -528,7 +703,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -20874,7 +21178,7 @@ index 3136c6a..64d69b0 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +722,13 @@ optional_policy(` +@@ -537,8 +723,13 @@ optional_policy(` ') optional_policy(` @@ -20889,7 +21193,7 @@ index 3136c6a..64d69b0 100644 ') ') -@@ -556,7 +746,13 @@ optional_policy(` +@@ -556,7 +747,13 @@ optional_policy(` ') optional_policy(` @@ -20903,7 +21207,7 @@ index 3136c6a..64d69b0 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +763,7 @@ optional_policy(` +@@ -567,6 +764,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -20911,7 +21215,7 @@ index 3136c6a..64d69b0 100644 ') optional_policy(` -@@ -577,6 +774,16 @@ optional_policy(` +@@ -577,6 +775,16 @@ optional_policy(` ') optional_policy(` 
@@ -20928,7 +21232,7 @@ index 3136c6a..64d69b0 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +798,11 @@ optional_policy(` +@@ -591,6 +799,11 @@ optional_policy(` ') optional_policy(` @@ -20940,7 +21244,7 @@ index 3136c6a..64d69b0 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +815,11 @@ optional_policy(` +@@ -603,6 +816,11 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -20952,7 +21256,7 @@ index 3136c6a..64d69b0 100644 ######################################## # # Apache helper local policy -@@ -616,7 +833,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +834,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -20965,7 +21269,7 @@ index 3136c6a..64d69b0 100644 ######################################## # -@@ -654,28 +875,29 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +876,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -20982,6 +21286,7 @@ index 3136c6a..64d69b0 100644 - corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) - corenet_tcp_connect_mssql_port(httpd_suexec_t) - corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_firebird_port(httpd_php_t) + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) + corenet_tcp_connect_oracledb_port(httpd_php_t) 
@@ -21008,7 +21313,7 @@ index 3136c6a..64d69b0 100644 ') ######################################## -@@ -699,17 +921,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +923,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -21034,11 +21339,12 @@ index 3136c6a..64d69b0 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +967,26 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +969,27 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') +tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_firebird_port(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + corenet_tcp_connect_oracledb_port(httpd_suexec_t) @@ -21062,7 +21368,7 @@ index 3136c6a..64d69b0 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1009,25 @@ optional_policy(` +@@ -769,6 +1012,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -21088,7 +21394,7 @@ index 3136c6a..64d69b0 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1048,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1051,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -21106,7 +21412,7 @@ index 3136c6a..64d69b0 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1067,49 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1070,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -21117,6 +21423,7 @@ index 3136c6a..64d69b0 100644 +') + +tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_firebird_port(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) + corenet_tcp_connect_oracledb_port(httpd_sys_script_t) @@ -21162,7 +21469,7 @@ index 3136c6a..64d69b0 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1117,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1121,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -21193,7 +21500,7 @@ index 3136c6a..64d69b0 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1152,20 @@ optional_policy(` +@@ -842,10 +1156,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -21214,7 +21521,7 @@ index 3136c6a..64d69b0 100644 ') ######################################## -@@ -891,11 +1211,21 @@ optional_policy(` +@@ -891,11 +1215,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
@@ -22740,6 +23047,16 @@ index 0000000..e7d2a5b +dev_search_sysfs(cachefiles_kernel_t) + +init_sigchld_script(cachefiles_kernel_t) +diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc +index 5432d0e..f77df02 100644 +--- a/policy/modules/services/canna.fc ++++ b/policy/modules/services/canna.fc +@@ -20,4 +20,4 @@ + + /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) + /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) +-/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) ++/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0) diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te index 1d25efe..1b16191 100644 --- a/policy/modules/services/canna.te @@ -24299,10 +24616,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..eba511c +index 0000000..e79f653 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,81 @@ +@@ -0,0 +1,96 @@ +policy_module(colord,1.0.0) + +######################################## @@ -24367,6 +24684,17 @@ index 0000000..eba511c + +sysnet_dns_name_resolve(colord_t) + ++fs_search_all(colord_t) ++fs_read_noxattr_fs_files(colord_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(colord_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(colord_t) ++') ++ +optional_policy(` + cups_read_config(colord_t) + cups_read_rw_config(colord_t) @@ -24375,6 +24703,10 @@ index 0000000..eba511c +') + +optional_policy(` ++ gnome_read_gconf_home_files(colord_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(colord_t) + policykit_domtrans_auth(colord_t) + policykit_read_lib(colord_t) 
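Review bot: `fs_search_all(colord_t)` and `fs_read_noxattr_fs_files(colord_t)` are granted unconditionally in colord.te, while the NFS and CIFS reads added right after them sit behind `use_nfs_home_dirs` and `use_samba_home_dirs`. That leaves colord able to read any file on a filesystem without xattr support, which presumably includes removable media, with no switch for an administrator to turn it off. If the access is needed only for ICC profiles, I would record that above the two lines, for example `# colord reads colour profiles from media without xattr support (read-only)`, and consider whether the search on all filesystems can be narrowed to match.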
@@ -31044,7 +31376,7 @@ index 3525d24..923e979 100644 /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..65fdeb0 100644 +index 604f67b..414cfb4 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ @@ -31108,7 +31440,7 @@ index 604f67b..65fdeb0 100644 + ') + + allow $1 krb5_keytab_t:file manage_file_perms; -+ files_etc_filetrans($1, krb5_keytab_t, file) ++ files_etc_filetrans($1, krb5_keytab_t, file, $2) +') + +######################################## @@ -31173,7 +31505,7 @@ index 604f67b..65fdeb0 100644 ') allow $1 kadmind_t:process { ptrace signal_perms }; -@@ -378,3 +374,41 @@ interface(`kerberos_admin',` +@@ -378,3 +374,110 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -31189,12 +31521,12 @@ index 604f67b..65fdeb0 100644 +## +## +# -+interface(`mta_tmp_filetrans_host_rcache',` ++interface(`kerberos_tmp_filetrans_host_rcache',` + gen_require(` + type krb5_host_rcache_t; + ') + -+ files_tmp_filetrans($1, krb5_host_rcache_t, file) ++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) +') + +######################################## 
@@ -31215,8 +31547,77 @@ index 604f67b..65fdeb0 100644 + userdom_search_user_home_dirs($1) + read_files_pattern($1, krb5_home_t, krb5_home_t) +') ++ ++######################################## ++## ++## create kerberos content in the in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kerberos_filetrans_admin_home_content',` ++ gen_require(` ++ type kerberos_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, kerberos_home_t, file, .k5login) ++') ++ ++######################################## ++## ++## Transition to kerberos named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kerberos_filetrans_home_content',` ++ gen_require(` ++ type kerberos_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, kerberos_home_t, file, .k5login) ++') ++ ++######################################## ++## ++## Transition to apache named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kerberos_filetrans_named_content',` ++ gen_require(` ++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; ++ type krb5kdc_principal_t; ++ ') ++ ++ files_etc_filetrans($1, krb5_conf_t, file, krb5.conf) ++ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, kadm5.keytab) ++ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal) ++ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal0) ++ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal1) ++ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal1) ++ ++ kerberos_etc_filetrans_keytab($1, krb5.keytab) ++ # this is defined in userdom_login_user_template ++ #kerberos_filetrans_home_content($1) ++ kerberos_filetrans_admin_home_content($1) ++ ++ kerberos_tmp_filetrans_host_rcache($1, host_0) ++ kerberos_tmp_filetrans_host_rcache($1, HTTP_23) ++') 
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te -index 8edc29b..09dac65 100644 +index 8edc29b..92dde2c 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0) @@ -31260,6 +31661,15 @@ index 8edc29b..09dac65 100644 # types for KDC principal file(s) type krb5kdc_principal_t; +@@ -80,7 +80,7 @@ files_pid_file(krb5kdc_var_run_t) + # Use capabilities. Surplus capabilities may be allowed. + allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; + dontaudit kadmind_t self:capability sys_tty_config; +-allow kadmind_t self:process { setfscreate signal_perms }; ++allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; + allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; + allow kadmind_t self:unix_dgram_socket { connect create write }; + allow kadmind_t self:tcp_socket connected_stream_socket_perms; @@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms; dontaudit kadmind_t krb5_conf_t:file write; @@ -32012,7 +32422,7 @@ index 67c7fdd..84b7626 100644 files_list_var_lib(mailman_$1_t) files_read_var_lib_symlinks(mailman_$1_t) diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te -index af4d572..0fd2357 100644 +index af4d572..999384c 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -61,14 +61,18 @@ optional_policy(` @@ -32036,7 +32446,7 @@ index af4d572..0fd2357 100644 files_search_spool(mailman_mail_t) fs_rw_anon_inodefs_files(mailman_mail_t) -@@ -81,6 +85,10 @@ optional_policy(` +@@ -81,11 +85,16 @@ optional_policy(` ') optional_policy(` 
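Review bot: `kerberos_filetrans_admin_home_content` and `kerberos_filetrans_home_content` in kerberos.if both require `type kerberos_home_t;`, but the read interface kept as context at the top of the same hunk uses `krb5_home_t` for this home content. Unless kerberos.te declares a separate kerberos_home_t (not visible here), the require cannot be satisfied, which either breaks the build or, when the caller sits in an optional_policy block, quietly disables that whole block. I would use `type krb5_home_t;` with `userdom_admin_home_dir_filetrans($1, krb5_home_t, file, .k5login)`, and likewise in the user variant. The summary of `kerberos_filetrans_named_content` still reads "Transition to apache named content" and should name kerberos, and the interfaces that now forward `$2` should document the new name parameter.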
@@ -32047,7 +32457,13 @@ index af4d572..0fd2357 100644 cron_read_pipes(mailman_mail_t) ') -@@ -104,6 +112,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) + optional_policy(` + postfix_search_spool(mailman_mail_t) ++ postfix_rw_master_pipes(mailman_mail_t) + ') + + ######################################## +@@ -104,6 +113,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) kernel_read_proc_symlinks(mailman_queue_t) @@ -32056,7 +32472,7 @@ index af4d572..0fd2357 100644 auth_domtrans_chk_passwd(mailman_queue_t) files_dontaudit_search_pids(mailman_queue_t) -@@ -125,4 +135,4 @@ optional_policy(` +@@ -125,4 +136,4 @@ optional_policy(` optional_policy(` su_exec(mailman_queue_t) @@ -33662,7 +34078,7 @@ index 256166a..df99841 100644 /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..3d7edf0 100644 +index 343cee3..0fbbe06 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -33831,6 +34247,15 @@ index 343cee3..3d7edf0 100644 ') ######################################## +@@ -532,7 +570,7 @@ interface(`mta_etc_filetrans_aliases',` + type etc_aliases_t; + ') + +- files_etc_filetrans($1, etc_aliases_t, file) ++ files_etc_filetrans($1, etc_aliases_t, file, $2) + ') + + ######################################## @@ -552,7 +590,7 @@ interface(`mta_rw_aliases',` ') @@ -33871,7 +34296,7 @@ index 343cee3..3d7edf0 100644 ') ######################################## -@@ -899,3 +937,50 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +937,112 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') 
@@ -33922,6 +34347,68 @@ index 343cee3..3d7edf0 100644 + userdom_search_admin_dir($1) + ') +') ++ ++######################################## ++## ++## create mail content in the in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_filetrans_admin_home_content',` ++ gen_require(` ++ type mail_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, dead.letter) ++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, .forward) ++') ++ ++######################################## ++## ++## Transition to mta named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_filetrans_home_content',` ++ gen_require(` ++ type mail_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, mail_home_t, file, dead.letter) ++ userdom_user_home_dir_filetrans($1, mail_home_t, file, .forward) ++') ++ ++######################################## ++## ++## Transition to apache named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_filetrans_named_content',` ++ gen_require(` ++ type etc_aliases_t; ++ type etc_mail_t; ++ ') ++ ++ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file }) ++ mta_etc_filetrans_aliases($1, aliases) ++ mta_etc_filetrans_aliases($1, aliases.db) ++ mta_filetrans_home_content($1) ++ mta_filetrans_admin_home_content($1) ++') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 64268e4..9ddac52 100644 --- a/policy/modules/services/mta.te @@ -43196,7 +43683,7 @@ index f1aea88..a5a75a8 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te -index 22184ad..d87a3f0 100644 +index 22184ad..3d85b76 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) 
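Review bot: In `mta_filetrans_named_content`, `filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })` carries no object name, so every file and directory the caller creates under an etc_mail_t directory is labeled etc_aliases_t, not only the alias databases. The unconfined.te hunk earlier in this patch calls the interface for unconfined_t, so this would apply to anything an administrator creates there. If only the alias files are meant, name them as the rest of the interface does: `filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, aliases)` and `filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, aliases.db)`. The summary also still says "Transition to apache named content" and should name mta.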
@@ -43216,7 +43703,7 @@ index 22184ad..d87a3f0 100644 -allow saslauthd_t saslauthd_tmp_t:dir setattr; -manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) -files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) -+mta_tmp_filetrans_host_rcache(saslauthd_t) ++kerberos_tmp_filetrans_host_rcache(saslauthd_t) +manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) @@ -43354,20 +43841,22 @@ index 7e94c7c..5700fb8 100644 + admin_pattern($1, mail_spool_t) +') diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te -index 22dac1f..b6781d5 100644 +index 22dac1f..c3cf42a 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te -@@ -19,6 +19,9 @@ mta_sendmail_mailserver(sendmail_t) +@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t) mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) +-type unconfined_sendmail_t; +-application_domain(unconfined_sendmail_t, sendmail_exec_t) +-role system_r types unconfined_sendmail_t; +type sendmail_initrc_exec_t; +init_script_file(sendmail_initrc_exec_t) -+ - type unconfined_sendmail_t; - application_domain(unconfined_sendmail_t, sendmail_exec_t) - role system_r types unconfined_sendmail_t; -@@ -84,12 +87,14 @@ files_read_usr_files(sendmail_t) + + ######################################## + # +@@ -84,12 +83,14 @@ files_read_usr_files(sendmail_t) files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) @@ -43382,7 +43871,7 @@ index 22dac1f..b6781d5 100644 auth_use_nsswitch(sendmail_t) -@@ -103,7 +108,7 @@ miscfiles_read_generic_certs(sendmail_t) +@@ -103,7 +104,7 @@ miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) 
@@ -43391,7 +43880,7 @@ index 22dac1f..b6781d5 100644 mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -149,7 +154,9 @@ optional_policy(` +@@ -149,7 +150,9 @@ optional_policy(` ') optional_policy(` @@ -43401,23 +43890,29 @@ index 22dac1f..b6781d5 100644 postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,6 +175,10 @@ optional_policy(` +@@ -168,20 +171,13 @@ optional_policy(` ') optional_policy(` +- udev_read_db(sendmail_t) + spamd_stream_connect(sendmail_t) -+') -+ -+optional_policy(` - udev_read_db(sendmail_t) ') -@@ -183,5 +194,5 @@ optional_policy(` + optional_policy(` +- uucp_domtrans_uux(sendmail_t) ++ udev_read_db(sendmail_t) + ') +-######################################## +-# +-# Unconfined sendmail local policy +-# Allow unconfined domain to run newalias and have transitions work +-# +- optional_policy(` - mta_etc_filetrans_aliases(unconfined_sendmail_t) +- mta_etc_filetrans_aliases(unconfined_sendmail_t) - unconfined_domain(unconfined_sendmail_t) -+ unconfined_domain_noaudit(unconfined_sendmail_t) ++ uucp_domtrans_uux(sendmail_t) ') diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if index bcdd16c..7c379a8 100644 @@ -44606,7 +45101,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..7631609 100644 +index 22adaca..de9d29e 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -44677,7 +45172,7 @@ index 22adaca..7631609 100644 type $1_t, ssh_server; auth_login_pgm_domain($1_t) -@@ -181,16 +179,16 @@ template(`ssh_server_template', ` +@@ -181,16 +179,17 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t) 
@@ -44685,7 +45180,8 @@ index 22adaca..7631609 100644 + allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; -+ allow $1_t self:process { signal getsched setsched setrlimit setexec }; ++ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec }; ++ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: @@ -44697,7 +45193,7 @@ index 22adaca..7631609 100644 term_create_pty($1_t, $1_devpts_t) manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -@@ -206,6 +204,7 @@ template(`ssh_server_template', ` +@@ -206,6 +205,7 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) @@ -44705,7 +45201,7 @@ index 22adaca..7631609 100644 corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,8 +219,11 @@ template(`ssh_server_template', ` +@@ -220,8 +220,11 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) @@ -44718,7 +45214,7 @@ index 22adaca..7631609 100644 fs_dontaudit_getattr_all_fs($1_t) -@@ -234,6 +236,7 @@ template(`ssh_server_template', ` +@@ -234,6 +237,7 @@ template(`ssh_server_template', ` corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -44726,7 +45222,7 @@ index 22adaca..7631609 100644 files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -243,13 +246,17 @@ template(`ssh_server_template', ` +@@ -243,13 +247,17 @@ template(`ssh_server_template', ` miscfiles_read_localization($1_t) 
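Review bot: The ssh.if hunk replaces one `allow $1_t self:process` rule with two rules that grant the same permission set in a different order, `{ getcap signal getsched setsched setrlimit setexec }` and `{ signal getcap getsched setsched setrlimit setexec }`. The second line is redundant and looks like a merge leftover; keep a single `allow $1_t self:process { getcap getsched setsched setrlimit setexec signal };`. The commit message mentions getcap and setcap for init_t only, so a one-line comment saying why the ssh server template needs getcap would help the next reader. ssh_server_template starts and ends outside this hunk.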
@@ -44746,7 +45242,7 @@ index 22adaca..7631609 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) fs_read_nfs_symlinks($1_t) -@@ -268,6 +275,14 @@ template(`ssh_server_template', ` +@@ -268,6 +276,14 @@ template(`ssh_server_template', ` files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') @@ -44761,7 +45257,7 @@ index 22adaca..7631609 100644 ') ######################################## -@@ -290,11 +305,11 @@ template(`ssh_server_template', ` +@@ -290,11 +306,11 @@ template(`ssh_server_template', ` ## User domain for the role ## ## @@ -44774,7 +45270,7 @@ index 22adaca..7631609 100644 type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; type ssh_agent_tmp_t; -@@ -327,7 +342,7 @@ template(`ssh_role_template',` +@@ -327,7 +343,7 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -44783,7 +45279,7 @@ index 22adaca..7631609 100644 # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; -@@ -338,6 +353,7 @@ template(`ssh_role_template',` +@@ -338,6 +354,7 @@ template(`ssh_role_template',` manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) @@ -44791,7 +45287,7 @@ index 22adaca..7631609 100644 ############################## # -@@ -359,7 +375,7 @@ template(`ssh_role_template',` +@@ -359,7 +376,7 @@ template(`ssh_role_template',` stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. @@ -44800,7 +45296,7 @@ index 22adaca..7631609 100644 # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -381,7 +397,6 @@ template(`ssh_role_template',` +@@ -381,7 +398,6 @@ template(`ssh_role_template',` files_read_etc_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t) 
@@ -44808,7 +45304,7 @@ index 22adaca..7631609 100644 libs_read_lib_files($1_ssh_agent_t) -@@ -393,14 +408,13 @@ template(`ssh_role_template',` +@@ -393,14 +409,13 @@ template(`ssh_role_template',` seutil_dontaudit_read_config($1_ssh_agent_t) # Write to the user domain tty. @@ -44826,7 +45322,7 @@ index 22adaca..7631609 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -477,8 +491,9 @@ interface(`ssh_read_pipes',` +@@ -477,8 +492,9 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -44837,7 +45333,7 @@ index 22adaca..7631609 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +509,7 @@ interface(`ssh_rw_pipes',` +@@ -494,7 +510,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -44846,7 +45342,7 @@ index 22adaca..7631609 100644 ') ######################################## -@@ -586,6 +601,24 @@ interface(`ssh_domtrans',` +@@ -586,6 +602,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -44871,7 +45367,7 @@ index 22adaca..7631609 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +651,7 @@ interface(`ssh_setattr_key_files',` +@@ -618,7 +652,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -44880,7 +45376,7 @@ index 22adaca..7631609 100644 files_search_pids($1) ') -@@ -680,6 +713,32 @@ interface(`ssh_domtrans_keygen',` +@@ -680,6 +714,32 @@ interface(`ssh_domtrans_keygen',` domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -44913,7 +45409,7 @@ index 22adaca..7631609 100644 ######################################## ## ## Read ssh server keys -@@ -695,7 +754,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +755,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') 
@@ -44922,7 +45418,7 @@ index 22adaca..7631609 100644 ') ###################################### -@@ -735,3 +794,59 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +795,61 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -44962,6 +45458,7 @@ index 22adaca..7631609 100644 + ') + + userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, .ssh) ++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, .shosts) +') + +######################################## @@ -44981,6 +45478,7 @@ index 22adaca..7631609 100644 + ') + + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, .ssh) ++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, .shosts) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 2dad3c8..c71bdb9 100644 @@ -46524,16 +47022,18 @@ index 32a3c13..7baeb6f 100644 optional_policy(` diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc -index 2124b6a..1b33cbb 100644 +index 2124b6a..9682c44 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc -@@ -1,4 +1,5 @@ +@@ -1,5 +1,6 @@ -HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) - HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ++HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) @@ -13,17 +14,25 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) 
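Review bot: The two added `.shosts` transitions use object class `dir`, but the ssh.fc context in this patch labels `/root/\.shosts` as a single path with no `(/.*)?` suffix, which points to a regular file. A named transition fires only when the class matches, so a `.shosts` file created by the caller would keep the default home label until it is relabeled. Because `.shosts` feeds host-based authentication, the label should be right at creation time. I would change both lines to class `file`: `userdom_admin_home_dir_filetrans($1, ssh_home_t, file, .shosts)` in the admin interface and `userdom_user_home_dir_filetrans($1, ssh_home_t, file, .shosts)` in the user interface that follows.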
@@ -46564,7 +47064,7 @@ index 2124b6a..1b33cbb 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..b961fd7 100644 +index 7c5d8d8..05a7054 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -13,14 +13,15 @@ @@ -46832,7 +47332,7 @@ index 7c5d8d8..b961fd7 100644 ') allow $1 virtd_t:process { ptrace signal_perms }; -@@ -515,4 +590,149 @@ interface(`virt_admin',` +@@ -515,4 +590,169 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -46981,6 +47481,26 @@ index 7c5d8d8..b961fd7 100644 + ') + + allow $1 virt_tmpfs_type:file manage_file_perms; ++') ++ ++######################################## ++## ++## Create .virt directory in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_user_home_dir_filetrans',` ++ gen_require(` ++ type virt_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, .libvirt) ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, .virtinst) ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 3eca020..f715498 100644 @@ -47842,7 +48362,7 @@ index aa6e5a8..42a0efb 100644 ######################################## ## diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 6f1e3c7..62b0b98 100644 +index 6f1e3c7..a3986f4 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,23 @@ 
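Review bot: `virt_user_home_dir_filetrans` adds named transitions for `.libvirt` and `.virtinst` only, while the virt.fc hunk of the same commit also moves `HOME_DIR/VirtualMachines` to virt_home_t. A VirtualMachines directory created at runtime would therefore keep the default home label until a relabel, unlike the other two. If that is not intended, add `userdom_user_home_dir_filetrans($1, virt_home_t, dir, VirtualMachines)`. The summary says "Create .virt directory", which matches neither name, and should list the directories the interface actually covers.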
@@ -47856,9 +48376,9 @@ index 6f1e3c7..62b0b98 100644 HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) -+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) @@ -47976,7 +48496,7 @@ index 6f1e3c7..62b0b98 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..33c8170 100644 +index 130ced9..ade50fd 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ 
@@ -48201,19 +48721,29 @@ index 130ced9..33c8170 100644 ') ####################################### -@@ -444,8 +481,8 @@ template(`xserver_object_types_template',` +@@ -444,8 +481,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` - type xdm_t, xdm_tmp_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + type xdm_t, xdm_tmp_t, xserver_tmpfs_t; ++ type xdm_home_t; + type xauth_home_t, iceauth_home_t, xserver_t; ') allow $2 self:shm create_shm_perms; -@@ -458,9 +495,9 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +494,18 @@ template(`xserver_user_x_domain_template',` + allow $2 xauth_home_t:file read_file_perms; + allow $2 iceauth_home_t:file read_file_perms; ++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, .DCOP) ++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, .ICEauthority) ++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, .Xauthority) ++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, .xauth) ++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, .xsession-errors) ++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, .dmrc) ++ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; @@ -48224,7 +48754,7 @@ index 130ced9..33c8170 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +509,25 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +517,25 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -48252,7 +48782,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -517,6 +559,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; 
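Review bot: The six `userdom_user_home_dir_filetrans` lines added to `xserver_user_x_domain_template` give every X client domain a type transition to iceauth_home_t, xauth_home_t or xdm_home_t, yet the only rules visible for `$2` on those types are `read_file_perms` on xauth_home_t and iceauth_home_t. A transition without create permission on the target type turns a previously working create of, say, `.dmrc` into a denial, unless that permission is granted elsewhere in the template, which starts and ends outside this hunk. As far as I know named transitions match the exact file name, so `.DCOP` and `.xauth` would not cover the suffixed names that the `\.DCOP.*` and `\.xauth.*` file-context patterns expect. I would put a comment above the block saying which domains are expected to create these files, and grant the matching create permission or drop the transition for the others.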
@@ -48260,7 +48790,7 @@ index 130ced9..33c8170 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -545,6 +588,28 @@ interface(`xserver_domtrans_xauth',` +@@ -545,6 +596,28 @@ interface(`xserver_domtrans_xauth',` ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -48289,7 +48819,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -598,6 +663,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -48297,7 +48827,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -615,7 +681,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -48306,7 +48836,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -651,7 +717,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +725,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -48315,7 +48845,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -670,7 +736,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +744,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -48324,7 +48854,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -688,7 +754,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +762,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -48333,7 +48863,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -703,12 +769,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +777,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` 
@@ -48347,7 +48877,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -724,11 +789,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +797,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -48381,7 +48911,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -765,7 +850,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +858,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -48390,7 +48920,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -805,7 +890,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +898,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -48418,7 +48948,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -897,7 +1001,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1009,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -48427,7 +48957,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -916,7 +1020,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1028,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -48436,7 +48966,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -963,6 +1067,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1075,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -48482,7 +49012,7 @@ index 130ced9..33c8170 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1119,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1127,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') 
@@ -48491,7 +49021,7 @@ index 130ced9..33c8170 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1181,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1189,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -48534,7 +49064,7 @@ index 130ced9..33c8170 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1231,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1239,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -48543,7 +49073,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -1070,8 +1249,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1257,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -48555,7 +49085,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -1185,6 +1366,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1374,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -48582,7 +49112,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -1210,7 +1411,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1419,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -48591,7 +49121,7 @@ index 130ced9..33c8170 100644 ## ## ## -@@ -1220,13 +1421,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1429,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` 
@@ -48616,7 +49146,7 @@ index 130ced9..33c8170 100644 ') ######################################## -@@ -1243,10 +1454,392 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1462,397 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -49002,7 +49532,7 @@ index 130ced9..33c8170 100644 +# +interface(`xserver_manage_home_fonts',` + gen_require(` -+ type user_fonts_t, user_fonts_config_t; ++ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t; + ') + + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) @@ -49010,9 +49540,14 @@ index 130ced9..33c8170 100644 + manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ++ ++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .k5login) ++ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts.d) ++ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts) ++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, .fontconfig) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 6c01261..3f91fd9 100644 +index 6c01261..8cb530b 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -49334,7 +49869,7 @@ index 6c01261..3f91fd9 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -302,20 +415,33 @@ optional_policy(` +@@ -302,20 +415,38 @@ optional_policy(` # XDM Local policy # 
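Review bot: In `xserver_manage_home_fonts`, the rule `userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .k5login)` labels a newly created `~/.k5login` as font configuration, which looks like a copy-and-paste slip. `.k5login` is the Kerberos file listing the principals allowed to log in as the user, so any caller of this interface that creates it would leave an authorization file under a type that the same interface lets every font-managing domain rewrite via `manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)`. Presumably the per-user fontconfig file was intended, e.g. `userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .fonts.conf)`; please confirm the name against the file-context entry for `user_fonts_config_t`. Separately, `.fontconfig` now transitions to `user_fonts_cache_t` (added to `gen_require` in the preceding hunk), but no manage rule for that type is visible in the interface, one line of which falls between the two hunks, so creating that directory may be denied unless callers get the access elsewhere.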
@@ -49364,6 +49899,11 @@ index 6c01261..3f91fd9 100644 + +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) ++userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .DCOP) ++userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .ICEauthority) ++userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauthority) ++userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .xauth) ++userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauth) + +#Handle mislabeled files in homedir +userdom_delete_user_home_content_files(xdm_t) @@ -49372,7 +49912,7 @@ index 6c01261..3f91fd9 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -323,43 +449,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -323,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -49441,7 +49981,7 @@ index 6c01261..3f91fd9 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -368,18 +513,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -368,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -49469,7 +50009,7 @@ index 6c01261..3f91fd9 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -391,18 +544,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -391,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) 
@@ -49493,7 +50033,7 @@ index 6c01261..3f91fd9 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -411,18 +568,24 @@ dev_setattr_xserver_misc_dev(xdm_t) +@@ -411,18 +573,24 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -49521,7 +50061,7 @@ index 6c01261..3f91fd9 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -433,9 +596,23 @@ files_list_mnt(xdm_t) +@@ -433,9 +601,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -49545,7 +50085,7 @@ index 6c01261..3f91fd9 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -444,28 +621,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -444,28 +626,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -49584,7 +50124,7 @@ index 6c01261..3f91fd9 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -474,9 +659,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -474,9 +664,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -49615,7 +50155,7 @@ index 6c01261..3f91fd9 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -492,6 +698,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -492,6 +703,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') 
@@ -49630,7 +50170,7 @@ index 6c01261..3f91fd9 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -505,11 +719,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -505,11 +724,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -49652,7 +50192,7 @@ index 6c01261..3f91fd9 100644 ') optional_policy(` -@@ -517,7 +741,43 @@ optional_policy(` +@@ -517,7 +746,43 @@ optional_policy(` ') optional_policy(` @@ -49697,7 +50237,7 @@ index 6c01261..3f91fd9 100644 ') optional_policy(` -@@ -527,6 +787,16 @@ optional_policy(` +@@ -527,6 +792,16 @@ optional_policy(` ') optional_policy(` @@ -49714,7 +50254,7 @@ index 6c01261..3f91fd9 100644 hostname_exec(xdm_t) ') -@@ -544,28 +814,65 @@ optional_policy(` +@@ -544,28 +819,65 @@ optional_policy(` ') optional_policy(` @@ -49789,7 +50329,7 @@ index 6c01261..3f91fd9 100644 ') optional_policy(` -@@ -577,6 +884,14 @@ optional_policy(` +@@ -577,6 +889,14 @@ optional_policy(` ') optional_policy(` @@ -49804,7 +50344,7 @@ index 6c01261..3f91fd9 100644 xfs_stream_connect(xdm_t) ') -@@ -601,7 +916,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -601,7 +921,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -49813,7 +50353,7 @@ index 6c01261..3f91fd9 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -615,8 +930,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -615,8 +935,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -49829,7 +50369,7 @@ index 6c01261..3f91fd9 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -635,12 +957,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -635,12 +962,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -49851,7 +50391,7 @@ index 6c01261..3f91fd9 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -648,6 +977,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -648,6 +982,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -49859,7 +50399,7 @@ index 6c01261..3f91fd9 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -674,7 +1004,6 @@ dev_rw_apm_bios(xserver_t) +@@ -674,7 +1009,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -49867,7 +50407,7 @@ index 6c01261..3f91fd9 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -684,11 +1013,17 @@ dev_wx_raw_memory(xserver_t) +@@ -684,11 +1018,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -49885,7 +50425,7 @@ index 6c01261..3f91fd9 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -699,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -699,8 +1039,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -49899,7 +50439,7 @@ index 6c01261..3f91fd9 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -713,8 +1053,6 @@ init_getpgid(xserver_t) +@@ -713,8 +1058,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -49908,7 +50448,7 @@ index 6c01261..3f91fd9 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -722,11 +1060,12 @@ logging_send_audit_msgs(xserver_t) +@@ -722,11 +1065,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -49923,7 +50463,7 @@ index 6c01261..3f91fd9 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -780,16 +1119,36 @@ optional_policy(` +@@ -780,16 +1124,36 @@ optional_policy(` ') optional_policy(` @@ -49961,7 +50501,7 @@ index 6c01261..3f91fd9 100644 unconfined_domtrans(xserver_t) ') -@@ -798,6 +1157,10 @@ optional_policy(` +@@ -798,6 +1162,10 @@ optional_policy(` ') optional_policy(` @@ -49972,7 +50512,7 @@ index 6c01261..3f91fd9 100644 xfs_stream_connect(xserver_t) ') -@@ -813,10 +1176,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -813,10 +1181,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -49986,7 +50526,7 @@ index 6c01261..3f91fd9 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -824,7 +1187,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -824,7 +1192,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. 
@@ -49995,7 +50535,7 @@ index 6c01261..3f91fd9 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -837,6 +1200,9 @@ init_use_fds(xserver_t) +@@ -837,6 +1205,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -50005,7 +50545,7 @@ index 6c01261..3f91fd9 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -844,6 +1210,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -844,6 +1215,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -50017,7 +50557,7 @@ index 6c01261..3f91fd9 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -852,11 +1223,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -852,11 +1228,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -50034,7 +50574,7 @@ index 6c01261..3f91fd9 100644 ') optional_policy(` -@@ -864,6 +1238,10 @@ optional_policy(` +@@ -864,6 +1243,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -50045,7 +50585,7 @@ index 6c01261..3f91fd9 100644 ######################################## # # Rules common to all X window domains -@@ -907,7 +1285,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -907,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -50054,7 +50594,7 @@ index 6c01261..3f91fd9 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -961,11 +1339,31 @@ allow x_domain self:x_resource { read write }; +@@ -961,11 +1344,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -50086,7 +50626,7 @@ index 6c01261..3f91fd9 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -987,18 +1385,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -987,18 +1390,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -52460,7 +53000,7 @@ index cc83689..e83c909 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..7860408 100644 +index ea29513..5429a16 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -52626,7 +53166,7 @@ index ea29513..7860408 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +236,118 @@ tunable_policy(`init_upstart',` +@@ -186,12 +236,119 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -52639,6 +53179,7 @@ index ea29513..7860408 100644 +tunable_policy(`init_systemd',` + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; + allow init_t self:process { setsockcreate setfscreate }; ++ allow init_t self:process { getcap setcap }; + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; + # Until systemd is fixed 
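Review bot: The new `allow init_t self:process { getcap setcap };` in the `init_systemd` tunable block carries no comment and repeats the rule header of the line directly above it. I would fold it into that rule, `allow init_t self:process { setsockcreate setfscreate getcap setcap };`, and add a one-line comment naming the systemd operation that reads and changes its own capability sets, so the grant can be re-evaluated when systemd changes. Keeping it inside the tunable, as done here, is the right scope. The tunable block continues past the end of the hunk.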
@@ -52745,7 +53286,7 @@ index ea29513..7860408 100644 ') optional_policy(` -@@ -199,10 +355,25 @@ optional_policy(` +@@ -199,10 +356,25 @@ optional_policy(` ') optional_policy(` @@ -52771,7 +53312,7 @@ index ea29513..7860408 100644 unconfined_domain(init_t) ') -@@ -212,7 +383,7 @@ optional_policy(` +@@ -212,7 +384,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -52780,7 +53321,7 @@ index ea29513..7860408 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +412,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +413,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -52796,7 +53337,7 @@ index ea29513..7860408 100644 init_write_initctl(initrc_t) -@@ -258,20 +432,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +433,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -52833,7 +53374,7 @@ index ea29513..7860408 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +465,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +466,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -52841,7 +53382,7 @@ index ea29513..7860408 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +478,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +479,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) 
@@ -52849,7 +53390,7 @@ index ea29513..7860408 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +486,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +487,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -52865,7 +53406,7 @@ index ea29513..7860408 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +504,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +505,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -52873,7 +53414,7 @@ index ea29513..7860408 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +512,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +513,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -52885,7 +53426,7 @@ index ea29513..7860408 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +531,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +532,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -52899,7 +53440,7 @@ index ea29513..7860408 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +546,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +547,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -52908,7 +53449,7 @@ index ea29513..7860408 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +560,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +561,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -52916,7 +53457,7 @@ index ea29513..7860408 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +572,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +573,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -52924,7 +53465,7 @@ index ea29513..7860408 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +593,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +594,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -52946,7 +53487,7 @@ index ea29513..7860408 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +656,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +657,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -52957,7 +53498,7 @@ index ea29513..7860408 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +680,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +681,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -52966,7 +53507,7 @@ index ea29513..7860408 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +695,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +696,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -52974,7 +53515,7 @@ index ea29513..7860408 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +725,29 @@ ifdef(`distro_redhat',` +@@ -522,8 +726,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -53004,7 +53545,7 @@ index ea29513..7860408 100644 ') optional_policy(` -@@ -531,10 +755,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +756,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -53019,10 +53560,15 @@ index ea29513..7860408 100644 + sysnet_relabelfrom_dhcpc_state(initrc_t) + sysnet_relabelfrom_net_conf(initrc_t) + sysnet_relabelto_net_conf(initrc_t) ++ sysnet_etc_filetrans_config(initrc_t, resolv.conf) ++ sysnet_etc_filetrans_config(initrc_t, denyhosts) ++ sysnet_etc_filetrans_config(initrc_t, hosts) ++ sysnet_etc_filetrans_config(initrc_t, ethers) ++ sysnet_etc_filetrans_config(initrc_t, yp.conf) ') optional_policy(` -@@ -549,6 +780,39 @@ ifdef(`distro_suse',` +@@ -549,6 +786,39 @@ ifdef(`distro_suse',` ') ') @@ -53062,7 +53608,7 @@ index ea29513..7860408 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +825,8 @@ optional_policy(` +@@ -561,6 +831,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -53071,7 +53617,7 @@ index ea29513..7860408 100644 ') optional_policy(` -@@ -577,6 +843,7 @@ optional_policy(` +@@ -577,6 +849,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -53079,7 +53625,7 @@ index ea29513..7860408 100644 ') optional_policy(` -@@ -589,6 +856,11 @@ optional_policy(` +@@ -589,6 +862,11 @@ optional_policy(` ') optional_policy(` 
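Review bot: The five `sysnet_etc_filetrans_config(initrc_t, NAME)` rules only apply when initrc_t creates a file with exactly that name in /etc. A script that writes a temporary file and renames it into place (constructed example: `resolv.conf.tmp` renamed to `resolv.conf`) still ends up with the default /etc label, because a rename keeps the label assigned at creation. If any init script uses that pattern, keep its relabel step or add the temporary names. A short comment above the list, such as `# names must match the file-context entries for the network configuration type`, would help keep the two in sync. The enclosing `optional_policy` block starts outside the hunk.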
@@ -53091,7 +53637,7 @@ index ea29513..7860408 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +877,13 @@ optional_policy(` +@@ -605,9 +883,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -53105,7 +53651,7 @@ index ea29513..7860408 100644 ') optional_policy(` -@@ -649,6 +925,11 @@ optional_policy(` +@@ -649,6 +931,11 @@ optional_policy(` ') optional_policy(` @@ -53117,7 +53663,7 @@ index ea29513..7860408 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +987,13 @@ optional_policy(` +@@ -706,7 +993,13 @@ optional_policy(` ') optional_policy(` @@ -53131,7 +53677,7 @@ index ea29513..7860408 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1016,10 @@ optional_policy(` +@@ -729,6 +1022,10 @@ optional_policy(` ') optional_policy(` @@ -53142,7 +53688,7 @@ index ea29513..7860408 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1029,20 @@ optional_policy(` +@@ -738,10 +1035,20 @@ optional_policy(` ') optional_policy(` @@ -53163,7 +53709,7 @@ index ea29513..7860408 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1051,10 @@ optional_policy(` +@@ -750,6 +1057,10 @@ optional_policy(` ') optional_policy(` @@ -53174,7 +53720,7 @@ index ea29513..7860408 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1076,6 @@ optional_policy(` +@@ -771,8 +1082,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -53183,7 +53729,7 @@ index ea29513..7860408 100644 ') optional_policy(` -@@ -781,14 +1084,21 @@ optional_policy(` +@@ -781,14 +1090,21 @@ optional_policy(` ') optional_policy(` @@ -53205,7 +53751,7 @@ index ea29513..7860408 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1110,6 @@ optional_policy(` +@@ -800,7 +1116,6 @@ optional_policy(` ') optional_policy(` 
@@ -53213,7 +53759,7 @@ index ea29513..7860408 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1119,24 @@ optional_policy(` +@@ -810,11 +1125,24 @@ optional_policy(` ') optional_policy(` @@ -53239,7 +53785,7 @@ index ea29513..7860408 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1146,25 @@ optional_policy(` +@@ -824,6 +1152,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -53265,7 +53811,7 @@ index ea29513..7860408 100644 ') optional_policy(` -@@ -849,3 +1190,42 @@ optional_policy(` +@@ -849,3 +1196,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -55125,10 +55671,10 @@ index 879bb1e..7b22111 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..b95f0c0 100644 +index 58bc27f..c3fe956 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if -@@ -123,3 +123,39 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +123,57 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -55168,6 +55714,24 @@ index 58bc27f..b95f0c0 100644 + + allow $1 clvmd_tmpfs_t:file unlink; +') ++ ++######################################## ++## ++## Send lvm a null signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_signull',` ++ gen_require(` ++ type lvm_t; ++ ') ++ ++ allow $1 lvm_t:process signull; ++') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index a0a0ebf..e7fd4ec 100644 --- a/policy/modules/system/lvm.te @@ -56303,14 +56867,16 @@ index 15832c7..43f0a0b 100644 + +userdom_use_inherited_user_terminals(showmount_t) 
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te -index cbbda4a..81ce417 100644 +index cbbda4a..83c5ce7 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te -@@ -25,4 +25,4 @@ files_read_etc_files(netlabel_mgmt_t) +@@ -25,4 +25,6 @@ files_read_etc_files(netlabel_mgmt_t) seutil_use_newrole_fds(netlabel_mgmt_t) -userdom_use_user_terminals(netlabel_mgmt_t) ++term_use_all_terms(netlabel_mgmt_t) ++ +userdom_use_inherited_user_terminals(netlabel_mgmt_t) diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te index 4d06ae3..ebd5ed4 100644 @@ -58201,10 +58767,10 @@ index 0000000..4dfe28c +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..ef7eddd +index 0000000..13b7617 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,180 @@ +@@ -0,0 +1,185 @@ + +policy_module(systemd, 1.0.0) + @@ -58270,10 +58836,15 @@ index 0000000..ef7eddd + +init_read_utmp(systemd_passwd_agent_t) +init_create_pid_dirs(systemd_passwd_agent_t) ++init_stream_connect(systemd_passwd_agent_t) + +miscfiles_read_localization(systemd_passwd_agent_t) + +optional_policy(` ++ lvm_signull(systemd_passwd_agent_t) ++') ++ ++optional_policy(` + plymouthd_stream_connect(systemd_passwd_agent_t) +') + @@ -58588,7 +59159,7 @@ index 025348a..4e2ca03 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..b18dc17 100644 +index d88f7c3..7f59b32 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) @@ -58633,7 +59204,7 @@ index d88f7c3..b18dc17 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -62,17 +69,15 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; 
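Review bot: `term_use_all_terms(netlabel_mgmt_t)` undoes the narrowing made two lines further down in the same netlabel.te hunk. The patch replaces `userdom_use_user_terminals` with `userdom_use_inherited_user_terminals`, yet the added call gives netlabel_mgmt_t read and write access to the console and to every tty and pty type, including terminals it did not inherit. The commit message does not mention this change. If the aim is only to let the tool run from a console or an administrator's terminal, grant the specific terminal types seen in the denials and add a comment naming them.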
@@ -58651,11 +59222,10 @@ index d88f7c3..b18dc17 100644 +files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) +allow udev_t udev_var_run_t:file mounton; +dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } ) -+ kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t) +@@ -87,6 +92,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) kernel_search_debugfs(udev_t) @@ -58663,7 +59233,33 @@ index d88f7c3..b18dc17 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +@@ -95,8 +101,17 @@ kernel_read_software_raid_state(udev_t) + + corecmd_exec_all_executables(udev_t) + ++dev_write_kmsg(udev_t) + dev_rw_sysfs(udev_t) +-dev_manage_all_dev_nodes(udev_t) ++dev_read_raw_memory(udev_t) ++dev_check_read_all_chr_dev_nodes(udev_t) ++dev_check_read_generic_blk_dev_nodes(udev_t) ++dev_check_write_all_chr_dev_nodes(udev_t) ++dev_check_write_generic_blk_dev_nodes(udev_t) ++dev_create_all_blk_dev_nodes(udev_t) ++dev_create_all_chr_dev_nodes(udev_t) ++dev_setattr_all_chr_dev_nodes(udev_t) ++dev_setattr_all_blk_dev_nodes(udev_t) + dev_rw_generic_files(udev_t) + dev_delete_generic_files(udev_t) + dev_search_usbfs(udev_t) +@@ -105,21 +120,27 @@ dev_relabel_all_dev_nodes(udev_t) + # preserved, instead of short circuiting the relabel + dev_relabel_generic_symlinks(udev_t) + dev_manage_generic_symlinks(udev_t) ++dev_manage_generic_dirs(udev_t) + + domain_read_all_domains_state(udev_t) + domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) 
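Review bot: The explicit list that replaces `dev_manage_all_dev_nodes(udev_t)` in the inner `@@ -95,8 +101,17 @@` hunk still includes `dev_read_raw_memory(udev_t)`, with no comment naming the udev helper that reads the memory device. The same applies to `storage_raw_write_removable_device(udev_t)` and `storage_raw_read_fixed_disk(udev_t)` in the `@@ -136,6 +157,13 @@` hunk that follows. The interface definitions are not in view, so the hunk does not show whether these are new access or a restatement of what the removed interface implied. Either way, each raw-memory and raw-disk grant should carry a one-line justification, for example `# required by <udev helper>; see <bug or AVC reference>` (placeholders), so a later audit can drop the ones that are no longer needed.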
@@ -58685,7 +59281,21 @@ index d88f7c3..b18dc17 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t) +@@ -136,6 +157,13 @@ selinux_compute_create_context(udev_t) + selinux_compute_relabel_context(udev_t) + selinux_compute_user_contexts(udev_t) + ++storage_raw_read_fixed_disk(udev_t) ++storage_read_scsi_generic(udev_t) ++storage_raw_read_removable_device(udev_t) ++storage_raw_write_removable_device(udev_t) ++storage_raw_check_write_fixed_disk(udev_t) ++storage_check_write_scsi_generic(udev_t) ++ + auth_read_pam_console_data(udev_t) + auth_domtrans_pam_console(udev_t) + auth_use_nsswitch(udev_t) +@@ -143,6 +171,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -58693,13 +59303,14 @@ index d88f7c3..b18dc17 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -186,15 +199,16 @@ ifdef(`distro_redhat',` +@@ -186,15 +215,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) + fs_manage_hugetlbfs_dirs(udev_t) - term_search_ptys(udev_t) +- term_search_ptys(udev_t) ++ term_use_generic_ptys(udev_t) # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) @@ -58713,7 +59324,7 @@ index d88f7c3..b18dc17 100644 ') optional_policy(` -@@ -216,11 +230,16 @@ optional_policy(` +@@ -216,11 +246,16 @@ optional_policy(` ') optional_policy(` @@ -58730,7 +59341,7 @@ index d88f7c3..b18dc17 100644 ') optional_policy(` -@@ -233,6 +252,10 @@ optional_policy(` +@@ -233,6 +268,14 @@ optional_policy(` ') optional_policy(` @@ -58738,10 +59349,14 @@ index d88f7c3..b18dc17 100644 +') + +optional_policy(` ++ gpsd_domtrans(udev_t) ++') ++ ++optional_policy(` lvm_domtrans(udev_t) ') -@@ -259,6 +282,10 @@ optional_policy(` +@@ -259,6 +302,10 @@ optional_policy(` ') optional_policy(` 
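Review bot: Swapping `term_search_ptys(udev_t)` for `term_use_generic_ptys(udev_t)` in the `distro_redhat` block widens udev_t's access with no stated reason. Going by the interface names, it moves from searching the pty directory to reading and writing generic ptys. The enclosing `ifdef` starts outside this hunk, so the surrounding rules are not visible here. If the denial came only from a descriptor inherited from the invoking session, `term_dontaudit_use_generic_ptys(udev_t)` would silence it without granting access. Otherwise keep the line and add a comment such as `# <program run by udev> writes to the caller's pty` (placeholder).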
@@ -58752,7 +59367,7 @@ index d88f7c3..b18dc17 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +300,11 @@ optional_policy(` +@@ -273,6 +320,11 @@ optional_policy(` ') optional_policy(` @@ -59536,7 +60151,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..5ea0ea4 100644 +index 28b88de..78f35d2 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -60108,7 +60723,7 @@ index 28b88de..5ea0ea4 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +651,122 @@ template(`userdom_common_user_template',` +@@ -574,67 +651,123 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -60241,6 +60856,7 @@ index 28b88de..5ea0ea4 100644 + optional_policy(` + mta_rw_spool($1_usertype) + mta_manage_queue($1_usertype) ++ mta_filetrans_home_content($1_usertype) ') optional_policy(` @@ -60249,7 +60865,7 @@ index 28b88de..5ea0ea4 100644 ') optional_policy(` -@@ -650,41 +782,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +783,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -60311,7 +60927,7 @@ index 28b88de..5ea0ea4 100644 ') ####################################### -@@ -712,13 +853,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +854,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) @@ -60343,7 +60959,7 @@ index 28b88de..5ea0ea4 100644 userdom_change_password_template($1) -@@ -736,72 +890,70 @@ template(`userdom_login_user_template', ` +@@ -736,72 +891,71 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; 
@@ -60425,6 +61041,7 @@ index 28b88de..5ea0ea4 100644 - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) + kerberos_use($1_usertype) ++ kerberos_filetrans_home_content($1_usertype) ') optional_policy(` @@ -60451,7 +61068,7 @@ index 28b88de..5ea0ea4 100644 ') ') -@@ -833,6 +985,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +987,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -60461,7 +61078,7 @@ index 28b88de..5ea0ea4 100644 ############################## # # Local policy -@@ -874,45 +1029,113 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1031,113 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -60586,7 +61203,7 @@ index 28b88de..5ea0ea4 100644 ') ') -@@ -947,7 +1170,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1172,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -60595,7 +61212,7 @@ index 28b88de..5ea0ea4 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1179,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1181,83 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -60709,7 +61326,7 @@ index 28b88de..5ea0ea4 100644 ') ') -@@ -1039,7 +1291,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1293,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -60718,7 +61335,7 @@ index 28b88de..5ea0ea4 100644 ') ############################## -@@ -1066,6 +1318,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1320,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; 
@@ -60726,7 +61343,7 @@ index 28b88de..5ea0ea4 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1327,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1329,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -60736,7 +61353,7 @@ index 28b88de..5ea0ea4 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1344,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1346,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -60744,7 +61361,7 @@ index 28b88de..5ea0ea4 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1362,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1364,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -60758,7 +61375,7 @@ index 28b88de..5ea0ea4 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1379,21 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1381,21 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -60781,7 +61398,7 @@ index 28b88de..5ea0ea4 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1405,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1407,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) 
@@ -60793,7 +61410,7 @@ index 28b88de..5ea0ea4 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1477,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1479,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -60802,7 +61419,7 @@ index 28b88de..5ea0ea4 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1491,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1493,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -60810,7 +61427,7 @@ index 28b88de..5ea0ea4 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1507,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1509,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -60818,7 +61435,7 @@ index 28b88de..5ea0ea4 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1550,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1552,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -60856,7 +61473,7 @@ index 28b88de..5ea0ea4 100644 ubac_constrained($1) ') -@@ -1395,6 +1692,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1694,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -60864,7 +61481,7 @@ index 28b88de..5ea0ea4 100644 files_search_home($1) ') -@@ -1441,6 +1739,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1741,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -60879,7 +61496,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -1456,9 +1762,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1764,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -60891,7 +61508,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -1515,10 +1823,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1825,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -60904,7 +61521,7 @@ index 28b88de..5ea0ea4 100644 ## ## ## -@@ -1526,22 +1834,58 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,22 +1836,58 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -60972,7 +61589,7 @@ index 28b88de..5ea0ea4 100644 ## Do a domain transition to the specified ## domain when executing a program in the ## user home directory. -@@ -1589,6 +1933,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1935,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -60981,7 +61598,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -1603,10 +1949,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1951,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -60996,7 +61613,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -1649,6 +1997,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1999,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## 
@@ -61022,7 +61639,7 @@ index 28b88de..5ea0ea4 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2067,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2069,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -61055,7 +61672,7 @@ index 28b88de..5ea0ea4 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2103,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2105,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -61073,7 +61690,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -1779,6 +2169,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2171,24 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -61098,7 +61715,7 @@ index 28b88de..5ea0ea4 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2218,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2220,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -61108,7 +61725,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -1827,21 +2234,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,21 +2236,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -61134,7 +61751,7 @@ index 28b88de..5ea0ea4 100644 ######################################## ## ## Do not audit attempts to execute user home files. -@@ -2008,7 +2409,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2411,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') 
@@ -61143,7 +61760,7 @@ index 28b88de..5ea0ea4 100644 files_search_home($1) ') -@@ -2182,7 +2583,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2585,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -61152,7 +61769,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -2435,13 +2836,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2838,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -61168,7 +61785,7 @@ index 28b88de..5ea0ea4 100644 ## ## ## -@@ -2462,26 +2864,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2866,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -61195,7 +61812,7 @@ index 28b88de..5ea0ea4 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,6 +2954,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +2956,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -61220,7 +61837,7 @@ index 28b88de..5ea0ea4 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +2990,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +2992,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -61263,7 +61880,7 @@ index 28b88de..5ea0ea4 100644 ## ## ## -@@ -2614,14 +3026,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3028,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -61301,7 +61918,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -2815,7 +3246,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3248,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -61310,7 +61927,7 @@ index 28b88de..5ea0ea4 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3262,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3264,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -61326,7 +61943,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -2917,7 +3350,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3352,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -61335,7 +61952,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -2972,7 +3405,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3407,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -61382,7 +61999,7 @@ index 28b88de..5ea0ea4 100644 ') ######################################## -@@ -3009,6 +3480,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3482,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -61390,7 +62007,7 @@ index 28b88de..5ea0ea4 100644 kernel_search_proc($1) ') -@@ -3087,6 +3559,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3561,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -61415,7 +62032,7 @@ index 28b88de..5ea0ea4 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3629,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3631,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -62595,7 +63212,7 @@ index df29ca1..e9e85d7 100644 +') + diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc -index a865da7..0818ff0 100644 +index a865da7..a5ed06e 100644 --- a/policy/modules/system/xen.fc +++ b/policy/modules/system/xen.fc @@ -1,12 +1,10 @@ 
@@ -62612,6 +63229,14 @@ index a865da7..0818ff0 100644 ifdef(`distro_debian',` /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) +@@ -17,6 +15,7 @@ ifdef(`distro_debian',` + /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) + /usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) + /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) ++/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) + /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) + ') + diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index 77d41b6..4aa96c6 100644 --- a/policy/modules/system/xen.if diff --git a/selinux-policy.spec b/selinux-policy.spec index 06ee490..d15dee3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 17%{?dist} +Release: 18%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,13 @@ exit 0 %endif %changelog +* Wed Apr 27 2011 Miroslav Grepl 3.9.16-18 +- Allow init_t getcap and setcap +- Allow namespace_init_t to use nsswitch +- aisexec will execute corosync +- colord tries to read files off noxattr file systems +- Allow init_t getcap and setcap + * Thu Apr 21 2011 Miroslav Grepl 3.9.16-17 - Add support for ABRT retrace server - Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners