From dcec63d64d226982748991fcef3cc29a889d9062 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Mar 25 2018 00:17:47 +0000 Subject: * Sun Mar 25 2018 Lukas Vrabec - 3.13.1-283.29 - Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795) - Allow nagios to exec itself and mmap nagios spool files BZ(1559683) - Allow nagios to mmap nagios config files BZ(1559683) - Add a policy for conntrackd - Fix typo in NetworkManager module - Fix bug in gssproxy SELinux module - Allow networkmanager to run ssh client BZ(1558441) - Allow pcp domains to do dc override BZ(1557913) - Dontaudit pcp_pmie_t to request lost kernel module - Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955) - Allow httpd_t to read httpd_log_t dirs BZ(1554912) - Allow fail2ban_t to read system network state BZ(1557752) - Allow dac override capability to mandb_t domain BZ(1529399) - Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439) - Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359) - Allow snapperd to relabel snapperd_data_t - Add allow to map for pki_tomcat_t - Allow rpm domain to mmap rpm_var_lib_t files - Allow tor_t domain to execute bin_t files BZ(1496274) - Allow iscsid_t domain to mmap kernel modules BZ(1553759) - Update minidlna SELinux policy BZ(1554087) - Allow motion_t domain to read sysfs_t files BZ(1554142) - Allow systemd create stream socket permissions BZ(1560195) - Allow insmod_t to load modules BZ(1544189) - Allow systemd_rfkill_t domain sys_admin capability BZ(1557595) - Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862) - Improve userdom_mmap_user_home_content_files - Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414) - Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module - Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227) - Allow secadm_t domain to mmap audit config and log files - Update init_abstract_socket_activation() to allow 
also creating tcp sockets - getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain. - Create new type bpf_t and label /sys/fs/bpf with this type - Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164) - Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655) - Allow xdm_t domain to sys_ptrace BZ(1554150) - Allow application_domain_type also mmap inherited user temp files BZ(1552765) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 749dfed..1fd02b8 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f27-base.patch b/policy-f27-base.patch index 3d3e2de..b510852 100644 --- a/policy-f27-base.patch +++ b/policy-f27-base.patch @@ -19693,10 +19693,10 @@ index 1a03abdd7..3221f8018 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index d7c11a0b3..f521a50f8 100644 +index d7c11a0b3..ea3ed8174 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -1,23 +1,28 @@ +@@ -1,15 +1,26 @@ -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -/cgroup/.* <> +# ecryptfs does not support xattr @@ -19714,7 +19714,7 @@ index d7c11a0b3..f521a50f8 100644 -/lib/udev/devices/shm/.* <> +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) +/dev/shm/.* <> - ++ +/dev/oracleasm(/.*)? gen_context(system_u:object_r:oracleasmfs_t,s0) + +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) @@ -19725,9 +19725,13 @@ index d7c11a0b3..f521a50f8 100644 +/var/run/user/[^/]*/gvfs/.* <> + +# for systemd systems: ++# ++/sys/fs/bpf -d gen_context(system_u:object_r:bpf_t,s0) ++/sys/fs/bpf/.* <> + /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.* <> - +@@ -17,7 +28,5 @@ /sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0) /sys/fs/pstore/.* <> 
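Review bot: The new `/sys/fs/bpf` entries in filesystem.fc are introduced by an empty `++#` comment line under the `# for systemd systems:` heading, so the file says nothing about what is being labeled or why the contents get `<>`. Replace the empty comment with something descriptive, e.g. `# bpffs mount point; inode labels come from genfscon bpf in filesystem.te, so no fc entries for contents`. Spelling out that dependency matters because `/sys/fs/bpf/.* <>` means restorecon will never touch those inodes, and a reader must know to look at the genfscon rule in the filesystem.te hunk instead.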
@@ -23568,7 +23572,7 @@ index 8416beb43..692813818 100644 + allow $1 tracefs_t:filesystem unmount; +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d173844..b10afaff0 100644 +index e7d173844..768a47a04 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,20 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -23608,10 +23612,16 @@ index e7d173844..b10afaff0 100644 type bdev_t; fs_type(bdev_t) -@@ -63,16 +71,28 @@ fs_type(binfmt_misc_fs_t) +@@ -63,16 +71,34 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) ++type bpf_t alias bpffs_t; ++fs_type(bpf_t) ++files_mountpoint(bpf_t) ++dev_associate_sysfs(bpf_t) ++genfscon bpf / gen_context(system_u:object_r:bpf_t,s0) ++ +type oracleasmfs_t; +fs_type(oracleasmfs_t) +dev_node(oracleasmfs_t) @@ -23638,7 +23648,7 @@ index e7d173844..b10afaff0 100644 type configfs_t; fs_type(configfs_t) -@@ -88,6 +108,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -88,6 +114,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -23650,7 +23660,7 @@ index e7d173844..b10afaff0 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -96,6 +121,7 @@ type hugetlbfs_t; +@@ -96,6 +127,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -23658,7 +23668,7 @@ index e7d173844..b10afaff0 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -111,6 +137,12 @@ type inotifyfs_t; +@@ -111,6 +143,12 @@ type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) 
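Review bot: `type bpf_t alias bpffs_t;` adds a new filesystem type, but no `fs_*_bpf*` interface accompanies it in the filesystem.if hunks visible here, so other modules have no supported way to be granted search/read/manage on bpf_t short of a direct type reference; if the interfaces are in a hunk outside this excerpt disregard this, otherwise they belong in the same commit. The alias also deserves a one-line comment stating why both names exist, e.g. `# bpffs_t alias kept for policy that already references that name`. `dev_associate_sysfs(bpf_t)` matches how pstore_t is declared later in this file, which is consistent with the mount living under /sys/fs.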
@@ -23671,7 +23681,7 @@ index e7d173844..b10afaff0 100644 type mvfs_t; fs_noxattr_type(mvfs_t) allow mvfs_t self:filesystem associate; -@@ -118,13 +150,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -118,13 +156,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -23696,7 +23706,7 @@ index e7d173844..b10afaff0 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,17 +192,16 @@ fs_type(spufs_t) +@@ -150,17 +198,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -23718,7 +23728,7 @@ index e7d173844..b10afaff0 100644 type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -172,6 +213,8 @@ type vxfs_t; +@@ -172,6 +219,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -23727,7 +23737,7 @@ index e7d173844..b10afaff0 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +225,8 @@ fs_type(tmpfs_t) +@@ -182,6 +231,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -23736,7 +23746,7 @@ index e7d173844..b10afaff0 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +306,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +312,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) 
@@ -23745,7 +23755,7 @@ index e7d173844..b10afaff0 100644 files_mountpoint(removable_t) # -@@ -280,6 +327,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +333,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -23753,7 +23763,7 @@ index e7d173844..b10afaff0 100644 ######################################## # -@@ -301,9 +349,10 @@ fs_associate_noxattr(noxattrfs) +@@ -301,9 +355,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # @@ -27955,7 +27965,7 @@ index 3a45a3ef0..7499f24b5 100644 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index da111206f..621ec5afc 100644 +index da111206f..21ab89b20 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0) @@ -27985,7 +27995,7 @@ index da111206f..621ec5afc 100644 domain_obj_id_change_exemption(secadm_t) -@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t) +@@ -30,14 +36,15 @@ mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) auth_role(secadm_r, secadm_t) @@ -27995,6 +28005,14 @@ index da111206f..621ec5afc 100644 init_exec(secadm_t) + logging_read_audit_log(secadm_t) + logging_read_generic_logs(secadm_t) + logging_read_audit_config(secadm_t) ++logging_map_audit_config(secadm_t) ++logging_map_audit_log(secadm_t) + + optional_policy(` + aide_run(secadm_t, secadm_r) diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if index 234a940f9..a92415a9d 100644 --- a/policy/modules/roles/staff.if @@ -38755,7 +38773,7 @@ index e4376aa98..2c98c5647 100644 + allow $1 getty_unit_file_t:service start; +') 
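Review bot: `logging_map_audit_config(secadm_t)` and `logging_map_audit_log(secadm_t)` are called in secadm.te, but no logging.if hunk defining those interfaces appears in this excerpt; if they are new in this release they must be added in the same patch or the module build fails on an undefined interface, so please confirm they already exist. Unlike the `logging_read_*` calls directly above them, these grant `map`, which is a distinct permission from read; a short comment saying which audit tooling required mmap access would make the widening reviewable later, e.g. `# map needed for mmap-based readers of audit logs/config`.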
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index f6743ea19..ad10a2afd 100644 +index f6743ea19..3ab3b0a02 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) @@ -38770,7 +38788,7 @@ index f6743ea19..ad10a2afd 100644 +') + +ifdef(`enable_mls',` -+ init_ranged_daemon_domain(getty_t, getty_exec_t, mls_systemhigh) ++ init_ranged_daemon_domain(getty_t, getty_exec_t, s0 - mls_systemhigh) +') + ######################################## @@ -39080,7 +39098,7 @@ index bc0ffc84e..37b8ea5ec 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f62e..5ed49090d 100644 +index 79a45f62e..fdd4340b3 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -39395,7 +39413,7 @@ index 79a45f62e..5ed49090d 100644 ') ######################################## -@@ -564,6 +677,107 @@ interface(`init_sigchld',` +@@ -564,6 +677,108 @@ interface(`init_sigchld',` allow $1 init_t:process sigchld; ') @@ -39468,6 +39486,7 @@ index 79a45f62e..5ed49090d 100644 + ') + + allow init_t $1:unix_stream_socket create_stream_socket_perms; ++ allow init_t $1:tcp_socket create_stream_socket_perms; + ') +') + @@ -39503,7 +39522,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Connect to init with a unix socket. -@@ -575,13 +789,88 @@ interface(`init_sigchld',` +@@ -575,13 +790,88 @@ interface(`init_sigchld',` ## # interface(`init_stream_connect',` @@ -39592,7 +39611,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Inherit and use file descriptors from init. -@@ -743,22 +1032,24 @@ interface(`init_write_initctl',` +@@ -743,22 +1033,24 @@ interface(`init_write_initctl',` interface(`init_telinit',` gen_require(` type initctl_t; 
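Review bot: Changing getty_t's range from `mls_systemhigh` to `s0 - mls_systemhigh` in getty.te alters the MLS clearance the daemon runs with, and nothing in the hunk records why. The commit message gives the reason (getty must be ranged so local_login_t runs as a ranged domain), so carry it into the policy next to the call, e.g. `# run getty ranged so that local_login_t inherits s0 - mls_systemhigh (needed for MLS logins)`. Without that line the next reader will see only a broader range and no justification.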
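Review bot: The added `allow init_t $1:tcp_socket create_stream_socket_perms;` in init.if extends socket activation to TCP listeners, but the interface's `## <summary>` block lies outside this hunk and, judging from the neighbouring unix_stream_socket rule, presumably still describes unix sockets only; it should be updated to mention TCP. As far as I recall, `name_bind` for the port is checked against the socket's own label, i.e. $1, not init_t, so callers still need the matching `corenet_*_bind` rule; a comment such as `# systemd creates the tcp listener labeled $1; port binding is checked against $1` would spell that out. The enclosing interface starts and ends outside the hunk.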
@@ -39626,7 +39645,7 @@ index 79a45f62e..5ed49090d 100644 ') ######################################## -@@ -787,7 +1078,7 @@ interface(`init_rw_initctl',` +@@ -787,7 +1079,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -39635,7 +39654,7 @@ index 79a45f62e..5ed49090d 100644 ## ## # -@@ -830,11 +1121,12 @@ interface(`init_script_file_entry_type',` +@@ -830,11 +1122,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -39650,7 +39669,7 @@ index 79a45f62e..5ed49090d 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -845,11 +1137,11 @@ interface(`init_spec_domtrans_script',` +@@ -845,11 +1138,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -39664,7 +39683,7 @@ index 79a45f62e..5ed49090d 100644 ') ') -@@ -865,38 +1157,60 @@ interface(`init_spec_domtrans_script',` +@@ -865,38 +1158,60 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -39742,7 +39761,7 @@ index 79a45f62e..5ed49090d 100644 ## ## ## -@@ -933,9 +1247,14 @@ interface(`init_script_file_domtrans',` +@@ -933,9 +1248,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -39757,7 +39776,7 @@ index 79a45f62e..5ed49090d 100644 files_search_etc($1) ') -@@ -990,6 +1309,24 @@ interface(`init_run_daemon',` +@@ -990,6 +1310,24 @@ interface(`init_run_daemon',` role_transition $2 direct_init_entry system_r; ') @@ -39782,7 +39801,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Read the process state (/proc/pid) of init. -@@ -1010,6 +1347,62 @@ interface(`init_read_state',` +@@ -1010,6 +1348,62 @@ interface(`init_read_state',` allow $1 init_t:lnk_file read_lnk_file_perms; ') @@ -39845,7 +39864,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Ptrace init -@@ -1026,7 +1419,9 @@ interface(`init_ptrace',` +@@ -1026,7 +1420,9 @@ interface(`init_ptrace',` type init_t; ') 
@@ -39856,7 +39875,7 @@ index 79a45f62e..5ed49090d 100644 ') ######################################## -@@ -1123,6 +1518,63 @@ interface(`init_getattr_all_script_files',` +@@ -1123,6 +1519,63 @@ interface(`init_getattr_all_script_files',` allow $1 init_script_file_type:file getattr; ') @@ -39920,7 +39939,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Read all init script files. -@@ -1142,6 +1594,24 @@ interface(`init_read_all_script_files',` +@@ -1142,6 +1595,24 @@ interface(`init_read_all_script_files',` allow $1 init_script_file_type:file read_file_perms; ') @@ -39945,7 +39964,7 @@ index 79a45f62e..5ed49090d 100644 ####################################### ## ## Dontaudit read all init script files. -@@ -1195,12 +1665,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1666,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -39959,7 +39978,7 @@ index 79a45f62e..5ed49090d 100644 ') ######################################## -@@ -1312,6 +1777,24 @@ interface(`init_signal_script',` +@@ -1312,6 +1778,24 @@ interface(`init_signal_script',` allow $1 initrc_t:process signal; ') @@ -39984,7 +40003,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Send null signals to init scripts. -@@ -1437,6 +1920,27 @@ interface(`init_dbus_send_script',` +@@ -1437,6 +1921,27 @@ interface(`init_dbus_send_script',` allow $1 initrc_t:dbus send_msg; ') @@ -40012,7 +40031,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Send and receive messages from -@@ -1545,6 +2049,25 @@ interface(`init_getattr_script_status_files',` +@@ -1545,6 +2050,25 @@ interface(`init_getattr_script_status_files',` getattr_files_pattern($1, initrc_state_t, initrc_state_t) ') 
@@ -40038,7 +40057,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Do not audit attempts to read init script -@@ -1603,6 +2126,42 @@ interface(`init_rw_script_tmp_files',` +@@ -1603,6 +2127,42 @@ interface(`init_rw_script_tmp_files',` rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t) ') @@ -40081,7 +40100,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Create files in a init script -@@ -1675,6 +2234,43 @@ interface(`init_read_utmp',` +@@ -1675,6 +2235,43 @@ interface(`init_read_utmp',` allow $1 initrc_var_run_t:file read_file_perms; ') @@ -40125,7 +40144,7 @@ index 79a45f62e..5ed49090d 100644 ######################################## ## ## Do not audit attempts to write utmp. -@@ -1765,7 +2361,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2362,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -40134,7 +40153,7 @@ index 79a45f62e..5ed49090d 100644 ') ######################################## -@@ -1806,7 +2402,134 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,7 +2403,134 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -40270,7 +40289,7 @@ index 79a45f62e..5ed49090d 100644 ## ## Allow the specified domain to connect to daemon with a tcp socket ## -@@ -1840,3 +2563,584 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2564,584 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -40856,7 +40875,7 @@ index 79a45f62e..5ed49090d 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..aaba216f6 100644 +index 17eda2480..ddb65f82a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -40977,7 +40996,7 @@ index 17eda2480..aaba216f6 100644 +allow init_t self:cap_userns all_cap_userns_perms; +allow init_t self:tcp_socket { listen accept }; +allow init_t self:packet_socket create_socket_perms; -+allow init_t self:socket create_socket_perms; ++allow init_t self:socket create_stream_socket_perms; +allow init_t self:key manage_key_perms; # is ~sys_module really needed? observed: # sys_boot @@ -41038,7 +41057,7 @@ index 17eda2480..aaba216f6 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +214,29 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +214,32 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -41046,6 +41065,9 @@ index 17eda2480..aaba216f6 100644 +kernel_rw_stream_socket_perms(init_t) +kernel_rw_unix_dgram_sockets(init_t) +kernel_mounton_systemd_ProtectKernelTunables(init_t) ++ ++# There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing ++kernel_dontaudit_request_load_module(init_t) corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) @@ -41069,7 +41091,7 @@ index 17eda2480..aaba216f6 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,45 +244,105 @@ domain_signal_all_domains(init_t) +@@ -139,45 +247,105 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -41168,12 +41190,12 @@ index 17eda2480..aaba216f6 100644 +miscfiles_filetrans_named_content(init_t) + +udev_manage_rules_files(init_t) -+ + +-miscfiles_read_localization(init_t) +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_transition_login_userdomain(init_t) +userdom_noatsecure_login_userdomain(init_t) +userdom_sigchld_login_userdomain(init_t) 
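Review bot: `kernel_dontaudit_request_load_module(init_t)` in init.te is introduced as a temporary workaround, yet the comment above it (`# There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing`) carries no bug reference, so nobody will know when it can be dropped. Reword it to tie the suppression to the tracking entry named in the commit message, e.g. `# Kernel 4.16 bug: domains spuriously hit module_request; dontaudit until fixed (BZ 1547227)`. The dontaudit also hides any genuine attempt by init_t to trigger module autoloading, which is one more reason it should be reverted once the kernel fix lands rather than left in place.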
@@ -41182,7 +41204,7 @@ index 17eda2480..aaba216f6 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +351,312 @@ ifdef(`distro_gentoo',` +@@ -186,29 +354,312 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -41244,13 +41266,14 @@ index 17eda2480..aaba216f6 100644 + +optional_policy(` + gssproxy_noatsecure(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + rpc_gssd_noatsecure(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + anaconda_domtrans_install(init_t) +') + @@ -41277,16 +41300,15 @@ index 17eda2480..aaba216f6 100644 + postfix_list_spool(init_t) + mta_read_config(init_t) + mta_manage_aliases(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + raid_manage_mdadm_pid(init_t) + raid_relabel_mdadm_var_run_content(init_t) + raid_stream_connect(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + systemd_allow_mount_dir(init_t) +') + @@ -41481,19 +41503,19 @@ index 17eda2480..aaba216f6 100644 + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + mount_rw_pid_files(init_t) +') + +optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) @@ -41504,7 +41526,7 @@ index 17eda2480..aaba216f6 100644 ') optional_policy(` -@@ -216,7 +664,38 @@ optional_policy(` +@@ -216,7 +667,38 @@ optional_policy(` ') optional_policy(` 
@@ -41544,7 +41566,7 @@ index 17eda2480..aaba216f6 100644 ') ######################################## -@@ -225,9 +704,9 @@ optional_policy(` +@@ -225,9 +707,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -41556,7 +41578,7 @@ index 17eda2480..aaba216f6 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +737,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +740,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -41573,7 +41595,7 @@ index 17eda2480..aaba216f6 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +762,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +765,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -41616,7 +41638,7 @@ index 17eda2480..aaba216f6 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +799,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +802,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -41628,7 +41650,7 @@ index 17eda2480..aaba216f6 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +811,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +814,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -41639,7 +41661,7 @@ index 17eda2480..aaba216f6 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +822,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +825,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -41649,7 +41671,7 @@ index 17eda2480..aaba216f6 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +831,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +834,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -41657,7 +41679,7 @@ index 17eda2480..aaba216f6 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +838,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +841,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -41665,7 +41687,7 @@ index 17eda2480..aaba216f6 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +846,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +849,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -41683,7 +41705,7 @@ index 17eda2480..aaba216f6 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +864,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +867,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -41697,7 +41719,7 @@ index 17eda2480..aaba216f6 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +879,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +882,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -41711,7 +41733,7 @@ index 17eda2480..aaba216f6 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +892,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +895,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -41722,7 +41744,7 @@ index 17eda2480..aaba216f6 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +905,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +908,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -41730,7 +41752,7 @@ index 17eda2480..aaba216f6 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +924,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +927,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -41754,7 +41776,7 @@ index 17eda2480..aaba216f6 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +957,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +960,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -41762,7 +41784,7 @@ index 17eda2480..aaba216f6 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +990,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +993,10 @@ ifdef(`distro_gentoo',` sysnet_write_config(initrc_t) sysnet_setattr_config(initrc_t) 
@@ -41773,7 +41795,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` alsa_read_lib(initrc_t) ') -@@ -506,7 +1015,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +1018,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -41782,7 +41804,7 @@ index 17eda2480..aaba216f6 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +1030,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +1033,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -41790,7 +41812,7 @@ index 17eda2480..aaba216f6 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1051,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1054,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -41798,7 +41820,7 @@ index 17eda2480..aaba216f6 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,9 +1060,45 @@ ifdef(`distro_redhat',` +@@ -549,9 +1063,45 @@ ifdef(`distro_redhat',` alsa_manage_rw_config(initrc_t) ') @@ -41844,7 +41866,7 @@ index 17eda2480..aaba216f6 100644 ') optional_policy(` -@@ -559,14 +1106,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1109,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -41876,7 +41898,7 @@ index 17eda2480..aaba216f6 100644 ') ') -@@ -577,6 +1141,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1144,39 @@ ifdef(`distro_suse',` ') ') @@ -41916,7 +41938,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1186,8 @@ optional_policy(` +@@ -589,6 +1189,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -41925,7 +41947,7 @@ index 17eda2480..aaba216f6 100644 ') optional_policy(` -@@ -610,6 +1209,7 @@ optional_policy(` +@@ -610,6 +1212,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -41933,7 +41955,7 @@ index 17eda2480..aaba216f6 100644 ') optional_policy(` -@@ -625,6 +1225,17 @@ optional_policy(` +@@ -625,6 +1228,17 @@ optional_policy(` dev_getattr_cpu_dev(initrc_t) ') @@ -41951,7 +41973,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` dev_getattr_printer_dev(initrc_t) -@@ -642,9 +1253,13 @@ optional_policy(` +@@ -642,9 +1256,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -41965,7 +41987,7 @@ index 17eda2480..aaba216f6 100644 ') optional_policy(` -@@ -657,15 +1272,11 @@ optional_policy(` +@@ -657,15 +1275,11 @@ optional_policy(` ') optional_policy(` @@ -41983,7 +42005,7 @@ index 17eda2480..aaba216f6 100644 ') optional_policy(` -@@ -685,6 +1296,15 @@ optional_policy(` +@@ -685,6 +1299,15 @@ optional_policy(` modutils_read_module_deps(initrc_t) ') @@ -41999,7 +42021,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` inn_exec_config(initrc_t) ') -@@ -726,6 +1346,7 @@ optional_policy(` +@@ -726,6 +1349,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -42007,7 +42029,7 @@ index 17eda2480..aaba216f6 100644 ') optional_policy(` -@@ -743,7 +1364,13 @@ optional_policy(` +@@ -743,7 +1367,13 @@ optional_policy(` ') optional_policy(` @@ -42022,7 +42044,7 @@ index 17eda2480..aaba216f6 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1392,10 @@ optional_policy(` +@@ -765,6 +1395,10 @@ optional_policy(` openvpn_read_config(initrc_t) ') @@ -42033,7 +42055,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) -@@ -774,10 +1405,20 @@ optional_policy(` +@@ -774,10 +1408,20 @@ optional_policy(` postfix_list_spool(initrc_t) ') 
@@ -42054,7 +42076,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` quota_manage_flags(initrc_t) ') -@@ -786,6 +1427,10 @@ optional_policy(` +@@ -786,6 +1430,10 @@ optional_policy(` raid_manage_mdadm_pid(initrc_t) ') @@ -42065,7 +42087,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1453,6 @@ optional_policy(` +@@ -808,8 +1456,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -42074,7 +42096,7 @@ index 17eda2480..aaba216f6 100644 ') optional_policy(` -@@ -817,6 +1460,10 @@ optional_policy(` +@@ -817,6 +1463,10 @@ optional_policy(` samba_read_winbind_pid(initrc_t) ') @@ -42085,7 +42107,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) -@@ -827,10 +1474,12 @@ optional_policy(` +@@ -827,10 +1477,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -42098,7 +42120,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1506,63 @@ optional_policy(` +@@ -857,21 +1509,63 @@ optional_policy(` ') optional_policy(` @@ -42163,7 +42185,7 @@ index 17eda2480..aaba216f6 100644 ') optional_policy(` -@@ -886,6 +1577,10 @@ optional_policy(` +@@ -886,6 +1580,10 @@ optional_policy(` xfs_read_sockets(initrc_t) ') @@ -42174,7 +42196,7 @@ index 17eda2480..aaba216f6 100644 optional_policy(` # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1592,218 @@ optional_policy(` +@@ -897,3 +1595,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -47163,7 +47185,7 @@ index 7449974f6..b79290062 100644 + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a363b8b2..3a6ded940 100644 +index 7a363b8b2..f977273eb 100644 
--- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) @@ -47264,13 +47286,14 @@ index 7a363b8b2..3a6ded940 100644 unconfined_domain(depmod_t) ') -@@ -103,11 +111,12 @@ optional_policy(` +@@ -103,11 +111,13 @@ optional_policy(` # insmod local policy # -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; +allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; ++allow insmod_t self:system module_load; allow insmod_t self:udp_socket create_socket_perms; allow insmod_t self:rawip_socket create_socket_perms; @@ -47278,7 +47301,7 @@ index 7a363b8b2..3a6ded940 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -115,20 +124,29 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) +@@ -115,20 +125,29 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) @@ -47310,7 +47333,7 @@ index 7a363b8b2..3a6ded940 100644 kernel_setsched(insmod_t) corecmd_exec_bin(insmod_t) -@@ -142,40 +160,55 @@ dev_rw_agp(insmod_t) +@@ -142,40 +161,55 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -47370,7 +47393,7 @@ index 7a363b8b2..3a6ded940 100644 kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +217,33 @@ optional_policy(` +@@ -184,28 +218,33 @@ optional_policy(` ') optional_policy(` @@ -47411,7 +47434,7 @@ index 7a363b8b2..3a6ded940 100644 ') optional_policy(` -@@ -225,6 +263,7 @@ optional_policy(` +@@ -225,6 +264,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) 
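Review bot: `allow insmod_t self:system module_load;` covers only the check made against the loading domain itself; if I recall the LSM hook correctly, a module loaded by file descriptor (finit_module) is checked for `module_load` against the module file's type rather than `self`, so a matching rule for the module file type may be needed as well — the rest of the insmod block is outside this hunk, so I cannot tell whether one exists. A short comment tying the line to the bug it fixes would help future audits, e.g. `# BZ(1544189): init_module() checks system:module_load against self`.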
@@ -47419,7 +47442,7 @@ index 7a363b8b2..3a6ded940 100644 ') optional_policy(` -@@ -232,6 +271,10 @@ optional_policy(` +@@ -232,6 +272,10 @@ optional_policy(` unconfined_dontaudit_rw_pipes(insmod_t) ') @@ -47430,7 +47453,7 @@ index 7a363b8b2..3a6ded940 100644 optional_policy(` # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -291,11 +334,10 @@ init_use_script_ptys(update_modules_t) +@@ -291,11 +335,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) @@ -51321,10 +51344,10 @@ index a392fc4bc..6365b8834 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 000000000..ad76288fa +index 000000000..8a7754761 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,85 @@ +@@ -0,0 +1,87 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) @@ -51410,6 +51433,9 @@ index 000000000..ad76288fa +/var/run/systemd/units(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) + +/var/run/initramfs(/.*)? <> ++ ++/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0) +\ No newline at end of file diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 index 000000000..edbfeb000 @@ -53443,10 +53469,10 @@ index 000000000..edbfeb000 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..74b1b182b +index 000000000..9164e8665 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1050 @@ +@@ -0,0 +1,1052 @@ +policy_module(systemd, 1.0.0) + +####################################### 
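Review bot: The new entry `/run/systemd/resolve(/.*)?` is written with a `/run/` prefix while every other runtime path in systemd.fc uses `/var/run/` (see `/var/run/systemd/units(/.*)?` a few lines above); the distribution's path substitution normally makes both forms equivalent, but the file should keep one convention. The changelog names the directory `/run/systemd/resolved/`, which does not match the regex here (`resolve` vs `resolved`), so one of the two is a typo and should be checked against what the daemon actually creates. The entry also lands at the `\ No newline at end of file` position, so the file still ends without a trailing newline.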
@@ -53686,6 +53712,7 @@ index 000000000..74b1b182b + +storage_setattr_removable_dev(systemd_logind_t) +storage_setattr_scsi_generic_dev(systemd_logind_t) ++storage_setattr_fixed_disk_dev(systemd_logind_t) + +term_use_unallocated_ttys(systemd_logind_t) + @@ -54198,7 +54225,7 @@ index 000000000..74b1b182b +# rfkill policy +# + -+allow systemd_rfkill_t self:capability net_admin; ++allow systemd_rfkill_t self:capability { net_admin sys_admin}; +allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms; + +manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t) @@ -54206,6 +54233,7 @@ index 000000000..74b1b182b +init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir, "rfkill") + +kernel_dgram_send(systemd_rfkill_t) ++kernel_dontaudit_request_load_module(systemd_rfkill_t) + +dev_read_sysfs(systemd_rfkill_t) +dev_rw_wireless(systemd_rfkill_t) @@ -55932,7 +55960,7 @@ index db7597682..c54480a1d 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6c0..43497fa3e 100644 +index 9dc60c6c0..6eb0f4ae8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
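Review bot: `allow systemd_rfkill_t self:capability { net_admin sys_admin};` is missing the space before `}` that every other capability set in this file uses; it should read `allow systemd_rfkill_t self:capability { net_admin sys_admin };`. Because sys_admin is the broadest capability in the set, a comment recording which operation required it would make the grant auditable later, e.g. `# BZ(1557595): sys_admin required by rfkill — confirm no narrower capability suffices`.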
@@ -58088,12 +58116,16 @@ index 9dc60c6c0..43497fa3e 100644 ######################################## ## ## Mmap user home files. -@@ -1858,10 +2616,28 @@ interface(`userdom_mmap_user_home_content_files',` - type user_home_dir_t, user_home_t; +@@ -1855,13 +2613,31 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` + # + interface(`userdom_mmap_user_home_content_files',` + gen_require(` +- type user_home_dir_t, user_home_t; ++ type user_home_t; ') - mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ allow $1 user_home_t:file map; files_search_home($1) ') @@ -58282,7 +58314,7 @@ index 9dc60c6c0..43497fa3e 100644 ') ######################################## -@@ -2024,20 +2877,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,21 +2877,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -58296,17 +58328,18 @@ index 9dc60c6c0..43497fa3e 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') --') +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- ######################################## ## + ## Do not audit attempts to execute user home files. @@ -2075,6 +2922,7 @@ interface(`userdom_manage_user_home_content_files',` manage_files_pattern($1, user_home_t, user_home_t) 
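Review bot: In `userdom_mmap_user_home_content_files`, the rule `allow $1 user_home_t:file map;` now grants only `map`, whereas the previous `mmap_files_pattern` call also covered the read side of the file and the search on `user_home_dir_t`, yet the interface description just above the hunk still reads "Mmap user home files". Callers that relied on this one interface to both read and map home files will now need `userdom_read_user_home_content_files` too — the apache change in this same commit does pair them, but other callers are not visible here. Add a sentence to the interface description such as `## Grants only the map permission; callers also need userdom_read_user_home_content_files() for read access.`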
@@ -58460,11 +58493,13 @@ index 9dc60c6c0..43497fa3e 100644 ######################################## ## -@@ -2538,7 +3439,27 @@ interface(`userdom_manage_user_tmp_files',` - ######################################## - ## - ## Create, read, write, and delete user --## temporary symbolic links. +@@ -2535,6 +3436,26 @@ interface(`userdom_manage_user_tmp_files',` + files_search_tmp($1) + ') + ++######################################## ++## ++## Create, read, write, and delete user +## temporary files. +## +## @@ -58482,13 +58517,9 @@ index 9dc60c6c0..43497fa3e 100644 + files_search_tmp($1) +') + -+######################################## -+## -+## Create, read, write, and delete user -+## temporary symbolic links. - ## - ## - ## + ######################################## + ## + ## Create, read, write, and delete user @@ -2555,6 +3476,27 @@ interface(`userdom_manage_user_tmp_symlinks',` files_search_tmp($1) ') diff --git a/policy-f27-contrib.patch b/policy-f27-contrib.patch index fdfe695..f0c8d79 100644 --- a/policy-f27-contrib.patch +++ b/policy-f27-contrib.patch @@ -5663,7 +5663,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..ec925fc02 100644 +index 6649962b6..8b9945a53 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6306,7 +6306,7 @@ index 6649962b6..ec925fc02 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -381,30 +484,40 @@ allow httpd_t self:shm create_shm_perms; +@@ -381,30 +484,41 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; 
@@ -6347,13 +6347,14 @@ index 6649962b6..ec925fc02 100644 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) ++list_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +# cjp: need to refine create interfaces to +# cut this back to add_name only logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,13 +525,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -412,13 +526,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -6377,7 +6378,7 @@ index 6649962b6..ec925fc02 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; -@@ -428,6 +550,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +@@ -428,6 +551,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir) @@ -6385,7 +6386,7 @@ index 6649962b6..ec925fc02 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -435,9 +558,11 @@ manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -435,9 +559,11 @@ manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -6397,7 +6398,7 @@ index 6649962b6..ec925fc02 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +575,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +576,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6641,7 +6642,7 @@ index 6649962b6..ec925fc02 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +758,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +759,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6701,7 +6702,7 @@ index 6649962b6..ec925fc02 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +810,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +811,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6804,7 +6805,7 @@ index 6649962b6..ec925fc02 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +869,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +870,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6885,7 +6886,7 @@ index 6649962b6..ec925fc02 100644 ') optional_policy(` -@@ -749,24 +922,32 @@ optional_policy(` +@@ -749,24 +923,32 @@ optional_policy(` ') optional_policy(` @@ -6924,7 +6925,7 @@ index 6649962b6..ec925fc02 100644 ') optional_policy(` -@@ -775,6 +956,10 @@ optional_policy(` +@@ -775,6 +957,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') 
@@ -6935,7 +6936,7 @@ index 6649962b6..ec925fc02 100644 ') optional_policy(` -@@ -786,35 +971,62 @@ optional_policy(` +@@ -786,35 +972,62 @@ optional_policy(` ') optional_policy(` @@ -7011,7 +7012,7 @@ index 6649962b6..ec925fc02 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1034,31 @@ optional_policy(` +@@ -822,8 +1035,31 @@ optional_policy(` ') optional_policy(` @@ -7043,7 +7044,7 @@ index 6649962b6..ec925fc02 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1067,8 @@ optional_policy(` +@@ -832,6 +1068,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -7052,7 +7053,7 @@ index 6649962b6..ec925fc02 100644 ') optional_policy(` -@@ -841,38 +1078,81 @@ optional_policy(` +@@ -841,38 +1079,81 @@ optional_policy(` openca_kill(httpd_t) ') @@ -7142,7 +7143,7 @@ index 6649962b6..ec925fc02 100644 ') optional_policy(` -@@ -883,65 +1163,189 @@ optional_policy(` +@@ -883,65 +1164,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7354,7 +7355,7 @@ index 6649962b6..ec925fc02 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1354,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1355,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7508,7 +7509,7 @@ index 6649962b6..ec925fc02 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1439,107 @@ optional_policy(` +@@ -1083,172 +1440,107 @@ optional_policy(` ') ') @@ -7746,7 +7747,7 @@ index 6649962b6..ec925fc02 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1547,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1548,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` 
@@ -7844,7 +7845,7 @@ index 6649962b6..ec925fc02 100644 ######################################## # -@@ -1321,8 +1622,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1623,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7861,7 +7862,7 @@ index 6649962b6..ec925fc02 100644 ') ######################################## -@@ -1330,49 +1638,43 @@ optional_policy(` +@@ -1330,49 +1639,46 @@ optional_policy(` # User content local policy # @@ -7909,12 +7910,15 @@ index 6649962b6..ec925fc02 100644 + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) userdom_read_user_home_content_files(httpd_user_script_t) - ') - --optional_policy(` -- postgresql_unpriv_client(httpd_user_script_t) -') - +-optional_policy(` +- postgresql_unpriv_client(httpd_user_script_t) ++ userdom_mmap_user_home_content_files(httpd_t) ++ userdom_mmap_user_home_content_files(httpd_suexec_t) ++ userdom_mmap_user_home_content_files(httpd_user_script_t) + ') + ######################################## # -# Passwd local policy @@ -7930,7 +7934,7 @@ index 6649962b6..ec925fc02 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1384,36 +1686,109 @@ domain_use_interactive_fds(httpd_passwd_t) +@@ -1384,36 +1690,109 @@ domain_use_interactive_fds(httpd_passwd_t) auth_use_nsswitch(httpd_passwd_t) @@ -29433,7 +29437,7 @@ index 50d0084d4..94e193606 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e56772..24c8623c6 100644 +index cf0e56772..645cd5fe6 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; 
@@ -29445,7 +29449,13 @@ index cf0e56772..24c8623c6 100644 allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { accept connectto listen }; allow fail2ban_t self:tcp_socket { accept listen }; -@@ -67,7 +67,6 @@ kernel_read_system_state(fail2ban_t) +@@ -63,11 +63,12 @@ manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) + files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) + + kernel_read_system_state(fail2ban_t) ++kernel_read_network_state(fail2ban_t) ++ + corecmd_exec_bin(fail2ban_t) corecmd_exec_shell(fail2ban_t) @@ -29453,7 +29463,7 @@ index cf0e56772..24c8623c6 100644 corenet_all_recvfrom_netlabel(fail2ban_t) corenet_tcp_sendrecv_generic_if(fail2ban_t) corenet_tcp_sendrecv_generic_node(fail2ban_t) -@@ -82,7 +81,6 @@ domain_use_interactive_fds(fail2ban_t) +@@ -82,7 +83,6 @@ domain_use_interactive_fds(fail2ban_t) domain_dontaudit_read_all_domains_state(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) @@ -29461,7 +29471,7 @@ index cf0e56772..24c8623c6 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -92,23 +90,37 @@ fs_getattr_all_fs(fail2ban_t) +@@ -92,23 +92,37 @@ fs_getattr_all_fs(fail2ban_t) auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) @@ -29503,7 +29513,7 @@ index cf0e56772..24c8623c6 100644 optional_policy(` iptables_domtrans(fail2ban_t) ') -@@ -117,6 +129,10 @@ optional_policy(` +@@ -117,6 +131,10 @@ optional_policy(` libs_exec_ldconfig(fail2ban_t) ') @@ -29514,7 +29524,7 @@ index cf0e56772..24c8623c6 100644 optional_policy(` shorewall_domtrans(fail2ban_t) ') -@@ -126,27 +142,37 @@ optional_policy(` +@@ -126,27 +144,37 @@ optional_policy(` # Client Local policy # @@ -38023,10 +38033,10 @@ index 000000000..8a2013af9 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 000000000..90f346186 +index 000000000..2114bde0b --- /dev/null 
+++ b/gssproxy.te -@@ -0,0 +1,75 @@ +@@ -0,0 +1,80 @@ +policy_module(gssproxy, 1.0.0) + +######################################## @@ -38090,6 +38100,11 @@ index 000000000..90f346186 +userdom_manage_user_tmp_files(gssproxy_t) + +optional_policy(` ++ apache_domtrans(gssproxy_t) ++ apache_systemctl(gssproxy_t) ++') ++ ++optional_policy(` + ipa_read_lib(gssproxy_t) +') + @@ -50315,7 +50330,7 @@ index 327f3f726..d6ae4eab6 100644 + ') ') diff --git a/mandb.te b/mandb.te -index e6136fd37..6975de1e6 100644 +index e6136fd37..da8ae4b16 100644 --- a/mandb.te +++ b/mandb.te @@ -10,22 +10,46 @@ roleattribute system_r mandb_roles; @@ -50341,7 +50356,7 @@ index e6136fd37..6975de1e6 100644 # -allow mandb_t self:capability { setuid setgid }; -+allow mandb_t self:capability { setuid setgid fsetid }; ++allow mandb_t self:capability { dac_read_search dac_override setuid setgid fsetid }; allow mandb_t self:process { setsched signal }; allow mandb_t self:fifo_file rw_fifo_file_perms; allow mandb_t self:unix_stream_socket create_stream_socket_perms; @@ -60088,7 +60103,7 @@ index 0641e970f..f3b111172 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682e6..c1f43fc58 100644 +index 7b3e682e6..7ecc1c88e 100644 --- a/nagios.te +++ b/nagios.te @@ -5,6 +5,33 @@ policy_module(nagios, 1.13.0) @@ -60152,7 +60167,7 @@ index 7b3e682e6..c1f43fc58 100644 type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -63,30 +94,33 @@ files_pid_file(nrpe_var_run_t) +@@ -63,44 +94,49 @@ files_pid_file(nrpe_var_run_t) allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; 
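Review bot: `apache_domtrans(gssproxy_t)` together with `apache_systemctl(gssproxy_t)` lets gssproxy both transition into httpd_t and manage the httpd service, and neither line records which gss-proxy code path needs this; the changelog only cites BZ(1548439) for the domain transition. A comment such as `# BZ(1548439): gssproxy executes httpd — confirm the systemctl grant is exercised` would capture the rationale, and if only the domain transition is actually exercised the service-management grant should be dropped as the smaller policy.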
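Review bot: `allow mandb_t self:capability { dac_read_search dac_override setuid setgid fsetid };` adds dac_override next to dac_read_search; dac_override also bypasses write and execute permission checks, so if mandb only needs to traverse and read directories it could not otherwise access, dac_read_search alone is the smaller grant. The same pairing is added for pcp_pmcd_t and pcp_pmlogger_t in the pcp.te hunks later in this patch. Either reduce to dac_read_search where the observed denials were only read/search, or add a comment naming the bug whose denials showed dac_override, e.g. `# BZ(1529399): dac_override denials observed — confirm dac_read_search is not sufficient`.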
@@ -60194,8 +60209,11 @@ index 7b3e682e6..c1f43fc58 100644 allow nagios_t nagios_plugin_domain:process signal_perms; -@@ -96,11 +130,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms; - allow nagios_t nagios_etc_t:file read_file_perms; + allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms; + + allow nagios_t nagios_etc_t:dir list_dir_perms; +-allow nagios_t nagios_etc_t:file read_file_perms; ++allow nagios_t nagios_etc_t:file { read_file_perms map }; allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms; -allow nagios_t nagios_log_t:dir setattr_dir_perms; @@ -60213,7 +60231,7 @@ index 7b3e682e6..c1f43fc58 100644 manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -@@ -110,11 +146,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) +@@ -110,11 +146,15 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) @@ -60221,6 +60239,7 @@ index 7b3e682e6..c1f43fc58 100644 +manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) +manage_sock_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) +files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file }) ++allow nagios_t nagios_spool_t:file map; manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) @@ -60230,7 +60249,7 @@ index 7b3e682e6..c1f43fc58 100644 kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -123,7 +162,6 @@ kernel_read_software_raid_state(nagios_t) +@@ -123,7 +163,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) 
@@ -60238,7 +60257,7 @@ index 7b3e682e6..c1f43fc58 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,18 +181,16 @@ domain_read_all_domains_state(nagios_t) +@@ -143,18 +182,16 @@ domain_read_all_domains_state(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -60258,7 +60277,7 @@ index 7b3e682e6..c1f43fc58 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -162,6 +198,47 @@ mta_send_mail(nagios_t) +@@ -162,6 +199,47 @@ mta_send_mail(nagios_t) mta_signal_system_mail(nagios_t) mta_kill_system_mail(nagios_t) @@ -60306,7 +60325,7 @@ index 7b3e682e6..c1f43fc58 100644 optional_policy(` netutils_kill_ping(nagios_t) ') -@@ -178,35 +255,38 @@ optional_policy(` +@@ -178,35 +256,38 @@ optional_policy(` # # CGI local policy # @@ -60363,7 +60382,7 @@ index 7b3e682e6..c1f43fc58 100644 ') ######################################## -@@ -214,7 +294,7 @@ optional_policy(` +@@ -214,7 +295,7 @@ optional_policy(` # Nrpe local policy # @@ -60372,7 +60391,7 @@ index 7b3e682e6..c1f43fc58 100644 dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; allow nrpe_t self:fifo_file rw_fifo_file_perms; -@@ -229,9 +309,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) +@@ -229,9 +310,11 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) 
@@ -60380,10 +60399,12 @@ index 7b3e682e6..c1f43fc58 100644 kernel_read_kernel_sysctls(nrpe_t) kernel_read_software_raid_state(nrpe_t) -kernel_read_system_state(nrpe_t) ++ ++can_exec(nagios_t, nagios_exec_t) corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -252,8 +332,8 @@ dev_read_urand(nrpe_t) +@@ -252,8 +335,8 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) @@ -60393,7 +60414,7 @@ index 7b3e682e6..c1f43fc58 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,10 +342,40 @@ auth_use_nsswitch(nrpe_t) +@@ -262,10 +345,40 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) @@ -60436,7 +60457,7 @@ index 7b3e682e6..c1f43fc58 100644 optional_policy(` inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) ') -@@ -309,16 +419,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -309,16 +422,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # Mail local policy # @@ -60457,7 +60478,7 @@ index 7b3e682e6..c1f43fc58 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,9 +455,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,9 +458,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) @@ -60472,7 +60493,7 @@ index 7b3e682e6..c1f43fc58 100644 fs_getattr_all_fs(nagios_checkdisk_plugin_t) storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) -@@ -357,9 +472,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +475,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # @@ -60486,7 +60507,7 @@ index 7b3e682e6..c1f43fc58 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -391,6 +508,11 @@ optional_policy(` +@@ -391,6 +511,11 @@ optional_policy(` optional_policy(` mysql_stream_connect(nagios_services_plugin_t) 
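Review bot: `can_exec(nagios_t, nagios_exec_t)` is inserted between nrpe_t rules under the Nrpe local policy heading (the hunk context is `files_pid_filetrans(nrpe_t, ...)`, `kernel_read_software_raid_state(nrpe_t)` and `corecmd_exec_bin(nrpe_t)`), although it grants a permission to nagios_t. It should move to the nagios_t section so the per-domain grouping the file follows stays intact. A comment citing the bug, e.g. `# BZ(1559683): nagios re-executes its own binary without a domain transition`, would explain why the daemon needs execute access to its own executable type.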
@@ -60498,7 +60519,7 @@ index 7b3e682e6..c1f43fc58 100644 ') optional_policy(` -@@ -402,32 +524,40 @@ optional_policy(` +@@ -402,32 +527,40 @@ optional_policy(` # System local policy # @@ -60542,7 +60563,7 @@ index 7b3e682e6..c1f43fc58 100644 ####################################### # # Event local policy -@@ -442,9 +572,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,9 +575,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -61428,7 +61449,7 @@ index 86dc29dfa..cb39739a5 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f20095e..c2b391ef2 100644 +index 55f20095e..1e368cd95 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -61854,7 +61875,7 @@ index 55f20095e..c2b391ef2 100644 optional_policy(` - # unconfined_dgram_send(NetworkManager_t) - unconfined_stream_connect(NetworkManager_t) -+ ssh_exec(NetworkManager_t) ++ ssh_basic_client_template(NetworkManager, NetworkManager_t, system_r) +') + +optional_policy(` @@ -71358,10 +71379,10 @@ index 000000000..abb250dba +') diff --git a/pcp.te b/pcp.te new file mode 100644 -index 000000000..0b2159a58 +index 000000000..4e5b2ce6b --- /dev/null +++ b/pcp.te -@@ -0,0 +1,325 @@ +@@ -0,0 +1,327 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -71472,7 +71493,7 @@ index 000000000..0b2159a58 +# pcp_pmcd local policy +# + -+allow pcp_pmcd_t self:capability { net_admin sys_admin sys_ptrace }; ++allow pcp_pmcd_t self:capability { dac_read_search dac_override net_admin sys_admin sys_ptrace }; +allow pcp_pmcd_t self:process { setsched }; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms; + 
@@ -71516,6 +71537,7 @@ index 000000000..0b2159a58 +storage_getattr_fixed_disk_dev(pcp_pmcd_t) + +userdom_read_user_tmp_files(pcp_pmcd_t) ++userdom_manage_unpriv_user_semaphores(pcp_pmcd_t) + +optional_policy(` + cron_read_pid_files(pcp_pmcd_t) @@ -71628,6 +71650,7 @@ index 000000000..0b2159a58 +allow pcp_pmie_t pcp_pmcd_t:process signal; + +kernel_read_system_state(pcp_pmie_t) ++kernel_dontaudit_request_load_module(pcp_pmie_t) + +can_exec(pcp_pmie_t, pcp_pmie_exec_t) + @@ -71653,7 +71676,7 @@ index 000000000..0b2159a58 +# pcp_pmlogger local policy +# + -+allow pcp_pmlogger_t self:capability chown; ++allow pcp_pmlogger_t self:capability { dac_read_search dac_override chown }; +allow pcp_pmlogger_t self:process setpgid; +allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read }; + @@ -95381,7 +95404,7 @@ index ef3b22507..b7bd65539 100644 admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) diff --git a/rpm.te b/rpm.te -index 6fc360e60..219964375 100644 +index 6fc360e60..357b304ff 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -95479,7 +95502,7 @@ index 6fc360e60..219964375 100644 manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +@@ -99,23 +99,20 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -95497,6 +95520,7 @@ index 6fc360e60..219964375 100644 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) -files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file }) +files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) ++allow rpm_t rpm_var_lib_t:file map; manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) 
@@ -95507,7 +95531,7 @@ index 6fc360e60..219964375 100644 kernel_read_crypto_sysctls(rpm_t) kernel_read_network_state(rpm_t) -@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t) +@@ -126,41 +123,34 @@ kernel_rw_irq_sysctls(rpm_t) corecmd_exec_all_executables(rpm_t) @@ -95563,7 +95587,7 @@ index 6fc360e60..219964375 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t) +@@ -183,29 +173,49 @@ selinux_compute_relabel_context(rpm_t) selinux_compute_user_contexts(rpm_t) storage_raw_write_fixed_disk(rpm_t) @@ -95615,7 +95639,7 @@ index 6fc360e60..219964375 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -224,13 +233,17 @@ optional_policy(` +@@ -224,13 +234,17 @@ optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -95637,7 +95661,7 @@ index 6fc360e60..219964375 100644 ') ######################################## -@@ -239,18 +252,20 @@ optional_policy(` +@@ -239,18 +253,20 @@ optional_policy(` # allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; @@ -95661,7 +95685,7 @@ index 6fc360e60..219964375 100644 allow rpm_script_t rpm_tmp_t:file read_file_perms; -@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -267,8 +283,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -95672,7 +95696,7 @@ index 6fc360e60..219964375 100644 kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) -@@ -277,45 +293,29 @@ kernel_read_network_state(rpm_script_t) +@@ -277,45 +294,29 @@ kernel_read_network_state(rpm_script_t) kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) @@ -95724,7 +95748,7 @@ index 6fc360e60..219964375 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,73 +331,130 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,73 +332,130 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -95875,7 +95899,7 @@ index 6fc360e60..219964375 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +466,6 @@ optional_policy(` +@@ -409,6 +467,6 @@ optional_policy(` ') optional_policy(` @@ -97998,7 +98022,7 @@ index 50d07fb2e..a15cd5b6b 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441e7..2ba0df201 100644 +index 2b7c441e7..4604774f8 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -98806,7 +98830,7 @@ index 2b7c441e7..2ba0df201 100644 ') optional_policy(` -@@ -606,18 +697,29 @@ optional_policy(` +@@ -606,18 +697,30 @@ optional_policy(` ######################################## # @@ -98835,6 +98859,7 @@ index 2b7c441e7..2ba0df201 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) +manage_sock_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) ++allow smbcontrol_t samba_var_t:file map; + +allow smbcontrol_t nmbd_t:unix_dgram_socket sendto; +allow smbcontrol_t smbd_t:unix_dgram_socket sendto; 
@@ -98842,7 +98867,7 @@ index 2b7c441e7..2ba0df201 100644 samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -627,39 +729,38 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,39 +730,38 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -98894,7 +98919,7 @@ index 2b7c441e7..2ba0df201 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +769,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +770,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -98930,7 +98955,7 @@ index 2b7c441e7..2ba0df201 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +796,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +797,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -99023,7 +99048,7 @@ index 2b7c441e7..2ba0df201 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +875,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +876,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -99047,7 +99072,7 @@ index 2b7c441e7..2ba0df201 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +889,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +890,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -99090,7 +99115,7 @@ index 2b7c441e7..2ba0df201 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +919,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +920,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) 
@@ -99104,7 +99129,7 @@ index 2b7c441e7..2ba0df201 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +942,20 @@ optional_policy(` +@@ -840,17 +943,21 @@ optional_policy(` # Winbind local policy # @@ -99121,6 +99146,7 @@ index 2b7c441e7..2ba0df201 100644 +allow winbind_t self:unix_stream_socket create_stream_socket_perms; +allow winbind_t self:tcp_socket create_stream_socket_perms; +allow winbind_t self:udp_socket create_socket_perms; ++allow winbind_t self:socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; @@ -99131,7 +99157,7 @@ index 2b7c441e7..2ba0df201 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +965,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +967,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -99142,7 +99168,7 @@ index 2b7c441e7..2ba0df201 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -870,41 +973,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) +@@ -870,41 +975,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) files_var_filetrans(winbind_t, samba_var_t, dir, "samba") @@ -99201,7 +99227,7 @@ index 2b7c441e7..2ba0df201 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +1020,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +1022,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) 
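Review bot: `allow winbind_t self:socket create_socket_perms;` in the `@@ -99121,6 +99146,7 @@` hunk grants the generic `socket` class, which is the fallback for address families that have no dedicated object class, so it is broader than the tcp_socket, udp_socket and unix_stream_socket rules it sits next to. A comment naming the family seen in the BZ(1559795) denial, e.g. `# generic socket class: <family from the BZ(1559795) AVC> sockets created by winbind`, would let a later reviewer check whether a specific class now exists and narrow the rule. The winbind_t block continues outside the hunk.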
@@ -99260,7 +99286,7 @@ index 2b7c441e7..2ba0df201 100644 ') optional_policy(` -@@ -959,31 +1081,36 @@ optional_policy(` +@@ -959,31 +1083,36 @@ optional_policy(` # Winbind helper local policy # @@ -99304,7 +99330,7 @@ index 2b7c441e7..2ba0df201 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1124,38 @@ optional_policy(` +@@ -997,25 +1126,38 @@ optional_policy(` ######################################## # @@ -104972,7 +104998,7 @@ index 000000000..88490d5c6 + diff --git a/snapper.te b/snapper.te new file mode 100644 -index 000000000..7175431ff +index 000000000..c0f644f3d --- /dev/null +++ b/snapper.te @@ -0,0 +1,89 @@ @@ -105017,7 +105043,7 @@ index 000000000..7175431ff +manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) +manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) +manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) -+allow snapperd_t snapperd_data_t:dir mounton; ++allow snapperd_t snapperd_data_t:dir { relabelfrom relabelto mounton }; +allow snapperd_t snapperd_data_t:file relabelfrom; +snapper_filetrans_named_content(snapperd_t) + @@ -112905,10 +112931,10 @@ index 000000000..ae28ea326 +/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0) diff --git a/tomcat.if b/tomcat.if new file mode 100644 -index 000000000..e5cec8fda +index 000000000..e032dfcd5 --- /dev/null +++ b/tomcat.if -@@ -0,0 +1,396 @@ +@@ -0,0 +1,397 @@ + +## policy for tomcat + @@ -112976,6 +113002,7 @@ index 000000000..e5cec8fda + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir }) ++ allow $1_t $1_tmp_t:file map; + + can_exec($1_t, $1_exec_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 3106b31..20f56ce 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
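Review bot: In the `@@ -105017,7 +105043,7 @@` hunk the dir rule becomes `{ relabelfrom relabelto mounton }` while the file rule on the following line stays `relabelfrom` only, so snapperd_t can relabel files away from snapperd_data_t but not to it. If snapperd also relabels files to snapperd_data_t (the changelog entry says only "relabel snapperd_data_t"), `allow snapperd_t snapperd_data_t:file { relabelfrom relabelto };` would be needed; if the asymmetry is intended, a short comment stating the direction would keep it from reading as an omission. The snapperd_t local policy starts before the hunk.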
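Review bot: The added `allow $1_t $1_tmp_t:file map;` in the `@@ -112976,6 +113002,7 @@` hunk sits inside what appears to be a template in tomcat.if parameterised by `$1`, so the map permission is granted to every domain instantiated from it, not only pki_tomcat_t as the changelog entry "Add allow to map for pki_tomcat_t" states. If only pki_tomcat_t needs it, the rule belongs in that domain's local policy; if all tomcat-derived domains need it, the changelog wording should say so. The enclosing template begins outside the hunk.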
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 283.28%{?dist}
+Release: 283.29%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -716,6 +716,46 @@
 exit 0
 %endif
 %changelog
+* Sun Mar 25 2018 Lukas Vrabec - 3.13.1-283.29
+- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)
+- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)
+- Allow nagios to mmap nagios config files BZ(1559683)
+- Add a policy for conntrackd
+- Fix typo in NetworkManager module
+- Fix bug in gssproxy SELinux module
+- Allow networkmanager to be run ssh client BZ(1558441)
+- Allow pcp domains to do dc override BZ(1557913)
+- Dontaudit pcp_pmie_t to reaquest lost kernel module
+- Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)
+- Allow httpd_t to read httpd_log_t dirs BZ(1554912)
+- Allow fail2ban_t to read system network state BZ(1557752)
+- Allow dac override capability to mandb_t domain BZ(1529399)
+- Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)
+- Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)
+- Allow snapperd to relabel snapperd_data_t
+- Add allow to map for pki_tomcat_t
+- Allow rpm domain to mmap rpm_var_lib_t files
+- Allow tor_t domain to execute bin_t files BZ(1496274)
+- Allow iscsid_t domain to mmap kernel modules BZ(1553759)
+- Update minidlna SELinux policy BZ(1554087)
+- Allow motion_t domain to read sysfs_t files BZ(1554142
+- Allow systemd create stream socket permissions BZ(1560195)
+- Allow insmod_t to load modules BZ(1544189)
+- Allow systemd_rfkill_t domain sys_admin capability BZ(1557595)
+- Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)
+- Improve userdom_mmap_user_home_content_files
+- Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)
+- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module
+- Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227)
+- Allow secadm_t domain to mmap audit config and log files
+- Update init_abstract_socket_activation() to allow also creating tcp sockets
+- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.
+- Create new type bpf_t and label /sys/fs/bpf with this type
+- Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)
+- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
+- Allow xdm_t domain to sys_ptrace BZ(1554150)
+- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
+
 * Mon Mar 12 2018 Lukas Vrabec - 3.13.1-283.28
 - Allow tor_t domain to execute bin_t files BZ(1496274)
 - Allow iscsid_t domain to mmap kernel modules BZ(1553759)