From e2a28e430a0f44202e03395db25ac34f023c5ee6 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 10 2011 21:06:36 +0000 Subject: - More dontaudits of writes from readahead - Dontaudit readahead_t file_type:dir write, to cover up kernel bug - systemd_tmpfiles needs to relabel faillog directory as well as the file - Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost --- diff --git a/policy-F15.patch b/policy-F15.patch index d97462d..0864f46 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -454,10 +454,10 @@ index 9de382b..682e78e 100644 optional_policy(` apache_exec_modules(certwatch_t) diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index cd5e005..24f73ca 100644 +index cd5e005..a4a739e 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te -@@ -48,6 +48,7 @@ mls_file_read_all_levels(consoletype_t) +@@ -48,11 +48,13 @@ mls_file_read_all_levels(consoletype_t) mls_file_write_all_levels(consoletype_t) term_use_all_terms(consoletype_t) @@ -465,7 +465,13 @@ index cd5e005..24f73ca 100644 init_use_fds(consoletype_t) init_use_script_ptys(consoletype_t) -@@ -79,16 +80,18 @@ optional_policy(` + init_use_script_fds(consoletype_t) + init_rw_script_pipes(consoletype_t) ++init_rw_inherited_script_tmp_files(consoletype_t) + + userdom_use_user_terminals(consoletype_t) + +@@ -79,16 +81,18 @@ optional_policy(` ') optional_policy(` @@ -488,7 +494,7 @@ index cd5e005..24f73ca 100644 ') optional_policy(` -@@ -114,6 +117,7 @@ optional_policy(` +@@ -114,6 +118,7 @@ optional_policy(` optional_policy(` userdom_use_unpriv_users_fds(consoletype_t) @@ -1432,7 +1438,7 @@ index 47c4723..ca58272 100644 +') + diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te -index b4ac57e..d3b51b7 100644 +index b4ac57e..9702e8c 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; @@ -1462,21 +1468,26 @@ index b4ac57e..d3b51b7 100644 kernel_read_all_sysctls(readahead_t) kernel_read_system_state(readahead_t) -@@ -53,10 +56,13 @@ domain_read_all_domains_state(readahead_t) +@@ -53,10 +56,18 @@ domain_read_all_domains_state(readahead_t) files_list_non_security(readahead_t) files_read_non_security_files(readahead_t) +files_dontaudit_read_security_files(readahead_t) -+files_dontaudit_write_all_files(readahead_t) files_create_boot_flag(readahead_t) files_getattr_all_pipes(readahead_t) files_dontaudit_getattr_all_sockets(readahead_t) files_dontaudit_getattr_non_security_blk_files(readahead_t) +files_dontaudit_all_access_check(readahead_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ files_dontaudit_write_all_files(readahead_t) ++ dev_dontaudit_write_all_chr_files(readahead_t) ++ dev_dontaudit_write_all_blk_files(readahead_t) ++') fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -66,12 +72,14 @@ fs_read_cgroup_files(readahead_t) +@@ -66,12 +77,14 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) @@ -2354,7 +2365,7 @@ index d5aaf0e..689b2fd 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..9b0f49e 100644 +index 6a5004b..b6ede9a 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -2365,7 +2376,7 @@ index 6a5004b..9b0f49e 100644 application_domain(tmpreaper_t, tmpreaper_exec_t) role system_r types tmpreaper_t; -@@ -25,8 +26,11 @@ fs_getattr_xattr_fs(tmpreaper_t) +@@ -25,11 +26,16 @@ fs_getattr_xattr_fs(tmpreaper_t) files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) @@ -2377,7 +2388,12 @@ index 6a5004b..9b0f49e 100644 files_getattr_all_dirs(tmpreaper_t) files_getattr_all_files(tmpreaper_t) -@@ -38,7 +42,9 @@ logging_send_syslog_msg(tmpreaper_t) ++mcs_file_read_all(tmpreaper_t) ++mcs_file_write_all(tmpreaper_t) + mls_file_read_all_levels(tmpreaper_t) + mls_file_write_all_levels(tmpreaper_t) + +@@ -38,7 +44,9 @@ logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) @@ -2388,7 +2404,7 @@ index 6a5004b..9b0f49e 100644 ifdef(`distro_redhat',` userdom_list_user_home_content(tmpreaper_t) -@@ -52,7 +58,9 @@ optional_policy(` +@@ -52,7 +60,9 @@ optional_policy(` ') optional_policy(` @@ -2398,7 +2414,7 @@ index 6a5004b..9b0f49e 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,6 +74,14 @@ optional_policy(` +@@ -66,6 +76,14 @@ optional_policy(` ') optional_policy(` @@ -5385,7 +5401,7 @@ index 9a6d67d..d88c02c 100644 +') + diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..9b22659 100644 +index 2a91fa8..224d6dc 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) @@ -5467,7 +5483,7 @@ index 2a91fa8..9b22659 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,183 @@ optional_policy(` +@@ -266,3 +291,191 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -5586,6 +5602,14 @@ index 2a91fa8..9b22659 100644 +userdom_read_home_certs(mozilla_plugin_t) +userdom_dontaudit_write_home_certs(mozilla_plugin_t) + ++tunable_policy(`allow_execmem',` ++ allow mozilla_plugin_t self:process { execmem execstack }; ++') ++ ++tunable_policy(`allow_execstack',` ++ allow mozilla_plugin_t self:process { execstack }; ++') ++ +optional_policy(` + alsa_read_rw_config(mozilla_plugin_t) + alsa_read_home_files(mozilla_plugin_t) @@ -7628,10 +7652,10 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..2280381 +index 0000000..f2201d7 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,474 @@ +@@ -0,0 +1,476 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -7768,6 +7792,7 @@ index 0000000..2280381 +manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); +manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); +manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t); ++dontaudit sandbox_domain sandbox_file_t:dir mounton; + +gen_require(` + type usr_t, lib_t, locale_t; @@ -7849,6 +7874,7 @@ index 0000000..2280381 +fs_getattr_tmpfs(sandbox_x_domain) +fs_getattr_xattr_fs(sandbox_x_domain) +fs_list_inotifyfs(sandbox_x_domain) ++fs_dontaudit_getattr_xattr_fs(sandbox_x_domain) + +auth_dontaudit_read_login_records(sandbox_x_domain) +auth_dontaudit_write_login_records(sandbox_x_domain) @@ -9946,7 +9972,7 @@ index 3ff4f60..89ffda6 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index aad8c52..6ac24b0 100644 +index aad8c52..edc8af9 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',` @@ -9993,7 +10019,32 @@ index aad8c52..6ac24b0 100644 ## ## ## -@@ -1260,6 +1279,24 @@ interface(`domain_exec_all_entry_files',` +@@ -886,6 +905,24 @@ interface(`domain_getsched_all_domains',` + + ######################################## + ## ++## Get the capability information of all domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`domain_getcap_all_domains',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ allow $1 domain:process getcap; ++') ++ ++######################################## ++## + ## Get the attributes of all domains + ## sockets, for all socket types. + ## +@@ -1260,6 +1297,24 @@ interface(`domain_exec_all_entry_files',` ######################################## ## @@ -10018,7 +10069,7 @@ index aad8c52..6ac24b0 100644 ## dontaudit checking for execute on all entry point files ## ## -@@ -1473,3 +1510,22 @@ interface(`domain_unconfined',` +@@ -1473,3 +1528,22 @@ interface(`domain_unconfined',` typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; ') @@ -10333,7 +10384,7 @@ index 16108f6..2abd3eb 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..d451c3f 100644 +index 958ca84..b1242ff 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -11521,7 +11572,7 @@ index 958ca84..d451c3f 100644 + attribute file_type; + ') + -+ dontaudit $1 file_type:file_class_set write; ++ dontaudit $1 file_type:dir_file_class_set write; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 6e01635..212a736 100644 @@ -12702,7 +12753,7 @@ index a9b8982..57c4a6a 100644 +/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 3723150..bde6daa 100644 +index 3723150..d6d1dbe 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` @@ -12714,20 +12765,30 @@ index 3723150..bde6daa 100644 typeattribute $1 fixed_disk_raw_read; ') -@@ -203,6 +205,8 @@ interface(`storage_create_fixed_disk_dev',` +@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',` type fixed_disk_device_t; ') + allow $1 self:capability mknod; + allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; ++ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms; dev_add_entry_generic_dirs($1) ') + diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 3994e57..43aa641 100644 +index 3994e57..a1923fe 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc -@@ -18,6 +18,7 @@ +@@ -6,6 +6,7 @@ + /dev/console -c gen_context(system_u:object_r:console_device_t,s0) + /dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/hpilo/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) +@@ -18,6 +19,7 @@ /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) @@ -12735,7 +12796,7 @@ index 3994e57..43aa641 100644 /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) -@@ -40,3 +41,5 @@ ifdef(`distro_gentoo',` +@@ -40,3 +42,5 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') @@ -20408,13 +20469,14 @@ index 0258b48..8fde016 100644 manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc new file mode 100644 -index 0000000..7a01ff6 +index 0000000..0a83e88 --- /dev/null +++ b/policy/modules/services/colord.fc -@@ -0,0 +1,4 @@ +@@ -0,0 +1,5 @@ + +/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) + ++/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) +/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if new file mode 100644 @@ -20466,10 +20528,10 @@ index 0000000..38cb883 + diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..0ecb72e +index 0000000..173e56f --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,78 @@ +policy_module(colord,1.0.0) + +######################################## @@ -20509,6 +20571,7 @@ index 0000000..0ecb72e + +corenet_udp_bind_generic_node(colord_t) +corenet_udp_bind_ipp_port(colord_t) ++corenet_tcp_connect_ipp_port(colord_t) + +dev_read_raw_memory(colord_t) +dev_write_raw_memory(colord_t) @@ -20519,6 +20582,8 @@ index 0000000..0ecb72e +dev_read_urand(colord_t) +dev_list_sysfs(colord_t) +dev_read_generic_usb_dev(colord_t) ++storage_read_scsi_generic(colord_t) ++storage_write_scsi_generic(colord_t) + +domain_use_interactive_fds(colord_t) + @@ -20536,6 +20601,13 @@ index 0000000..0ecb72e +') + +optional_policy(` ++ policykit_dbus_chat(colord_t) ++ policykit_domtrans_auth(colord_t) ++ policykit_read_lib(colord_t) ++ policykit_read_reload(colord_t) ++') ++ ++optional_policy(` + udev_read_db(colord_t) +') diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if @@ -22048,7 +22120,7 @@ index a8b93c0..831ce70 100644 type dante_var_run_t; files_pid_file(dante_var_run_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..2f38c31 100644 +index 0d5711c..cee56c8 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -22073,7 +22145,18 @@ index 0d5711c..2f38c31 100644 ubac_constrained($1_dbusd_t) role $2 types $1_dbusd_t; -@@ -76,7 +75,7 @@ template(`dbus_role_template',` +@@ -62,8 +61,9 @@ template(`dbus_role_template',` + # Local policy + # + ++ dontaudit $1_dbusd_t self:capability sys_resource; + allow $1_dbusd_t self:process { getattr sigkill signal }; +- dontaudit $1_dbusd_t self:process ptrace; ++ dontaudit $1_dbusd_t self:process { ptrace setrlimit }; + allow $1_dbusd_t self:file { getattr read write }; + allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; + allow $1_dbusd_t self:dbus { send_msg acquire_svc }; +@@ -76,7 +76,7 @@ template(`dbus_role_template',` allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions @@ -22082,7 +22165,7 @@ index 0d5711c..2f38c31 100644 allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -@@ -88,14 +87,16 @@ template(`dbus_role_template',` +@@ -88,14 +88,16 @@ template(`dbus_role_template',` files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) @@ -22102,7 +22185,7 @@ index 0d5711c..2f38c31 100644 kernel_read_system_state($1_dbusd_t) kernel_read_kernel_sysctls($1_dbusd_t) -@@ -116,7 +117,7 @@ template(`dbus_role_template',` +@@ -116,7 +118,7 @@ template(`dbus_role_template',` dev_read_urand($1_dbusd_t) @@ -22111,7 +22194,7 @@ index 0d5711c..2f38c31 100644 domain_read_all_domains_state($1_dbusd_t) files_read_etc_files($1_dbusd_t) -@@ -149,17 +150,25 @@ template(`dbus_role_template',` +@@ -149,17 +151,25 @@ template(`dbus_role_template',` term_use_all_terms($1_dbusd_t) @@ -22139,7 +22222,7 @@ index 0d5711c..2f38c31 100644 xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) ') -@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',` +@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -22152,7 +22235,7 @@ index 0d5711c..2f38c31 100644 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -197,6 +208,34 @@ interface(`dbus_system_bus_client',` +@@ -197,6 +209,34 @@ interface(`dbus_system_bus_client',` ####################################### ## @@ -22187,7 +22270,7 @@ index 0d5711c..2f38c31 100644 ## Template for creating connections to ## a user DBUS. ## -@@ -217,6 +256,8 @@ interface(`dbus_session_bus_client',` +@@ -217,6 +257,8 @@ interface(`dbus_session_bus_client',` # For connecting to the bus allow $1 session_bus_type:unix_stream_socket connectto; @@ -22196,7 +22279,7 @@ index 0d5711c..2f38c31 100644 ') ######################################## -@@ -431,14 +472,28 @@ interface(`dbus_system_domain',` +@@ -431,14 +473,28 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -22226,7 +22309,7 @@ index 0d5711c..2f38c31 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -497,3 +552,23 @@ interface(`dbus_unconfined',` +@@ -497,3 +553,23 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -22251,17 +22334,17 @@ index 0d5711c..2f38c31 100644 +') + diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 86d09b4..1c0dd9b 100644 +index 86d09b4..8e05351 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te -@@ -33,6 +33,7 @@ files_tmp_file(system_dbusd_tmp_t) - - type system_dbusd_var_lib_t; - files_type(system_dbusd_var_lib_t) -+init_sock_file(system_dbusd_var_lib_t) +@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t) type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) ++init_sock_file(system_dbusd_var_run_t) + + ifdef(`enable_mcs',` + init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) @@ -52,9 +53,9 @@ ifdef(`enable_mls',` # dac_override: /var/run/dbus is owned by messagebus on Debian @@ -35577,18 +35660,19 @@ index 852840b..1244ab2 100644 + ') ') diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te -index 0a76027..364903e 100644 +index 0a76027..3c00e89 100644 --- a/policy/modules/services/remotelogin.te +++ b/policy/modules/services/remotelogin.te -@@ -49,6 +49,7 @@ fs_getattr_xattr_fs(remote_login_t) +@@ -49,6 +49,8 @@ fs_getattr_xattr_fs(remote_login_t) fs_search_auto_mountpoints(remote_login_t) term_relabel_all_ptys(remote_login_t) +term_use_all_ptys(remote_login_t) ++term_setattr_all_ptys(remote_login_t) auth_rw_login_records(remote_login_t) auth_rw_faillog(remote_login_t) -@@ -77,7 +78,7 @@ files_list_mnt(remote_login_t) +@@ -77,7 +79,7 @@ files_list_mnt(remote_login_t) # for when /var/mail is a sym-link files_read_var_symlinks(remote_login_t) @@ -35597,7 +35681,7 @@ index 0a76027..364903e 100644 miscfiles_read_localization(remote_login_t) -@@ -87,9 +88,7 @@ userdom_search_user_home_content(remote_login_t) +@@ -87,9 +89,7 @@ userdom_search_user_home_content(remote_login_t) # since very weak authentication is used. userdom_signal_unpriv_users(remote_login_t) userdom_spec_domtrans_unpriv_users(remote_login_t) @@ -35608,7 +35692,7 @@ index 0a76027..364903e 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(remote_login_t) -@@ -106,15 +105,15 @@ optional_policy(` +@@ -106,15 +106,15 @@ optional_policy(` ') optional_policy(` @@ -39577,7 +39661,7 @@ index 22adaca..d9913e0 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..f5c37de 100644 +index 2dad3c8..d060ae4 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -39716,7 +39800,7 @@ index 2dad3c8..f5c37de 100644 seutil_read_config(ssh_t) -@@ -169,14 +176,18 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) +@@ -169,14 +176,19 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -39725,6 +39809,7 @@ index 2dad3c8..f5c37de 100644 userdom_read_user_tmp_files(ssh_t) +userdom_write_user_tmp_files(ssh_t) +userdom_read_user_home_content_symlinks(ssh_t) ++userdom_read_home_certs(ssh_t) tunable_policy(`allow_ssh_keysign',` - domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) @@ -39740,7 +39825,7 @@ index 2dad3c8..f5c37de 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -196,10 +207,15 @@ tunable_policy(`user_tcp_server',` +@@ -196,10 +208,15 @@ tunable_policy(`user_tcp_server',` ') optional_policy(` @@ -39756,7 +39841,7 @@ index 2dad3c8..f5c37de 100644 ############################## # # ssh_keysign_t local policy -@@ -209,7 +225,7 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,7 +226,7 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -39765,7 +39850,7 @@ index 2dad3c8..f5c37de 100644 dev_read_urand(ssh_keysign_t) -@@ -232,33 +248,43 @@ optional_policy(` +@@ -232,33 +249,43 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -39818,7 +39903,7 @@ index 2dad3c8..f5c37de 100644 ') optional_policy(` -@@ -266,11 +292,24 @@ optional_policy(` +@@ -266,11 +293,24 @@ optional_policy(` ') optional_policy(` @@ -39844,7 +39929,7 @@ index 2dad3c8..f5c37de 100644 ') optional_policy(` -@@ -284,6 +323,11 @@ optional_policy(` +@@ -284,6 +324,11 @@ optional_policy(` ') optional_policy(` @@ -39856,7 +39941,7 @@ index 2dad3c8..f5c37de 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +336,26 @@ optional_policy(` +@@ -292,26 +337,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -39902,7 +39987,7 @@ index 2dad3c8..f5c37de 100644 ') dnl endif TODO ######################################## -@@ -324,12 +368,15 @@ tunable_policy(`ssh_sysadm_login',` +@@ -324,12 +369,15 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; @@ -39919,7 +40004,7 @@ index 2dad3c8..f5c37de 100644 kernel_read_kernel_sysctls(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) -@@ -353,7 +400,7 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,7 +401,7 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -45028,7 +45113,7 @@ index 88df85d..2fa3974 100644 ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 2952cef..4485fd5 100644 +index 2952cef..d845132 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -10,6 +10,7 @@ @@ -45051,12 +45136,12 @@ index 2952cef..4485fd5 100644 /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) -+/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) ++/var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0) /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 42b4f0f..e6b751b 100644 +index 42b4f0f..76bba85 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -45124,15 +45209,16 @@ index 42b4f0f..e6b751b 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -141,6 +158,7 @@ interface(`auth_login_pgm_domain',` +@@ -141,6 +158,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) ++ auth_manage_faillog($1) + auth_manage_pam_pid($1) auth_use_pam($1) init_rw_utmp($1) -@@ -151,8 +169,45 @@ interface(`auth_login_pgm_domain',` +@@ -151,8 +170,45 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -45180,7 +45266,7 @@ index 42b4f0f..e6b751b 100644 ') ') -@@ -365,13 +420,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -365,13 +421,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -45197,7 +45283,7 @@ index 42b4f0f..e6b751b 100644 ') ######################################## -@@ -418,6 +475,7 @@ interface(`auth_run_chk_passwd',` +@@ -418,6 +476,7 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -45205,7 +45291,7 @@ index 42b4f0f..e6b751b 100644 ') ######################################## -@@ -694,7 +752,7 @@ interface(`auth_relabel_shadow',` +@@ -694,7 +753,7 @@ interface(`auth_relabel_shadow',` ') files_search_etc($1) @@ -45214,7 +45300,7 @@ index 42b4f0f..e6b751b 100644 typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -736,6 +794,43 @@ interface(`auth_rw_faillog',` +@@ -736,6 +795,46 @@ interface(`auth_rw_faillog',` allow $1 faillog_t:file rw_file_perms; ') @@ -45233,6 +45319,7 @@ index 42b4f0f..e6b751b 100644 + type faillog_t; + ') + ++ allow $1 faillog_t:dir relabel_dir_perms; + allow $1 faillog_t:file relabel_file_perms; +') + @@ -45252,13 +45339,15 @@ index 42b4f0f..e6b751b 100644 + ') + + logging_search_logs($1) ++ files_search_pids($1) ++ allow $1 faillog_t:dir manage_dir_perms; + allow $1 faillog_t:file manage_file_perms; +') + ####################################### ## ## Read the last logins log. -@@ -874,6 +969,46 @@ interface(`auth_exec_pam',` +@@ -874,6 +973,46 @@ interface(`auth_exec_pam',` ######################################## ## @@ -45305,7 +45394,7 @@ index 42b4f0f..e6b751b 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -896,6 +1031,26 @@ interface(`auth_manage_var_auth',` +@@ -896,6 +1035,26 @@ interface(`auth_manage_var_auth',` ######################################## ## @@ -45332,7 +45421,7 @@ index 42b4f0f..e6b751b 100644 ## Read PAM PID files. ## ## -@@ -1093,6 +1248,24 @@ interface(`auth_delete_pam_console_data',` +@@ -1093,6 +1252,24 @@ interface(`auth_delete_pam_console_data',` ######################################## ## @@ -45357,7 +45446,7 @@ index 42b4f0f..e6b751b 100644 ## Read all directories on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1326,6 +1499,25 @@ interface(`auth_setattr_login_records',` +@@ -1326,6 +1503,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -45383,7 +45472,7 @@ index 42b4f0f..e6b751b 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1500,28 +1692,36 @@ interface(`auth_manage_login_records',` +@@ -1500,28 +1696,36 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -45427,7 +45516,7 @@ index 42b4f0f..e6b751b 100644 optional_policy(` kerberos_use($1) ') -@@ -1531,7 +1731,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1735,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -45810,7 +45899,7 @@ index ede3231..6cdbda3 100644 auth_rw_login_records(getty_t) diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index c310775..d5fc685 100644 +index c310775..80e513b 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -28,15 +28,18 @@ dev_read_sysfs(hostname_t) @@ -45832,6 +45921,14 @@ index c310775..d5fc685 100644 fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) +@@ -46,6 +49,7 @@ term_use_all_ptys(hostname_t) + init_use_fds(hostname_t) + init_use_script_fds(hostname_t) + init_use_script_ptys(hostname_t) ++init_rw_inherited_script_tmp_files(hostname_t) + + logging_send_syslog_msg(hostname_t) + diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te index 882c6a2..d0ff4ec 100644 --- a/policy/modules/system/hotplug.te @@ -45893,7 +45990,7 @@ index 354ce93..f7cda1c 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..6a82950 100644 +index cc83689..3596325 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,40 @@ interface(`init_script_domain',` @@ -46327,7 +46424,32 @@ index cc83689..6a82950 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1674,7 +1886,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1519,6 +1731,24 @@ interface(`init_rw_script_tmp_files',` + + ######################################## + ## ++## Read and write init script inherited temporary data. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_rw_inherited_script_tmp_files',` ++ gen_require(` ++ type initrc_tmp_t; ++ ') ++ ++ allow $1 initrc_tmp_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Create files in a init script + ## temporary data directory. + ## +@@ -1674,7 +1904,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -46336,7 +46458,7 @@ index cc83689..6a82950 100644 ') ######################################## -@@ -1749,3 +1961,120 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +1979,120 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -46458,7 +46580,7 @@ index cc83689..6a82950 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..2370758 100644 +index ea29513..cd82670 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -46817,7 +46939,15 @@ index ea29513..2370758 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +492,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -316,6 +485,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) + domain_dontaudit_getattr_all_tcp_sockets(initrc_t) + domain_dontaudit_getattr_all_dgram_sockets(initrc_t) + domain_dontaudit_getattr_all_pipes(initrc_t) ++domain_obj_id_change_exemption(initrc_t) + + files_getattr_all_dirs(initrc_t) + files_getattr_all_files(initrc_t) +@@ -323,8 +493,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -46829,7 +46959,7 @@ index ea29513..2370758 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +511,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +512,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -46843,7 +46973,7 @@ index ea29513..2370758 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +526,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +527,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -46852,7 +46982,7 @@ index ea29513..2370758 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +540,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +541,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -46860,7 +46990,7 @@ index ea29513..2370758 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +552,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +553,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -46868,7 +46998,7 @@ index ea29513..2370758 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,13 +573,12 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +574,12 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -46884,7 +47014,7 @@ index ea29513..2370758 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -478,7 +656,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +657,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -46893,7 +47023,7 @@ index ea29513..2370758 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -524,6 +702,23 @@ ifdef(`distro_redhat',` +@@ -524,6 +703,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -46917,7 +47047,7 @@ index ea29513..2370758 100644 ') optional_policy(` -@@ -531,10 +726,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +727,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -46935,7 +47065,7 @@ index ea29513..2370758 100644 ') optional_policy(` -@@ -549,6 +751,39 @@ ifdef(`distro_suse',` +@@ -549,6 +752,39 @@ ifdef(`distro_suse',` ') ') @@ -46975,7 +47105,7 @@ index ea29513..2370758 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +796,8 @@ optional_policy(` +@@ -561,6 +797,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -46984,7 +47114,7 @@ index ea29513..2370758 100644 ') optional_policy(` -@@ -577,6 +814,7 @@ optional_policy(` +@@ -577,6 +815,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -46992,7 +47122,7 @@ index ea29513..2370758 100644 ') optional_policy(` -@@ -589,6 +827,11 @@ optional_policy(` +@@ -589,6 +828,11 @@ optional_policy(` ') optional_policy(` @@ -47004,7 +47134,7 @@ index ea29513..2370758 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +848,13 @@ optional_policy(` +@@ -605,9 +849,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -47018,7 +47148,7 @@ index ea29513..2370758 100644 ') optional_policy(` -@@ -649,6 +896,11 @@ optional_policy(` +@@ -649,6 +897,11 @@ optional_policy(` ') optional_policy(` @@ -47030,7 +47160,7 @@ index ea29513..2370758 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +958,13 @@ optional_policy(` +@@ -706,7 +959,13 @@ optional_policy(` ') optional_policy(` @@ -47044,7 +47174,7 @@ index ea29513..2370758 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +987,10 @@ optional_policy(` +@@ -729,6 +988,10 @@ optional_policy(` ') optional_policy(` @@ -47055,7 +47185,7 @@ index ea29513..2370758 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1000,20 @@ optional_policy(` +@@ -738,10 +1001,20 @@ optional_policy(` ') optional_policy(` @@ -47076,7 +47206,7 @@ index ea29513..2370758 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1022,10 @@ optional_policy(` +@@ -750,6 +1023,10 @@ optional_policy(` ') optional_policy(` @@ -47087,7 +47217,7 @@ index ea29513..2370758 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1047,6 @@ optional_policy(` +@@ -771,8 +1048,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -47096,7 +47226,7 @@ index ea29513..2370758 100644 ') optional_policy(` -@@ -781,14 +1055,21 @@ optional_policy(` +@@ -781,14 +1056,21 @@ optional_policy(` ') optional_policy(` @@ -47118,7 +47248,7 @@ index ea29513..2370758 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -810,11 +1091,19 @@ optional_policy(` +@@ -810,11 +1092,19 @@ optional_policy(` ') optional_policy(` @@ -47139,7 +47269,7 @@ index ea29513..2370758 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1113,25 @@ optional_policy(` +@@ -824,6 +1114,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -47165,7 +47295,7 @@ index ea29513..2370758 100644 ') optional_policy(` -@@ -849,3 +1157,37 @@ optional_policy(` +@@ -849,3 +1158,37 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -51291,10 +51421,10 @@ index 0000000..1d17a7b +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..23d4b0c +index 0000000..17f7ea8 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,138 @@ +@@ -0,0 +1,144 @@ + +policy_module(systemd, 1.0.0) + @@ -51397,6 +51527,11 @@ index 0000000..23d4b0c + +seutil_read_file_contexts(systemd_tmpfiles_t) + ++mcs_file_read_all(systemd_tmpfiles_t) ++mcs_file_write_all(systemd_tmpfiles_t) ++mls_file_read_all_levels(systemd_tmpfiles_t) ++mls_file_write_all_levels(systemd_tmpfiles_t) ++ +logging_create_devlog_dev(systemd_tmpfiles_t) +logging_send_syslog_msg(systemd_tmpfiles_t) + @@ -51409,6 +51544,7 @@ index 0000000..23d4b0c +') + +optional_policy(` ++ rpm_read_db(systemd_tmpfiles_t) + rpm_delete_db(systemd_tmpfiles_t) +') + @@ -52468,7 +52604,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..774a8cc 100644 +index 28b88de..16bb892 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -53656,7 +53792,7 @@ index 28b88de..774a8cc 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,6 +1342,8 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1342,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -53665,7 +53801,12 @@ index 28b88de..774a8cc 100644 domain_setpriority_all_domains($1_t) domain_read_all_domains_state($1_t) -@@ -1119,15 +1358,19 @@ template(`userdom_admin_user_template',` + domain_getattr_all_domains($1_t) ++ domain_getcap_all_domains($1_t) + domain_dontaudit_ptrace_all_domains($1_t) + # signal all domains: + domain_kill_all_domains($1_t) +@@ -1119,15 +1359,19 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -53685,7 +53826,7 @@ index 28b88de..774a8cc 100644 term_use_all_terms($1_t) -@@ -1141,7 +1384,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1385,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -53697,7 +53838,7 @@ index 28b88de..774a8cc 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1456,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1457,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -53706,7 +53847,7 @@ index 28b88de..774a8cc 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1470,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1471,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -53714,7 +53855,7 @@ index 28b88de..774a8cc 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1486,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1487,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -53722,7 +53863,7 @@ index 28b88de..774a8cc 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1529,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1530,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -53760,7 +53901,7 @@ index 28b88de..774a8cc 100644 ubac_constrained($1) ') -@@ -1395,6 +1671,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1672,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -53768,7 +53909,7 @@ index 28b88de..774a8cc 100644 files_search_home($1) ') -@@ -1441,6 +1718,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1719,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -53783,7 +53924,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -1456,9 +1741,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1742,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -53795,7 +53936,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -1515,10 +1802,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1803,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -53808,7 +53949,7 @@ index 28b88de..774a8cc 100644 ## ## ## -@@ -1526,33 +1813,69 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,33 +1814,69 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -53898,7 +54039,7 @@ index 28b88de..774a8cc 100644 ## ## Domain allowed to transition. ## -@@ -1589,6 +1912,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1913,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -53907,7 +54048,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -1603,10 +1928,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1929,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -53922,7 +54063,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -1649,6 +1976,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1977,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -53948,7 +54089,7 @@ index 28b88de..774a8cc 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2046,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2047,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -53981,7 +54122,7 @@ index 28b88de..774a8cc 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2082,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2083,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -53999,7 +54140,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -1810,8 +2179,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2180,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -54009,7 +54150,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -1827,21 +2195,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,21 +2196,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -54035,7 +54176,7 @@ index 28b88de..774a8cc 100644 ######################################## ## ## Do not audit attempts to execute user home files. -@@ -2182,7 +2544,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2545,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -54044,7 +54185,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -2435,13 +2797,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2798,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -54060,7 +54201,7 @@ index 28b88de..774a8cc 100644 ## ## ## -@@ -2462,26 +2825,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2826,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -54087,7 +54228,7 @@ index 28b88de..774a8cc 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2815,7 +3158,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3159,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -54096,7 +54237,7 @@ index 28b88de..774a8cc 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3174,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3175,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -54112,7 +54253,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -2917,7 +3262,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3263,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -54121,7 +54262,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -2972,7 +3317,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3318,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -54168,7 +54309,7 @@ index 28b88de..774a8cc 100644 ') ######################################## -@@ -3009,6 +3392,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3393,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -54176,7 +54317,7 @@ index 28b88de..774a8cc 100644 kernel_search_proc($1) ') -@@ -3139,3 +3523,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3524,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index be2a38e..0a5cc30 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 1%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -473,6 +473,12 @@ exit 0 %endif %changelog +* Thu Mar 10 2011 Miroslav Grepl 3.9.16-3 +- More dontaudits of writes from readahead +- Dontaudit readahead_t file_type:dir write, to cover up kernel bug +- systemd_tmpfiles needs to relabel faillog directory as well as the file +- Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost + * Tue Mar 8 2011 Miroslav Grepl 3.9.16-1 - Update to upstream - Fixes for telepathy