From e91d876567dc9a4280ea5fd9d259caeed622ea50 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Dec 06 2011 20:59:27 +0000 Subject: +- Fixes related to /bin, /sbin +- Allow abrt to getattr on blk files +- Add type for rhev-agent log file +- Fix labeling for /dev/dmfm +- Dontaudit wicd leaking +- Allow systemd_logind_t to look at process info of apps that exc +- Label /etc/locale.conf correctly +- Allow user_mail_t to read /dev/random +- Allow postfix-smtpd to read MIMEDefang +- Add label for /var/log/suphp.log +- Allow swat_t to connect and read/write nmbd_t sock_file +- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf +- Allow systemd-tmpfiles to change user identity in object contex +- More fixes for rhev_agentd_t consolehelper policy --- diff --git a/policy-F16.patch b/policy-F16.patch index b1d4625..05c483c 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -364,6 +364,21 @@ index 63ef90e..a535b31 100644 seutil_sigchld_newrole(acct_t) ') +diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc +index d362d9c..10261ed 100644 +--- a/policy/modules/admin/alsa.fc ++++ b/policy/modules/admin/alsa.fc +@@ -11,8 +11,10 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) + /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) + + /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) ++/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) + + /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) ++/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) + + /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) + /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if index 1392679..407f9f7 100644 --- a/policy/modules/admin/alsa.if @@ -569,20 +584,24 @@ index 0bfc958..af95b7a 100644 optional_policy(` cron_system_entry(backup_t, backup_exec_t) 
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc -index 7a6f06f..58b782e 100644 +index 7a6f06f..39f1adf 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc -@@ -1,8 +1,8 @@ +@@ -1,9 +1,11 @@ - +/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) -+/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/sur/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) ++/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if index 63eb96b..d7a6063 100644 --- a/policy/modules/admin/bootloader.if @@ -847,6 +866,15 @@ index 6b02433..1e28e62 100644 optional_policy(` apache_exec_modules(certwatch_t) +diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc +index b7f053b..5d4fc31 100644 +--- a/policy/modules/admin/consoletype.fc ++++ b/policy/modules/admin/consoletype.fc +@@ -1,2 +1,4 @@ + + /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) ++ ++/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if index 0f57d3b..655d07f 100644 --- a/policy/modules/admin/consoletype.if 
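Review bot: The new-side entry `++/sur/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)` in the bootloader.fc hunk misspells the path, so `/usr/sbin/lilo` never matches it and keeps the generic label from corecommands instead of bootloader_exec_t, and no transition into the bootloader domain happens when it is run from the /usr path. It should read `++/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)`, matching the grub and ybin entries added beside it. Because a missing exec label shows up only as denials in the caller's domain at runtime, this is worth catching here rather than after relabelling; the outer hunk begins on the previous physical line.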
@@ -951,6 +979,15 @@ index 5e062bc..3cbfffb 100644 +optional_policy(` + modutils_read_module_deps(ddcprobe_t) +') +diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc +index d6cc2d9..0685b19 100644 +--- a/policy/modules/admin/dmesg.fc ++++ b/policy/modules/admin/dmesg.fc +@@ -1,2 +1,4 @@ + + /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) ++ ++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index 72bc6d8..1f55eba 100644 --- a/policy/modules/admin/dmesg.te @@ -1202,10 +1239,10 @@ index c4d8998..bd59f2e 100644 + xserver_stream_connect(firstboot_t) ') diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc -index c66934f..1aa1205 100644 +index c66934f..b1d31d0 100644 --- a/policy/modules/admin/kdump.fc +++ b/policy/modules/admin/kdump.fc -@@ -1,5 +1,7 @@ +@@ -1,5 +1,13 @@ /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) /etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) @@ -1213,6 +1250,12 @@ index c66934f..1aa1205 100644 + /sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) /sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) ++ ++/usr/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++ ++/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) ++/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) ++ diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if index 4198ff5..419c7a9 100644 --- a/policy/modules/admin/kdump.if 
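Review bot: The added line `++/usr/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)` in the kdump.fc hunk labels kdump's unit file with the iptables module's unit-file type, which looks like a copy-paste slip. Labelling it that way lets whatever is allowed to manage iptables units also manage kdump.service, and it makes kdump's file contexts depend on a type owned by another module. It should use a type declared by kdump.te itself, `++/usr/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:<kdump unit file type>,s0)`; if kdump.te does not declare one yet, it needs adding alongside this entry rather than borrowing iptables'.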
@@ -1329,6 +1372,16 @@ index 9dd6880..4b7fa27 100644 userdom_read_user_tmpfs_files(kismet_t) optional_policy(` +diff --git a/policy/modules/admin/kudzu.fc b/policy/modules/admin/kudzu.fc +index dd88f74..3317a0c 100644 +--- a/policy/modules/admin/kudzu.fc ++++ b/policy/modules/admin/kudzu.fc +@@ -2,4 +2,5 @@ + /sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) + /sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) + ++/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) + /usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te index 4f7bd3c..9143343 100644 --- a/policy/modules/admin/kudzu.te @@ -1801,14 +1854,19 @@ index ec29391..28c9672 100644 optional_policy(` diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc -index 407078f..a818e14 100644 +index 407078f..b5a91f8 100644 --- a/policy/modules/admin/netutils.fc +++ b/policy/modules/admin/netutils.fc -@@ -8,7 +8,7 @@ +@@ -6,9 +6,12 @@ + + /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) ++/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) ++/usr/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) -/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) ++/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) +/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) @@ -2277,11 +2335,15 @@ index af55369..5d940f8 100644 + miscfiles_read_man_pages(prelink_t) +') diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc -index f387230..e13dbdd 100644 +index f387230..98adfd2 100644 
--- a/policy/modules/admin/quota.fc +++ b/policy/modules/admin/quota.fc -@@ -10,10 +10,14 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +@@ -8,12 +8,18 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + + /sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) ++/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) ++ /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) /var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) -/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) @@ -2433,16 +2495,22 @@ index 5dd42f5..bef4392 100644 + dbus_connect_system_bus(quota_nld_t) +') diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc -index 7077413..6bc0fa8 100644 +index 7077413..8aa9c0e 100644 --- a/policy/modules/admin/readahead.fc +++ b/policy/modules/admin/readahead.fc -@@ -1,3 +1,7 @@ - /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) +@@ -1,3 +1,12 @@ +-/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) ++/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) ++ ++/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) ++ /sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) ++/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) ++ ++/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) ++ /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) -+/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + -+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) +/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) 
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if index 47c4723..64c8889 100644 @@ -3082,6 +3150,20 @@ index c8ef84b..eb4bd05 100644 optional_policy(` mount_exec(sectoolm_t) +diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc +index 48d1363..4a5b930 100644 +--- a/policy/modules/admin/shorewall.fc ++++ b/policy/modules/admin/shorewall.fc +@@ -7,6 +7,9 @@ + /sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) + /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) + ++/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) ++/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) ++ + /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if index 781ad7e..f7b8881 100644 --- a/policy/modules/admin/shorewall.if @@ -3224,6 +3306,24 @@ index 95bce88..95065c3 100644 optional_policy(` hostname_exec(shorewall_t) +diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc +index 97671a3..eb84cd0 100644 +--- a/policy/modules/admin/shutdown.fc ++++ b/policy/modules/admin/shutdown.fc +@@ -2,6 +2,11 @@ + + /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + +-/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + +-/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) ++/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++ ++/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++ ++/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++ ++/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) 
diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if index d0604cf..95c53c5 100644 --- a/policy/modules/admin/shutdown.if @@ -3517,6 +3617,15 @@ index fe1c377..724df48 100644 fstools_domtrans(sosreport_t) ') +diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc +index 688abc2..3d89250 100644 +--- a/policy/modules/admin/su.fc ++++ b/policy/modules/admin/su.fc +@@ -3,3 +3,4 @@ + + /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) + /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 8c5fa3c..ce3d33a 100644 --- a/policy/modules/admin/su.if @@ -5331,10 +5440,10 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..8fe4b66 100644 +index f5afe78..9b1de02 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,819 @@ +@@ -1,44 +1,862 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -5397,13 +5506,13 @@ index f5afe78..8fe4b66 100644 +interface(`gnome_role_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; -+ attribute gnome_domain; ++ attribute gnomedomain; + type gnome_home_t; + type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t; + class dbus send_msg; + ') + -+ type $1_gkeyringd_t, gnome_domain, gkeyringd_domain; ++ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; + typealias $1_gkeyringd_t alias gkeyringd_$1_t; + application_domain($1_gkeyringd_t, gkeyringd_exec_t) + ubac_constrained($1_gkeyringd_t) 
@@ -5600,10 +5709,10 @@ index f5afe78..8fe4b66 100644 +# +interface(`gnome_signal_all',` + gen_require(` -+ attribute gnome_domain; ++ attribute gnomedomain; + ') + -+ allow $1 gnome_domain:process signal; ++ allow $1 gnomedomain:process signal; +') + +######################################## @@ -6099,24 +6208,43 @@ index f5afe78..8fe4b66 100644 +## Manage generic gnome home files. +## +## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_generic_home_files',` ++ gen_require(` ++ type gnome_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, gnome_home_t, gnome_home_t) ++') ++ ++######################################## ++## ++## Manage generic gnome home directories. ++## ++## ## -## Role allowed access +## Domain allowed access. ## ## +# -+interface(`gnome_manage_generic_home_files',` ++interface(`gnome_manage_generic_home_dirs',` + gen_require(` + type gnome_home_t; + ') + + userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, gnome_home_t, gnome_home_t) ++ allow $1 gnome_home_t:dir manage_dir_perms; +') + +######################################## +## -+## Manage generic gnome home directories. ++## Append gconf home files +## ## ## 
@@ -6126,106 +6254,105 @@ index f5afe78..8fe4b66 100644 ## # -interface(`gnome_role',` -+interface(`gnome_manage_generic_home_dirs',` ++interface(`gnome_append_gconf_home_files',` gen_require(` - type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; -+ type gnome_home_t; ++ type gconf_home_t; ') - role $1 types gconfd_t; -- ++ append_files_pattern($1, gconf_home_t, gconf_home_t) ++') ++ ++######################################## ++## ++## manage gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ ') + - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; - allow gconfd_t $2:unix_stream_socket connectto; -+ userdom_search_user_home_dirs($1) -+ allow $1 gnome_home_t:dir manage_dir_perms; ++ allow $1 gconf_home_t:dir list_dir_perms; ++ manage_files_pattern($1, gconf_home_t, gconf_home_t) +') - ps_process_pattern($2, gconfd_t) +######################################## +## -+## Append gconf home files ++## Connect to gnome over an unix stream socket. +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The type of the user domain. ++## ++## +# -+interface(`gnome_append_gconf_home_files',` ++interface(`gnome_stream_connect',` + gen_require(` -+ type gconf_home_t; ++ attribute gnome_home_type; + ') - #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 gconfd_t:unix_stream_socket connectto; -+ append_files_pattern($1, gconf_home_t, gconf_home_t) ++ # Connect to pulseaudit server ++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) ') ######################################## ## -## Execute gconf programs in -## in the caller domain. 
-+## manage gconf home files ++## list gnome homedir content (.config) ## ## ## -@@ -46,37 +821,117 @@ interface(`gnome_role',` +@@ -46,37 +864,92 @@ interface(`gnome_role',` ## ## # -interface(`gnome_exec_gconf',` -+interface(`gnome_manage_gconf_home_files',` ++interface(`gnome_list_home_config',` gen_require(` - type gconfd_exec_t; -+ type gconf_home_t; ++ type config_home_t; ') - can_exec($1, gconfd_exec_t) -+ allow $1 gconf_home_t:dir list_dir_perms; -+ manage_files_pattern($1, gconf_home_t, gconf_home_t) ++ allow $1 config_home_t:dir list_dir_perms; ') ######################################## ## -## Read gconf config files. -+## Connect to gnome over an unix stream socket. ++## Set attributes of gnome homedir content (.config) ## +-## +## -+## -+## Domain allowed access. -+## -+## - ## ## -+## The type of the user domain. -+## -+## -+# -+interface(`gnome_stream_connect',` -+ gen_require(` -+ attribute gnome_home_type; -+ ') -+ -+ # Connect to pulseaudit server -+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) -+') -+ -+######################################## -+## -+## list gnome homedir content (.config) -+## -+## -+## ## Domain allowed access. ## ## # -template(`gnome_read_gconf_config',` -+interface(`gnome_list_home_config',` ++interface(`gnome_setattr_home_config',` gen_require(` - type gconf_etc_t; + type config_home_t; @@ -6234,12 +6361,13 @@ index f5afe78..8fe4b66 100644 - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -+ allow $1 config_home_t:dir list_dir_perms; ++ setattr_dirs_pattern($1, config_home_t, config_home_t) ++ userdom_search_user_home_dirs($1) +') + +######################################## +## -+## Set attributes of gnome homedir content (.config) ++## read gnome homedir content (.config) +## +## +## 
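Review bot: The comment `++ # Connect to pulseaudit server` inside the new gnome_stream_connect interface does not describe the rule under it, which connects $1 to sockets of gnome_home_type via $2, and it misspells pulseaudio. Either name what the rule actually grants, e.g. `# Connect to sockets carrying a gnome home type in the user's home dir`, or, if the intent really is pulseaudio's socket, say so and note which gnome_home_type member that socket is expected to carry. As written the comment will mislead the next person auditing which sockets user domains may reach.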
@@ -6247,39 +6375,38 @@ index f5afe78..8fe4b66 100644 +## +## +# -+interface(`gnome_setattr_home_config',` ++interface(`gnome_read_home_config',` + gen_require(` + type config_home_t; + ') + -+ setattr_dirs_pattern($1, config_home_t, config_home_t) -+ userdom_search_user_home_dirs($1) ++ list_dirs_pattern($1, config_home_t, config_home_t) ++ read_files_pattern($1, config_home_t, config_home_t) ++ read_lnk_files_pattern($1, config_home_t, config_home_t) +') + -+######################################## ++####################################### +## -+## read gnome homedir content (.config) ++## delete gnome homedir content (.config) +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`gnome_read_home_config',` -+ gen_require(` -+ type config_home_t; -+ ') ++interface(`gnome_delete_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') + -+ list_dirs_pattern($1, config_home_t, config_home_t) -+ read_files_pattern($1, config_home_t, config_home_t) -+ read_lnk_files_pattern($1, config_home_t, config_home_t) ++ delete_files_pattern($1, config_home_t, config_home_t) ') ####################################### ## -## Create, read, write, and delete gconf config files. -+## delete gnome homedir content (.config) ++## setattr gnome homedir content (.config) +## +## +## @@ -6287,12 +6414,12 @@ index f5afe78..8fe4b66 100644 +## +## +# -+interface(`gnome_delete_home_config',` ++interface(`gnome_setattr_home_config_dirs',` + gen_require(` + type config_home_t; + ') + -+ delete_files_pattern($1, config_home_t, config_home_t) ++ setattr_dirs_pattern($1, config_home_t, config_home_t) +') + +######################################## @@ -6301,7 +6428,7 @@ index f5afe78..8fe4b66 100644 ## ## ## -@@ -84,37 +939,53 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +957,53 @@ template(`gnome_read_gconf_config',` ## ## # 
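Review bot: The new gnome_setattr_home_config_dirs interface (its header in the first of these hunks, its body `++ setattr_dirs_pattern($1, config_home_t, config_home_t)` in the second) duplicates gnome_setattr_home_config from the preceding hunk, which grants the same setattr_dirs_pattern plus userdom_search_user_home_dirs($1). Two interfaces with the same summary line, "setattr gnome homedir content (.config)", and near-identical bodies invite callers to pick the wrong one. If the _dirs variant exists for callers that already have home-directory search, its header should say so; otherwise one of the two should be dropped.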
@@ -6366,7 +6493,7 @@ index f5afe78..8fe4b66 100644 ## ## ## -@@ -122,17 +993,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1011,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -6388,7 +6515,7 @@ index f5afe78..8fe4b66 100644 ## ## ## -@@ -140,51 +1011,299 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1029,299 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -6705,15 +6832,13 @@ index f5afe78..8fe4b66 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..14d7e30 100644 +index 2505654..3c5d792 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te -@@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0) - # Declarations +@@ -6,11 +6,28 @@ policy_module(gnome, 2.1.0) # --attribute gnomedomain; -+attribute gnome_domain; + attribute gnomedomain; +attribute gnome_home_type; +attribute gkeyringd_domain; @@ -6740,15 +6865,7 @@ index 2505654..14d7e30 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -23,19 +40,40 @@ typealias gconf_tmp_t alias unconfined_gconf_tmp_t; - files_tmp_file(gconf_tmp_t) - ubac_constrained(gconf_tmp_t) - --type gconfd_t, gnomedomain; -+type gconfd_t, gnome_domain; - type gconfd_exec_t; - typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; - typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +@@ -30,12 +47,33 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; application_domain(gconfd_t, gconfd_exec_t) ubac_constrained(gconfd_t) 
@@ -6931,9 +7048,9 @@ index 2505654..14d7e30 100644 + ssh_read_user_home_files(gkeyringd_domain) +') + -+domain_use_interactive_fds(gnome_domain) ++domain_use_interactive_fds(gnomedomain) + -+userdom_use_inherited_user_terminals(gnome_domain) ++userdom_use_inherited_user_terminals(gnomedomain) + diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc index e9853d4..6864b58 100644 @@ -6953,7 +7070,7 @@ index e9853d4..6864b58 100644 +/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if -index 40e0a2a..93d212c 100644 +index 40e0a2a..46cc164 100644 --- a/policy/modules/apps/gpg.if +++ b/policy/modules/apps/gpg.if @@ -54,15 +54,16 @@ interface(`gpg_role',` @@ -6975,12 +7092,31 @@ index 40e0a2a..93d212c 100644 dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; ') ') -@@ -85,6 +86,43 @@ interface(`gpg_domtrans',` +@@ -85,6 +86,62 @@ interface(`gpg_domtrans',` domtrans_pattern($1, gpg_exec_t, gpg_t) ') +###################################### +## ++## Execute gpg in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gpg_exec',` ++ gen_require(` ++ type gpg_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, gpg_exec_t) ++') ++ ++###################################### ++## +## Transition to a gpg web domain. +## +## 
@@ -7667,6 +7803,16 @@ index a0be4ef..a3d8afd 100644 + rpm_transition_script(livecd_t) + rpm_domtrans(livecd_t) +') +diff --git a/policy/modules/apps/loadkeys.fc b/policy/modules/apps/loadkeys.fc +index 8549f9f..c475618 100644 +--- a/policy/modules/apps/loadkeys.fc ++++ b/policy/modules/apps/loadkeys.fc +@@ -1,3 +1,5 @@ + + /bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) + /bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) ++/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) ++/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if index b55edd0..7b8d952 100644 --- a/policy/modules/apps/loadkeys.if @@ -7779,7 +7925,7 @@ index 93ac529..800b5c8 100644 + +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..aa15d05 100644 +index fbb5c5a..e187982 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -7817,13 +7963,14 @@ index fbb5c5a..aa15d05 100644 ') ######################################## -@@ -197,12 +207,23 @@ interface(`mozilla_domtrans',` +@@ -197,12 +207,29 @@ interface(`mozilla_domtrans',` # interface(`mozilla_domtrans_plugin',` gen_require(` - type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t; + type mozilla_plugin_t, mozilla_plugin_exec_t; + type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; ++ type mozilla_plugin_rw_t; class dbus send_msg; ') 
@@ -7839,10 +7986,15 @@ index fbb5c5a..aa15d05 100644 + + ps_process_pattern($1, mozilla_plugin_t) + allow $1 mozilla_plugin_t:process signal_perms; ++ ++ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ can_exec($1, mozilla_plugin_rw_t) ') ######################################## -@@ -228,6 +249,27 @@ interface(`mozilla_run_plugin',` +@@ -228,6 +255,27 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; @@ -7870,7 +8022,7 @@ index fbb5c5a..aa15d05 100644 ') ######################################## -@@ -269,9 +311,27 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -269,9 +317,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -7899,7 +8051,7 @@ index fbb5c5a..aa15d05 100644 ## ## ## -@@ -279,28 +339,48 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -279,28 +345,48 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -7956,7 +8108,7 @@ index fbb5c5a..aa15d05 100644 + allow $1 mozilla_plugin_rw_t:dir rw_dir_perms; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..344f2e4 100644 +index 2e9318b..fc7a18e 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -23,8 +23,9 @@ type mozilla_conf_t; @@ -8065,7 +8217,7 @@ index 2e9318b..344f2e4 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -296,16 +301,19 @@ optional_policy(` +@@ -296,25 +301,32 @@ optional_policy(` # mozilla_plugin local policy # 
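Review bot: The lines added to mozilla_domtrans_plugin, ending in `++ can_exec($1, mozilla_plugin_rw_t)`, let the calling domain read and execute files of a type whose name indicates plugin-writable content, so anything the confined plugin domain can place in a mozilla_plugin_rw_t location becomes executable in the caller's less restricted domain. That weakens the boundary the plugin domain exists to provide; if the caller only needs to run specific helpers, those should carry a dedicated exec type, and if executing rw content is genuinely required it belongs in a separately named interface (or behind a boolean) rather than silently inside a domtrans interface. The interface's doc header, outside this hunk, also needs updating since it now grants considerably more than a domain transition; I am inferring what mozilla_plugin_rw_t labels from its name and from the rw_dir_perms rule later in this file, so confirm against mozilla.fc.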
@@ -8088,8 +8240,11 @@ index 2e9318b..344f2e4 100644 +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; can_exec(mozilla_plugin_t, mozilla_home_t) - read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -@@ -313,8 +321,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +-read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) + manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -8102,7 +8257,7 @@ index 2e9318b..344f2e4 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -322,6 +332,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug +@@ -322,6 +334,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -8113,7 +8268,7 @@ index 2e9318b..344f2e4 100644 can_exec(mozilla_plugin_t, mozilla_exec_t) kernel_read_kernel_sysctls(mozilla_plugin_t) -@@ -332,11 +346,9 @@ kernel_request_load_module(mozilla_plugin_t) +@@ -332,11 +348,9 @@ kernel_request_load_module(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) 
@@ -8127,7 +8282,7 @@ index 2e9318b..344f2e4 100644 corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_connect_http_port(mozilla_plugin_t) corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -@@ -344,6 +356,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) +@@ -344,6 +358,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) corenet_tcp_connect_speech_port(mozilla_plugin_t) @@ -8139,7 +8294,7 @@ index 2e9318b..344f2e4 100644 dev_read_rand(mozilla_plugin_t) dev_read_urand(mozilla_plugin_t) -@@ -385,33 +402,30 @@ term_getattr_all_ttys(mozilla_plugin_t) +@@ -385,33 +404,30 @@ term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -8184,7 +8339,7 @@ index 2e9318b..344f2e4 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -425,7 +439,13 @@ optional_policy(` +@@ -425,7 +441,13 @@ optional_policy(` ') optional_policy(` @@ -8198,7 +8353,7 @@ index 2e9318b..344f2e4 100644 ') optional_policy(` -@@ -438,18 +458,89 @@ optional_policy(` +@@ -438,18 +460,88 @@ optional_policy(` ') optional_policy(` @@ -8245,8 +8400,6 @@ index 2e9318b..344f2e4 100644 +allow mozilla_plugin_config_t self:fifo_file rw_file_perms; +allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; + -+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) -+ +dev_search_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) 
@@ -8286,6 +8439,7 @@ index 2e9318b..344f2e4 100644 +userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) +userdom_read_user_home_content_files(mozilla_plugin_config_t) +userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t) ++userdom_use_inherited_user_ptys(mozilla_plugin_config_t) + +domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t) + @@ -8583,10 +8737,10 @@ index 0000000..8d7c751 +') diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te new file mode 100644 -index 0000000..a337d62 +index 0000000..5ddf179 --- /dev/null +++ b/policy/modules/apps/namespace.te -@@ -0,0 +1,42 @@ +@@ -0,0 +1,44 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -8618,6 +8772,8 @@ index 0000000..a337d62 +files_read_etc_files(namespace_init_t) +files_polyinstantiate_all(namespace_init_t) + ++mcs_file_write_all(namespace_init_t) ++ +auth_use_nsswitch(namespace_init_t) + +miscfiles_read_localization(namespace_init_t) @@ -11461,7 +11617,7 @@ index 3cfb128..d49274d 100644 + gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..7942965 100644 +index 2533ea0..a36ed88 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -26,12 +26,18 @@ attribute telepathy_executable; @@ -11565,7 +11721,7 @@ index 2533ea0..7942965 100644 ') ####################################### -@@ -176,6 +190,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -176,6 +190,13 @@ tunable_policy(`use_samba_home_dirs',` manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) 
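Review bot: `++mcs_file_write_all(namespace_init_t)` in the new namespace.te lifts the MCS write constraint for this domain on every file, and nothing in the file says why. Because this is an exemption from a mandatory constraint rather than an ordinary allow rule, it deserves a comment next to it, e.g. `# NOTE: polyinstantiated dirs are created on behalf of users at any MCS level, so the MCS write constraint cannot apply here -- confirm this is the only reason`; the reason is not visible in this hunk, hence the hedge. If the need is limited to the directories the helper creates, check whether a narrower override suffices before taking the _all form.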
@@ -11575,10 +11731,11 @@ index 2533ea0..7942965 100644 +manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) +filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file }) +gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir) ++gnome_manage_home_config(telepathy_mission_control_t) dev_read_rand(telepathy_mission_control_t) -@@ -184,14 +204,26 @@ fs_getattr_all_fs(telepathy_mission_control_t) +@@ -184,14 +205,26 @@ fs_getattr_all_fs(telepathy_mission_control_t) files_read_etc_files(telepathy_mission_control_t) files_read_usr_files(telepathy_mission_control_t) @@ -11611,7 +11768,7 @@ index 2533ea0..7942965 100644 ') ####################################### -@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,8 +238,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -11623,7 +11780,7 @@ index 2533ea0..7942965 100644 corenet_all_recvfrom_netlabel(telepathy_msn_t) corenet_all_recvfrom_unlabeled(telepathy_msn_t) -@@ -228,6 +263,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t) +@@ -228,6 +264,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t) files_read_etc_files(telepathy_msn_t) files_read_usr_files(telepathy_msn_t) @@ -11632,7 +11789,7 @@ index 2533ea0..7942965 100644 libs_exec_ldconfig(telepathy_msn_t) logging_send_syslog_msg(telepathy_msn_t) -@@ -246,6 +283,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +284,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` 
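Review bot: `gnome_manage_home_config(telepathy_mission_control_t)` grants manage rights over what appears to be the user's entire GNOME config-home type, while the neighbouring lines keep mission-control's own data on the dedicated `telepathy_mission_control_data_home_t` with a file transition under `telepathy_data_home_t`. If mission-control only needs one subtree of the config directory, the same pattern — a telepathy-specific type plus a filetrans from the gnome config type — would stop a compromised mission-control process from rewriting other desktop applications' settings. If the full-width interface really is required, a comment stating which files force it would document the deliberate widening, e.g. `# mission-control writes config outside its own directory; see <bug or file reference>`.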
@@ -11643,7 +11800,7 @@ index 2533ea0..7942965 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -361,14 +402,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; +@@ -361,14 +403,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; allow telepathy_domain self:tcp_socket create_socket_perms; allow telepathy_domain self:udp_socket create_socket_perms; @@ -11662,7 +11819,7 @@ index 2533ea0..7942965 100644 miscfiles_read_localization(telepathy_domain) optional_policy(` -@@ -376,5 +419,23 @@ optional_policy(` +@@ -376,5 +420,23 @@ optional_policy(` ') optional_policy(` @@ -12569,9 +12726,18 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..c82360e 100644 +index 3fae11a..5d00aa0 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc +@@ -1,7 +1,7 @@ + # + # /bin + # +-/bin -d gen_context(system_u:object_r:bin_t,s0) ++/bin gen_context(system_u:object_r:bin_t,s0) + /bin/.* gen_context(system_u:object_r:bin_t,s0) + /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -97,8 +97,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -12581,7 +12747,7 @@ index 3fae11a..c82360e 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -130,18 +128,15 @@ ifdef(`distro_debian',` +@@ -130,18 +128,14 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) 
@@ -12591,7 +12757,7 @@ index 3fae11a..c82360e 100644 /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) - +- -/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) - @@ -12602,7 +12768,16 @@ index 3fae11a..c82360e 100644 /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +163,7 @@ ifdef(`distro_gentoo',` +@@ -152,7 +146,7 @@ ifdef(`distro_gentoo',` + # + # /sbin + # +-/sbin -d gen_context(system_u:object_r:bin_t,s0) ++/sbin gen_context(system_u:object_r:bin_t,s0) + /sbin/.* gen_context(system_u:object_r:bin_t,s0) + /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) + /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) +@@ -168,6 +162,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12610,7 +12785,7 @@ index 3fae11a..c82360e 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,6 +175,8 @@ ifdef(`distro_gentoo',` +@@ -179,67 +174,90 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -12619,7 +12794,34 @@ index 3fae11a..c82360e 100644 # # /usr # -@@ -198,48 +196,51 @@ ifdef(`distro_gentoo',` ++/usr/bin -d gen_context(system_u:object_r:bin_t,s0) + /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/.* gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) +-/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + +-/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) + + /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) 
@@ -12666,7 +12868,7 @@ index 3fae11a..c82360e 100644 - -/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/chromium-browser(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12687,10 +12889,12 @@ index 3fae11a..c82360e 100644 +/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) +/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0) 
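Review bot: Replacing the file-only `/usr/lib/chromium-browser/chrome --` entry with `/usr/lib/chromium-browser(/.*)?` labels every file, directory and symlink under that tree bin_t, not just the programs, so shared libraries and resource data there become executable-typed content for any domain permitted to run bin_t. If the intent is to pick up additional helper executables in that directory, listing them individually (as the `/usr/lib/rpm/rpm*` entries later in this file do) keeps non-program files out of the executable type; if the whole tree is genuinely needed, a one-line comment above the entry saying so, e.g. `# chromium ships helper executables throughout this directory`, would save the next reader from re-deriving it.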
@@ -12698,6 +12902,10 @@ index 3fae11a..c82360e 100644 +/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) @@ -12713,7 +12921,7 @@ index 3fae11a..c82360e 100644 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -247,9 +248,13 @@ ifdef(`distro_gentoo',` +@@ -247,11 +265,18 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -12727,8 +12935,13 @@ index 3fae11a..c82360e 100644 +/usr/local/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) ++/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) ++/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -267,6 +272,10 @@ ifdef(`distro_gentoo',` + /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -267,6 +292,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -12739,7 +12952,7 @@ index 3fae11a..c82360e 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -286,15 +295,19 @@ ifdef(`distro_gentoo',` +@@ -286,15 +315,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -12760,7 +12973,7 @@ index 3fae11a..c82360e 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -306,10 +319,11 @@ ifdef(`distro_redhat', ` +@@ -306,10 +339,11 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) 
@@ -12774,7 +12987,7 @@ index 3fae11a..c82360e 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +333,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +353,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12786,7 +12999,7 @@ index 3fae11a..c82360e 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,7 +379,7 @@ ifdef(`distro_redhat', ` +@@ -363,7 +399,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -12795,7 +13008,7 @@ index 3fae11a..c82360e 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +391,8 @@ ifdef(`distro_suse', ` +@@ -375,8 +411,8 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12806,7 +13019,7 @@ index 3fae11a..c82360e 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +401,12 @@ ifdef(`distro_suse', ` +@@ -385,3 +421,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -12890,6 +13103,17 @@ index 9e9263a..650e796 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') +diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc +index f9b25c1..9af1f7a 100644 +--- a/policy/modules/kernel/corenetwork.fc ++++ b/policy/modules/kernel/corenetwork.fc +@@ -8,3 +8,6 @@ + + /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) + /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) ++ ++/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) ++/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 4f3b542..f4e36ee 100644 --- a/policy/modules/kernel/corenetwork.if.in @@ -14494,10 +14718,10 @@ index 35fed4f..51ad69a 100644 # diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 6cf8784..b48524e 100644 +index 6cf8784..26c13f2 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc -@@ -15,11 +15,13 @@ +@@ -15,12 +15,14 @@ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) 
@@ -14507,10 +14731,12 @@ index 6cf8784..b48524e 100644 /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) +-/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) - /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) @@ -57,8 +59,10 @@ /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -14546,7 +14772,7 @@ index 6cf8784..b48524e 100644 ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) -@@ -196,3 +200,8 @@ ifdef(`distro_redhat',` +@@ -196,3 +200,13 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -14555,6 +14781,11 @@ index 6cf8784..b48524e 100644 +# /sys +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) ++ ++/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0) ++/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) ++/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) ++/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index f820f3b..cc3f02e 100644 --- a/policy/modules/kernel/devices.if 
@@ -16514,7 +16745,7 @@ index fae1ab1..facd6a8 100644 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; +dontaudit domain self:capability sys_ptrace; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c19518a..12e8e9c 100644 +index c19518a..04ef731 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -16591,7 +16822,15 @@ index c19518a..12e8e9c 100644 # # /run # -@@ -214,7 +230,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -206,6 +222,7 @@ HOME_ROOT/lost\+found/.* <> + + /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /usr/lost\+found/.* <> ++/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) + + /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) + +@@ -214,7 +231,6 @@ HOME_ROOT/lost\+found/.* <> ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) @@ -16599,7 +16838,7 @@ index c19518a..12e8e9c 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -230,17 +245,20 @@ ifndef(`distro_redhat',` +@@ -230,17 +246,20 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -16621,7 +16860,7 @@ index c19518a..12e8e9c 100644 /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> -@@ -257,3 +275,5 @@ ifndef(`distro_redhat',` +@@ -257,3 +276,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') 
@@ -18535,6 +18774,19 @@ index 22821ff..4486d80 100644 ######################################## # +diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc +index cda5588..e89e4bf 100644 +--- a/policy/modules/kernel/filesystem.fc ++++ b/policy/modules/kernel/filesystem.fc +@@ -14,3 +14,8 @@ + # for systemd systems: + /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) + /sys/fs/cgroup/.* <> ++ ++/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) ++/usr/lib/udev/devices/hugepages/.* <> ++/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) ++/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 97fcdac..6342520 100644 --- a/policy/modules/kernel/filesystem.if @@ -20069,7 +20321,7 @@ index d70e0b3..99ff2ac 100644 ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc -index 57c4a6a..5e2a7de 100644 +index 57c4a6a..9b4bc77 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -28,7 +28,7 @@ @@ -20081,6 +20333,13 @@ index 57c4a6a..5e2a7de 100644 /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +@@ -81,3 +81,6 @@ ifdef(`distro_redhat', ` + + /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) ++ ++/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 1700ef2..850d168 100644 --- a/policy/modules/kernel/storage.if 
@@ -20472,7 +20731,7 @@ index 1700ef2..850d168 100644 + dev_filetrans($1, removable_device_t, chr_file, "rio500") +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 7d45d15..eeb5889 100644 +index 7d45d15..22c9cfe 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc @@ -14,11 +14,12 @@ @@ -20485,16 +20744,18 @@ index 7d45d15..eeb5889 100644 /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0) -+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) ++/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) -@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',` +@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) ++ ++/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 01dd2f1..7a8e118 100644 --- a/policy/modules/kernel/terminal.if @@ -21315,7 +21576,7 @@ index be4de58..7e8b6ec 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..de3c13e 100644 +index 2be17d2..8ea3385 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0) 
@@ -21332,21 +21593,21 @@ index 2be17d2..de3c13e 100644 # Local policy # -+kernel_read_ring_buffer(staff_usertype) -+kernel_getattr_core_if(staff_usertype) -+kernel_getattr_message_if(staff_usertype) -+kernel_read_software_raid_state(staff_usertype) -+kernel_read_fs_sysctls(staff_usertype) ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) ++kernel_read_fs_sysctls(staff_t) + -+fs_read_hugetlbfs_files(staff_usertype) ++fs_read_hugetlbfs_files(staff_t) + -+dev_read_cpuid(staff_usertype) ++dev_read_cpuid(staff_t) + -+domain_read_all_domains_state(staff_usertype) -+domain_getattr_all_domains(staff_usertype) ++domain_read_all_domains_state(staff_t) ++domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) + -+files_read_kernel_modules(staff_usertype) ++files_read_kernel_modules(staff_t) + +seutil_read_module_store(staff_t) +seutil_run_newrole(staff_t, staff_r) @@ -21354,14 +21615,14 @@ index 2be17d2..de3c13e 100644 +storage_read_scsi_generic(staff_t) +storage_write_scsi_generic(staff_t) + -+term_use_unallocated_ttys(staff_usertype) ++term_use_unallocated_ttys(staff_t) + +auth_domtrans_pam_console(staff_t) + +init_dbus_chat(staff_t) +init_dbus_chat_script(staff_t) + -+miscfiles_read_hwdata(staff_usertype) ++miscfiles_read_hwdata(staff_t) + +ifndef(`enable_mls',` + selinux_read_policy(staff_t) @@ -21391,7 +21652,7 @@ index 2be17d2..de3c13e 100644 +') + +optional_policy(` -+ chrome_role(staff_r, staff_usertype) ++ chrome_role(staff_r, staff_t) +') + +optional_policy(` @@ -21431,12 +21692,12 @@ index 2be17d2..de3c13e 100644 +') + +optional_policy(` -+ mozilla_run_plugin(staff_usertype, staff_r) ++ mozilla_run_plugin(staff_t, staff_r) +') + +optional_policy(` -+ modutils_read_module_config(staff_usertype) -+ modutils_read_module_deps(staff_usertype) ++ modutils_read_module_config(staff_t) ++ modutils_read_module_deps(staff_t) +') + +optional_policy(` 
@@ -21474,7 +21735,7 @@ index 2be17d2..de3c13e 100644 +') + +optional_policy(` -+ rpm_dbus_chat(staff_usertype) ++ rpm_dbus_chat(staff_t) +') + +optional_policy(` @@ -21514,7 +21775,7 @@ index 2be17d2..de3c13e 100644 +#') + +optional_policy(` -+ userhelper_console_role_template(staff, staff_r, staff_usertype) ++ userhelper_console_role_template(staff, staff_r, staff_t) +') + +optional_policy(` @@ -21592,7 +21853,7 @@ index 2be17d2..de3c13e 100644 ') + +tunable_policy(`allow_execmod',` -+ userdom_execmod_user_home_files(staff_usertype) ++ userdom_execmod_user_home_files(staff_t) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index e14b961..37bdf8d 100644 @@ -22705,7 +22966,7 @@ index 0000000..bac0dc0 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..35524d6 +index 0000000..90af157 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,379 @@ @@ -22752,7 +23013,7 @@ index 0000000..35524d6 +userdom_manage_home_role(unconfined_r, unconfined_t) +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -+userdom_unpriv_usertype(unconfined, unconfined_t) ++userdom_unpriv_type(unconfined_r, unconfined_t) + +type unconfined_exec_t; +init_system_domain(unconfined_t, unconfined_exec_t) @@ -22817,7 +23078,7 @@ index 0000000..35524d6 +') + +tunable_policy(`allow_execmod',` -+ userdom_execmod_user_home_files(unconfined_usertype) ++ userdom_execmod_user_home_files(unconfined_t) +') + +tunable_policy(`unconfined_login',` 
@@ -22829,55 +23090,55 @@ index 0000000..35524d6 + +optional_policy(` + gen_require(` -+ attribute unconfined_usertype; ++ type unconfined_t; + ') + + optional_policy(` -+ abrt_dbus_chat(unconfined_usertype) -+ abrt_run_helper(unconfined_usertype, unconfined_r) ++ abrt_dbus_chat(unconfined_t) ++ abrt_run_helper(unconfined_t, unconfined_r) + ') + + optional_policy(` -+ avahi_dbus_chat(unconfined_usertype) ++ avahi_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ blueman_dbus_chat(unconfined_usertype) ++ blueman_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ certmonger_dbus_chat(unconfined_usertype) ++ certmonger_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ devicekit_dbus_chat(unconfined_usertype) -+ devicekit_dbus_chat_disk(unconfined_usertype) -+ devicekit_dbus_chat_power(unconfined_usertype) ++ devicekit_dbus_chat(unconfined_t) ++ devicekit_dbus_chat_disk(unconfined_t) ++ devicekit_dbus_chat_power(unconfined_t) + ') + + optional_policy(` -+ hal_dbus_chat(unconfined_usertype) ++ hal_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ networkmanager_dbus_chat(unconfined_usertype) ++ networkmanager_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ policykit_role(unconfined_r, unconfined_usertype) ++ policykit_role(unconfined_r, unconfined_t) + ') + + optional_policy(` -+ rtkit_scheduled(unconfined_usertype) ++ rtkit_scheduled(unconfined_t) + ') + + optional_policy(` -+ setroubleshoot_dbus_chat(unconfined_usertype) ++ setroubleshoot_dbus_chat(unconfined_t) + setroubleshoot_dbus_chat_fixit(unconfined_t) + ') + + optional_policy(` -+ sandbox_transition(unconfined_usertype, unconfined_r) ++ sandbox_transition(unconfined_t, unconfined_r) + ') + + optional_policy(` 
@@ -22889,9 +23150,9 @@ index 0000000..35524d6 + type user_tmpfs_t; + ') + -+ xserver_rw_session(unconfined_usertype, user_tmpfs_t) -+ xserver_run_xauth(unconfined_usertype, unconfined_r) -+ xserver_dbus_chat_xdm(unconfined_usertype) ++ xserver_rw_session(unconfined_t, user_tmpfs_t) ++ xserver_run_xauth(unconfined_t, unconfined_r) ++ xserver_dbus_chat_xdm(unconfined_t) + ') +') + @@ -22913,10 +23174,10 @@ index 0000000..35524d6 +') + +optional_policy(` -+ chrome_role_notrans(unconfined_r, unconfined_usertype) ++ chrome_role_notrans(unconfined_r, unconfined_t) + + tunable_policy(`unconfined_chrome_sandbox_transition',` -+ chrome_domtrans_sandbox(unconfined_usertype) ++ chrome_domtrans_sandbox(unconfined_t) + ') +') + @@ -22931,39 +23192,39 @@ index 0000000..35524d6 + ') + ') + -+ init_dbus_chat(unconfined_usertype) -+ init_dbus_chat_script(unconfined_usertype) ++ init_dbus_chat(unconfined_t) ++ init_dbus_chat_script(unconfined_t) + + dbus_stub(unconfined_t) + + optional_policy(` -+ bluetooth_dbus_chat(unconfined_usertype) ++ bluetooth_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ consolekit_dbus_chat(unconfined_usertype) ++ consolekit_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ cups_dbus_chat_config(unconfined_usertype) ++ cups_dbus_chat_config(unconfined_t) + ') + + optional_policy(` -+ fprintd_dbus_chat(unconfined_usertype) ++ fprintd_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ gnomeclock_dbus_chat(unconfined_usertype) -+ gnome_dbus_chat_gconfdefault(unconfined_usertype) ++ gnomeclock_dbus_chat(unconfined_t) ++ gnome_dbus_chat_gconfdefault(unconfined_t) + gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) + ') + + optional_policy(` -+ ipsec_mgmt_dbus_chat(unconfined_usertype) ++ ipsec_mgmt_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ kerneloops_dbus_chat(unconfined_usertype) ++ kerneloops_dbus_chat(unconfined_t) + ') + + optional_policy(` 
@@ -22971,16 +23232,16 @@ index 0000000..35524d6 + ') + + optional_policy(` -+ oddjob_dbus_chat(unconfined_usertype) ++ oddjob_dbus_chat(unconfined_t) + ') + + optional_policy(` -+ vpn_dbus_chat(unconfined_usertype) ++ vpn_dbus_chat(unconfined_t) + ') +') + +optional_policy(` -+ firewallgui_dbus_chat(unconfined_usertype) ++ firewallgui_dbus_chat(unconfined_t) +') + +optional_policy(` @@ -23019,7 +23280,7 @@ index 0000000..35524d6 + mozilla_role_plugin(unconfined_r) + + tunable_policy(`unconfined_mozilla_plugin_transition', ` -+ mozilla_domtrans_plugin(unconfined_usertype) ++ mozilla_domtrans_plugin(unconfined_t) + ') +') + @@ -23089,7 +23350,7 @@ index 0000000..35524d6 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..454e627 100644 +index e5bfdd4..77967bd 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -12,15 +12,101 @@ role user_r; @@ -23097,13 +23358,13 @@ index e5bfdd4..454e627 100644 userdom_unpriv_user_template(user) +fs_exec_noxattr(user_t) -+fs_read_hugetlbfs_files(user_usertype) ++fs_read_hugetlbfs_files(user_t) + +storage_read_scsi_generic(user_t) +storage_write_scsi_generic(user_t) + +tunable_policy(`allow_execmod',` -+ userdom_execmod_user_home_files(user_usertype) ++ userdom_execmod_user_home_files(user_t) +') + +optional_policy(` @@ -23123,7 +23384,7 @@ index e5bfdd4..454e627 100644 +') + +optional_policy(` -+ chrome_role(user_r, user_usertype) ++ chrome_role(user_r, user_t) +') + +optional_policy(` @@ -23140,7 +23401,7 @@ index e5bfdd4..454e627 100644 +') + +optional_policy(` -+ mozilla_run_plugin(user_usertype, user_r) ++ mozilla_run_plugin(user_t, user_r) +') + +optional_policy(` @@ -23266,7 +23527,7 @@ index 0ecc786..3e7e984 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) 
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..0258e24 100644 +index e88b95f..9b6536a 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) @@ -23347,7 +23608,7 @@ index e88b95f..0258e24 100644 + + +optional_policy(` -+ chrome_role(xguest_r, xguest_usertype) ++ chrome_role(xguest_r, xguest_t) +') + +optional_policy(` @@ -23369,12 +23630,12 @@ index e88b95f..0258e24 100644 +') + +optional_policy(` -+ mozilla_run_plugin(xguest_usertype, xguest_r) ++ mozilla_run_plugin(xguest_t, xguest_r) +') + +optional_policy(` -+ pcscd_read_pub_files(xguest_usertype) -+ pcscd_stream_connect(xguest_usertype) ++ pcscd_read_pub_files(xguest_t) ++ pcscd_stream_connect(xguest_t) +') + +optional_policy(` 
@@ -23383,44 +23644,42 @@ index e88b95f..0258e24 100644 optional_policy(` tunable_policy(`xguest_connect_network',` -+ kernel_read_network_state(xguest_usertype) ++ kernel_read_network_state(xguest_t) + networkmanager_dbus_chat(xguest_t) -- corenet_tcp_connect_pulseaudio_port(xguest_t) -- corenet_tcp_connect_ipp_port(xguest_t) + networkmanager_read_lib_files(xguest_t) -+ corenet_tcp_connect_pulseaudio_port(xguest_usertype) -+ corenet_all_recvfrom_unlabeled(xguest_usertype) -+ corenet_all_recvfrom_netlabel(xguest_usertype) -+ corenet_tcp_sendrecv_generic_if(xguest_usertype) -+ corenet_raw_sendrecv_generic_if(xguest_usertype) -+ corenet_tcp_sendrecv_generic_node(xguest_usertype) -+ corenet_raw_sendrecv_generic_node(xguest_usertype) -+ corenet_tcp_sendrecv_http_port(xguest_usertype) -+ corenet_tcp_sendrecv_http_cache_port(xguest_usertype) -+ corenet_tcp_sendrecv_squid_port(xguest_usertype) -+ corenet_tcp_sendrecv_ftp_port(xguest_usertype) -+ corenet_tcp_sendrecv_ipp_port(xguest_usertype) -+ corenet_tcp_connect_http_port(xguest_usertype) -+ corenet_tcp_connect_http_cache_port(xguest_usertype) -+ corenet_tcp_connect_squid_port(xguest_usertype) -+ corenet_tcp_connect_flash_port(xguest_usertype) -+ corenet_tcp_connect_ftp_port(xguest_usertype) -+ corenet_tcp_connect_ipp_port(xguest_usertype) -+ corenet_tcp_connect_generic_port(xguest_usertype) -+ corenet_tcp_connect_soundd_port(xguest_usertype) -+ corenet_sendrecv_http_client_packets(xguest_usertype) -+ corenet_sendrecv_http_cache_client_packets(xguest_usertype) -+ corenet_sendrecv_squid_client_packets(xguest_usertype) -+ corenet_sendrecv_ftp_client_packets(xguest_usertype) -+ corenet_sendrecv_ipp_client_packets(xguest_usertype) -+ corenet_sendrecv_generic_client_packets(xguest_usertype) + corenet_tcp_connect_pulseaudio_port(xguest_t) ++ corenet_all_recvfrom_unlabeled(xguest_t) ++ corenet_all_recvfrom_netlabel(xguest_t) ++ corenet_tcp_sendrecv_generic_if(xguest_t) ++ corenet_raw_sendrecv_generic_if(xguest_t) ++ 
corenet_tcp_sendrecv_generic_node(xguest_t) ++ corenet_raw_sendrecv_generic_node(xguest_t) ++ corenet_tcp_sendrecv_http_port(xguest_t) ++ corenet_tcp_sendrecv_http_cache_port(xguest_t) ++ corenet_tcp_sendrecv_squid_port(xguest_t) ++ corenet_tcp_sendrecv_ftp_port(xguest_t) ++ corenet_tcp_sendrecv_ipp_port(xguest_t) ++ corenet_tcp_connect_http_port(xguest_t) ++ corenet_tcp_connect_http_cache_port(xguest_t) ++ corenet_tcp_connect_squid_port(xguest_t) ++ corenet_tcp_connect_flash_port(xguest_t) ++ corenet_tcp_connect_ftp_port(xguest_t) + corenet_tcp_connect_ipp_port(xguest_t) ++ corenet_tcp_connect_generic_port(xguest_t) ++ corenet_tcp_connect_soundd_port(xguest_t) ++ corenet_sendrecv_http_client_packets(xguest_t) ++ corenet_sendrecv_http_cache_client_packets(xguest_t) ++ corenet_sendrecv_squid_client_packets(xguest_t) ++ corenet_sendrecv_ftp_client_packets(xguest_t) ++ corenet_sendrecv_ipp_client_packets(xguest_t) ++ corenet_sendrecv_generic_client_packets(xguest_t) + # Should not need other ports -+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype) -+ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype) -+ corenet_tcp_connect_speech_port(xguest_usertype) -+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype) -+ corenet_tcp_connect_transproxy_port(xguest_usertype) ++ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t) ++ corenet_dontaudit_tcp_bind_generic_port(xguest_t) ++ corenet_tcp_connect_speech_port(xguest_t) ++ corenet_tcp_sendrecv_transproxy_port(xguest_t) ++ corenet_tcp_connect_transproxy_port(xguest_t) ') + + #optional_policy(` @@ -23717,7 +23976,7 @@ index 0b827c5..d83d4dc 100644 + dontaudit $1 abrt_t:sock_file write; +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..a1cbdb4 100644 +index 30861ec..e203cd3 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) 
@@ -23837,15 +24096,16 @@ index 30861ec..a1cbdb4 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +154,8 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) ++dev_getattr_all_blk_files(abrt_t) +dev_read_rand(abrt_t) dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -23855,7 +24115,7 @@ index 30861ec..a1cbdb4 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -23864,7 +24124,7 @@ index 30861ec..a1cbdb4 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +185,26 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +186,26 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -23897,7 +24157,7 @@ index 30861ec..a1cbdb4 100644 ') optional_policy(` -@@ -167,6 +225,7 @@ optional_policy(` +@@ -167,6 +226,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -23905,7 +24165,7 @@ index 30861ec..a1cbdb4 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +237,35 @@ optional_policy(` +@@ -178,12 +238,35 @@ optional_policy(` ') optional_policy(` 
@@ -23942,7 +24202,7 @@ index 30861ec..a1cbdb4 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +282,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +283,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -23971,7 +24231,7 @@ index 30861ec..a1cbdb4 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +305,128 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +306,128 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -24637,7 +24897,7 @@ index deca9d3..ae8c579 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..a9959fa 100644 +index 9e39aa5..c738795 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,13 +1,18 @@ 
@@ -24660,17 +24920,19 @@ index 9e39aa5..a9959fa 100644 /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) -@@ -16,6 +21,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u +@@ -16,6 +21,11 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0) ++ ++/usr/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) + /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -24,16 +32,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u +@@ -24,16 +34,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -24695,7 +24957,7 @@ index 9e39aa5..a9959fa 100644 /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -@@ -43,8 +52,9 @@ ifdef(`distro_suse', ` +@@ -43,8 +54,9 @@ ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
@@ -24707,7 +24969,7 @@ index 9e39aa5..a9959fa 100644 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -54,9 +64,11 @@ ifdef(`distro_suse', ` +@@ -54,9 +66,11 @@ ifdef(`distro_suse', ` /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -24719,7 +24981,7 @@ index 9e39aa5..a9959fa 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,20 +85,25 @@ ifdef(`distro_suse', ` +@@ -73,20 +87,26 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
@@ -24744,14 +25006,15 @@ index 9e39aa5..a9959fa 100644 /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/suphp\.log -- gen_context(system_u:object_r:httpd_log_t,s0) ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -105,7 +122,27 @@ ifdef(`distro_debian', ` +@@ -104,8 +124,26 @@ ifdef(`distro_debian', ` + /var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/www/html(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -27155,15 +27418,17 @@ index a7a0e71..5352ef6 100644 ') diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc -index 59aa54f..f944a65 100644 +index 59aa54f..159f74f 100644 --- a/policy/modules/services/bind.fc 
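Review bot: Dropping the upstream `/var/www(/.*)?/logs(/.*)? … httpd_log_t` entry (the inner `-` line in the `@@ -104,8 +124,26 @@` hunk) together with the patch's own `/var/www/html(/.*)?/logs(/.*)?` addition leaves every `logs` directory under `/var/www` matched only by the generic `/var/www(/.*)?` rule, so it is labeled `httpd_sys_content_t`; the commit description does not mention this relabel. In the reference policy that type is the read-only served-content type, so a site that writes access or error logs under its document root would presumably start getting denials after a restorecon, and log files already there become ordinary servable content. If the intent is that web roots must not hold logs, a comment next to the `/var/www(/.*)?` line, `# logs under web roots are deliberately plain content, not httpd_log_t`, would make that visible; otherwise the `httpd_log_t` entry should be kept.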
+++ b/policy/modules/services/bind.fc -@@ -5,6 +5,8 @@ +@@ -5,6 +5,10 @@ /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0) + ++/usr/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0) ++ /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) @@ -27766,7 +28031,7 @@ index 3e45431..a726c09 100644 admin_pattern($1, bluetooth_var_lib_t) diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te -index 215b86b..619518f 100644 +index 215b86b..2bb14b2 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0) @@ -27784,19 +28049,7 @@ index 215b86b..619518f 100644 type bluetooth_conf_rw_t; files_type(bluetooth_conf_rw_t) -@@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t) - #search debugfs - redhat bug 548206 - kernel_search_debugfs(bluetooth_t) - -+ifdef(`hide_broken_symptoms', ` -+ kernel_rw_unlabeled_socket(bluetooth_t) -+ dev_rw_generic_chr_files(bluetooth_t) -+') -+ - corenet_all_recvfrom_unlabeled(bluetooth_t) - corenet_all_recvfrom_netlabel(bluetooth_t) - corenet_tcp_sendrecv_generic_if(bluetooth_t) -@@ -147,6 +153,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) +@@ -147,6 +148,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) optional_policy(` 
@@ -27807,7 +28060,7 @@ index 215b86b..619518f 100644 dbus_system_bus_client(bluetooth_t) dbus_connect_system_bus(bluetooth_t) -@@ -190,7 +200,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; +@@ -190,7 +195,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; allow bluetooth_helper_t self:shm create_shm_perms; allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow bluetooth_helper_t self:tcp_socket create_socket_perms; @@ -27815,7 +28068,7 @@ index 215b86b..619518f 100644 allow bluetooth_helper_t bluetooth_t:socket { read write }; -@@ -220,6 +229,8 @@ files_read_etc_runtime_files(bluetooth_helper_t) +@@ -220,6 +224,8 @@ files_read_etc_runtime_files(bluetooth_helper_t) files_read_usr_files(bluetooth_helper_t) files_dontaudit_list_default(bluetooth_helper_t) @@ -27824,7 +28077,7 @@ index 215b86b..619518f 100644 locallogin_dontaudit_use_fds(bluetooth_helper_t) logging_send_syslog_msg(bluetooth_helper_t) -@@ -236,9 +247,5 @@ optional_policy(` +@@ -236,9 +242,5 @@ optional_policy(` ') optional_policy(` @@ -28257,10 +28510,10 @@ index 048abbf..7368f57 100644 sysnet_read_config(httpd_bugzilla_script_t) diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc new file mode 100644 -index 0000000..24d9837 +index 0000000..a561ce0 --- /dev/null +++ b/policy/modules/services/cachefilesd.fc -@@ -0,0 +1,29 @@ +@@ -0,0 +1,34 @@ +############################################################################### +# +# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. 
@@ -28284,10 +28537,15 @@ index 0000000..24d9837 +# MLS sensitivity: s0 +# MCS categories: + -+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) +/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) ++ ++/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) ++ ++/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) ++ ++/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) ++ +/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) -+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if @@ -28992,6 +29250,18 @@ index 1d25efe..1b16191 100644 logging_log_filetrans(canna_t, canna_log_t, { file dir }) manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) +diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc +index 8a7177d..bc4f6e7 100644 +--- a/policy/modules/services/ccs.fc ++++ b/policy/modules/services/ccs.fc +@@ -2,5 +2,7 @@ + + /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) + ++/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) ++ + /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) + /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if index 6ee2cc8..3105b09 100644 --- a/policy/modules/services/ccs.if 
@@ -29462,6 +29732,20 @@ index 0000000..1ba0484 + +sysnet_dns_name_resolve(cfengine_monitord_t) +sysnet_domtrans_ifconfig(cfengine_monitord_t) +diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc +index b6bb46c..645d203 100644 +--- a/policy/modules/services/cgroup.fc ++++ b/policy/modules/services/cgroup.fc +@@ -11,5 +11,9 @@ + /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) + /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) + ++/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) ++/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) ++/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) ++ + /var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) + /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if index 33facaf..225e70c 100644 --- a/policy/modules/services/cgroup.if @@ -29586,15 +29870,17 @@ index dad226c..084063b 100644 miscfiles_read_localization(cgred_t) diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc -index fd8cd0b..45096d8 100644 +index fd8cd0b..c11cd2f 100644 --- a/policy/modules/services/chronyd.fc +++ b/policy/modules/services/chronyd.fc -@@ -2,8 +2,12 @@ +@@ -2,8 +2,14 @@ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) +/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0) + ++/usr/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0) ++ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) 
@@ -31942,6 +32228,18 @@ index 838dec7..59d0f96 100644 miscfiles_read_localization(courier_pop_t) +diff --git a/policy/modules/services/cpucontrol.fc b/policy/modules/services/cpucontrol.fc +index 789c8c7..d1723f5 100644 +--- a/policy/modules/services/cpucontrol.fc ++++ b/policy/modules/services/cpucontrol.fc +@@ -3,6 +3,7 @@ + + /sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) + ++/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) + /usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) + /usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) + /usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te index 13d2f63..861fad7 100644 --- a/policy/modules/services/cpucontrol.te @@ -31978,18 +32276,19 @@ index 13d2f63..861fad7 100644 ') diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc -index 2eefc08..6ea5693 100644 +index 2eefc08..32a4a69 100644 --- a/policy/modules/services/cron.fc +++ b/policy/modules/services/cron.fc -@@ -2,6 +2,7 @@ +@@ -2,6 +2,8 @@ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0) ++/usr/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0) /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) -@@ -14,14 +15,15 @@ +@@ -14,14 +16,15 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
@@ -32007,7 +32306,7 @@ index 2eefc08..6ea5693 100644 #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) /var/spool/cron/[^/]* -- <> -@@ -45,3 +47,5 @@ ifdef(`distro_suse', ` +@@ -45,3 +48,5 @@ ifdef(`distro_suse', ` /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) @@ -33346,10 +33645,18 @@ index 0000000..284fbae + sysnet_domtrans_ifconfig(ctdbd_t) +') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc -index 1b492ed..c79454d 100644 +index 1b492ed..ac5dae0 100644 --- a/policy/modules/services/cups.fc +++ b/policy/modules/services/cups.fc -@@ -28,11 +28,8 @@ +@@ -20,6 +20,7 @@ + /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + + /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + + /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +@@ -28,11 +29,8 @@ # keep as separate lines to ensure proper sorting /usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) @@ -33361,7 +33668,7 @@ index 1b492ed..c79454d 100644 /usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -@@ -56,6 +53,7 @@ +@@ -56,6 +54,7 @@ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -33369,7 +33676,7 @@ index 1b492ed..c79454d 100644 /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) -@@ -64,10 +62,16 @@ +@@ -64,10 +63,16 @@ /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) @@ -33886,14 +34193,16 @@ index a8b93c0..831ce70 100644 type dante_var_run_t; files_pid_file(dante_var_run_t) diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc -index 81eba14..d0ab56c 100644 +index 81eba14..b8cbe47 100644 --- a/policy/modules/services/dbus.fc +++ b/policy/modules/services/dbus.fc -@@ -3,7 +3,6 @@ +@@ -3,7 +3,8 @@ /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++ ++/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) @@ -34746,17 +35055,18 @@ index 8ba9425..b10da2c 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc -index 418a5a0..c25fbdc 100644 +index 418a5a0..1041039 100644 --- a/policy/modules/services/devicekit.fc 
+++ b/policy/modules/services/devicekit.fc -@@ -2,13 +2,19 @@ +@@ -1,3 +1,7 @@ ++/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) ++ ++/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) ++ + /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) - /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -+/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) - /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) - - /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) +@@ -8,7 +12,12 @@ /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) @@ -35303,14 +35613,16 @@ index f231f17..f277ea6 100644 + xserver_stream_connect(devicekit_power_t) +') diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc -index 767e0c7..4fbde9d 100644 +index 767e0c7..c8306c2 100644 --- a/policy/modules/services/dhcp.fc +++ b/policy/modules/services/dhcp.fc -@@ -1,8 +1,10 @@ +@@ -1,8 +1,12 @@ -/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) + +/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) ++ ++/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) @@ -36261,15 +36573,17 @@ index dc1056c..bd60100 100644 + +/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) 
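Review bot: The new entry `++/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)` in the dhcp.fc hunk copies the pattern of the existing `/lib/systemd/system/dhcpcd.*` line, but `dhcpcd` is a DHCP client while the type is the server's (`dhcpd_unit_file_t`, matching `/usr/sbin/dhcpd.*` a few lines below), and a `dhcpd.service` unit is not matched by `dhcpcd.*` at all. Presumably `dhcpd.*` was intended on both lines; as written, the server unit keeps the generic unit-file label and the dhcpd admin interface presumably cannot grant it, while an unrelated client unit receives the server's type. If the client unit really is what is meant, a comment saying so would keep the next reader from "fixing" it.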
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc -index b886676..ab3af9c 100644 +index b886676..2b4d0f6 100644 --- a/policy/modules/services/dnsmasq.fc +++ b/policy/modules/services/dnsmasq.fc -@@ -1,12 +1,14 @@ +@@ -1,12 +1,16 @@ /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) +/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) + ++/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) ++ /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) @@ -36923,16 +37237,19 @@ index acf6d4f..47969fe 100644 ') diff --git a/policy/modules/services/drbd.fc b/policy/modules/services/drbd.fc new file mode 100644 -index 0000000..f96c4f2 +index 0000000..60c19b9 --- /dev/null +++ b/policy/modules/services/drbd.fc -@@ -0,0 +1,9 @@ +@@ -0,0 +1,12 @@ + +/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) +/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) + +/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) + ++/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) ++/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) ++ +/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0) + + @@ -38494,20 +38811,23 @@ index 7df52c7..8512254 100644 + policykit_dbus_chat_auth(fprintd_t) ') diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc -index 69dcd2a..80eefd3 100644 +index 69dcd2a..030dbb6 100644 --- a/policy/modules/services/ftp.fc 
+++ b/policy/modules/services/ftp.fc -@@ -6,6 +6,9 @@ +@@ -6,6 +6,12 @@ /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) /etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) +/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + ++/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++ # # /usr # -@@ -29,3 +32,4 @@ +@@ -29,3 +35,4 @@ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) @@ -39625,34 +39945,32 @@ index 7382f85..fa32fcf 100644 +gen_user(git_shell_u, user, git_shell_r, s0, s0) diff --git a/policy/modules/services/glance.fc b/policy/modules/services/glance.fc new file mode 100644 -index 0000000..7d27335 +index 0000000..657d8f5 --- /dev/null 
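Review bot: The new `++/usr/lib/systemd/system/vsftpd.*` and `++/usr/lib/systemd/system/proftpd.*` entries label the FTP service units as `iptables_unit_file_t`, copying the mislabel on the two `/lib/systemd/system/...` lines already in the patch; the same copy-and-paste label appears on the new `slapd.*` entries in the ldap.fc hunk further down. With that label, any domain that is allowed to manage the iptables unit-file type would presumably also be able to enable, disable or replace the vsftpd, proftpd and slapd units, and the ftp and ldap modules cannot grant their own units to their admin roles without also handing over iptables', so the per-service separation the unit-file types exist for is lost. Each entry should use a unit-file type owned by its own module, e.g. `/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:<FTPD_UNIT_FILE_TYPE>,s0)` with that type declared in ftp.te next to `ftpd_initrc_exec_t` if it is not already; the older `/lib/systemd/system/...` lines in both files need the same correction.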
+++ b/policy/modules/services/glance.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,13 @@ + -+/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0) ++/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0) + -+/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) ++/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0) ++ ++/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) ++/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0) + +/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0) + +/var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0) + +/var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0) -+ -+/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0) -+ -+/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0) diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if new file mode 100644 -index 0000000..8cc6d17 +index 0000000..8f0f77b --- /dev/null +++ b/policy/modules/services/glance.if -@@ -0,0 +1,276 @@ +@@ -0,0 +1,268 @@ + +## policy for glance + -+ +######################################## +## +## Transition to glance. @@ -39691,7 +40009,6 @@ index 0000000..8cc6d17 + domtrans_pattern($1, glance_api_exec_t, glance_api_t) +') + -+ +######################################## +## +## Read glance's log files. 
@@ -39887,13 +40204,9 @@ index 0000000..8cc6d17 +# +interface(`glance_admin',` + gen_require(` -+ type glance_registry_t; -+ type glance_api_t; -+ type glance_log_t; -+ type glance_var_lib_t; -+ type glance_var_run_t; -+ type glance_registry_initrc_exec_t; -+ type glance_api_initrc_exec_t; ++ type glance_registry_t, glance_api_t, glance_log_t; ++ type glance_var_lib_t, glance_var_run_t; ++ type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; + ') + + allow $1 glance_registry_t:process signal_perms; @@ -39922,15 +40235,13 @@ index 0000000..8cc6d17 + + files_search_pids($1) + admin_pattern($1, glance_var_run_t) -+ +') -+ diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te new file mode 100644 -index 0000000..34385c9 +index 0000000..4afb81f --- /dev/null +++ b/policy/modules/services/glance.te -@@ -0,0 +1,105 @@ +@@ -0,0 +1,104 @@ +policy_module(glance, 1.0.0) + +######################################## @@ -40014,7 +40325,6 @@ index 0000000..34385c9 +corenet_tcp_bind_generic_node(glance_registry_t) +corenet_tcp_bind_glance_registry_port(glance_registry_t) + -+ +######################################## +# +# glance-api local policy @@ -40077,10 +40387,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..a1d38a3 100644 +index 4fde46b..a250b06 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -14,19 +14,26 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -14,19 +14,28 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # gnomeclock local policy # 
@@ -40104,15 +40414,16 @@ index 4fde46b..a1d38a3 100644 +files_read_etc_runtime_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) --auth_use_nsswitch(gnomeclock_t) +fs_getattr_xattr_fs(gnomeclock_t) ++ + auth_use_nsswitch(gnomeclock_t) -clock_domtrans(gnomeclock_t) -+auth_use_nsswitch(gnomeclock_t) ++logging_send_syslog_msg(gnomeclock_t) miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -42524,10 +42835,10 @@ index 0000000..4aac893 + +sysnet_dns_name_resolve(l2tpd_t) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc -index c62f23e..f8a4301 100644 +index c62f23e..63e3be1 100644 --- a/policy/modules/services/ldap.fc +++ b/policy/modules/services/ldap.fc -@@ -1,6 +1,10 @@ +@@ -1,6 +1,12 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) -/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) @@ -42535,11 +42846,13 @@ index c62f23e..f8a4301 100644 + +/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + -+/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++ ++/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) -@@ -15,3 +19,4 @@ ifdef(`distro_debian',` +@@ -15,3 +21,4 @@ ifdef(`distro_debian',` /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) @@ -43652,46 +43965,41 @@ index 0000000..5b84980 +') 
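Review bot: The slapd unit files in the ldap.fc hunk (`/lib/systemd/system/slapd.*` and the newly added `/usr/lib/systemd/system/slapd.*`) are labelled `iptables_unit_file_t`, which hands control over starting and stopping slapd to whichever domains may manage iptables units, while every other unit file in this patch gets a per-service type (`NetworkManager_unit_file_t`, `ntpd_unit_file_t`, `nis_unit_file_t`, `rpcd_unit_file_t`). Unless the cross-labelling is deliberate, declare a dedicated `slapd_unit_file_t` in ldap.te and label both entries with it; the `ppp.*` entries in the ppp.fc hunk further down have the same problem. If it is deliberate, a one-line comment above the entries saying why would stop the next reader from "fixing" it.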
diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc new file mode 100644 -index 0000000..7f36870 +index 0000000..ea9dc7a --- /dev/null 
+++ b/policy/modules/services/matahari.fc -@@ -0,0 +1,30 @@ -+/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0) -+ -+/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) -+ -+/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) -+ -+/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) -+ -+/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0) +@@ -0,0 +1,25 @@ ++/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0) ++ ++/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) ++/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) ++/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) + -+/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) ++/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) + -+/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) ++/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) + ++/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) +/usr/sbin/matahari-qmf-networkd -- 
gen_context(system_u:object_r:matahari_netd_exec_t,s0) ++/usr/sbin/matahari-qmf-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) ++/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0) + -+/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) -+ -+/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) -+ -+/usr/sbin/matahari-qmf-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) ++/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) + -+/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0) ++/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0) + -+/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0) -+/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) -+/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) ++/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0) ++/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) ++/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if new file mode 100644 -index 0000000..0d771fd +index 0000000..2e8b6d8 --- /dev/null +++ b/policy/modules/services/matahari.if -@@ -0,0 +1,250 @@ +@@ -0,0 +1,244 @@ +## policy for matahari + +###################################### @@ -43718,7 +44026,6 @@ index 0000000..0d771fd + type matahari_$1_t, matahari_domain; + type matahari_$1_exec_t; + init_daemon_domain(matahari_$1_t, matahari_$1_exec_t) -+ +') + +######################################## 
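Review bot: The four `/etc/rc\.d/init\.d/matahari-*` entries at the top of the matahari.fc hunk have no `--` file-type field, whereas every other init-script entry in this patch (the openstack-glance ones, for example) is written `... -- gen_context(...)`; without it the pattern also applies to a directory, symlink or socket at that path, which is not what an initrc exec type is meant to cover. Add ` --` to each of the four lines, e.g. `/etc/rc\.d/init\.d/matahari-host -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)`.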
@@ -43798,7 +44105,6 @@ index 0000000..0d771fd + manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t) +') + -+ +######################################## +## +## Read matahari PID files. @@ -43910,12 +44216,9 @@ index 0000000..0d771fd +# +interface(`matahari_admin',` + gen_require(` -+ type matahari_initrc_exec_t; -+ type matahari_hostd_t; -+ type matahari_netd_t; -+ type matahari_serviced_t; -+ type matahari_var_lib_t; -+ type matahari_var_run_t; ++ type matahari_initrc_exec_t, matahari_hostd_t; ++ type matahari_netd_t, matahari_serviced_t; ++ type matahari_var_lib_t, matahari_var_run_t; + ') + + init_labeled_script_domtrans($1, matahari_initrc_exec_t) @@ -43940,11 +44243,10 @@ index 0000000..0d771fd + + files_search_pids($1) + admin_pattern($1, matahari_var_run_t) -+ +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..372ed05 +index 0000000..4ea6ac3 --- /dev/null +++ b/policy/modules/services/matahari.te @@ -0,0 +1,97 @@ @@ -44027,7 +44329,7 @@ index 0000000..372ed05 +# matahari domain local policy +# + -+allow matahari_domain self:process { signal }; ++allow matahari_domain self:process signal; + +allow matahari_domain self:fifo_file rw_fifo_file_perms; +allow matahari_domain self:unix_stream_socket create_stream_socket_perms; @@ -45109,7 +45411,7 @@ index 7f68872..36ff69d 100644 + xserver_dontaudit_read_xdm_pid(mpd_t) +') diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc -index 256166a..2320c87 100644 +index 256166a..71e7a36 100644 --- a/policy/modules/services/mta.fc +++ b/policy/modules/services/mta.fc @@ -1,4 +1,6 @@ 
@@ -45120,24 +45422,27 @@ index 256166a..2320c87 100644 /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -@@ -11,20 +13,25 @@ ifdef(`distro_redhat',` +@@ -11,20 +13,26 @@ ifdef(`distro_redhat',` /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') +-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) +/root/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) +/root/.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) -+ - /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++ +/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -45603,7 +45908,7 @@ index 343cee3..867dfac 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..7f55b85 100644 +index 64268e4..a7d94de 100644 --- a/policy/modules/services/mta.te 
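Review bot: `/root/dead.letter` and `/root/.mailrc` in the mta.fc hunk have unescaped dots, so each `.` matches any character rather than a literal dot, unlike the `/root/\.forward` entry beside them and the rest of the file; they appear to be carried over unchanged here, but the hunk is already rewriting this block. Escape them: `/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)` and `/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)`.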
+++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) @@ -45864,7 +46169,7 @@ index 64268e4..7f55b85 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(user_mail_t) fs_manage_cifs_symlinks(user_mail_t) -@@ -292,3 +304,47 @@ optional_policy(` +@@ -292,3 +304,49 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -45892,6 +46197,8 @@ index 64268e4..7f55b85 100644 +kernel_read_network_state(user_mail_domain) +kernel_request_load_module(user_mail_domain) + ++dev_read_urand(user_mail_domain) ++ +files_read_usr_files(user_mail_domain) + +optional_policy(` @@ -46889,10 +47196,10 @@ index 74da57f..b94bb3b 100644 /usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0) diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc -index 386543b..8e8f911 100644 +index 386543b..ea4e5e6 100644 --- a/policy/modules/services/networkmanager.fc +++ b/policy/modules/services/networkmanager.fc -@@ -1,6 +1,15 @@ +@@ -1,6 +1,17 @@ /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) 
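Review bot: `dev_read_urand(user_mail_domain)` in the mta.te hunk grants read access to /dev/urandom only, while the commit description says the aim is to let user_mail_t read /dev/random; a mail client that opens /dev/random would still be denied. If the denial being fixed was on /dev/random, use `dev_read_rand(user_mail_domain)` (or both); if urandom is what was actually observed, the changelog line is the part that is off. The enclosing `user_mail_domain` block starts outside the hunk, so a `dev_read_rand` further up would not be visible to me.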
@@ -46906,10 +47213,18 @@ index 386543b..8e8f911 100644 +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) + +/lib/systemd/system/NetworkManager\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0) ++ ++/usr/lib/systemd/system/NetworkManager\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0) /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -@@ -16,11 +25,13 @@ +@@ -12,15 +23,19 @@ + /usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + /usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) ++/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + /var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) /var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) @@ -47295,7 +47610,7 @@ index 0619395..e5fb258 100644 ######################################## diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc -index 15448d5..3587f6a 100644 +index 15448d5..62284bf 100644 --- a/policy/modules/services/nis.fc +++ b/policy/modules/services/nis.fc @@ -1,5 +1,5 @@ @@ -47317,7 +47632,7 @@ index 15448d5..3587f6a 100644 /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) -@@ -19,3 +19,8 @@ +@@ -19,3 +19,13 @@ /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) 
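Review bot: `/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)` in the networkmanager.fc hunk runs the supplicant inside `NetworkManager_t` itself, while the line above gives `wpa_cli` its own `wpa_cli_exec_t`; the supplicant is the process that handles frames from untrusted access points, so folding it into the manager's domain means any fault there inherits NetworkManager_t's full privilege set. If merging the two is intended, add a comment above the entry saying so, because the asymmetry with `wpa_cli_exec_t` reads like a mistake otherwise.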
@@ -47326,6 +47641,11 @@ index 15448d5..3587f6a 100644 +/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) ++ ++/usr/lib/systemd/system/ypbind\.service -- gen_context(system_u:object_r:ypbind_unit_file_t,s0) ++/usr/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) ++/usr/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) ++/usr/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if index abe3f7f..d3595cf 100644 --- a/policy/modules/services/nis.if @@ -48218,15 +48538,17 @@ index ded9fb6..9d1e60a 100644 manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) files_pid_filetrans(ntop_t, ntop_var_run_t, file) diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc -index e79dccc..50202ef 100644 +index e79dccc..82a62e9 100644 --- a/policy/modules/services/ntp.fc +++ b/policy/modules/services/ntp.fc -@@ -10,6 +10,8 @@ +@@ -10,6 +10,10 @@ /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) +/lib/systemd/system/ntpd\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) + ++/usr/lib/systemd/system/ntpd\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) ++ /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) 
@@ -48364,6 +48686,18 @@ index c61adc8..09bb140 100644 auth_use_nsswitch(ntpd_t) +diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc +index 0a929ef..371119d 100644 +--- a/policy/modules/services/nut.fc ++++ b/policy/modules/services/nut.fc +@@ -3,6 +3,7 @@ + /sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) + + /usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) ++/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) + /usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) + + /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te index ff962dd..c856c64 100644 --- a/policy/modules/services/nut.te @@ -49806,15 +50140,20 @@ index 0000000..1c69a1a + +sysnet_read_config(piranha_domain) diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc -index 5702ca4..08528da 100644 +index 5702ca4..498d856 100644 --- a/policy/modules/services/plymouthd.fc +++ b/policy/modules/services/plymouthd.fc -@@ -5,3 +5,5 @@ +@@ -2,6 +2,10 @@ + + /sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) + ++/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) ++ ++/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) ++ /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) -+ -+#/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0) diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if index 9759ed8..34b79af 100644 --- a/policy/modules/services/plymouthd.if 
@@ -50938,6 +51277,19 @@ index 0000000..d958b53 +') + +userdom_home_manager(polipo_session_t) +diff --git a/policy/modules/services/portmap.fc b/policy/modules/services/portmap.fc +index 76f5834..bebd9aa 100644 +--- a/policy/modules/services/portmap.fc ++++ b/policy/modules/services/portmap.fc +@@ -1,6 +1,8 @@ + + /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) + ++/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) ++ + ifdef(`distro_debian',` + /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) + /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te index 333a1fe..e599723 100644 --- a/policy/modules/services/portmap.te @@ -50984,10 +51336,10 @@ index 333a1fe..e599723 100644 optional_policy(` diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc -index 4313a6f..1d9fa76 100644 +index 4313a6f..cc334a3 100644 --- a/policy/modules/services/portreserve.fc +++ b/policy/modules/services/portreserve.fc -@@ -1,6 +1,7 @@ +@@ -1,7 +1,10 @@ -/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) -/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) @@ -50997,6 +51349,9 @@ index 4313a6f..1d9fa76 100644 /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) ++/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) ++ + /var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if index 7719d16..d283895 100644 --- a/policy/modules/services/portreserve.if @@ -51509,7 +51864,7 @@ index 46bee12..1fbe0fa 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') 
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..149da7a 100644 +index a32c4b3..c24aed3 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -51889,18 +52244,19 @@ index a32c4b3..149da7a 100644 ') optional_policy(` -@@ -599,6 +689,10 @@ optional_policy(` +@@ -599,6 +689,11 @@ optional_policy(` ') optional_policy(` + milter_stream_connect_all(postfix_smtpd_t) ++ spamassassin_read_pid_files(postfix_smtpd_t) +') + +optional_policy(` postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +705,6 @@ optional_policy(` +@@ -611,7 +706,6 @@ optional_policy(` # Postfix virtual local policy # @@ -51908,7 +52264,7 @@ index a32c4b3..149da7a 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +723,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +724,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -52249,25 +52605,39 @@ index db843e2..4389e81 100644 type postgrey_var_lib_t; files_type(postgrey_var_lib_t) diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc -index 2d82c6d..adf5731 100644 +index 2d82c6d..fdee468 100644 --- a/policy/modules/services/ppp.fc 
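Review bot: `spamassassin_read_pid_files(postfix_smtpd_t)` is placed inside the same `optional_policy` block as `milter_stream_connect_all(postfix_smtpd_t)` in the postfix.te hunk, but the two interfaces come from different modules; the block is enabled as a unit, so when either module is absent the whole block is dropped and the other rule silently disappears with it. Give the new call its own block, `optional_policy(\` spamassassin_read_pid_files(postfix_smtpd_t) ')`, as the neighbouring `postgrey_stream_connect` call already has.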
+++ b/policy/modules/services/ppp.fc -@@ -11,11 +11,14 @@ +@@ -11,19 +11,26 @@ # Fix /etc/ppp {up,down} family scripts (see man pppd) /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) +/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + ++/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++ /root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) # # /sbin # +-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) +/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) - /sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) + + # + # /usr + # ++/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) + /usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) + /usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) +-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) # -@@ -34,5 +37,7 @@ + # /var +@@ -34,5 +41,7 @@ # Fix pptp sockets /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) 
@@ -52562,6 +52932,18 @@ index 2af42e7..20f5d6b 100644 files_read_etc_files(pptp_t) +diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc +index 3bd847a..a52b025 100644 +--- a/policy/modules/services/prelude.fc ++++ b/policy/modules/services/prelude.fc +@@ -5,6 +5,7 @@ + + /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) + ++/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) + /usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) + /usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) + /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if index 2316653..b295b91 100644 --- a/policy/modules/services/prelude.if @@ -54446,27 +54828,26 @@ index cb7ecb5..3df1532 100644 +') diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc new file mode 100644 -index 0000000..7908e1d +index 0000000..594c110 --- /dev/null +++ b/policy/modules/services/rabbitmq.fc @@ -0,0 +1,7 @@ + -+/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) +/usr/lib64/erlang/erts-5.8.5/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) -+#/usr/lib64/erlang/lib/os_mon-2.2.7/priv/bin/cpu_sup -- gen_context(system_u:object_r:rabbitmq_cpu_sup_exec_t,s0) ++/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) + -+/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) +/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) ++ ++/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) diff --git a/policy/modules/services/rabbitmq.if b/policy/modules/services/rabbitmq.if new file mode 100644 -index 0000000..f15d8c3 +index 0000000..491bd1f --- /dev/null 
+++ b/policy/modules/services/rabbitmq.if -@@ -0,0 +1,23 @@ +@@ -0,0 +1,21 @@ + +## policy for rabbitmq + -+ +######################################## +## +## Transition to rabbitmq. @@ -54485,10 +54866,9 @@ index 0000000..f15d8c3 + corecmd_search_bin($1) + domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t) +') -+ diff --git a/policy/modules/services/rabbitmq.te b/policy/modules/services/rabbitmq.te new file mode 100644 -index 0000000..55aaca1 +index 0000000..591ca32 --- /dev/null +++ b/policy/modules/services/rabbitmq.te @@ -0,0 +1,86 @@ @@ -54521,7 +54901,7 @@ index 0000000..55aaca1 +allow rabbitmq_beam_t self:process { setsched signal signull }; + +allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; -+allow rabbitmq_beam_t self:tcp_socket { accept listen }; ++allow rabbitmq_beam_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) @@ -54559,7 +54939,7 @@ index 0000000..55aaca1 + +domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) + -+allow rabbitmq_epmd_t self:process { signal }; ++allow rabbitmq_epmd_t self:process signal; + +allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; +allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; @@ -54972,6 +55352,15 @@ index 852840b..9405f78 100644 + milter_manage_spamass_state(razor_t) + ') ') +diff --git a/policy/modules/services/rdisc.fc b/policy/modules/services/rdisc.fc +index dee4adc..a7e4bc7 100644 +--- a/policy/modules/services/rdisc.fc ++++ b/policy/modules/services/rdisc.fc +@@ -1,2 +1,4 @@ + + /sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) ++ ++/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te index 0a76027..a475797 100644 --- a/policy/modules/services/remotelogin.te 
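Review bot: Both rabbitmq.fc entries hard-code the Erlang runtime version and the lib64 directory (`/usr/lib64/erlang/erts-5.8.5/bin/...`), so the next erlang update leaves `beam` and `epmd` unlabelled and the daemons keep running in the caller's domain instead of transitioning to `rabbitmq_beam_t`/`rabbitmq_epmd_t` — the confinement quietly stops applying with no denial to point at it. Use a version-agnostic pattern, e.g. `/usr/lib(64)?/erlang/erts-[^/]+/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)` and the same shape for `beam.*`.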
@@ -55058,6 +55447,18 @@ index 0a76027..a475797 100644 unconfined_shell_domtrans(remote_login_t) ') +diff --git a/policy/modules/services/resmgr.fc b/policy/modules/services/resmgr.fc +index af810b9..9c544e5 100644 +--- a/policy/modules/services/resmgr.fc ++++ b/policy/modules/services/resmgr.fc +@@ -3,5 +3,7 @@ + + /sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) + ++/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) ++ + /var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) + /var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if index d457736..eabdd78 100644 --- a/policy/modules/services/resmgr.if @@ -55817,13 +56218,15 @@ index 93c896a..8c29c39 100644 +') diff --git a/policy/modules/services/rhev.fc b/policy/modules/services/rhev.fc new file mode 100644 -index 0000000..4e7605a +index 0000000..9a8524d --- /dev/null +++ b/policy/modules/services/rhev.fc -@@ -0,0 +1,3 @@ +@@ -0,0 +1,5 @@ +/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) + +/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0) ++ ++/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0) diff --git a/policy/modules/services/rhev.if b/policy/modules/services/rhev.if new file mode 100644 index 0000000..bf11e25 @@ -55908,10 +56311,10 @@ index 0000000..bf11e25 +') diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te new file mode 100644 -index 0000000..1ec5e7c +index 0000000..b5168a0 --- /dev/null +++ b/policy/modules/services/rhev.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,106 @@ +policy_module(rhev,1.0) + +######################################## 
@@ -55926,10 +56329,12 @@ index 0000000..1ec5e7c +type rhev_agentd_var_run_t; +files_pid_file(rhev_agentd_var_run_t) + -+# WHY IS USED /TMP DIRECTORY +type rhev_agentd_tmp_t; +files_tmp_file(rhev_agentd_tmp_t) + ++type rhev_agentd_log_t; ++logging_log_file(rhev_agentd_log_t) ++ +######################################## +# +# rhev_agentd_t local policy @@ -55946,6 +56351,8 @@ index 0000000..1ec5e7c +manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t) +files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file }) + ++manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t) ++ +manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t) +manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t) +files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir }) @@ -55988,13 +56395,32 @@ index 0000000..1ec5e7c +') + +optional_policy(` -+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t) ++ xserver_dbus_chat_xdm(rhev_agentd_t) +') + ++###################################### ++# ++# rhev_agentd_t consolehelper local policy ++# ++ +optional_policy(` -+ xserver_dbus_chat_xdm(rhev_agentd_t) -+') ++ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t) ++ ++ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file append; + ++ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t) ++ kernel_read_system_state(rhev_agentd_consolehelper_t) ++ ++ term_use_virtio_console(rhev_agentd_consolehelper_t) ++ ++ optional_policy(` ++ dbus_session_bus_client(rhev_agentd_consolehelper_t) ++ ') ++ ++ optional_policy(` ++ unconfined_dbus_chat(rhev_agentd_consolehelper_t) ++ ') ++') diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if index 96efae7..793a29f 100644 --- a/policy/modules/services/rhgb.if @@ -56021,7 +56447,7 @@ index 0f262a7..4d10897 100644 manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) 
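Review bot: `manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)` in the rhev.te hunk grants file access only, yet rhev.fc labels `/var/log/rhev-agent(/.*)?` as a directory tree; there is no `manage_dirs_pattern` for the log directory and no `logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, dir, "rhev-agent")`, so if the agent creates the directory itself it comes out as `var_log_t` and the new log type is never used. If the package ships the directory pre-labelled this is fine, but the domain may still need `logging_search_logs(rhev_agentd_t)` to reach it; I cannot see from the hunk whether that call exists elsewhere in the file.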
diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc new file mode 100644 -index 0000000..5094d93 +index 0000000..b2a8835 --- /dev/null +++ b/policy/modules/services/rhsmcertd.fc @@ -0,0 +1,12 @@ @@ -56030,19 +56456,19 @@ index 0000000..5094d93 + +/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) + -+/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0) -+ -+/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0) ++/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0) + +/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) + -+/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0) ++/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0) ++ ++/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0) diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if new file mode 100644 -index 0000000..61d0a4c +index 0000000..6572600 --- /dev/null +++ b/policy/modules/services/rhsmcertd.if -@@ -0,0 +1,308 @@ +@@ -0,0 +1,300 @@ + +## Subscription Management Certificate Daemon policy + @@ -56065,7 +56491,6 @@ index 0000000..61d0a4c + domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t) +') + -+ +######################################## +## +## Execute rhsmcertd server in the rhsmcertd domain. @@ -56084,7 +56509,6 @@ index 0000000..61d0a4c + init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t) +') + -+ +######################################## +## +## Read rhsmcertd's log files. @@ -56221,7 +56645,6 @@ index 0000000..61d0a4c + manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) +') + -+ +######################################## +## +## Read rhsmcertd PID files. 
@@ -56322,11 +56745,8 @@ index 0000000..61d0a4c +# +interface(`rhsmcertd_admin',` + gen_require(` -+ type rhsmcertd_t; -+ type rhsmcertd_initrc_exec_t; -+ type rhsmcertd_log_t; -+ type rhsmcertd_var_lib_t; -+ type rhsmcertd_var_run_t; ++ type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t; ++ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t; + ') + + allow $1 rhsmcertd_t:process signal_perms; @@ -56348,9 +56768,7 @@ index 0000000..61d0a4c + + files_search_pids($1) + admin_pattern($1, rhsmcertd_var_run_t) -+ +') -+ diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 index 0000000..4d1d0c7 @@ -57011,20 +57429,38 @@ index 30c4b75..e07c2ff 100644 init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc -index 5c70c0c..f9f0f54 100644 +index 5c70c0c..5a75e95 100644 --- a/policy/modules/services/rpc.fc 
+++ b/policy/modules/services/rpc.fc -@@ -6,6 +6,9 @@ +@@ -6,6 +6,12 @@ /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) +/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) + ++/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) ++/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) ++ # # /sbin # -@@ -29,3 +32,5 @@ +@@ -15,12 +21,14 @@ + # + # /usr + # ++/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) + /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) + /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) + /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) + /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) + /usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0) + /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) ++/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) + + # + # /var +@@ -29,3 +37,5 @@ /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) @@ -57367,13 +57803,15 @@ index b1468ed..372f918 100644 ') diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc -index f5c47d6..5a965e9 100644 +index f5c47d6..482b584 100644 --- a/policy/modules/services/rpcbind.fc 
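Review bot: The added `/usr/lib/systemd/system/rpc.*` and `nfs.*` entries use an unescaped dot, so `rpc.*` also matches `rpcbind.service` (and `nfs.*` anything starting with "nfs"), unlike the `/usr/sbin/rpc\..*` catch-all in the same hunk which escapes it; if only the rpc.* daemons' units are meant, write `/usr/lib/systemd/system/rpc\..* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)` (the pre-existing /lib/systemd line has the same shape and would want the same fix). Keep the new `/usr/sbin/rpc\..*` catch-all listed before the specific rpc.gssd/rpc.mountd/rpc.nfsd/rpc.svcgssd entries, since with last-match-wins ordering that is what lets them keep gssd_exec_t/nfsd_exec_t; a comment such as `# generic rpc.* entry: must stay above the specific gssd/nfsd entries below` would protect that. If rpcbind.service is intentionally labeled rpcd_unit_file_t, ignore the first point.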
+++ b/policy/modules/services/rpcbind.fc -@@ -2,6 +2,7 @@ +@@ -2,6 +2,9 @@ /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) ++/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) ++ +/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) @@ -57776,10 +58214,10 @@ index a07b2f4..ee39810 100644 + +userdom_getattr_user_terminals(rwho_t) diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc -index 69a6074..596dbb3 100644 +index 69a6074..8ed95f2 100644 --- a/policy/modules/services/samba.fc +++ b/policy/modules/services/samba.fc -@@ -11,6 +11,8 @@ +@@ -11,9 +11,13 @@ /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) @@ -57788,7 +58226,12 @@ index 69a6074..596dbb3 100644 # # /usr # -@@ -36,6 +38,8 @@ ++/usr/lib/systemd/system/smb.service -- gen_context(system_u:object_r:samba_unit_file_t,s0) ++ + /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) + /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) + /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) +@@ -36,6 +40,8 @@ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) @@ -57797,7 +58240,7 @@ index 69a6074..596dbb3 100644 /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -@@ -51,3 +55,7 @@ +@@ -51,3 +57,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) @@ -58082,7 +58525,7 @@ index 82cb169..48c023e 100644 + samba_systemctl($1) ') 
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..bac0112 100644 +index e30bb63..5d2dfe7 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) @@ -58318,16 +58761,17 @@ index e30bb63..bac0112 100644 ######################################## # # SWAT Local policy -@@ -677,7 +695,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +695,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; -allow swat_t smbd_var_run_t:file { lock unlink }; +read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) ++stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +710,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +711,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -58342,7 +58786,7 @@ index e30bb63..bac0112 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +730,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +731,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -58350,7 +58794,7 @@ index e30bb63..bac0112 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +775,8 @@ logging_search_logs(swat_t) +@@ -754,6 +776,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) 
@@ -58359,7 +58803,7 @@ index e30bb63..bac0112 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -783,7 +806,7 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -783,7 +807,7 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; @@ -58368,7 +58812,7 @@ index e30bb63..bac0112 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,15 +829,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +830,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -58390,7 +58834,7 @@ index e30bb63..bac0112 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +857,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +858,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -58398,7 +58842,7 @@ index e30bb63..bac0112 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -850,10 +875,14 @@ domain_use_interactive_fds(winbind_t) +@@ -850,10 +876,14 @@ domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) files_read_usr_symlinks(winbind_t) @@ -58413,7 +58857,7 @@ index e30bb63..bac0112 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -863,6 +892,12 @@ userdom_manage_user_home_content_pipes(winbind_t) +@@ -863,6 +893,12 @@ userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) 
@@ -58426,7 +58870,7 @@ index e30bb63..bac0112 100644 optional_policy(` kerberos_use(winbind_t) ') -@@ -904,7 +939,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +940,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -58435,7 +58879,7 @@ index e30bb63..bac0112 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +957,18 @@ optional_policy(` +@@ -922,6 +958,18 @@ optional_policy(` # optional_policy(` @@ -58454,7 +58898,7 @@ index e30bb63..bac0112 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +979,12 @@ optional_policy(` +@@ -932,9 +980,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -58637,7 +59081,7 @@ index 0000000..0d53457 +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..96adff5 +index 0000000..64d3e6a --- /dev/null +++ b/policy/modules/services/sanlock.te @@ -0,0 +1,100 @@ @@ -58687,7 +59131,7 @@ index 0000000..96adff5 +# +# sanlock local policy +# -+allow sanlock_t self:capability { kill sys_nice ipc_lock }; ++allow sanlock_t self:capability { sys_nice ipc_lock }; +allow sanlock_t self:process { setsched signull }; + +allow sanlock_t self:fifo_file rw_fifo_file_perms; @@ -58711,11 +59155,11 @@ index 0000000..96adff5 + +dev_read_urand(sanlock_t) + -+logging_send_syslog_msg(sanlock_t) -+ +init_read_utmp(sanlock_t) +init_dontaudit_write_utmp(sanlock_t) + ++logging_send_syslog_msg(sanlock_t) ++ +miscfiles_read_localization(sanlock_t) + +tunable_policy(`sanlock_use_nfs',` @@ -58928,10 +59372,10 @@ index 0000000..40d0049 + diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te new file mode 100644 -index 0000000..c4d9192 +index 0000000..7fad050 --- /dev/null 
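Review bot: Dropping `kill` from `allow sanlock_t self:capability { sys_nice ipc_lock }` reads as a tightening, but sanlock's role includes signalling lease-holding client processes; if those clients run under a different uid than the daemon, kill() needs CAP_KILL and will now be denied, so a fencing action could fail instead of killing the client. Confirm against the audit log of a lease-loss test before merging, or keep `kill` with a comment such as `# kill: sanlock signals lease-holding clients on lease loss`. Note that the kill also needs a `:process { signal sigkill }` rule toward the client domains, which is not visible in this hunk.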
+++ b/policy/modules/services/sblim.te -@@ -0,0 +1,108 @@ +@@ -0,0 +1,105 @@ +policy_module(sblim, 1.0.0) + +######################################## @@ -58956,11 +59400,8 @@ index 0000000..c4d9192 +# +# sblim_gatherd local policy +# -+ -+#needed by ps -+allow sblim_gatherd_t self:capability { kill dac_override }; ++allow sblim_gatherd_t self:capability dac_override; +allow sblim_gatherd_t self:process signal; -+ +allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; +allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms; + @@ -58979,6 +59420,8 @@ index 0000000..c4d9192 + +fs_getattr_all_fs(sblim_gatherd_t) + ++sysnet_dns_name_resolve(sblim_gatherd_t) ++ +term_getattr_pty_fs(sblim_gatherd_t) + +init_read_utmp(sblim_gatherd_t) @@ -58995,7 +59438,6 @@ index 0000000..c4d9192 + +optional_policy(` + ssh_signull(sblim_gatherd_t) -+ sysnet_dns_name_resolve(sblim_gatherd_t) +') + +optional_policy(` @@ -59039,7 +59481,6 @@ index 0000000..c4d9192 +files_read_etc_files(sblim_domain) + +miscfiles_read_localization(sblim_domain) -+ diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc index a86ec50..ef4199b 100644 --- a/policy/modules/services/sendmail.fc @@ -59052,7 +59493,7 @@ index a86ec50..ef4199b 100644 /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if -index 7e94c7c..e918b16 100644 +index 7e94c7c..ca74cd9 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if @@ -51,10 +51,24 @@ interface(`sendmail_domtrans',` 
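Review bot: The rewritten `allow sblim_gatherd_t self:capability dac_override;` drops the `#needed by ps` justification the old line carried, leaving a broad capability (dac_override bypasses file permission checks) with no explanation, and removes `kill` without saying why it was unneeded. If ps is still the reason, keep the comment as `# dac_override: needed by ps (TODO confirm which files it opens)`. `self:process signal` is kept while `kill` goes, which is consistent only if gatherd signals processes of its own uid — worth a sentence in the commit message or a comment next to the rule. The rest of the sblim_gatherd policy is unchanged by this hunk.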
@@ -59101,13 +59542,32 @@ index 7e94c7c..e918b16 100644 ') ######################################## -@@ -295,3 +309,54 @@ interface(`sendmail_run_unconfined',` +@@ -295,3 +309,73 @@ interface(`sendmail_run_unconfined',` sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; ') + +######################################## +## ++## Set the attributes of sendmail pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sendmail_setattr_pid_files',` ++ gen_require(` ++ type sendmail_var_run_t; ++ ') ++ ++ allow $1 sendmail_var_run_t:file setattr_file_perms; ++ files_search_pids($1) ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an sendmail environment +## @@ -60692,7 +61152,7 @@ index 078bcd7..84d29ee 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..e494f5c 100644 +index 22adaca..c2efd25 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -60970,7 +61430,32 @@ index 22adaca..e494f5c 100644 optional_policy(` nis_use_ypbind($1_ssh_agent_t) -@@ -477,8 +494,27 @@ interface(`ssh_read_pipes',` +@@ -464,6 +481,24 @@ interface(`ssh_signal',` + + ######################################## + ## ++## Send a null signal to sshd processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_signull',` ++ gen_require(` ++ type sshd_t; ++ ') ++ ++ allow $1 sshd_t:process signull; ++') ++ ++######################################## ++## + ## Read a ssh server unnamed pipe. + ## + ## +@@ -477,8 +512,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') 
@@ -60999,7 +61484,7 @@ index 22adaca..e494f5c 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +530,7 @@ interface(`ssh_rw_pipes',` +@@ -494,7 +548,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -61008,7 +61493,7 @@ index 22adaca..e494f5c 100644 ') ######################################## -@@ -586,6 +622,24 @@ interface(`ssh_domtrans',` +@@ -586,6 +640,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -61033,7 +61518,7 @@ index 22adaca..e494f5c 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +672,7 @@ interface(`ssh_setattr_key_files',` +@@ -618,7 +690,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -61042,7 +61527,7 @@ index 22adaca..e494f5c 100644 files_search_pids($1) ') -@@ -643,6 +697,42 @@ interface(`ssh_agent_exec',` +@@ -643,6 +715,42 @@ interface(`ssh_agent_exec',` ######################################## ## @@ -61085,7 +61570,7 @@ index 22adaca..e494f5c 100644 ## Read ssh home directory content ## ## -@@ -682,6 +772,50 @@ interface(`ssh_domtrans_keygen',` +@@ -682,6 +790,50 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -61136,7 +61621,7 @@ index 22adaca..e494f5c 100644 ## Read ssh server keys ## ## -@@ -695,7 +829,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +847,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') 
@@ -61145,29 +61630,11 @@ index 22adaca..e494f5c 100644 ') ###################################### -@@ -735,3 +869,81 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +887,63 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + -+######################################## -+## -+## Send a null signal to sshd processes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ssh_signull',` -+ gen_require(` -+ type sshd_t; -+ ') -+ -+ allow $1 sshd_t:process signull; -+') -+ +##################################### +## +## Allow domain dyntransition to chroot_user_t domain. @@ -62701,14 +63168,13 @@ index d4349e9..f14d337 100644 ') diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc new file mode 100644 -index 0000000..c184667 +index 0000000..d810232 --- /dev/null +++ b/policy/modules/services/uuidd.fc -@@ -0,0 +1,9 @@ +@@ -0,0 +1,8 @@ + +/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0) + -+ +/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0) + +/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0) @@ -62716,10 +63182,10 @@ index 0000000..c184667 +/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0) diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if new file mode 100644 -index 0000000..c82f178 +index 0000000..adf79eb --- /dev/null +++ b/policy/modules/services/uuidd.if -@@ -0,0 +1,196 @@ +@@ -0,0 +1,194 @@ +## policy for uuidd + +######################################## @@ -62893,10 +63359,8 @@ index 0000000..c82f178 +# +interface(`uuidd_admin',` + gen_require(` -+ type uuidd_t; -+ type uuidd_initrc_exec_t; -+ type uuidd_var_lib_t; -+ type uuidd_var_run_t; ++ type uuidd_t, uuidd_initrc_exec_t; ++ type uuidd_var_run_t, uuidd_var_lib_t; + ') + + allow $1 uuidd_t:process signal_perms; @@ -62918,10 +63382,10 @@ index 0000000..c82f178 +') 
diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te new file mode 100644 -index 0000000..ac053f3 +index 0000000..04589dc --- /dev/null +++ b/policy/modules/services/uuidd.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,44 @@ +policy_module(uuidd, 1.0.0) + +######################################## @@ -62946,9 +63410,8 @@ index 0000000..ac053f3 +# +# uuidd local policy +# -+allow uuidd_t self:capability { setuid }; -+allow uuidd_t self:process { signal }; -+ ++allow uuidd_t self:capability setuid; ++allow uuidd_t self:process signal; +allow uuidd_t self:fifo_file rw_fifo_file_perms; +allow uuidd_t self:unix_stream_socket create_stream_socket_perms; +allow uuidd_t self:udp_socket create_socket_perms; @@ -62967,7 +63430,6 @@ index 0000000..ac053f3 +files_read_etc_files(uuidd_t) + +miscfiles_read_localization(uuidd_t) -+ diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if index 93975d6..7a665ff 100644 --- a/policy/modules/services/varnishd.if @@ -63037,48 +63499,29 @@ index f9310f3..7a350f1 100644 # diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc new file mode 100644 -index 0000000..71d9784 +index 0000000..2ba852c --- /dev/null +++ b/policy/modules/services/vdagent.fc -@@ -0,0 +1,11 @@ +@@ -0,0 +1,10 @@ ++/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) + -+/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) ++/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) ++/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0) + +/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) +/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0) + -+/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) -+/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0) -+ + + 
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if new file mode 100644 -index 0000000..57471cc +index 0000000..6467d91 --- /dev/null +++ b/policy/modules/services/vdagent.if -@@ -0,0 +1,131 @@ +@@ -0,0 +1,128 @@ + +## policy for vdagent + -+##################################### -+## -+## Getattr on vdagent executable. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`vdagent_getattr_exec',` -+ gen_require(` -+ type vdagent_exec_t; -+ ') -+ -+ allow $1 vdagent_exec_t:file getattr; -+') -+ +######################################## +## +## Execute a domain transition to run vdagent. @@ -63097,6 +63540,24 @@ index 0000000..57471cc + domtrans_pattern($1, vdagent_exec_t, vdagent_t) +') + ++##################################### ++## ++## Getattr on vdagent executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vdagent_getattr_exec',` ++ gen_require(` ++ type vdagent_exec_t; ++ ') ++ ++ allow $1 vdagent_exec_t:file getattr; ++') ++ +####################################### +## +## Get the attributes of vdagent logs. @@ -63174,8 +63635,7 @@ index 0000000..57471cc +# +interface(`vdagent_admin',` + gen_require(` -+ type vdagent_t; -+ type vdagent_var_run_t; ++ type vdagent_t, vdagent_var_run_t; + ') + + allow $1 vdagent_t:process signal_perms; @@ -63186,9 +63646,7 @@ index 0000000..57471cc + + files_search_pids($1) + admin_pattern($1, vdagent_var_run_t) -+ +') -+ diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te new file mode 100644 index 0000000..4fd2377 @@ -65013,14 +65471,14 @@ index 1174ad8..f4c4c1b 100644 +apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) diff --git a/policy/modules/services/wdmd.fc b/policy/modules/services/wdmd.fc new file mode 100644 -index 0000000..2f21759 +index 0000000..ad47e05 --- /dev/null +++ b/policy/modules/services/wdmd.fc 
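Review bot: `/var/run/spice-vdagentd.\pid` in the reordered vdagent.fc still has the dot and backslash swapped; the entry should be `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`. As written, `.` matches any character and `\p` is an undefined escape in POSIX ERE, so the pid file is labeled only by accident, and in PCRE (which newer libselinux builds use) a bare `\p` is presumably a compile error that would spoil the whole file_contexts load. Since this commit already touches the surrounding lines, it is the right place to fix it; the `/var/run/spice-vdagentd(/.*)?` entry above it is fine.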
@@ -0,0 +1,6 @@ + +/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0) + -+/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) ++/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) + +/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if @@ -65145,10 +65603,10 @@ index 0000000..955f1ac +') diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te new file mode 100644 -index 0000000..307c99e +index 0000000..11b8863 --- /dev/null +++ b/policy/modules/services/wdmd.te -@@ -0,0 +1,51 @@ +@@ -0,0 +1,44 @@ +policy_module(wdmd,1.0.0) + +######################################## @@ -65181,25 +65639,18 @@ index 0000000..307c99e +manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t) +files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file }) + ++dev_read_watchdog(wdmd_t) +dev_write_watchdog(wdmd_t) + +domain_use_interactive_fds(wdmd_t) + +files_read_etc_files(wdmd_t) + -+logging_send_syslog_msg(wdmd_t) -+ -+miscfiles_read_localization(wdmd_t) -+ +fs_read_anon_inodefs_files(wdmd_t) + -+gen_require(` -+ type watchdog_device_t; -+') ++logging_send_syslog_msg(wdmd_t) + -+#dev_read_watchdog(wdmd_t) -+#============= wdmd_t ============== -+allow wdmd_t watchdog_device_t:chr_file read; ++miscfiles_read_localization(wdmd_t) diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if index aa6e5a8..42a0efb 100644 --- a/policy/modules/services/xfs.if @@ -65356,7 +65807,7 @@ index 4966c94..cb2e1a3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..b6fb17a 100644 +index 130ced9..351ed06 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ 
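Review bot: `term_use_virtio_console($2)` inside xserver_restricted_role grants every X-capable user domain read/write on the virtio console device — a raw guest-to-host channel — on every host, not only inside a VM, and nothing in the hunk ties it to the guest-agent case it presumably serves (the rhev/spice agent changes elsewhere in this patch). If only the agent needs the channel, the grant belongs in that agent's domain or behind a tunable; if it must stay here, add a comment giving the reason, e.g. `# virtio console access for guest agents started from the X session - TODO confirm still needed here`. The enclosing xserver_restricted_role interface continues outside this hunk.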
@@ -65441,13 +65892,15 @@ index 130ced9..b6fb17a 100644 xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -106,12 +116,24 @@ interface(`xserver_restricted_role',` +@@ -106,12 +116,26 @@ interface(`xserver_restricted_role',` xserver_create_xdm_tmp_sockets($2) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + xserver_read_xdm_etc_files($2) + xserver_xdm_append_log($2) + ++ term_use_virtio_console($2) ++ + modutils_run_insmod(xserver_t, $1) # Client write xserver shm @@ -65466,7 +65919,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -143,13 +165,15 @@ interface(`xserver_role',` +@@ -143,13 +167,15 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; @@ -65484,7 +65937,7 @@ index 130ced9..b6fb17a 100644 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) -@@ -162,7 +186,6 @@ interface(`xserver_role',` +@@ -162,7 +188,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -65492,7 +65945,7 @@ index 130ced9..b6fb17a 100644 ') ####################################### -@@ -197,7 +220,7 @@ interface(`xserver_ro_session',` +@@ -197,7 +222,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -65501,7 +65954,7 @@ index 130ced9..b6fb17a 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -227,7 +250,7 @@ interface(`xserver_rw_session',` +@@ -227,7 +252,7 @@ interface(`xserver_rw_session',` type xserver_t, xserver_tmpfs_t; ') 
@@ -65510,7 +65963,7 @@ index 130ced9..b6fb17a 100644 allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',` +@@ -255,7 +280,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; @@ -65519,7 +65972,7 @@ index 130ced9..b6fb17a 100644 allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; -@@ -291,13 +314,13 @@ interface(`xserver_user_client',` +@@ -291,13 +316,13 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -65537,7 +65990,7 @@ index 130ced9..b6fb17a 100644 allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -342,19 +365,23 @@ interface(`xserver_user_client',` +@@ -342,19 +367,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` @@ -65564,7 +66017,7 @@ index 130ced9..b6fb17a 100644 ') ############################## -@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +415,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -65580,7 +66033,7 @@ index 130ced9..b6fb17a 100644 ') ####################################### -@@ -444,8 +480,9 @@ template(`xserver_object_types_template',` +@@ -444,8 +482,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` @@ -65592,7 +66045,7 @@ index 130ced9..b6fb17a 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +493,18 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +495,18 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; 
@@ -65613,7 +66066,7 @@ index 130ced9..b6fb17a 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +516,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +518,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -65642,7 +66095,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -65650,7 +66103,7 @@ index 130ced9..b6fb17a 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -549,6 +600,24 @@ interface(`xserver_domtrans_xauth',` +@@ -549,6 +602,24 @@ interface(`xserver_domtrans_xauth',` ######################################## ## @@ -65675,7 +66128,7 @@ index 130ced9..b6fb17a 100644 ## Create a Xauthority file in the user home directory. ## ## -@@ -598,6 +667,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +669,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -65683,7 +66136,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -615,7 +685,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +687,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -65692,7 +66145,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -638,6 +708,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +710,25 @@ interface(`xserver_rw_console',` ######################################## ## 
@@ -65718,7 +66171,7 @@ index 130ced9..b6fb17a 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +740,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +742,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -65727,7 +66180,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -670,7 +759,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +761,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -65736,7 +66189,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -688,7 +777,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +779,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -65745,7 +66198,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -703,12 +792,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +794,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -65759,7 +66212,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -724,11 +812,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +814,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -65793,7 +66246,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -752,6 +860,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -752,6 +862,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -65819,7 +66272,7 @@ index 130ced9..b6fb17a 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -765,7 +892,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +894,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') 
@@ -65828,7 +66281,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -805,7 +932,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +934,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -65856,7 +66309,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -828,6 +974,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -828,6 +976,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -65881,7 +66334,7 @@ index 130ced9..b6fb17a 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -897,7 +1061,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1063,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -65890,7 +66343,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -916,7 +1080,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1082,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -65899,7 +66352,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -963,6 +1127,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1129,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -65945,7 +66398,7 @@ index 130ced9..b6fb17a 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1179,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1181,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -65954,7 +66407,7 @@ index 130ced9..b6fb17a 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1241,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1243,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## 
@@ -65997,7 +66450,7 @@ index 130ced9..b6fb17a 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1291,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1293,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -66006,7 +66459,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -1070,8 +1309,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1311,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -66018,7 +66471,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -1185,6 +1426,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1428,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -66045,7 +66498,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -1210,7 +1471,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1473,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -66054,7 +66507,7 @@ index 130ced9..b6fb17a 100644 ## ## ## -@@ -1220,13 +1481,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1483,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -66079,7 +66532,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -1243,10 +1514,458 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1516,458 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` 
@@ -68086,6 +68539,14 @@ index ade6c2c..2b78f0d 100644 manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) +diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc +index d719d0b..7a7fc61 100644 +--- a/policy/modules/services/zosremote.fc ++++ b/policy/modules/services/zosremote.fc +@@ -1 +1,3 @@ + /sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) ++ ++/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if index 702e768..13f0eef 100644 --- a/policy/modules/services/zosremote.if @@ -68179,7 +68640,7 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..c547c84 100644 +index 28ad538..7a39e35 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,3 +1,5 @@ 
@@ -68195,13 +68656,38 @@ index 28ad538..c547c84 100644 +/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) +/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0) -+/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0) ++/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0) /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) -@@ -30,6 +37,8 @@ ifdef(`distro_gentoo', ` +@@ -16,13 +23,22 @@ ifdef(`distro_suse', ` + /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ') + ++/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) ++ + /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) + +-/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) +-/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) ++/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) ++/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) ++/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ifdef(`distro_gentoo', ` + /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ') ++/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) ++/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++ ++/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + + /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) + +@@ -30,6 +46,8 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? 
gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) @@ -68210,14 +68696,14 @@ index 28ad538..c547c84 100644 /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -@@ -45,5 +54,4 @@ ifdef(`distro_gentoo', ` +@@ -45,5 +63,4 @@ ifdef(`distro_gentoo', ` /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..5551d16 100644 +index 73554ec..11dfd81 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -68280,7 +68766,7 @@ index 73554ec..5551d16 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -120,16 +139,28 @@ interface(`auth_login_pgm_domain',` +@@ -120,16 +139,29 @@ interface(`auth_login_pgm_domain',` manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) files_var_filetrans($1, auth_cache_t, dir) @@ -68291,12 +68777,13 @@ index 73554ec..5551d16 100644 + # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) - ++ kernel_search_network_sysctl($1) ++ + tunable_policy(`authlogin_radius',` + corenet_udp_bind_all_unreserved_ports($1) + ') + corenet_tcp_connect_pki_ca_port($1) -+ + # for fingerprint readers dev_rw_input_dev($1) dev_rw_generic_usb_dev($1) 
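Review bot: The new unconditional `/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)` entry in the authlogin.fc hunk `@@ -16,13 +23,22 @@` sits directly above the `ifdef(`distro_gentoo',` block that carries the identical entry, so the gentoo-only block is now redundant. The label is the same on both paths, so nothing breaks at build time, but two copies of one rule invite later divergence; either drop the gentoo block or mark it with `# duplicated above for all distros` so the next editor knows it is intentional.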
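Review bot: `kernel_search_network_sysctl($1)` is added to `auth_login_pgm_domain` without a why-comment, while the neighbouring `kernel_rw_afs_state($1)` is justified inline with a bug reference; since this interface is applied to every login-program domain, the reason for the extra sysctl access should be recorded at the call. Suggest a line in the same form as the afs comment, `# needed for <program> - <bug reference>`, directly above the new call. The enclosing interface body starts and ends outside this hunk.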
@@ -68310,7 +68797,7 @@ index 73554ec..5551d16 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -145,6 +176,8 @@ interface(`auth_login_pgm_domain',` +@@ -145,6 +177,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -68319,7 +68806,7 @@ index 73554ec..5551d16 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,13 +188,87 @@ interface(`auth_login_pgm_domain',` +@@ -155,13 +189,87 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -68409,7 +68896,7 @@ index 73554ec..5551d16 100644 ## Use the login program as an entry point program. ## ## -@@ -368,13 +475,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -368,13 +476,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -68426,7 +68913,7 @@ index 73554ec..5551d16 100644 ') ######################################## -@@ -421,6 +530,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +531,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -68452,7 +68939,7 @@ index 73554ec..5551d16 100644 ') ######################################## -@@ -440,7 +568,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -440,7 +569,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -68460,7 +68947,7 @@ index 73554ec..5551d16 100644 ') ######################################## -@@ -637,6 +764,10 @@ interface(`auth_manage_shadow',` +@@ -637,6 +765,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -68471,7 +68958,7 @@ index 73554ec..5551d16 100644 ') ####################################### -@@ -736,7 +867,50 @@ interface(`auth_rw_faillog',` +@@ -736,7 +868,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
@@ -68523,7 +69010,7 @@ index 73554ec..5551d16 100644 ') ####################################### -@@ -932,9 +1106,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1107,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -68557,7 +69044,7 @@ index 73554ec..5551d16 100644 ') ######################################## -@@ -1387,6 +1582,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1583,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -68583,7 +69070,7 @@ index 73554ec..5551d16 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1537,37 +1751,49 @@ interface(`auth_manage_login_records',` +@@ -1537,37 +1752,49 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -68643,7 +69130,7 @@ index 73554ec..5551d16 100644 ##

## ## -@@ -1575,87 +1801,189 @@ interface(`auth_relabel_login_records',` +@@ -1575,87 +1802,192 @@ interface(`auth_relabel_login_records',` ## Domain allowed access. ##
## @@ -68693,6 +69180,9 @@ index 73554ec..5551d16 100644 + files_etc_filetrans($1, passwd_file_t, file, "passwd-") + files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD") + files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") ++ files_etc_filetrans($1, shadow_t, file, "group.lock") ++ files_etc_filetrans($1, shadow_t, file, "passwd.lock") ++ files_etc_filetrans($1, shadow_t, file, "passwd.adjunct") + files_etc_filetrans($1, shadow_t, file, "shadow") + files_etc_filetrans($1, shadow_t, file, "shadow-") + files_etc_filetrans($1, shadow_t, file, ".pwd.lock") @@ -69071,6 +69561,16 @@ index b7a5f00..93188ef 100644 + samba_read_var_files(nsswitch_domain) + samba_dontaudit_write_var_files(nsswitch_domain) ') +diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc +index c5e05ca..c9ddbee 100644 +--- a/policy/modules/system/clock.fc ++++ b/policy/modules/system/clock.fc +@@ -3,3 +3,5 @@ + + /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + ++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) ++ diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if index e2f6d93..c78ccc6 100644 --- a/policy/modules/system/clock.if @@ -69195,7 +69695,7 @@ index dcc5f1c..5610417 100644 daemontools_manage_svc(svc_start_t) diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index a97a096..ab1e16a 100644 +index a97a096..368d3c2 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -1,4 +1,3 @@ @@ -69211,7 +69711,7 @@ index a97a096..ab1e16a 100644 /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -36,6 +34,8 @@ +@@ -36,12 +34,51 @@ /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
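Review bot: The three new `files_etc_filetrans($1, shadow_t, file, ...)` rules for `group.lock`, `passwd.lock` and `passwd.adjunct` only govern the label of files created by the caller; a pre-existing lock file, or a restorecon run, takes its label from file_contexts instead, so the two labelling paths must agree. The authlogin.fc hunk earlier in this patch carries `/etc/passwd\.adjunct.*` as shadow_t, but no `passwd\.lock` or `group\.lock` entry is visible here, so please confirm one exists or add `/etc/(passwd|group)\.lock -- gen_context(system_u:object_r:shadow_t,s0)`. The enclosing interface starts outside this hunk.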
@@ -69220,6 +69720,49 @@ index a97a096..ab1e16a 100644 /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + ++/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++ ++/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkfs.* -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + + /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index c28da1c..10bc43c 100644 --- a/policy/modules/system/fstools.te @@ -69304,6 +69847,19 @@ index c28da1c..10bc43c 100644 xen_append_log(fsadm_t) xen_rw_image_files(fsadm_t) ') +diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc +index e1a1848..909af45 100644 +--- a/policy/modules/system/getty.fc ++++ b/policy/modules/system/getty.fc +@@ -3,6 +3,8 @@ + + /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) + ++/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) ++ + /var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) + /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0) + diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index ede3231..c8c15bd 100644 
--- a/policy/modules/system/getty.te @@ -69330,6 +69886,15 @@ index ede3231..c8c15bd 100644 ppp_domtrans(getty_t) ') +diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc +index 9dfecf7..6d00f5c 100644 +--- a/policy/modules/system/hostname.fc ++++ b/policy/modules/system/hostname.fc +@@ -1,2 +1,4 @@ + + /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) ++ ++/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index c310775..d172193 100644 --- a/policy/modules/system/hostname.te @@ -69382,6 +69947,19 @@ index c310775..d172193 100644 nis_use_ypbind(hostname_t) ') +diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc +index caf736b..91c4c6f 100644 +--- a/policy/modules/system/hotplug.fc ++++ b/policy/modules/system/hotplug.fc +@@ -7,5 +7,8 @@ + /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) + /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) + ++/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) ++/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) ++ + /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) + /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if index 40eb10c..2a0a32c 100644 --- a/policy/modules/system/hotplug.if @@ -69433,16 +70011,15 @@ index 1a3d970..0995a02 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 354ce93..b8b14b9 100644 +index 354ce93..32b31b4 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc -@@ -33,9 +33,24 @@ ifdef(`distro_gentoo', ` +@@ -33,9 +33,23 @@ ifdef(`distro_gentoo', ` # # /sbin # +/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + -+ +# +# systemd init scripts +# 
@@ -69461,17 +70038,31 @@ index 354ce93..b8b14b9 100644 ifdef(`distro_gentoo', ` /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) -@@ -55,6 +70,9 @@ ifdef(`distro_gentoo', ` +@@ -50,11 +64,23 @@ ifdef(`distro_gentoo', ` + # + /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) + ++/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) ++# because nowadays, /sbin/init is often a symlink to /sbin/upstart ++/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) ++ ++/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) ++/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0) ++ + /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + +/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) # # /var -@@ -76,3 +94,4 @@ ifdef(`distro_suse', ` +@@ -76,3 +102,4 @@ ifdef(`distro_suse', ` /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -70407,7 +70998,7 @@ index 94fd8dd..ef5a3c8 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..4e87d49 100644 +index 29a9565..ddc7143 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
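Review bot: The comment `# because nowadays, /sbin/init is often a symlink to /sbin/upstart` was copied verbatim above the new `/usr/sbin/upstart` entry in the init.fc hunk `@@ -50,11 +64,23 @@`, so it now names paths other than the one it annotates; reword it to `# /usr/sbin/init is often a symlink to /usr/sbin/upstart` or drop it. Separately, `/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)` turns every file directly under /usr/lib/systemd into an init_t entry point, including helpers that other hunks in this patch label more specifically (systemd-fsck as fsadm_exec_t, systemd-kmsg-syslogd as syslogd_exec_t). That presumably relies on the literal entries sorting after the regex in the generated file_contexts, which is worth confirming, and any future helper placed there silently inherits init_t's privileges instead of a confined domain.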
@@ -70607,11 +71198,12 @@ index 29a9565..4e87d49 100644 +storage_raw_rw_fixed_disk(init_t) + -+optional_policy(` + optional_policy(` +- auth_rw_login_records(init_t) + modutils_domtrans_insmod(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + postfix_exec(init_t) + mta_read_aliases(init_t) +') @@ -70718,12 +71310,11 @@ index 29a9565..4e87d49 100644 +auth_use_nsswitch(init_t) +auth_rw_login_records(init_t) + - optional_policy(` -- auth_rw_login_records(init_t) ++optional_policy(` + lvm_rw_pipes(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) +') + @@ -71221,7 +71812,18 @@ index 29a9565..4e87d49 100644 ') optional_policy(` -@@ -790,10 +1151,12 @@ optional_policy(` +@@ -781,6 +1142,10 @@ optional_policy(` + ') + + optional_policy(` ++ sendmail_setattr_pid_files(initrc_t) ++') ++ ++optional_policy(` + # shorewall-init script run /var/lib/shorewall/firewall + shorewall_lib_domtrans(initrc_t) + ') +@@ -790,10 +1155,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -71234,7 +71836,7 @@ index 29a9565..4e87d49 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1168,6 @@ optional_policy(` +@@ -805,7 +1172,6 @@ optional_policy(` ') optional_policy(` @@ -71242,7 +71844,7 @@ index 29a9565..4e87d49 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1177,26 @@ optional_policy(` +@@ -815,11 +1181,26 @@ optional_policy(` ') optional_policy(` @@ -71270,7 +71872,7 @@ index 29a9565..4e87d49 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1206,18 @@ optional_policy(` +@@ -829,6 +1210,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -71289,7 +71891,7 @@ index 29a9565..4e87d49 100644 ') optional_policy(` -@@ -844,6 +1233,10 @@ optional_policy(` +@@ -844,6 +1237,10 @@ optional_policy(` ') optional_policy(` 
@@ -71300,7 +71902,7 @@ index 29a9565..4e87d49 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1247,160 @@ optional_policy(` +@@ -854,3 +1251,160 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -71691,7 +72293,7 @@ index 55a6cd8..94e11eb 100644 +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 05fb364..c054118 100644 +index 05fb364..dd07f08 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc @@ -1,7 +1,7 @@ 
@@ -71705,16 +72307,27 @@ index 05fb364..c054118 100644 /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -@@ -12,8 +12,4 @@ +@@ -12,8 +12,17 @@ /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) -- --/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) + ++/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) + /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) ++ ++/usr/lib/systemd/system/iptables6?.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if index 7ba53db..db118e3 100644 --- a/policy/modules/system/iptables.if 
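Review bot: The new unit-file entry `/usr/lib/systemd/system/iptables6?.service` in the iptables.fc hunk `@@ -12,8 +12,17 @@` does not follow the naming used for the binaries a few lines above, which use `ip6?tables`; if the IPv6 unit is named ip6tables.service it would not receive iptables_unit_file_t. The `.` before `service` is also unescaped, unlike the other entries in this file, so it matches any character in that position. Suggest `/usr/lib/systemd/system/ip6?tables\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)`. iptables_unit_file_t also has to be declared in iptables.te for the file_contexts to validate; the iptables.te hunks visible in this patch do not show that declaration, so please confirm it is present.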
@@ -71869,6 +72482,17 @@ index f3e1b57..d7fd7fb 100644 shorewall_read_config(iptables_t) ') +diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc +index 14d9670..4c9d1b4 100644 +--- a/policy/modules/system/iscsi.fc ++++ b/policy/modules/system/iscsi.fc +@@ -5,3 +5,6 @@ + /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) + /var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) ++ ++/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) ++/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te index ddbd8be..65b5762 100644 --- a/policy/modules/system/iscsi.te @@ -71899,10 +72523,10 @@ index ddbd8be..65b5762 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 560dc48..ffb8797 100644 +index 560dc48..39aace9 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc -@@ -28,7 +28,9 @@ ifdef(`distro_redhat',` +@@ -28,26 +28,23 @@ ifdef(`distro_redhat',` # /etc # /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0) @@ -71912,9 +72536,11 @@ index 560dc48..ffb8797 100644 /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) -@@ -37,17 +39,12 @@ ifdef(`distro_redhat',` # - /lib -d gen_context(system_u:object_r:lib_t,s0) + # /lib(64)? + # +-/lib -d gen_context(system_u:object_r:lib_t,s0) ++/lib gen_context(system_u:object_r:lib_t,s0) /lib/.* gen_context(system_u:object_r:lib_t,s0) -/lib64 -d gen_context(system_u:object_r:lib_t,s0) -/lib64/.* gen_context(system_u:object_r:lib_t,s0) 
@@ -71938,7 +72564,20 @@ index 560dc48..ffb8797 100644 /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -119,64 +115,62 @@ ifdef(`distro_redhat',` +@@ -111,6 +107,12 @@ ifdef(`distro_redhat',` + # + # /usr + # ++/usr/lib -d gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/.* gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) ++ ++/usr/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +@@ -119,64 +121,62 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) @@ -72037,7 +72676,7 @@ index 560dc48..ffb8797 100644 ') ifdef(`distro_gentoo',` -@@ -195,7 +189,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -195,7 +195,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -72045,7 +72684,7 @@ index 560dc48..ffb8797 100644 /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -203,86 +196,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -203,86 +202,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -72190,7 +72829,7 @@ index 560dc48..ffb8797 100644 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -303,8 +297,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -303,8 +303,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -72200,7 +72839,7 @@ index 560dc48..ffb8797 100644 ') dnl end distro_redhat # -@@ -312,17 +305,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -312,17 +311,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) 
@@ -72344,7 +72983,7 @@ index 560dc48..ffb8797 100644 + +/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + @@ -72361,6 +73000,8 @@ index 560dc48..ffb8797 100644 +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index 808ba93..4ff705d 100644 --- a/policy/modules/system/libraries.if @@ -72543,15 +73184,18 @@ index e5836d3..eae9427 100644 - unconfined_domain(ldconfig_t) -') diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc -index be6a81b..9a27055 100644 +index be6a81b..a5303e9 100644 --- a/policy/modules/system/locallogin.fc +++ b/policy/modules/system/locallogin.fc -@@ -1,3 +1,5 @@ +@@ -1,3 +1,8 @@ +HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) +/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) ++ ++/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) ++/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if index 0e3c2a9..40adf5a 100644 --- a/policy/modules/system/locallogin.if @@ -72772,10 +73416,10 @@ index a0b379d..2291a13 100644 - nscd_socket_use(sulogin_t) -') 
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..cd16709 100644 +index 02f4c97..314efca 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc -@@ -17,6 +17,13 @@ +@@ -17,12 +17,26 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) 
@@ -72784,12 +73428,26 @@ index 02f4c97..cd16709 100644 +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0) + ++/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) ++ +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) + ++/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) ++/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) ++/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) ++/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) ++/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -38,7 +45,7 @@ ifdef(`distro_suse', ` + /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +-/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) ++/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) + + /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) + /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) +@@ -38,7 +52,7 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) 
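Review bot: The `/usr/sbin/syslog-ng` line in the logging.fc hunk `@@ -17,12 +17,26 @@` is removed and re-added two lines later with identical content, so the hunk carries a pure reorder that changes no label and makes the real additions harder to review. Keep the line where it was and let the hunk contain only the new `minilogd`, audit daemon and `systemd-kmsg-syslogd` entries.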
@@ -72798,7 +73456,7 @@ index 02f4c97..cd16709 100644 /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -@@ -73,4 +80,8 @@ ifdef(`distro_redhat',` +@@ -73,4 +87,8 @@ ifdef(`distro_redhat',` /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -73255,7 +73913,7 @@ index b6ec597..5684c8a 100644 optional_policy(` diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..7b22111 100644 +index 879bb1e..1121047 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -28,20 +28,24 @@ ifdef(`distro_gentoo',` 
@@ -73284,7 +73942,76 @@ index 879bb1e..7b22111 100644 /sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -97,5 +101,7 @@ ifdef(`distro_gentoo',` +@@ -88,8 +92,66 @@ ifdef(`distro_gentoo',` + # + # /usr + # +-/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) +-/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) ++/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvresize -- 
gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0) 
++/usr/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0) ++ ++/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) + + # + # /var +@@ -97,5 +159,7 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) @@ -73594,19 +74321,21 @@ index a0a0ebf..5e4149d 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 172287e..ec1f0e8 100644 +index 172287e..88fc786 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc -@@ -9,7 +9,7 @@ ifdef(`distro_gentoo',` +@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',` # /etc # /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) +/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ++/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) -@@ -34,7 +34,7 @@ ifdef(`distro_redhat',` + +@@ -34,7 +35,7 @@ ifdef(`distro_redhat',` # /usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) 
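Review bot: The added `/etc/locale.conf` entry in miscfiles.fc leaves the dot unescaped, so as a file_contexts regex it also matches any single character in that position, while the neighbouring entries (`/etc/lilo\.conf.*`, `/etc/resolv\.conf.*` elsewhere on this page) escape it. Change the line to `+/etc/locale\.conf -- gen_context(system_u:object_r:locale_t,s0)`. The practical exposure is small because the pattern is anchored and `--` restricts it to regular files, but it should follow the file's convention so a later, less restrictive edit does not inherit the sloppy pattern.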
@@ -73616,7 +74345,7 @@ index 172287e..ec1f0e8 100644 /usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index 926ba65..38de7a8 100644 +index 926ba65..b2d74f7 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',` @@ -73654,7 +74383,7 @@ index 926ba65..38de7a8 100644 ') ######################################## -@@ -769,3 +788,41 @@ interface(`miscfiles_manage_localization',` +@@ -769,3 +788,42 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -73681,6 +74410,7 @@ index 926ba65..38de7a8 100644 + ') + + files_etc_filetrans($1, locale_t, file, "localtime") ++ files_etc_filetrans($1, locale_t, file, "locale.conf") + files_var_filetrans($1, man_t, dir, "man") + files_etc_filetrans($1, locale_t, file, "timezone") + files_etc_filetrans($1, locale_t, file, "clock") @@ -73709,7 +74439,7 @@ index 703944c..1d3a6a9 100644 # diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc -index 532181a..2410551 100644 +index 532181a..5944521 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc @@ -10,10 +10,8 @@ ifdef(`distro_gentoo',` 
@@ -73723,6 +74453,21 @@ index 532181a..2410551 100644 /sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) +@@ -22,3 +20,14 @@ ifdef(`distro_gentoo',` + /sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) + /sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) + /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) ++ ++/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) ++/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) ++/usr/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) ++/usr/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0) ++/usr/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) ++/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) ++/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) ++ ++/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) ++/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 9c0faab..91360ac 100644 --- a/policy/modules/system/modutils.if @@ -74044,10 +74789,10 @@ index a0eef20..6b39756 100644 ifdef(`distro_gentoo',` diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc -index 72c746e..704d2d7 100644 +index 72c746e..fa210cd 100644 --- a/policy/modules/system/mount.fc +++ b/policy/modules/system/mount.fc -@@ -1,4 +1,16 @@ +@@ -1,4 +1,21 @@ +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) 
@@ -74060,6 +74805,11 @@ index 72c746e..704d2d7 100644
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
++/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++
++/usr/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
+
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
@@ -74673,6 +75423,14 @@ index 15832c7..aa18423 100644
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_inherited_user_terminals(showmount_t)
+diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
+index b263a8a..9348c8c 100644
+--- a/policy/modules/system/netlabel.fc
++++ b/policy/modules/system/netlabel.fc
+@@ -1 +1,3 @@
+ /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
++
++/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index cbbda4a..8dcc346 100644
--- a/policy/modules/system/netlabel.te
@@ -74690,6 +75448,20 @@ index cbbda4a..8dcc346 100644
+
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
+
+diff --git a/policy/modules/system/pcmcia.fc b/policy/modules/system/pcmcia.fc
+index 9cf0e56..2b5260a 100644
+--- a/policy/modules/system/pcmcia.fc
++++ b/policy/modules/system/pcmcia.fc
+@@ -4,6 +4,9 @@
+ /sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
+ /sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
++/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
++/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
++
+ /var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+
+ /var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 4d06ae3..e81b7ac 100644
--- a/policy/modules/system/pcmcia.te
@@ -74731,24 +75503,25 @@ index 4d06ae3..e81b7ac 100644
seutil_sigchld_newrole(cardmgr_t)
')
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
-index ed9c70d..7a6f23a 100644
+index ed9c70d..480267e 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc -@@ -1,6 +1,13 @@ +@@ -1,6 +1,14 @@ -/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0) +/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0) +/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) -+#669402 -+/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) - /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) -+ ++/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) +/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) +/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) ++/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) ++/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) +/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) ++ + /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if index b1a85b5..db0d815 100644 --- a/policy/modules/system/raid.if @@ -74860,7 +75633,7 @@ index a19ecea..99c4da1 100644 ') diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc -index 2cc4bda..167c358 100644 +index 2cc4bda..bd86c17 100644 --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc @@ -6,13 +6,13 @@ @@ -74880,7 +75653,7 @@ index 2cc4bda..167c358 100644 # # /root -@@ -32,17 +32,26 @@ +@@ -32,17 +32,27 @@ /usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0) /usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0) 
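Review bot: The `#669402` comment that tied the `/usr/sbin/iprdump` entry to its bug report is dropped while the entry is moved below `/sbin/mdmpd` in raid.fc, so the reason these ipr* and raid-check binaries carry mdadm_exec_t is no longer recorded in the file. Keep the reference next to the relocated block, e.g. `++# 669402` immediately above `++/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)`. The relabelling of `/dev/.mdadm\.map` to mdadm_var_run_t at the top of the hunk is pre-existing context and is not affected.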
@@ -74888,6 +75661,7 @@ index 2cc4bda..167c358 100644 +/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) ++/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) @@ -75814,6 +76588,17 @@ index 7ed9819..ac8b214 100644 - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') +diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc +index bea4629..427e5f6 100644 +--- a/policy/modules/system/setrans.fc ++++ b/policy/modules/system/setrans.fc +@@ -2,4 +2,6 @@ + + /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) + ++/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) ++ + /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 1447687..cdc0223 100644 --- a/policy/modules/system/setrans.te @@ -75827,7 +76612,7 @@ index 1447687..cdc0223 100644 type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 694fd94..334e80e 100644 +index 694fd94..ff9af99 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -10,10 +10,10 @@ 
@@ -75844,7 +76629,28 @@ index 694fd94..334e80e 100644 /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -@@ -64,3 +64,5 @@ ifdef(`distro_redhat',` +@@ -48,6 +48,20 @@ ifdef(`distro_redhat',` + # + # /usr + # ++/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++ ++/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) ++/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) ++/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) ++/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + + # +@@ -64,3 +78,5 @@ ifdef(`distro_redhat',` ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') @@ -76423,23 +77229,32 @@ index 34d0ec5..8aa3908 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..db57bc7 +index 0000000..0d3e625 --- /dev/null 
+++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,19 @@ -+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) -+ -+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) -+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) -+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) +@@ -0,0 +1,28 @@ ++/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) ++/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) ++/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) ++/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + ++/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) ++/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) ++/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) ++/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) ++ + +/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) +/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0) +/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + ++/usr/lib/systemd/system(/.*)? 
gen_context(system_u:object_r:systemd_unit_file_t,s0) ++/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) ++/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0) ++/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) ++ +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0) +/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) @@ -76448,10 +77263,10 @@ index 0000000..db57bc7 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..5571350 +index 0000000..1688a39 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,503 @@ +@@ -0,0 +1,504 @@ +## SELinux policy for systemd components + +####################################### @@ -76678,6 +77493,7 @@ index 0000000..5571350 + + allow $1 systemd_logind_t:dbus send_msg; + allow systemd_logind_t $1:dbus send_msg; ++ ps_process_pattern(systemd_logind_t, $1) +') + +####################################### @@ -76957,10 +77773,10 @@ index 0000000..5571350 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..b7da774 +index 0000000..9e08125 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,378 @@ +@@ -0,0 +1,381 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -77162,6 +77978,8 @@ index 0000000..b7da774 + +dev_write_kmsg(systemd_tmpfiles_t) + ++domain_obj_id_change_exemption(systemd_tmpfiles_t) ++ +# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev +fs_manage_tmpfs_dirs(systemd_tmpfiles_t) +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t) 
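Review bot: `ps_process_pattern(systemd_logind_t, $1)` widens this systemd.if interface from a bidirectional dbus send_msg to letting systemd_logind_t read the caller domain's process information, but the interface's description block, which starts outside this hunk, will still describe only the dbus exchange. Update its summary to state that logind may also read the process state of `$1`, and put a one-line why-comment above the call, `# logind needs to inspect the processes it exchanges dbus messages with` (the changelog entry for this release gives that as the motivation). Since this is a template/interface that many domains call, the grant is effectively cumulative across every caller, which is worth saying in the description.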
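Review bot: `domain_obj_id_change_exemption(systemd_tmpfiles_t)` is the broadest grant in this systemd.te hunk — it exempts the domain from the constraint that ties the user identity of created or relabelled objects to the creating process — yet it is the only line here without the why-comment its neighbours carry (`# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev`). Add a comment above it such as `# tmpfiles.d entries create per-user paths whose object context carries the user's identity rather than the creator's (presumably the /run/user handling below — confirm)`, so the exemption can be revisited if that use case goes away. The enclosing systemd_tmpfiles_t policy section starts and ends outside the hunk.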
@@ -77246,6 +78064,7 @@ index 0000000..b7da774 + # we have /run/user/$USER/dconf + gnome_delete_home_config(systemd_tmpfiles_t) + gnome_delete_home_config_dirs(systemd_tmpfiles_t) ++ gnome_setattr_home_config_dirs(systemd_tmpfiles_t) +') + +optional_policy(` @@ -77340,7 +78159,7 @@ index 0000000..b7da774 + +miscfiles_read_localization(systemctl_domain) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index 0291685..397e4f6 100644 +index 0291685..0e9e2b6 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -1,6 +1,6 @@ 
@@ -77353,18 +78172,30 @@ index 0291685..397e4f6 100644 /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) -@@ -15,10 +15,13 @@ - /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) +@@ -10,6 +10,7 @@ + /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + + /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) +/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) + + /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) +@@ -21,4 +22,17 @@ /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) ++/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) ++ ++/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) ++ +/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) 
@@ -78584,7 +79415,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..b7ed01c 100644 +index 4b2878a..17cc2fc 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -80908,7 +81739,7 @@ index 4b2878a..b7ed01c 100644 ## Create keys for all user domains. ##
## -@@ -3194,3 +3912,1205 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3912,1236 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -80965,6 +81796,38 @@ index 4b2878a..b7ed01c 100644 + ubac_constrained($2) +') + ++####################################### ++## ++## Define this type as a Allow apps to set rlimits on userdomain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`userdom_unpriv_type',` ++ gen_require(` ++ attribute unpriv_userdomain, userdomain; ++ ') ++ typeattribute $2 unpriv_userdomain; ++ typeattribute $2 userdomain; ++ ++ auth_use_nsswitch($2) ++ ubac_constrained($2) ++') ++ +######################################## +## +## Connect to users over an unix stream socket. @@ -82113,7 +82976,6 @@ index 4b2878a..b7ed01c 100644 + + typeattribute $1 userdom_home_manager_type; +') -+ diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 9b4a930..ced52ff 100644 --- a/policy/modules/system/userdomain.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 2c7dc94..245cbf7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 64%{?dist} +Release: 65%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -238,7 +238,7 @@ Based off of reference policy: Checked out revision 2.20091117 %setup -n serefpolicy-%{version} -q %patch -p1 %patch1 -p1 -b .unconfined -%patch2 -p1 -b .thumb +#%patch2 -p1 -b .thumb %install mkdir selinux_config 
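Review bot: The description block of the new `userdom_unpriv_type` template in userdomain.if does not match the template: the summary reads `Define this type as a Allow apps to set rlimits on userdomain`, which looks pasted from another interface, and it documents three parameters (two of them `Domain allowed access.`) while the body only uses `$2`. Replace the summary with `## Make the specified type an unprivileged user domain.`, document the two parameters the body implies — presumably `$1` as the user prefix and `$2` as the domain, mirroring the preceding template whose tail is the context at the top of this hunk — and drop the third parameter entry. If `$1` is genuinely unused, say so in the description so callers know the prefix is accepted only for signature parity.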
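Review bot: Commenting out `%patch2 -p1 -b .thumb` in selinux-policy.spec stops the thumb patch from being applied at build time, which changes the shipped policy, yet none of the fourteen changelog entries for 3.10.0-65 mention it. Either restore the line or add a changelog entry stating that the thumb patch is no longer applied and why; if the disable is meant to be temporary, a comment next to it, `# patch2 disabled: <reason placeholder>`, would also make the intent visible to the next packager.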
@@ -470,6 +470,22 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Dec 6 2011 Miroslav Grepl 3.10.0-65 +- Fixes related to /bin, /sbin +- Allow abrt to getattr on blk files +- Add type for rhev-agent log file +- Fix labeling for /dev/dmfm +- Dontaudit wicd leaking +- Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it +- Label /etc/locale.conf correctly +- Allow user_mail_t to read /dev/random +- Allow postfix-smtpd to read MIMEDefang +- Add label for /var/log/suphp.log +- Allow swat_t to connect and read/write nmbd_t sock_file +- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf +- Allow systemd-tmpfiles to change user identity in object contexts +- More fixes for rhev_agentd_t consolehelper policy + * Thu Dec 1 2011 Miroslav Grepl 3.10.0-64 - Use fs_use_xattr for squashf - Fix procs_type interface