From f5eb99f70b808c2b3830c5d65d9b1df5599c3a0b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 17 2011 15:46:18 +0000 Subject: - devicekit leaks file descriptors to setfiles_t - Change all all_nodes to generic_node and all_if to generic_if - Should not use deprecated interface - Switch from using all_nodes to generic_node and from all_if to generic_if - Add support for xfce4-notifyd - Fix file context to show several labels as SystemHigh - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs - Add etc_runtime_t label for /etc/securetty - Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly - login.krb needs to be able to write user_tmp_t - dirsrv needs to bind to port 7390 for dogtag - Fix a bug in gpg policy - gpg sends audit messages - Allow qpid to manage matahari files --- diff --git a/policy-F15.patch b/policy-F15.patch index 08cb6ad..73343e7 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -3310,7 +3310,7 @@ index 00a19e3..1354800 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..7cbfcb4 100644 +index f5afe78..65118f7 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,43 +1,521 @@ @@ -3555,10 +3555,11 @@ index f5afe78..7cbfcb4 100644 +## manage gnome homedir content (.config) +## +## -+## + ## +-## Role allowed access +## Domain allowed access. -+## -+## + ## + ## +# +interface(`gnome_manage_config',` + gen_require(` 
@@ -3774,28 +3775,21 @@ index f5afe78..7cbfcb4 100644 +## Create gconf_home_t objects in the /root directory +## +## - ## --## Role allowed access ++## +## Domain allowed access. - ## - ## --## ++## ++## +## - ## --## User domain for the role ++## +## The class of the object to be created. - ## - ## - # --interface(`gnome_role',` ++## ++## ++# +interface(`gnome_admin_home_gconf_filetrans',` - gen_require(` -- type gconfd_t, gconfd_exec_t; -- type gconf_tmp_t; ++ gen_require(` + type gconf_home_t; - ') - -- role $1 types gconfd_t; ++ ') ++ + userdom_admin_home_dir_filetrans($1, gconf_home_t, $2) +') + @@ -3803,17 +3797,23 @@ index f5afe78..7cbfcb4 100644 +## +## read gconf config files +## -+## -+## + ## + ## +-## User domain for the role +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`gnome_role',` +interface(`gnome_read_gconf_config',` -+ gen_require(` + gen_require(` +- type gconfd_t, gconfd_exec_t; +- type gconf_tmp_t; + type gconf_etc_t; -+ ') + ') +- role $1 types gconfd_t; +- - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; @@ -3959,7 +3959,7 @@ index f5afe78..7cbfcb4 100644 ') ######################################## -@@ -151,40 +633,300 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +633,328 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -4202,13 +4202,14 @@ index f5afe78..7cbfcb4 100644 +# +interface(`gnome_dbus_chat_gkeyringd',` + gen_require(` -+ type gkeyringd_t; ++ attribute gkeyringd_domain; + class dbus send_msg; + ') + -+ allow $2 gkeyringd_t:dbus send_msg; -+ allow gkeyringd_t $2:dbus send_msg; ++ allow $1 gkeyringd_domain:dbus send_msg; ++ allow gkeyringd_domain $1:dbus send_msg; +') ++ +######################################## +## +## Create directories in user home directories 
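Review bot: The body of `gnome_dbus_chat_gkeyringd` now reads its caller as `$1` instead of `$2` and targets the `gkeyringd_domain` attribute instead of the single `gkeyringd_t` type, but the interface's documentation header lies outside this hunk and still has to describe exactly one parameter, `Domain allowed access`, for the generated docs to match. Any existing caller that still passes two arguments will silently bind the wrong positional parameter, so the remaining call sites should be checked; the new call in telepathy.te in this same patch, `gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)`, is already in the one-argument form. Widening the target to the attribute also means the caller may exchange D-Bus messages with every per-user keyring daemon type rather than one, which is worth a one-line comment such as `# gkeyringd_domain covers all per-user gkeyringd types`.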
@@ -4270,6 +4271,33 @@ index f5afe78..7cbfcb4 100644 + manage_files_pattern($1, config_usr_t, config_usr_t) + manage_lnk_files_pattern($1, config_usr_t, config_usr_t) +') ++ ++######################################## ++## ++## Execute gnome-keyring in the user gkeyring domain ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the gkeyring domain. ++## ++## ++# ++interface(`gnome_transition_gkeyringd',` ++ gen_require(` ++ attribute gkeyringd_domain; ++ ') ++ ++ allow $1 gkeyringd_domain:process transition; ++ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh }; ++ allow gkeyringd_domain $1:process { sigchld signull }; ++ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms; ++') ++ diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 2505654..857e7df 100644 --- a/policy/modules/apps/gnome.te @@ -5471,7 +5499,7 @@ index 9a6d67d..d88c02c 100644 +') + diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..6e6b57c 100644 +index 2a91fa8..3188ebc 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) @@ -5553,7 +5581,7 @@ index 2a91fa8..6e6b57c 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,191 @@ optional_policy(` +@@ -266,3 +291,192 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -5648,6 +5676,7 @@ index 2a91fa8..6e6b57c 100644 +miscfiles_read_fonts(mozilla_plugin_t) +miscfiles_read_certs(mozilla_plugin_t) +miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) ++miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) + +sysnet_dns_name_resolve(mozilla_plugin_t) + @@ -7241,7 +7270,7 @@ index c1d5f50..429b9ce 100644 + + diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te -index 5ef2f7d..d5ed1df 100644 +index 5ef2f7d..6f02ecd 100644 
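Review bot: The documentation of the new `gnome_transition_gkeyringd` interface declares a second parameter, `The role to be allowed the gkeyring domain`, but the body never references `$2` and contains no `role $2 types gkeyringd_domain;`, so the documented contract does not match the rules; the caller added later in this patch, `gnome_transition_gkeyringd(xdm_t)`, passes a single argument, which suggests the second parameter block should simply be removed from the header rather than the role rule added. The summary says `Execute gnome-keyring in the user gkeyring domain`, yet only `process transition` is granted with no `type_transition` or `domain_auto_trans`, so the caller presumably sets the target context itself before exec; if that is the intent, say so with `# manual transition: the caller sets the exec context (no type_transition)` so nobody later "fixes" it into an automatic transition. Because the target is the whole `gkeyringd_domain` attribute, the caller may enter any per-user keyring domain, which is a broader grant than the interface name implies and deserves mention in the header.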
--- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true) @@ -7253,7 +7282,7 @@ index 5ef2f7d..d5ed1df 100644 ##

## gen_tunable(qemu_use_comm, false) -@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t) +@@ -55,14 +55,15 @@ storage_raw_read_removable_device(qemu_t) userdom_search_user_home_content(qemu_t) userdom_read_user_tmpfs_files(qemu_t) @@ -7261,6 +7290,17 @@ index 5ef2f7d..d5ed1df 100644 tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; + +- corenet_udp_sendrecv_all_if(qemu_t) +- corenet_udp_sendrecv_all_nodes(qemu_t) ++ corenet_udp_sendrecv_generic_if(qemu_t) ++ corenet_udp_sendrecv_generic_node(qemu_t) + corenet_udp_sendrecv_all_ports(qemu_t) +- corenet_udp_bind_all_nodes(qemu_t) ++ corenet_udp_bind_generic_node(qemu_t) + corenet_udp_bind_all_ports(qemu_t) + corenet_tcp_bind_all_ports(qemu_t) + corenet_tcp_connect_all_ports(qemu_t) @@ -90,7 +91,9 @@ tunable_policy(`qemu_use_usb',` ') @@ -7772,7 +7812,7 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..f2201d7 +index 0000000..26d0f56 --- /dev/null +++ b/policy/modules/apps/sandbox.te @@ -0,0 +1,476 @@ 
@@ -7842,13 +7882,13 @@ index 0000000..f2201d7 + +corenet_all_recvfrom_unlabeled(sandbox_xserver_t) +corenet_all_recvfrom_netlabel(sandbox_xserver_t) -+corenet_tcp_sendrecv_all_if(sandbox_xserver_t) -+corenet_udp_sendrecv_all_if(sandbox_xserver_t) -+corenet_tcp_sendrecv_all_nodes(sandbox_xserver_t) -+corenet_udp_sendrecv_all_nodes(sandbox_xserver_t) ++corenet_tcp_sendrecv_generic_if(sandbox_xserver_t) ++corenet_udp_sendrecv_generic_if(sandbox_xserver_t) ++corenet_tcp_sendrecv_generic_node(sandbox_xserver_t) ++corenet_udp_sendrecv_generic_node(sandbox_xserver_t) +corenet_tcp_sendrecv_all_ports(sandbox_xserver_t) +corenet_udp_sendrecv_all_ports(sandbox_xserver_t) -+corenet_tcp_bind_all_nodes(sandbox_xserver_t) ++corenet_tcp_bind_generic_node(sandbox_xserver_t) +corenet_tcp_bind_xserver_port(sandbox_xserver_t) +corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) +corenet_sendrecv_all_client_packets(sandbox_xserver_t) @@ -8141,10 +8181,10 @@ index 0000000..f2201d7 + +corenet_all_recvfrom_unlabeled(sandbox_web_type) +corenet_all_recvfrom_netlabel(sandbox_web_type) -+corenet_tcp_sendrecv_all_if(sandbox_web_type) -+corenet_raw_sendrecv_all_if(sandbox_web_type) -+corenet_tcp_sendrecv_all_nodes(sandbox_web_type) -+corenet_raw_sendrecv_all_nodes(sandbox_web_type) ++corenet_tcp_sendrecv_generic_if(sandbox_web_type) ++corenet_raw_sendrecv_generic_if(sandbox_web_type) ++corenet_tcp_sendrecv_generic_node(sandbox_web_type) ++corenet_raw_sendrecv_generic_node(sandbox_web_type) +corenet_tcp_sendrecv_http_port(sandbox_web_type) +corenet_tcp_sendrecv_http_cache_port(sandbox_web_type) +corenet_tcp_sendrecv_squid_port(sandbox_web_type) 
@@ -8237,10 +8277,10 @@ index 0000000..f2201d7 + +corenet_all_recvfrom_unlabeled(sandbox_net_client_t) +corenet_all_recvfrom_netlabel(sandbox_net_client_t) -+corenet_tcp_sendrecv_all_if(sandbox_net_client_t) -+corenet_udp_sendrecv_all_if(sandbox_net_client_t) -+corenet_tcp_sendrecv_all_nodes(sandbox_net_client_t) -+corenet_udp_sendrecv_all_nodes(sandbox_net_client_t) ++corenet_tcp_sendrecv_generic_if(sandbox_net_client_t) ++corenet_udp_sendrecv_generic_if(sandbox_net_client_t) ++corenet_tcp_sendrecv_generic_node(sandbox_net_client_t) ++corenet_udp_sendrecv_generic_node(sandbox_net_client_t) +corenet_tcp_sendrecv_all_ports(sandbox_net_client_t) +corenet_udp_sendrecv_all_ports(sandbox_net_client_t) +corenet_tcp_connect_all_ports(sandbox_net_client_t) @@ -8365,10 +8405,10 @@ index 1dc7a85..787df80 100644 + ') ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..44aa6d1 100644 +index 7590165..080ea54 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,48 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0) # Declarations # @@ -8434,6 +8474,17 @@ index 7590165..44aa6d1 100644 ') ') + ++tunable_policy(`use_nfs_home_dirs',` ++ fs_mounton_nfs(seunshare_domain) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_mounton_cifs(seunshare_domain) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_mounton_fusefs(seunshare_domain) ++') diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te index e43c380..410027f 100644 --- a/policy/modules/apps/slocate.te @@ -8668,10 +8719,10 @@ index 0000000..6878d68 + diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..db7941f +index 0000000..b52b636 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,333 @@ +@@ -0,0 +1,334 @@ + +policy_module(telepathy, 1.0.0) + 
@@ -8881,9 +8932,10 @@ index 0000000..db7941f +') + +optional_policy(` -+ gnome_read_gconf_home_files(telepathy_mission_control_t) -+ gnome_setattr_cache_home_dir(telepathy_mission_control_t) ++ gnome_read_gconf_home_files(telepathy_mission_control_t) ++ gnome_setattr_cache_home_dir(telepathy_mission_control_t) + gnome_read_generic_cache_files(telepathy_mission_control_t) ++ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) +') + +####################################### @@ -9395,7 +9447,7 @@ index 82842a0..4111a1d 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..5574b5c 100644 +index 34c9d01..e65d58a 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` @@ -9447,7 +9499,12 @@ index 34c9d01..5574b5c 100644 /usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -247,6 +252,8 @@ ifdef(`distro_gentoo',` +@@ -244,9 +249,13 @@ ifdef(`distro_gentoo',` + + /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) + ++/usr/lib(64)?/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0) ++ /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -9456,7 +9513,7 @@ index 34c9d01..5574b5c 100644 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -307,6 +314,7 @@ ifdef(`distro_redhat', ` +@@ -307,6 +316,7 @@ ifdef(`distro_redhat', ` /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -9464,7 +9521,7 @@ index 34c9d01..5574b5c 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -316,9 +324,11 @@ ifdef(`distro_redhat', ` +@@ -316,9 +326,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -9584,7 +9641,7 @@ index 5a07a43..e97e47f 100644 ##
## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..72c9dc8 100644 +index 0757523..5a4a625 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -9657,8 +9714,11 @@ index 0757523..72c9dc8 100644 network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -98,7 +118,9 @@ network_port(dict, tcp,2628,s0) +@@ -96,9 +116,12 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) + network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) + network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) ++network_port(dogtag, tcp,7390,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(epmap, tcp,135,s0, udp,135,s0) +network_port(festival, tcp,1314,s0) @@ -9667,7 +9727,7 @@ index 0757523..72c9dc8 100644 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -112,7 +134,7 @@ network_port(hddtemp, tcp,7634,s0) +@@ -112,7 +135,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port 
@@ -9676,7 +9736,7 @@ index 0757523..72c9dc8 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -126,43 +148,58 @@ network_port(iscsi, tcp,3260,s0) +@@ -126,43 +149,58 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -9739,7 +9799,7 @@ index 0757523..72c9dc8 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,24 +214,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -177,24 +215,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -9773,7 +9833,7 @@ index 0757523..72c9dc8 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -205,16 +247,17 @@ network_port(transproxy, tcp,8081,s0) +@@ -205,16 +248,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -9794,7 +9854,7 @@ index 0757523..72c9dc8 100644 network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) -@@ -276,5 +319,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn +@@ -276,5 +320,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. 
@@ -10448,7 +10508,7 @@ index bc534c1..b70ea07 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 16108f6..2abd3eb 100644 +index 16108f6..33ea07b 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -10459,20 +10519,20 @@ index 16108f6..2abd3eb 100644 ') ifdef(`distro_suse',` -@@ -58,6 +59,13 @@ ifdef(`distro_suse',` +@@ -57,6 +58,13 @@ ifdef(`distro_suse',` + /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - ++/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0) ++ +/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) -+ -+ + /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) - /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -68,7 +76,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -11804,7 +11864,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..fbbd1ce 100644 +index dfe361a..40bfd0f 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` 
@@ -12067,7 +12127,32 @@ index dfe361a..fbbd1ce 100644 ## Create, read, write, and delete dirs ## on a DOS filesystem. ##
-@@ -1892,6 +2047,26 @@ interface(`fs_manage_fusefs_files',` +@@ -1774,6 +1929,24 @@ interface(`fs_unmount_fusefs',` + + ######################################## + ## ++## Mounton a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mounton_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir mounton; ++') ++ ++######################################## ++## + ## Search directories + ## on a FUSEFS filesystem. + ## +@@ -1892,6 +2065,26 @@ interface(`fs_manage_fusefs_files',` ######################################## ## @@ -12094,7 +12179,7 @@ index dfe361a..fbbd1ce 100644 ## Do not audit attempts to create, ## read, write, and delete files ## on a FUSEFS filesystem. -@@ -1931,7 +2106,26 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1931,7 +2124,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -12122,7 +12207,7 @@ index dfe361a..fbbd1ce 100644 ## ## ## -@@ -1946,6 +2140,41 @@ interface(`fs_rw_hugetlbfs_files',` +@@ -1946,6 +2158,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -12164,7 +12249,7 @@ index dfe361a..fbbd1ce 100644 ######################################## ## -@@ -1999,6 +2228,7 @@ interface(`fs_list_inotifyfs',` +@@ -1999,6 +2246,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -12172,7 +12257,7 @@ index dfe361a..fbbd1ce 100644 ') ######################################## -@@ -2331,6 +2561,7 @@ interface(`fs_read_nfs_files',` +@@ -2331,6 +2579,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -12180,7 +12265,7 @@ index dfe361a..fbbd1ce 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2369,6 +2600,7 @@ interface(`fs_write_nfs_files',` +@@ -2369,6 +2618,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') 
@@ -12188,7 +12273,7 @@ index dfe361a..fbbd1ce 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2395,6 +2627,25 @@ interface(`fs_exec_nfs_files',` +@@ -2395,6 +2645,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -12214,7 +12299,7 @@ index dfe361a..fbbd1ce 100644 ## Append files ## on a NFS filesystem. ## -@@ -2435,6 +2686,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2435,6 +2704,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -12257,7 +12342,7 @@ index dfe361a..fbbd1ce 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2449,7 +2736,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2449,7 +2754,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -12266,7 +12351,7 @@ index dfe361a..fbbd1ce 100644 ') ######################################## -@@ -2637,6 +2924,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +2942,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## @@ -12291,7 +12376,7 @@ index dfe361a..fbbd1ce 100644 ## Read removable storage symbolic links. ## ## -@@ -2653,6 +2958,25 @@ interface(`fs_read_removable_symlinks',` +@@ -2653,6 +2976,25 @@ interface(`fs_read_removable_symlinks',` read_lnk_files_pattern($1, removable_t, removable_t) ') @@ -12317,7 +12402,7 @@ index dfe361a..fbbd1ce 100644 ######################################## ## ## Read and write block nodes on removable filesystems. -@@ -2779,6 +3103,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2779,6 +3121,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -12325,7 +12410,7 @@ index dfe361a..fbbd1ce 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -2819,6 +3144,7 @@ interface(`fs_manage_nfs_files',` +@@ -2819,6 +3162,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') 
@@ -12333,7 +12418,7 @@ index dfe361a..fbbd1ce 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -2845,7 +3171,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3189,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -12342,7 +12427,7 @@ index dfe361a..fbbd1ce 100644 ## ## ## -@@ -2859,6 +3185,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -2859,6 +3203,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -12350,7 +12435,7 @@ index dfe361a..fbbd1ce 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3989,6 +4316,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3989,6 +4334,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -12393,7 +12478,7 @@ index dfe361a..fbbd1ce 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4271,6 +4634,8 @@ interface(`fs_mount_all_fs',` +@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -12402,7 +12487,7 @@ index dfe361a..fbbd1ce 100644 ') ######################################## -@@ -4681,3 +5046,24 @@ interface(`fs_unconfined',` +@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -16913,7 +16998,7 @@ index 6480167..09c61a0 100644 + dontaudit $1 httpd_tmp_t:file { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..b09a425 100644 +index 3136c6a..da3eab1 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) 
@@ -17395,13 +17480,13 @@ index 3136c6a..b09a425 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -+ fs_list_auto_mountpoints(httpd_t) ++ fs_list_auto_mountpoints(httpd_t) fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_nfs',` -+ fs_list_auto_mountpoints(httpd_t) ++ fs_list_auto_mountpoints(httpd_t) + fs_manage_nfs_dirs(httpd_t) + fs_manage_nfs_files(httpd_t) + fs_manage_nfs_symlinks(httpd_t) @@ -17703,7 +17788,7 @@ index 3136c6a..b09a425 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1058,37 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1058,49 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -17741,6 +17826,24 @@ index 3136c6a..b09a425 100644 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; + +- corenet_tcp_bind_all_nodes(httpd_sys_script_t) +- corenet_udp_bind_all_nodes(httpd_sys_script_t) ++ corenet_tcp_bind_generic_node(httpd_sys_script_t) ++ corenet_udp_bind_generic_node(httpd_sys_script_t) + corenet_all_recvfrom_unlabeled(httpd_sys_script_t) + corenet_all_recvfrom_netlabel(httpd_sys_script_t) +- corenet_tcp_sendrecv_all_if(httpd_sys_script_t) +- corenet_udp_sendrecv_all_if(httpd_sys_script_t) +- corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) +- corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) ++ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t) ++ corenet_udp_sendrecv_generic_if(httpd_sys_script_t) ++ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t) ++ corenet_udp_sendrecv_generic_node(httpd_sys_script_t) + corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) + corenet_udp_sendrecv_all_ports(httpd_sys_script_t) + corenet_tcp_connect_all_ports(httpd_sys_script_t) 
@@ -822,14 +1108,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') @@ -18928,7 +19031,7 @@ index 0000000..3964548 +') diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te new file mode 100644 -index 0000000..b73c9f2 +index 0000000..5fa8122 --- /dev/null +++ b/policy/modules/services/bugzilla.te @@ -0,0 +1,57 @@ @@ -18955,10 +19058,10 @@ index 0000000..b73c9f2 + +corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) +corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t) ++corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) ++corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t) ++corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) ++corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) @@ -21928,7 +22031,7 @@ index f7583ab..9941737 100644 ') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc -index 1b492ed..3d09c0e 100644 +index 1b492ed..76480c2 100644 --- a/policy/modules/services/cups.fc +++ b/policy/modules/services/cups.fc @@ -56,6 +56,7 @@ 
@@ -21939,7 +22042,15 @@ index 1b492ed..3d09c0e 100644 /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) -@@ -71,3 +72,9 @@ +@@ -64,10 +65,16 @@ + + /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) + /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) + /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) + /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) @@ -23720,10 +23831,10 @@ index 0000000..9d8f5de +') diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te new file mode 100644 -index 0000000..2a9e3f9 +index 0000000..24f776b --- /dev/null +++ b/policy/modules/services/dirsrv.te -@@ -0,0 +1,176 @@ +@@ -0,0 +1,178 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -23807,6 +23918,7 @@ index 0000000..2a9e3f9 + +manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) +manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) ++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) + +manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) +manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) 
@@ -23821,8 +23933,9 @@ index 0000000..2a9e3f9 +corenet_tcp_sendrecv_generic_if(dirsrv_t) +corenet_tcp_sendrecv_generic_node(dirsrv_t) +corenet_tcp_sendrecv_all_ports(dirsrv_t) -+corenet_tcp_bind_all_nodes(dirsrv_t) ++corenet_tcp_bind_generic_node(dirsrv_t) +corenet_tcp_bind_ldap_port(dirsrv_t) ++corenet_tcp_bind_dogtag_port(dirsrv_t) +corenet_tcp_bind_all_rpc_ports(dirsrv_t) +corenet_udp_bind_all_rpc_ports(dirsrv_t) +corenet_tcp_connect_all_ports(dirsrv_t) @@ -26221,11 +26334,15 @@ index a627b34..4b27e25 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te -index 03742d8..2a87d1e 100644 +index 03742d8..c65263e 100644 --- a/policy/modules/services/gpsd.te +++ b/policy/modules/services/gpsd.te -@@ -46,6 +46,8 @@ corenet_tcp_sendrecv_all_ports(gpsd_t) - corenet_tcp_bind_all_nodes(gpsd_t) +@@ -43,9 +43,11 @@ corenet_all_recvfrom_netlabel(gpsd_t) + corenet_tcp_sendrecv_generic_if(gpsd_t) + corenet_tcp_sendrecv_generic_node(gpsd_t) + corenet_tcp_sendrecv_all_ports(gpsd_t) +-corenet_tcp_bind_all_nodes(gpsd_t) ++corenet_tcp_bind_generic_node(gpsd_t) corenet_tcp_bind_gpsd_port(gpsd_t) +dev_read_sysfs(gpsd_t) @@ -26245,9 +26362,18 @@ index 03742d8..2a87d1e 100644 ') diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if -index 2d0b4e1..804d347 100644 +index 2d0b4e1..e268ede 100644 --- a/policy/modules/services/hadoop.if +++ b/policy/modules/services/hadoop.if +@@ -91,7 +91,7 @@ template(`hadoop_domain_template',` + + corenet_all_recvfrom_unlabeled(hadoop_$1_t) + corenet_all_recvfrom_netlabel(hadoop_$1_t) +- corenet_tcp_bind_all_nodes(hadoop_$1_t) ++ corenet_tcp_bind_generic_node(hadoop_$1_t) + corenet_tcp_sendrecv_generic_if(hadoop_$1_t) + corenet_udp_sendrecv_generic_if(hadoop_$1_t) + corenet_tcp_sendrecv_generic_node(hadoop_$1_t) @@ -175,8 +175,6 @@ template(`hadoop_domain_template',` files_read_etc_files(hadoop_$1_initrc_t) files_read_usr_files(hadoop_$1_initrc_t) 
@@ -28322,7 +28448,7 @@ index 0000000..8e22c5e +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..6800643 +index 0000000..fbad798 --- /dev/null +++ b/policy/modules/services/matahari.te @@ -0,0 +1,116 @@ @@ -28375,7 +28501,7 @@ index 0000000..6800643 + +dev_read_sysfs(matahari_hostd_t) +dev_read_urand(matahari_hostd_t) -+dev_write_mtrr(matahari_hostd_t) ++dev_rw_mtrr(matahari_hostd_t) + +domain_use_interactive_fds(matahari_hostd_t) +domain_read_all_domains_state(matahari_hostd_t) @@ -31580,9 +31706,18 @@ index c61adc8..b5b5992 100644 term_use_ptmx(ntpd_t) diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te -index ff962dd..69c07c1 100644 +index ff962dd..3cf3fe3 100644 --- a/policy/modules/services/nut.te +++ b/policy/modules/services/nut.te +@@ -47,7 +47,7 @@ kernel_read_kernel_sysctls(nut_upsd_t) + + corenet_tcp_bind_ups_port(nut_upsd_t) + corenet_tcp_bind_generic_port(nut_upsd_t) +-corenet_tcp_bind_all_nodes(nut_upsd_t) ++corenet_tcp_bind_generic_node(nut_upsd_t) + + files_read_usr_files(nut_upsd_t) + @@ -133,6 +133,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t) # /sbin/upsdrvctl executes other drivers corecmd_exec_bin(nut_upsdrvctl_t) @@ -32289,7 +32424,7 @@ index 1c2a091..ea5ae69 100644 # interface(`pcscd_domtrans',` diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te -index ceafba6..eca6852 100644 +index ceafba6..9eb6967 100644 --- a/policy/modules/services/pcscd.te +++ b/policy/modules/services/pcscd.te @@ -7,7 +7,6 @@ policy_module(pcscd, 1.7.0) 
@@ -32300,6 +32435,22 @@ index ceafba6..eca6852 100644 init_daemon_domain(pcscd_t, pcscd_exec_t) # pid files +@@ -25,6 +24,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms; + allow pcscd_t self:unix_stream_socket create_stream_socket_perms; + allow pcscd_t self:unix_dgram_socket create_socket_perms; + allow pcscd_t self:tcp_socket create_stream_socket_perms; ++allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +@@ -77,3 +77,7 @@ optional_policy(` + optional_policy(` + rpm_use_script_fds(pcscd_t) + ') ++ ++optional_policy(` ++ udev_read_db(pcscd_t) ++') diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te index 3185114..514e127 100644 --- a/policy/modules/services/pegasus.te @@ -36417,7 +36568,7 @@ index 852840b..1244ab2 100644 + ') ') diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te -index 0a76027..3c00e89 100644 +index 0a76027..7083808 100644 --- a/policy/modules/services/remotelogin.te +++ b/policy/modules/services/remotelogin.te @@ -49,6 +49,8 @@ fs_getattr_xattr_fs(remote_login_t) @@ -36438,7 +36589,7 @@ index 0a76027..3c00e89 100644 miscfiles_read_localization(remote_login_t) -@@ -87,9 +89,7 @@ userdom_search_user_home_content(remote_login_t) +@@ -87,9 +89,8 @@ userdom_search_user_home_content(remote_login_t) # since very weak authentication is used. userdom_signal_unpriv_users(remote_login_t) userdom_spec_domtrans_unpriv_users(remote_login_t) @@ -36446,10 +36597,11 @@ index 0a76027..3c00e89 100644 -# Search for mail spool file. -mta_getattr_spool(remote_login_t) +userdom_use_user_ptys(remote_login_t) ++userdom_rw_user_tmp_files(remote_login_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(remote_login_t) -@@ -106,15 +106,15 @@ optional_policy(` +@@ -106,15 +107,15 @@ optional_policy(` ') optional_policy(` 
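Review bot: The new `allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;` and the `udev_read_db(pcscd_t)` block in the pcscd.te hunks arrive without a comment and are not mentioned in the changelog at the end of this patch, so the intent has to be guessed. Presumably pcscd is watching kernel uevents for hotplugged devices; if so, `# listen for uevents and read the udev db for hotplugged readers` above the uevent-socket rule would record it. Note that the uevent socket rule is unconditional while the udev_read_db call is inside optional_policy, which is fine as long as that split is deliberate.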
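Review bot: `userdom_rw_user_tmp_files(remote_login_t)` in the remotelogin.te hunk gives a domain that the surrounding comment describes as using "very weak authentication" read/write access to every user_tmp_t file, not just whatever login.krb creates. The changelog ties this to login.krb, so at minimum the line should carry that reason, `# login.krb needs to write user_tmp_t`, and if the policy has a kerberos module to key on, wrapping the call in an optional_policy block would keep the grant out of installs that never run login.krb. The rest of the remote_login_t rules continue outside this hunk.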
@@ -44236,7 +44388,7 @@ index 130ced9..33c8170 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 6c01261..7add988 100644 +index 6c01261..4bd148a 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -44872,17 +45024,23 @@ index 6c01261..7add988 100644 ') optional_policy(` -@@ -517,7 +738,37 @@ optional_policy(` +@@ -517,7 +738,43 @@ optional_policy(` ') optional_policy(` - cpufreqselector_dbus_chat(xdm_t) + # Use dbus to start other processes as xdm_t + dbus_role_template(xdm, system_r, xdm_t) ++ ++ #fixes for xfce4-notifyd ++ allow xdm_dbusd_t self:unix_stream_socket connectto; ++ allow xdm_dbusd_t xserver_t:unix_stream_socket connectto; + + dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; + xserver_xdm_append_log(xdm_dbusd_t) + xserver_read_xdm_pid(xdm_dbusd_t) ++ ++ miscfiles_read_fonts(xdm_dbusd_t) + + corecmd_bin_entry_type(xdm_t) + @@ -44911,7 +45069,7 @@ index 6c01261..7add988 100644 ') optional_policy(` -@@ -527,6 +778,14 @@ optional_policy(` +@@ -527,6 +784,15 @@ optional_policy(` ') optional_policy(` @@ -44920,13 +45078,14 @@ index 6c01261..7add988 100644 + gnome_manage_gconf_home_files(xdm_t) + gnome_read_config(xdm_t) + gnome_read_gconf_config(xdm_t) ++ gnome_transition_gkeyringd(xdm_t) +') + +optional_policy(` hostname_exec(xdm_t) ') -@@ -544,28 +803,65 @@ optional_policy(` +@@ -544,28 +810,65 @@ optional_policy(` ') optional_policy(` @@ -45001,7 +45160,7 @@ index 6c01261..7add988 100644 ') optional_policy(` -@@ -577,6 +873,14 @@ optional_policy(` +@@ -577,6 +880,14 @@ optional_policy(` ') optional_policy(` 
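Review bot: The `#fixes for xfce4-notifyd` comment in the xserver.te hunk names the trigger but not what the two rules below it do, and the second rule, `allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;`, is a cross-domain connect to the X server socket that deserves an explanation of its own. I would reword it to `# xfce4-notifyd runs as xdm_dbusd_t and connects to the X server socket` so the reason survives once the xfce4 context is forgotten. `miscfiles_read_fonts(xdm_dbusd_t)` further down in the same optional_policy block looks like part of the same fix and could say so; the block's closing `')` is visible, but its opening rules precede the hunk.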
@@ -45016,7 +45175,7 @@ index 6c01261..7add988 100644 xfs_stream_connect(xdm_t) ') -@@ -601,7 +905,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -601,7 +912,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -45025,7 +45184,7 @@ index 6c01261..7add988 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -615,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -615,8 +926,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -45041,7 +45200,7 @@ index 6c01261..7add988 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -635,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -635,12 +953,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -45063,7 +45222,7 @@ index 6c01261..7add988 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -648,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -648,6 +973,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) 
@@ -45071,7 +45230,7 @@ index 6c01261..7add988 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -674,7 +993,6 @@ dev_rw_apm_bios(xserver_t) +@@ -674,7 +1000,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -45079,7 +45238,7 @@ index 6c01261..7add988 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -684,11 +1002,17 @@ dev_wx_raw_memory(xserver_t) +@@ -684,11 +1009,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -45097,7 +45256,7 @@ index 6c01261..7add988 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -699,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -699,8 +1030,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -45111,7 +45270,7 @@ index 6c01261..7add988 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -713,8 +1042,6 @@ init_getpgid(xserver_t) +@@ -713,8 +1049,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -45120,7 +45279,7 @@ index 6c01261..7add988 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -722,11 +1049,12 @@ logging_send_audit_msgs(xserver_t) +@@ -722,11 +1056,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -45135,7 +45294,7 @@ index 6c01261..7add988 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -780,16 +1108,36 @@ optional_policy(` +@@ -780,16 +1115,36 @@ optional_policy(` ') optional_policy(` 
@@ -45173,7 +45332,7 @@ index 6c01261..7add988 100644 unconfined_domtrans(xserver_t) ') -@@ -798,6 +1146,10 @@ optional_policy(` +@@ -798,6 +1153,10 @@ optional_policy(` ') optional_policy(` @@ -45184,7 +45343,7 @@ index 6c01261..7add988 100644 xfs_stream_connect(xserver_t) ') -@@ -813,10 +1165,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -813,10 +1172,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -45198,7 +45357,7 @@ index 6c01261..7add988 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -824,7 +1176,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -824,7 +1183,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -45207,7 +45366,7 @@ index 6c01261..7add988 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -837,6 +1189,9 @@ init_use_fds(xserver_t) +@@ -837,6 +1196,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -45217,7 +45376,7 @@ index 6c01261..7add988 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -844,6 +1199,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -844,6 +1206,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -45229,7 +45388,7 @@ index 6c01261..7add988 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -852,11 +1212,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -852,11 +1219,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -45246,7 +45405,7 @@ index 6c01261..7add988 100644 ') optional_policy(` -@@ -864,6 +1227,10 @@ optional_policy(` +@@ -864,6 +1234,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -45257,7 +45416,7 @@ index 6c01261..7add988 100644 ######################################## # # Rules common to all X window domains -@@ -907,7 +1274,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -907,7 +1281,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -45266,7 +45425,7 @@ index 6c01261..7add988 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -961,11 +1328,31 @@ allow x_domain self:x_resource { read write }; +@@ -961,11 +1335,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -45298,7 +45457,7 @@ index 6c01261..7add988 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -987,18 +1374,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -987,18 +1381,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -47376,7 +47535,7 @@ index cc83689..3596325 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..cd82670 100644 +index ea29513..b8a5c6d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
@@ -47523,7 +47682,7 @@ index ea29513..cd82670 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +231,105 @@ tunable_policy(`init_upstart',` +@@ -186,12 +231,106 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -47555,6 +47714,7 @@ index ea29513..cd82670 100644 + + dev_write_kmsg(init_t) + dev_write_urand(init_t) ++ dev_rw_lvm_control(init_t) + dev_rw_autofs(init_t) + dev_manage_generic_symlinks(init_t) + dev_manage_generic_dirs(init_t) @@ -47629,7 +47789,7 @@ index ea29513..cd82670 100644 ') optional_policy(` -@@ -199,10 +337,25 @@ optional_policy(` +@@ -199,10 +338,25 @@ optional_policy(` ') optional_policy(` @@ -47655,7 +47815,7 @@ index ea29513..cd82670 100644 unconfined_domain(init_t) ') -@@ -212,7 +365,7 @@ optional_policy(` +@@ -212,7 +366,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -47664,7 +47824,7 @@ index ea29513..cd82670 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +394,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +395,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -47679,7 +47839,7 @@ index ea29513..cd82670 100644 init_write_initctl(initrc_t) -@@ -258,11 +413,23 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +414,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
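Review bot: `dev_rw_lvm_control(init_t)` is added to init.te without a comment, and the changelog at the end of this patch does not list it, so the reason init_t itself (rather than initrc_t, which already has `dev_rw_lvm_control(initrc_t)` in a later hunk) needs the LVM control device is not recorded anywhere. A short note such as `# init_t needs the LVM control device when it runs the work initrc_t used to do — confirm` would do; the indented block this line sits in is opened before the hunk, so its condition cannot be checked here.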
@@ -47703,7 +47863,20 @@ index ea29513..cd82670 100644 corecmd_exec_all_executables(initrc_t) -@@ -279,6 +446,7 @@ corenet_sendrecv_all_client_packets(initrc_t) + corenet_all_recvfrom_unlabeled(initrc_t) + corenet_all_recvfrom_netlabel(initrc_t) +-corenet_tcp_sendrecv_all_if(initrc_t) +-corenet_udp_sendrecv_all_if(initrc_t) +-corenet_tcp_sendrecv_all_nodes(initrc_t) +-corenet_udp_sendrecv_all_nodes(initrc_t) ++corenet_tcp_sendrecv_generic_if(initrc_t) ++corenet_udp_sendrecv_generic_if(initrc_t) ++corenet_tcp_sendrecv_generic_node(initrc_t) ++corenet_udp_sendrecv_generic_node(initrc_t) + corenet_tcp_sendrecv_all_ports(initrc_t) + corenet_udp_sendrecv_all_ports(initrc_t) + corenet_tcp_connect_all_ports(initrc_t) +@@ -279,6 +447,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -47711,7 +47884,7 @@ index ea29513..cd82670 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +459,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +460,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -47719,7 +47892,7 @@ index ea29513..cd82670 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +467,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +468,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -47735,7 +47908,7 @@ index ea29513..cd82670 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +485,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +486,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -47743,7 +47916,7 @@ index ea29513..cd82670 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +493,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +494,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -47755,7 +47928,7 @@ index ea29513..cd82670 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +512,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +513,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -47769,7 +47942,7 @@ index ea29513..cd82670 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +527,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +528,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -47778,7 +47951,7 @@ index ea29513..cd82670 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +541,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +542,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -47786,7 +47959,7 @@ index ea29513..cd82670 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +553,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +554,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -47794,7 +47967,7 @@ index ea29513..cd82670 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,13 +574,12 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +575,12 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -47810,7 +47983,7 @@ index ea29513..cd82670 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -478,7 +657,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +658,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -47819,7 +47992,7 @@ index ea29513..cd82670 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -524,6 +703,23 @@ ifdef(`distro_redhat',` +@@ -524,6 +704,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -47843,7 +48016,7 @@ index ea29513..cd82670 100644 ') optional_policy(` -@@ -531,10 +727,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +728,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -47861,7 +48034,7 @@ index ea29513..cd82670 100644 ') optional_policy(` -@@ -549,6 +752,39 @@ ifdef(`distro_suse',` +@@ -549,6 +753,39 @@ ifdef(`distro_suse',` ') ') 
@@ -47901,7 +48074,7 @@ index ea29513..cd82670 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +797,8 @@ optional_policy(` +@@ -561,6 +798,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -47910,7 +48083,7 @@ index ea29513..cd82670 100644 ') optional_policy(` -@@ -577,6 +815,7 @@ optional_policy(` +@@ -577,6 +816,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -47918,7 +48091,7 @@ index ea29513..cd82670 100644 ') optional_policy(` -@@ -589,6 +828,11 @@ optional_policy(` +@@ -589,6 +829,11 @@ optional_policy(` ') optional_policy(` @@ -47930,7 +48103,7 @@ index ea29513..cd82670 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +849,13 @@ optional_policy(` +@@ -605,9 +850,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -47944,7 +48117,7 @@ index ea29513..cd82670 100644 ') optional_policy(` -@@ -649,6 +897,11 @@ optional_policy(` +@@ -649,6 +898,11 @@ optional_policy(` ') optional_policy(` @@ -47956,7 +48129,7 @@ index ea29513..cd82670 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +959,13 @@ optional_policy(` +@@ -706,7 +960,13 @@ optional_policy(` ') optional_policy(` @@ -47970,7 +48143,7 @@ index ea29513..cd82670 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +988,10 @@ optional_policy(` +@@ -729,6 +989,10 @@ optional_policy(` ') optional_policy(` @@ -47981,7 +48154,7 @@ index ea29513..cd82670 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1001,20 @@ optional_policy(` +@@ -738,10 +1002,20 @@ optional_policy(` ') optional_policy(` @@ -48002,7 +48175,7 @@ index ea29513..cd82670 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1023,10 @@ optional_policy(` +@@ -750,6 +1024,10 @@ optional_policy(` ') optional_policy(` 
@@ -48013,7 +48186,7 @@ index ea29513..cd82670 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1048,6 @@ optional_policy(` +@@ -771,8 +1049,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -48022,7 +48195,7 @@ index ea29513..cd82670 100644 ') optional_policy(` -@@ -781,14 +1056,21 @@ optional_policy(` +@@ -781,14 +1057,21 @@ optional_policy(` ') optional_policy(` @@ -48044,7 +48217,7 @@ index ea29513..cd82670 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -810,11 +1092,19 @@ optional_policy(` +@@ -810,11 +1093,19 @@ optional_policy(` ') optional_policy(` @@ -48065,7 +48238,7 @@ index ea29513..cd82670 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1114,25 @@ optional_policy(` +@@ -824,6 +1115,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -48091,7 +48264,7 @@ index ea29513..cd82670 100644 ') optional_policy(` -@@ -849,3 +1158,37 @@ optional_policy(` +@@ -849,3 +1159,37 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48270,7 +48443,7 @@ index 8232f91..8897e32 100644 + allow ipsec_mgmt_t $1:dbus send_msg; +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 98d6081..ba4b965 100644 +index 98d6081..c214645 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -73,7 +73,7 @@ role system_r types setkey_t; 
@@ -48303,6 +48476,26 @@ index 98d6081..ba4b965 100644 allow ipsec_mgmt_t ipsec_t:process sigchld; kernel_read_kernel_sysctls(ipsec_t) +@@ -127,13 +128,13 @@ corecmd_exec_bin(ipsec_t) + + # Pluto needs network access + corenet_all_recvfrom_unlabeled(ipsec_t) +-corenet_tcp_sendrecv_all_if(ipsec_t) +-corenet_raw_sendrecv_all_if(ipsec_t) +-corenet_tcp_sendrecv_all_nodes(ipsec_t) +-corenet_raw_sendrecv_all_nodes(ipsec_t) ++corenet_tcp_sendrecv_generic_if(ipsec_t) ++corenet_raw_sendrecv_generic_if(ipsec_t) ++corenet_tcp_sendrecv_generic_node(ipsec_t) ++corenet_raw_sendrecv_generic_node(ipsec_t) + corenet_tcp_sendrecv_all_ports(ipsec_t) +-corenet_tcp_bind_all_nodes(ipsec_t) +-corenet_udp_bind_all_nodes(ipsec_t) ++corenet_tcp_bind_generic_node(ipsec_t) ++corenet_udp_bind_generic_node(ipsec_t) + corenet_tcp_bind_reserved_port(ipsec_t) + corenet_tcp_bind_isakmp_port(ipsec_t) + corenet_udp_bind_isakmp_port(ipsec_t) @@ -150,6 +151,7 @@ domain_use_interactive_fds(ipsec_t) files_list_tmp(ipsec_t) files_read_etc_files(ipsec_t) @@ -48421,6 +48614,25 @@ index 98d6081..ba4b965 100644 nscd_socket_use(ipsec_mgmt_t) ') +@@ -352,12 +390,12 @@ corecmd_exec_shell(racoon_t) + corecmd_exec_bin(racoon_t) + + corenet_all_recvfrom_unlabeled(racoon_t) +-corenet_tcp_sendrecv_all_if(racoon_t) +-corenet_udp_sendrecv_all_if(racoon_t) +-corenet_tcp_sendrecv_all_nodes(racoon_t) +-corenet_udp_sendrecv_all_nodes(racoon_t) +-corenet_tcp_bind_all_nodes(racoon_t) +-corenet_udp_bind_all_nodes(racoon_t) ++corenet_tcp_sendrecv_generic_if(racoon_t) ++corenet_udp_sendrecv_generic_if(racoon_t) ++corenet_tcp_sendrecv_generic_node(racoon_t) ++corenet_udp_sendrecv_generic_node(racoon_t) ++corenet_tcp_bind_generic_node(racoon_t) ++corenet_udp_bind_generic_node(racoon_t) + corenet_udp_bind_isakmp_port(racoon_t) + corenet_udp_bind_ipsecnat_port(racoon_t) + @@ -386,6 +424,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) 
@@ -48486,7 +48698,7 @@ index 5c94dfe..59bfb17 100644 ######################################## diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index a3fdcb3..96b3872 100644 +index a3fdcb3..3240adf 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -13,9 +13,6 @@ role system_r types iptables_t; @@ -48541,7 +48753,8 @@ index a3fdcb3..96b3872 100644 domain_use_interactive_fds(iptables_t) files_read_etc_files(iptables_t) - files_read_etc_runtime_files(iptables_t) +-files_read_etc_runtime_files(iptables_t) ++files_rw_etc_runtime_files(iptables_t) +files_read_usr_files(iptables_t) auth_use_nsswitch(iptables_t) @@ -49150,7 +49363,7 @@ index 2b7e5f3..76b4ce1 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 571599b..7e33883 100644 +index 571599b..8a12739 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,11 @@ 
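Review bot: Replacing `files_read_etc_runtime_files(iptables_t)` with `files_rw_etc_runtime_files(iptables_t)` in the iptables.te hunk grants write access to every etc_runtime_t file, and the changelog in this same patch says /etc/securetty is now labeled etc_runtime_t, so iptables_t gains write access to that file as a side effect. Neither the hunk nor the changelog says which etc_runtime_t file iptables actually writes; a comment naming it, `# iptables writes <file: fill in> (etc_runtime_t)`, would let a later reviewer decide whether a narrower type is warranted. If the write target is only one file, a dedicated type would avoid coupling it to the securetty relabel.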
@@ -49173,7 +49386,23 @@ index 571599b..7e33883 100644 /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) ifdef(`distro_suse', ` -@@ -54,18 +60,24 @@ ifdef(`distro_redhat',` +@@ -37,13 +43,14 @@ ifdef(`distro_suse', ` + + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) + /var/log/.* gen_context(system_u:object_r:var_log_t,s0) ++/var/log/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +-/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) ++/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) + + ifndef(`distro_gentoo',` + /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +@@ -54,18 +61,24 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') 
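Review bot: In the logging.fc hunk `/var/log/syslog-ng(/.*)?` is raised to mls_systemhigh but keeps the type syslogd_var_run_t, while every other SystemHigh entry in the same block is var_log_t or auditd_log_t, and a later hunk in this patch labels `/var/run/syslog-ng(/.*)?` with the same type at s0. If a run-time type on a log directory at SystemHigh is intended, a comment above the line, `# syslog-ng keeps its persistent state here; SystemHigh like the other logs`, would make that explicit; otherwise the type looks like the thing to revisit rather than the level.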
@@ -49188,13 +49417,15 @@ index 571599b..7e33883 100644 /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) - /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +-/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) ++/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) - /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) +-/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) ++/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -50239,7 +50470,7 @@ index 8b5c196..6dc92dd 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..e7aff81 100644 +index 15832c7..00f5ea9 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -50429,7 +50660,7 @@ index 15832c7..e7aff81 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,10 +212,13 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +212,29 @@ ifdef(`distro_ubuntu',` ') ') 
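Review bot: This hunk fixes the regex escaping for `/var/spool/plymouth/boot\.log` but leaves `/var/run/syslog-ng.ctl` on the new side with an unescaped dot, so the pattern still matches any character in that position. For consistency with the rest of the file the line should read `/var/run/syslog-ng\.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)`. The level change on `/var/run/syslogd\.pid` to mls_systemhigh matches the `/var/log` entries in the previous hunk.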
@@ -50443,6 +50674,30 @@ index 15832c7..e7aff81 100644 ') optional_policy(` + # for nfs + corenet_all_recvfrom_unlabeled(mount_t) + corenet_all_recvfrom_netlabel(mount_t) +- corenet_tcp_sendrecv_all_if(mount_t) +- corenet_raw_sendrecv_all_if(mount_t) +- corenet_udp_sendrecv_all_if(mount_t) +- corenet_tcp_sendrecv_all_nodes(mount_t) +- corenet_raw_sendrecv_all_nodes(mount_t) +- corenet_udp_sendrecv_all_nodes(mount_t) ++ corenet_tcp_sendrecv_generic_if(mount_t) ++ corenet_raw_sendrecv_generic_if(mount_t) ++ corenet_udp_sendrecv_generic_if(mount_t) ++ corenet_tcp_sendrecv_generic_node(mount_t) ++ corenet_raw_sendrecv_generic_node(mount_t) ++ corenet_udp_sendrecv_generic_node(mount_t) + corenet_tcp_sendrecv_all_ports(mount_t) + corenet_udp_sendrecv_all_ports(mount_t) +- corenet_tcp_bind_all_nodes(mount_t) +- corenet_udp_bind_all_nodes(mount_t) ++ corenet_tcp_bind_generic_node(mount_t) ++ corenet_udp_bind_generic_node(mount_t) + corenet_tcp_bind_generic_port(mount_t) + corenet_udp_bind_generic_port(mount_t) + corenet_tcp_bind_reserved_port(mount_t) @@ -174,6 +248,8 @@ optional_policy(` fs_search_rpc(mount_t) @@ -51134,7 +51389,7 @@ index 170e2c7..540a936 100644 +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..c3dc5ba 100644 +index 7ed9819..293555e 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -51403,7 +51658,7 @@ index 7ed9819..c3dc5ba 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -487,118 +487,64 @@ ifdef(`distro_debian',` +@@ -487,118 +487,69 @@ ifdef(`distro_debian',` files_read_var_lib_symlinks(semanage_t) ') 
@@ -51481,44 +51736,49 @@ index 7ed9819..c3dc5ba 100644 - -# this is to satisfy the assertion: -auth_relabelto_shadow(setfiles_t) -- ++init_dontaudit_use_fds(setsebool_t) + -init_use_fds(setfiles_t) -init_use_script_fds(setfiles_t) -init_use_script_ptys(setfiles_t) -init_exec_script_files(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - --logging_send_syslog_msg(setfiles_t) +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) --miscfiles_read_localization(setfiles_t) +-logging_send_syslog_msg(setfiles_t) - --seutil_libselinux_linked(setfiles_t) +-miscfiles_read_localization(setfiles_t) +######################################## +# +# Setfiles local policy +# --userdom_use_all_users_fds(setfiles_t) --# for config files in a home directory --userdom_read_user_home_content_files(setfiles_t) +-seutil_libselinux_linked(setfiles_t) +seutil_setfiles(setfiles_t) +# During boot in Rawhide +term_use_generic_ptys(setfiles_t) +-userdom_use_all_users_fds(setfiles_t) +-# for config files in a home directory +-userdom_read_user_home_content_files(setfiles_t) ++seutil_setfiles(setfiles_mac_t) ++allow setfiles_mac_t self:capability2 mac_admin; ++kernel_relabelto_unlabeled(setfiles_mac_t) + -ifdef(`distro_debian',` - # udev tmpfs is populated with static device nodes - # and then relabeled afterwards; thus - # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t) --') -+seutil_setfiles(setfiles_mac_t) -+allow setfiles_mac_t self:capability2 mac_admin; -+kernel_relabelto_unlabeled(setfiles_mac_t) ++optional_policy(` ++ files_dontaudit_write_isid_chr_files(setfiles_mac_t) ++ livecd_dontaudit_leaks(setfiles_mac_t) ++ livecd_rw_tmp_files(setfiles_mac_t) ++ dev_dontaudit_write_all_chr_files(setfiles_mac_t) + ') -ifdef(`distro_redhat', ` - fs_rw_tmpfs_chr_files(setfiles_t) 
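Review bot: The relocated `optional_policy` block for setfiles_mac_t at the end of this selinuxutil.te hunk mixes two base-module dontaudit calls, `files_dontaudit_write_isid_chr_files(setfiles_mac_t)` and `dev_dontaudit_write_all_chr_files(setfiles_mac_t)`, with the two livecd_* calls, so they presumably only take effect when the livecd module is loaded. If the chr-file dontaudits are meant to apply regardless of livecd, they should move out of the block to sit next to `kernel_relabelto_unlabeled(setfiles_mac_t)`; if they are livecd-specific, a comment on the block saying so would stop the next reader from making that move.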
@@ -51526,10 +51786,8 @@ index 7ed9819..c3dc5ba 100644 - fs_relabel_tmpfs_blk_file(setfiles_t) - fs_relabel_tmpfs_chr_file(setfiles_t) +optional_policy(` -+ files_dontaudit_write_isid_chr_files(setfiles_mac_t) -+ livecd_dontaudit_leaks(setfiles_mac_t) -+ livecd_rw_tmp_files(setfiles_mac_t) -+ dev_dontaudit_write_all_chr_files(setfiles_mac_t) ++ devicekit_dontaudit_read_pid_files(setfiles_t) ++ devicekit_dontaudit_rw_log(setfiles_t) ') -ifdef(`distro_ubuntu',` @@ -51834,7 +52092,7 @@ index ff80d0a..7f1a21c 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index df32316..6de83ef 100644 +index df32316..e8d03fb 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1) 
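Review bot: The new `devicekit_dontaudit_read_pid_files(setfiles_t)` and `devicekit_dontaudit_rw_log(setfiles_t)` block silences the denials described in the commit message as devicekit leaking file descriptors into setfiles_t, but nothing at the call site says this is masking a descriptor leak rather than granting needed access. A comment such as `# devicekit leaks fds into setfiles_t; silence the noise, do not allow it` would keep a later cleanup from turning the dontaudit into an allow, and gives a hook for removing the block once the leak is fixed upstream.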
@@ -51891,7 +52149,29 @@ index df32316..6de83ef 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -105,11 +120,14 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -91,25 +106,28 @@ corecmd_exec_shell(dhcpc_t)
+
+ corenet_all_recvfrom_unlabeled(dhcpc_t)
+ corenet_all_recvfrom_netlabel(dhcpc_t)
+-corenet_tcp_sendrecv_all_if(dhcpc_t)
+-corenet_raw_sendrecv_all_if(dhcpc_t)
+-corenet_udp_sendrecv_all_if(dhcpc_t)
+-corenet_tcp_sendrecv_all_nodes(dhcpc_t)
+-corenet_raw_sendrecv_all_nodes(dhcpc_t)
+-corenet_udp_sendrecv_all_nodes(dhcpc_t)
++corenet_tcp_sendrecv_generic_if(dhcpc_t)
++corenet_raw_sendrecv_generic_if(dhcpc_t)
++corenet_udp_sendrecv_generic_if(dhcpc_t)
++corenet_tcp_sendrecv_generic_node(dhcpc_t)
++corenet_raw_sendrecv_generic_node(dhcpc_t)
++corenet_udp_sendrecv_generic_node(dhcpc_t)
+ corenet_tcp_sendrecv_all_ports(dhcpc_t)
+ corenet_udp_sendrecv_all_ports(dhcpc_t)
+-corenet_tcp_bind_all_nodes(dhcpc_t)
+-corenet_udp_bind_all_nodes(dhcpc_t)
++corenet_tcp_bind_generic_node(dhcpc_t)
++corenet_udp_bind_generic_node(dhcpc_t)
+ corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
@@ -53407,7 +53687,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..cbc864f 100644
+index 28b88de..3e329c7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -54466,7 +54746,7 @@ index 28b88de..cbc864f 100644
+# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
-+ corenet_tcp_bind_all_nodes($1_usertype)
++ corenet_tcp_bind_generic_node($1_usertype)
- files_exec_usr_files($1_t)
- # cjp: why?
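Review bot: Replacing the `corenet_*_all_if`/`corenet_*_all_nodes` calls for dhcpc_t with the `generic_if`/`generic_node` forms (and, in the userdomain.if hunk at the end of this line, `corenet_tcp_bind_all_nodes($1_usertype)` with `corenet_tcp_bind_generic_node($1_usertype)`) is only a pure deprecation cleanup if the policy defines no interface or node types besides the generic ones: in upstream refpolicy, as I recall, the all_* interfaces grant on the `netif_type`/`node_type` attributes while the generic_* ones grant on `netif_t`/`node_t` alone, so any specifically labelled interface or node would lose dhcpc_t's sendrecv and bind access. Worth confirming against the corenetwork definitions in this tree before relying on the changelog's "should not use deprecated interface" framing, and recording the assumption next to the rules, e.g. `# *_all_nodes/*_all_if are deprecated; generic_* is equivalent here because only node_t/netif_t are defined`. The rest of the dhcpc_t policy lies outside this hunk on both sides.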
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 25ae8fb..7f00daf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,22 @@ exit 0
%endif
%changelog
+* Thu Mar 17 2011 Miroslav Grepl 3.9.16-5
+- devicekit leaks file descriptors to setfiles_t
+- Change all all_nodes to generic_node and all_if to generic_if
+- Should not use deprecated interface
+- Switch from using all_nodes to generic_node and from all_if to generic_if
+- Add support for xfce4-notifyd
+- Fix file context to show several labels as SystemHigh
+- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
+- Add etc_runtime_t label for /etc/securetty
+- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
+- login.krb needs to be able to write user_tmp_t
+- dirsrv needs to bind to port 7390 for dogtag
+- Fix a bug in gpg policy
+- gpg sends audit messages
+- Allow qpid to manage matahari files
+
* Tue Mar 15 2011 Miroslav Grepl 3.9.16-4
- Initial policy for matahari
- Add dev_read_watchdog
