From fcf0156ca32bf2f04756732c31164c9fa7587f29 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 12 2013 09:30:06 +0000 Subject: - Allow ldconfig to write to kdumpctl fifo files - allow neutron to connect to amqp ports - Allow kdump_manage_crash to list the kdump_crash_t directory - Allow glance-api to connect to amqp port - Allow virt_qemu_ga_t to read meminfo - Add antivirus_home_t type for antivirus date in HOMEDIRS - Allow mpd setcap which is needed by pulseaudio - Allow smbcontrol to create content in /var/lib/samba - Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec - Add additional labeling for qemu-ga/fsfreeze-hook.d scripts - amanda_exec_t needs to be executable file - Allow block_suspend cap for samba-net - Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t - Allow init_t to run crash utility - Treat usr_t just like bin_t for transitions and executions - Add port definition of pka_ca to port 829 for openshift - Allow selinux_store to use symlinks --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index da6f779..32c7dd4 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3582,7 +3582,7 @@ index 644d4d7..f9bcd44 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..7f08657 100644 +index 9e9263a..77e6c8c 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ 
@@ -3608,7 +3608,19 @@ index 9e9263a..7f08657 100644 ######################################## ## ## Make the specified type usable for files -@@ -122,6 +138,7 @@ interface(`corecmd_search_bin',` +@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',` + interface(`corecmd_bin_entry_type',` + gen_require(` + type bin_t; ++ type usr_t; + ') + + domain_entry_file($1, bin_t) ++ domain_entry_file($1, usr_t) + ') + + ######################################## +@@ -122,6 +140,7 @@ interface(`corecmd_search_bin',` type bin_t; ') @@ -3616,7 +3628,7 @@ index 9e9263a..7f08657 100644 search_dirs_pattern($1, bin_t, bin_t) ') -@@ -158,6 +175,7 @@ interface(`corecmd_list_bin',` +@@ -158,6 +177,7 @@ interface(`corecmd_list_bin',` type bin_t; ') @@ -3624,7 +3636,7 @@ index 9e9263a..7f08657 100644 list_dirs_pattern($1, bin_t, bin_t) ') -@@ -203,7 +221,7 @@ interface(`corecmd_getattr_bin_files',` +@@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',` ## ## ## @@ -3633,7 +3645,7 @@ index 9e9263a..7f08657 100644 ## ## # -@@ -231,6 +249,7 @@ interface(`corecmd_read_bin_files',` +@@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',` type bin_t; ') @@ -3641,7 +3653,7 @@ index 9e9263a..7f08657 100644 read_files_pattern($1, bin_t, bin_t) ') -@@ -254,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',` +@@ -254,6 +275,24 @@ interface(`corecmd_dontaudit_write_bin_files',` ######################################## ## @@ -3666,7 +3678,7 @@ index 9e9263a..7f08657 100644 ## Read symbolic links in bin directories. ## ## -@@ -285,6 +322,7 @@ interface(`corecmd_read_bin_pipes',` +@@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',` type bin_t; ') @@ -3674,7 +3686,7 @@ index 9e9263a..7f08657 100644 read_fifo_files_pattern($1, bin_t, bin_t) ') -@@ -303,6 +341,7 @@ interface(`corecmd_read_bin_sockets',` +@@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',` type bin_t; ') 
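Review bot: `corecmd_bin_entry_type` now also calls `domain_entry_file($1, usr_t)`, which makes every file carrying the catch-all `usr_t` label a valid entrypoint into each domain that uses this interface, whereas `bin_t` is only applied to paths explicitly listed in file contexts (see the corecommands.fc lines earlier in this diff). A mislabeled or attacker-controlled file anywhere under /usr that falls back to usr_t would therefore satisfy the entrypoint check for those domains, so the widening deserves to be recorded in the interface rather than only in the changelog. I would add a comment on the new line, `# usr_t is accepted as an entrypoint alongside bin_t (Fedora: executables under /usr may carry the default label)`, and confirm that no file context in this patch labels a writable location as usr_t.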
@@ -3682,7 +3694,7 @@ index 9e9263a..7f08657 100644 read_sock_files_pattern($1, bin_t, bin_t) ') -@@ -345,6 +384,10 @@ interface(`corecmd_exec_bin',` +@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',` read_lnk_files_pattern($1, bin_t, bin_t) list_dirs_pattern($1, bin_t, bin_t) can_exec($1, bin_t) @@ -3693,7 +3705,7 @@ index 9e9263a..7f08657 100644 ') ######################################## -@@ -362,6 +405,7 @@ interface(`corecmd_manage_bin_files',` +@@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',` type bin_t; ') @@ -3701,7 +3713,7 @@ index 9e9263a..7f08657 100644 manage_files_pattern($1, bin_t, bin_t) ') -@@ -398,6 +442,7 @@ interface(`corecmd_mmap_bin_files',` +@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',` type bin_t; ') @@ -3709,7 +3721,7 @@ index 9e9263a..7f08657 100644 mmap_files_pattern($1, bin_t, bin_t) ') -@@ -440,10 +485,14 @@ interface(`corecmd_mmap_bin_files',` +@@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',` interface(`corecmd_bin_spec_domtrans',` gen_require(` type bin_t; @@ -3724,7 +3736,7 @@ index 9e9263a..7f08657 100644 ') ######################################## -@@ -483,10 +532,12 @@ interface(`corecmd_bin_spec_domtrans',` +@@ -483,10 +534,12 @@ interface(`corecmd_bin_spec_domtrans',` interface(`corecmd_bin_domtrans',` gen_require(` type bin_t; @@ -3737,7 +3749,7 @@ index 9e9263a..7f08657 100644 ') ######################################## -@@ -945,6 +996,7 @@ interface(`corecmd_shell_domtrans',` +@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',` interface(`corecmd_exec_chroot',` gen_require(` type chroot_exec_t; @@ -3745,7 +3757,7 @@ index 9e9263a..7f08657 100644 ') read_lnk_files_pattern($1, bin_t, bin_t) -@@ -954,6 +1006,24 @@ interface(`corecmd_exec_chroot',` +@@ -954,6 +1008,24 @@ interface(`corecmd_exec_chroot',` ######################################## ## 
@@ -3770,7 +3782,7 @@ index 9e9263a..7f08657 100644 ## Get the attributes of all executable files. ## ## -@@ -1012,6 +1082,10 @@ interface(`corecmd_exec_all_executables',` +@@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',` can_exec($1, exec_type) list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, exec_type) @@ -3781,7 +3793,7 @@ index 9e9263a..7f08657 100644 ') ######################################## -@@ -1049,6 +1123,7 @@ interface(`corecmd_manage_all_executables',` +@@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -3789,7 +3801,7 @@ index 9e9263a..7f08657 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -@@ -1091,3 +1166,36 @@ interface(`corecmd_mmap_all_executables',` +@@ -1091,3 +1168,36 @@ interface(`corecmd_mmap_all_executables',` mmap_files_pattern($1, bin_t, exec_type) ') @@ -5411,7 +5423,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..cbc0e69 100644 +index 4edc40d..836d056 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5641,7 +5653,7 @@ index 4edc40d..cbc0e69 100644 network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) -+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0) ++network_port(pki_ca, tcp, 829, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0) +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0) @@ -27634,7 +27646,7 @@ index 24e7804..c4155c7 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') 
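Review bot: Adding 829/tcp to `pki_ca` means every domain already allowed to bind or connect to the pki_ca port type (9180, 9701, 9443-9447) silently gains the same access to 829, and the changelog line refers to `pka_ca`, which does not match the `pki_ca` definition actually changed here. If the OpenShift component only needs to connect, a dedicated port type would keep the grant scoped to it; otherwise a comment on the line, `# 829/tcp added for openshift (see changelog)`, would at least document why a non-contiguous port was merged into this type.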
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..b717a9e 100644 +index dd3be8d..729cc4f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27875,7 +27887,7 @@ index dd3be8d..b717a9e 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +274,182 @@ ifdef(`distro_gentoo',` +@@ -186,29 +274,186 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -27902,20 +27914,24 @@ index dd3be8d..b717a9e 100644 +storage_raw_rw_fixed_disk(init_t) + +optional_policy(` ++ kdump_read_crash(init_t) ++') ++ ++optional_policy(` + gnome_filetrans_home_content(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) - ') - - optional_policy(` -+ modutils_domtrans_insmod(init_t) -+ modutils_list_module_config(init_t) +') + +optional_policy(` ++ modutils_domtrans_insmod(init_t) ++ modutils_list_module_config(init_t) + ') + + optional_policy(` +- auth_rw_login_records(init_t) + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_aliases(init_t) @@ -28039,9 +28055,9 @@ index dd3be8d..b717a9e 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + consolekit_manage_log(init_t) +') + 
@@ -28049,24 +28065,24 @@ index dd3be8d..b717a9e 100644 + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) ') optional_policy(` -@@ -216,7 +457,29 @@ optional_policy(` +@@ -216,7 +461,29 @@ optional_policy(` ') optional_policy(` @@ -28096,7 +28112,7 @@ index dd3be8d..b717a9e 100644 ') ######################################## -@@ -225,8 +488,9 @@ optional_policy(` +@@ -225,8 +492,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28108,7 +28124,7 @@ index dd3be8d..b717a9e 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +521,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +525,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28125,7 +28141,7 @@ index dd3be8d..b717a9e 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +550,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -28168,7 +28184,7 @@ index dd3be8d..b717a9e 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +583,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +587,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28180,7 +28196,7 @@ index dd3be8d..b717a9e 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +595,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +599,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28191,7 +28207,7 @@ index dd3be8d..b717a9e 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +606,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +610,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28201,7 +28217,7 @@ index dd3be8d..b717a9e 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +615,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +619,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28209,7 +28225,7 @@ index dd3be8d..b717a9e 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +626,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -28217,7 +28233,7 @@ index dd3be8d..b717a9e 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +630,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +634,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28235,7 +28251,7 @@ index dd3be8d..b717a9e 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +648,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +652,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28249,7 +28265,7 @@ index dd3be8d..b717a9e 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +663,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +667,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28263,7 +28279,7 @@ index dd3be8d..b717a9e 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +676,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +680,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -28271,7 +28287,7 @@ index dd3be8d..b717a9e 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +688,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +692,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28279,7 +28295,7 @@ index dd3be8d..b717a9e 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +707,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +711,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) 
@@ -28303,7 +28319,7 @@ index dd3be8d..b717a9e 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +740,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +744,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28311,7 +28327,7 @@ index dd3be8d..b717a9e 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +774,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +778,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28322,7 +28338,7 @@ index dd3be8d..b717a9e 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +798,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +802,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28331,7 +28347,7 @@ index dd3be8d..b717a9e 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +813,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +817,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -28339,7 +28355,7 @@ index dd3be8d..b717a9e 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +834,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +838,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28347,7 +28363,7 @@ index dd3be8d..b717a9e 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +844,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +848,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28392,7 +28408,7 @@ index dd3be8d..b717a9e 100644 ') optional_policy(` -@@ -558,14 +889,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +893,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -28424,7 +28440,7 @@ index dd3be8d..b717a9e 100644 ') ') -@@ -576,6 +924,39 @@ ifdef(`distro_suse',` +@@ -576,6 +928,39 @@ ifdef(`distro_suse',` ') ') @@ -28464,7 +28480,7 @@ index dd3be8d..b717a9e 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +969,8 @@ optional_policy(` +@@ -588,6 +973,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28473,7 +28489,7 @@ index dd3be8d..b717a9e 100644 ') optional_policy(` -@@ -609,6 +992,7 @@ optional_policy(` +@@ -609,6 +996,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28481,7 +28497,7 @@ index dd3be8d..b717a9e 100644 ') optional_policy(` -@@ -625,6 +1009,17 @@ optional_policy(` +@@ -625,6 +1013,17 @@ optional_policy(` ') optional_policy(` @@ -28499,7 +28515,7 @@ index dd3be8d..b717a9e 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1036,13 @@ optional_policy(` +@@ -641,9 +1040,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -28513,7 +28529,7 @@ index dd3be8d..b717a9e 100644 ') optional_policy(` -@@ -656,15 +1055,11 @@ optional_policy(` +@@ -656,15 +1059,11 @@ optional_policy(` ') optional_policy(` @@ -28531,7 +28547,7 @@ index dd3be8d..b717a9e 100644 ') optional_policy(` -@@ -685,6 +1080,15 @@ optional_policy(` +@@ -685,6 +1084,15 @@ optional_policy(` ') optional_policy(` @@ -28547,7 +28563,7 @@ index dd3be8d..b717a9e 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1129,7 @@ optional_policy(` +@@ -725,6 +1133,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28555,7 +28571,7 @@ index dd3be8d..b717a9e 100644 ') optional_policy(` -@@ -742,7 +1147,13 @@ optional_policy(` +@@ -742,7 +1151,13 @@ optional_policy(` ') optional_policy(` 
@@ -28570,7 +28586,7 @@ index dd3be8d..b717a9e 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1176,10 @@ optional_policy(` +@@ -765,6 +1180,10 @@ optional_policy(` ') optional_policy(` @@ -28581,7 +28597,7 @@ index dd3be8d..b717a9e 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1189,20 @@ optional_policy(` +@@ -774,10 +1193,20 @@ optional_policy(` ') optional_policy(` @@ -28602,7 +28618,7 @@ index dd3be8d..b717a9e 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1211,10 @@ optional_policy(` +@@ -786,6 +1215,10 @@ optional_policy(` ') optional_policy(` @@ -28613,7 +28629,7 @@ index dd3be8d..b717a9e 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1236,6 @@ optional_policy(` +@@ -807,8 +1240,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -28622,7 +28638,7 @@ index dd3be8d..b717a9e 100644 ') optional_policy(` -@@ -817,6 +1244,10 @@ optional_policy(` +@@ -817,6 +1248,10 @@ optional_policy(` ') optional_policy(` @@ -28633,7 +28649,7 @@ index dd3be8d..b717a9e 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1257,12 @@ optional_policy(` +@@ -826,10 +1261,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -28646,7 +28662,7 @@ index dd3be8d..b717a9e 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1289,28 @@ optional_policy(` +@@ -856,12 +1293,28 @@ optional_policy(` ') optional_policy(` @@ -28676,7 +28692,7 @@ index dd3be8d..b717a9e 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1320,18 @@ optional_policy(` +@@ -871,6 +1324,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -28695,7 +28711,7 @@ index dd3be8d..b717a9e 100644 ') optional_policy(` -@@ -886,6 +1347,10 @@ optional_policy(` +@@ -886,6 +1351,10 @@ optional_policy(` ') optional_policy(` 
@@ -28706,7 +28722,7 @@ index dd3be8d..b717a9e 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1361,196 @@ optional_policy(` +@@ -896,3 +1365,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -28953,10 +28969,10 @@ index 662e79b..ef9370d 100644 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..a89c4a2 100644 +index 0d4c8d3..f133407 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if -@@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',` +@@ -55,6 +55,63 @@ interface(`ipsec_domtrans_mgmt',` domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) ') @@ -29008,18 +29024,19 @@ index 0d4c8d3..a89c4a2 100644 +# +interface(`ipsec_mgmt_read_pid',` + gen_require(` ++ type ipsec_var_run_t; + type ipsec_mgmt_var_run_t; + ') + + files_search_pids($1) -+ read_files_pattern($1, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t) ++ read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t) +') + + ######################################## ## ## Connect to racoon using a unix domain stream socket. -@@ -120,7 +176,6 @@ interface(`ipsec_exec_mgmt',` +@@ -120,7 +177,6 @@ interface(`ipsec_exec_mgmt',` ## ## # @@ -29027,7 +29044,7 @@ index 0d4c8d3..a89c4a2 100644 interface(`ipsec_signal_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -139,7 +194,6 @@ interface(`ipsec_signal_mgmt',` +@@ -139,7 +195,6 @@ interface(`ipsec_signal_mgmt',` ## ## # @@ -29035,7 +29052,7 @@ index 0d4c8d3..a89c4a2 100644 interface(`ipsec_signull_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -158,7 +212,6 @@ interface(`ipsec_signull_mgmt',` +@@ -158,7 +213,6 @@ interface(`ipsec_signull_mgmt',` ## ## # 
@@ -29043,7 +29060,7 @@ index 0d4c8d3..a89c4a2 100644 interface(`ipsec_kill_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -167,6 +220,60 @@ interface(`ipsec_kill_mgmt',` +@@ -167,6 +221,60 @@ interface(`ipsec_kill_mgmt',` allow $1 ipsec_mgmt_t:process sigkill; ') @@ -29104,7 +29121,7 @@ index 0d4c8d3..a89c4a2 100644 ###################################### ## ## Send and receive messages from -@@ -225,6 +332,7 @@ interface(`ipsec_match_default_spd',` +@@ -225,6 +333,7 @@ interface(`ipsec_match_default_spd',` allow $1 ipsec_spd_t:association polmatch; allow $1 self:association sendto; @@ -29112,7 +29129,7 @@ index 0d4c8d3..a89c4a2 100644 ') ######################################## -@@ -369,3 +477,26 @@ interface(`ipsec_run_setkey',` +@@ -369,3 +478,26 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -29140,7 +29157,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..788c774 100644 +index 9e54bf9..5975418 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -29263,8 +29280,11 @@ index 9e54bf9..788c774 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -210,10 +228,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +@@ -208,12 +226,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) + + allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) ++filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) +manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) 
@@ -29276,7 +29296,7 @@ index 9e54bf9..788c774 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +265,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +266,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -29293,7 +29313,7 @@ index 9e54bf9..788c774 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +284,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +285,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -29302,7 +29322,7 @@ index 9e54bf9..788c774 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +309,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +310,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -29314,7 +29334,7 @@ index 9e54bf9..788c774 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +322,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +323,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -29338,7 +29358,7 @@ index 9e54bf9..788c774 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +357,10 @@ optional_policy(` +@@ -322,6 +358,10 @@ optional_policy(` ') optional_policy(` @@ -29349,7 +29369,7 @@ index 9e54bf9..788c774 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +374,7 @@ optional_policy(` +@@ -335,7 +375,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; 
@@ -29358,7 +29378,7 @@ index 9e54bf9..788c774 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +409,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +410,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -29378,7 +29398,7 @@ index 9e54bf9..788c774 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +439,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +440,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -29391,7 +29411,7 @@ index 9e54bf9..788c774 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +477,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 4595712..bcccef1 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2023,16 +2023,17 @@ index 7f4dfbc..4d750fa 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index ed45974..cd5a4fa 100644 +index ed45974..d4df671 100644 --- a/amanda.te +++ b/amanda.te -@@ -9,11 +9,13 @@ attribute_role amanda_recover_roles; +@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; roleattribute system_r amanda_recover_roles; type amanda_t; +type amanda_exec_t; type amanda_inetd_exec_t; -inetd_service_domain(amanda_t, amanda_inetd_exec_t) ++application_executable_file(amanda_exec_t) +init_daemon_domain(amanda_t, amanda_inetd_exec_t) +role system_r types amanda_t; 
@@ -2043,7 +2044,7 @@ index ed45974..cd5a4fa 100644 type amanda_log_t; logging_log_file(amanda_log_t) -@@ -60,7 +62,7 @@ optional_policy(` +@@ -60,7 +63,7 @@ optional_policy(` # allow amanda_t self:capability { chown dac_override setuid kill }; @@ -2052,7 +2053,7 @@ index ed45974..cd5a4fa 100644 allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; allow amanda_t self:tcp_socket { accept listen }; -@@ -71,6 +73,7 @@ allow amanda_t amanda_config_t:file read_file_perms; +@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms; manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) @@ -2060,7 +2061,7 @@ index ed45974..cd5a4fa 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,13 +103,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2076,7 +2077,7 @@ index ed45974..cd5a4fa 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -170,7 +174,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +175,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2084,7 +2085,7 @@ index ed45974..cd5a4fa 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +198,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +199,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -2682,10 +2683,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..e10fe0d +index 0000000..fd48ed9 --- /dev/null 
+++ b/antivirus.te -@@ -0,0 +1,261 @@ +@@ -0,0 +1,269 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2740,6 +2741,9 @@ index 0000000..e10fe0d +typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t }; +files_type(antivirus_db_t) + ++type antivirus_home_t; ++userdom_user_home_content(antivirus_home_t) ++ +type antivirus_tmp_t; +typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t }; +files_tmp_file(antivirus_tmp_t) @@ -2766,6 +2770,11 @@ index 0000000..e10fe0d +manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t) +manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t) + ++manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) ++manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) ++manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) ++manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) ++ +manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) @@ -25155,7 +25164,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..95cf77c 100644 +index e0a4f46..16dcb5b 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -25236,7 +25245,7 @@ index e0a4f46..95cf77c 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) 
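Review bot: `antivirus_home_t` is declared as user home content and the following hunk gives every `antivirus_domain` full manage rights on it, but no file transition is added, so files the daemons create under a home directory will inherit the parent directory's label rather than antivirus_home_t unless a matching antivirus.fc entry exists and a relabel is run; the .fc side is not in this chunk, so I cannot tell whether it does. If the daemons are expected to create the directory themselves, something like `userdom_user_home_dir_filetrans(antivirus_domain, antivirus_home_t, dir, "<dirname>")` with the concrete directory name would make the labelling hold without restorecon. A comment above `type antivirus_home_t;` naming which scanner keeps its databases in $HOME would also help, since the changelog entry ("antivirus date in HOMEDIRS") is the only rationale and itself has a typo.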
@@ -25249,6 +25258,7 @@ index e0a4f46..95cf77c 100644 +corenet_tcp_bind_glance_port(glance_api_t) corenet_sendrecv_glance_registry_client_packets(glance_api_t) ++corenet_tcp_connect_amqp_port(glance_api_t) corenet_tcp_connect_glance_registry_port(glance_api_t) +corenet_tcp_connect_mysqld_port(glance_api_t) +corenet_tcp_connect_http_port(glance_api_t) @@ -31888,7 +31898,7 @@ index a49ae4e..913a0e3 100644 -/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) +/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..7cc27b6 100644 +index 3a00b3a..dd70d05 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -31959,7 +31969,7 @@ index 3a00b3a..7cc27b6 100644 ## ## ## -@@ -56,10 +100,67 @@ interface(`kdump_read_config',` +@@ -56,10 +100,68 @@ interface(`kdump_read_config',` allow $1 kdump_etc_t:file read_file_perms; ') @@ -31980,7 +31990,7 @@ index 3a00b3a..7cc27b6 100644 + + files_search_var($1) + read_files_pattern($1, kdump_crash_t, kdump_crash_t) -+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) ++ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) +') + + @@ -32001,6 +32011,7 @@ index 3a00b3a..7cc27b6 100644 + + files_search_var($1) + manage_files_pattern($1, kdump_crash_t, kdump_crash_t) ++ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) +') + +##################################### @@ -32029,7 +32040,7 @@ index 3a00b3a..7cc27b6 100644 ## ## ## -@@ -76,10 +177,31 @@ interface(`kdump_manage_config',` +@@ -76,10 +178,32 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') @@ -32051,6 +32062,7 @@ index 3a00b3a..7cc27b6 100644 + files_search_tmp($1) + manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) + manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) ++ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) + manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) +') + 
@@ -32063,7 +32075,7 @@ index 3a00b3a..7cc27b6 100644 ## ## ## -@@ -88,19 +210,24 @@ interface(`kdump_manage_config',` +@@ -88,19 +212,24 @@ interface(`kdump_manage_config',` ## ## ## @@ -32093,7 +32105,7 @@ index 3a00b3a..7cc27b6 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -110,6 +237,10 @@ interface(`kdump_admin',` +@@ -110,6 +239,10 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) @@ -39189,7 +39201,7 @@ index 6ffaba2..154cade 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..f1a5676 100644 +index 6194b80..bb32d40 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -39475,7 +39487,7 @@ index 6194b80..f1a5676 100644 ## ## ## -@@ -265,140 +173,152 @@ interface(`mozilla_exec_user_plugin_home_files',` +@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',` ## # interface(`mozilla_execmod_user_home_files',` @@ -39537,6 +39549,7 @@ index 6194b80..f1a5676 100644 - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_exec_t, mozilla_t) ++ domain_entry_file($2, mozilla_exec_t) + domtrans_pattern($1, mozilla_exec_t, $2) ') @@ -39688,7 +39701,7 @@ index 6194b80..f1a5676 100644 ') ######################################## -@@ -424,8 +344,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -39698,7 +39711,7 @@ index 6194b80..f1a5676 100644 ## ## ## -@@ -433,76 +352,126 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -39854,7 +39867,7 @@ index 6194b80..f1a5676 100644 ## ## ## -@@ -510,19 +479,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # 
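Review bot: The added `domain_entry_file($2, mozilla_exec_t)` sits directly before `domtrans_pattern($1, mozilla_exec_t, $2)`, which, if it expands as in refpolicy, already gives $2 the entrypoint permission on mozilla_exec_t; what the new line actually adds is that $2 may itself read, execute and mmap mozilla_exec_t and that mozilla_exec_t gets the entry_type attribute. Without a why-comment the next reader is likely to drop it as redundant, so record the reason, e.g. `# $2 executes mozilla_exec_t itself, so exec/mmap on it is needed in addition to entrypoint`. That $2 re-executes the binary is inferred from the changelog entry, not from the hunk, so confirm and word the comment accordingly. The interface header and its parameter documentation are outside the hunk.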
@@ -39879,7 +39892,7 @@ index 6194b80..f1a5676 100644 ## ## ## -@@ -530,45 +498,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +499,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -41035,10 +41048,10 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..2f41af9 100644 +index 7c8afcc..29d8881 100644 --- a/mpd.te +++ b/mpd.te -@@ -62,6 +62,9 @@ files_type(mpd_var_lib_t) +@@ -62,18 +62,22 @@ files_type(mpd_var_lib_t) type mpd_user_data_t; userdom_user_home_content(mpd_user_data_t) # customizable @@ -41048,7 +41061,13 @@ index 7c8afcc..2f41af9 100644 ######################################## # # Local policy -@@ -74,6 +77,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; + # + + allow mpd_t self:capability { dac_override kill setgid setuid }; +-allow mpd_t self:process { getsched setsched setrlimit signal signull }; ++allow mpd_t self:process { getsched setsched setrlimit signal signull setcap }; + allow mpd_t self:fifo_file rw_fifo_file_perms; + allow mpd_t self:unix_stream_socket { accept connectto listen }; allow mpd_t self:unix_dgram_socket sendto; allow mpd_t self:tcp_socket { accept listen }; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -66565,10 +66584,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..80a4b99 100644 +index 769d1fd..801835e 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,108 @@ +@@ -1,96 +1,109 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) @@ -66678,6 +66697,7 @@ index 769d1fd..80a4b99 100644 -dev_read_urand(quantum_t) +corenet_tcp_bind_quantum_port(neutron_t) +corenet_tcp_connect_keystone_port(neutron_t) ++corenet_tcp_connect_amqp_port(neutron_t) +corenet_tcp_connect_mysqld_port(neutron_t) -files_read_usr_files(quantum_t) 
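Review bot: The `setcap` added to `allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };` deserves a comment, because a reader can easily take it for a privilege escalation: process:setcap only lets the process adjust its own capability sets, and what mpd_t may actually exercise is still bounded by the `allow mpd_t self:capability { dac_override kill setgid setuid };` line just above it. Suggested: `# setcap: the pulseaudio client library adjusts its capability sets; usable capabilities stay limited by the self:capability rule above`. The "needed by pulseaudio" reason currently lives only in the spec %changelog and is better kept at the rule.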
@@ -76527,7 +76547,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..d48911d 100644 +index 57c034b..b1c78f8 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -77214,7 +77234,7 @@ index 57c034b..d48911d 100644 ') optional_policy(` -@@ -600,17 +600,24 @@ optional_policy(` +@@ -600,19 +600,26 @@ optional_policy(` ######################################## # @@ -77241,8 +77261,11 @@ index 57c034b..d48911d 100644 +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) - samba_rw_var_files(smbcontrol_t) +-samba_rw_var_files(smbcontrol_t) ++manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) samba_search_var(smbcontrol_t) + samba_read_winbind_pid(smbcontrol_t) + @@ -620,16 +627,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -90698,10 +90721,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..b81eaa0 100644 +index c30da4c..459fbcf 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,86 @@ +@@ -1,52 +1,91 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
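Review bot: Replacing `samba_rw_var_files(smbcontrol_t)` with `manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)` gives smbcontrol create, unlink and rename over everything labeled samba_var_t, which is wider than the "create content in /var/lib/samba" the change is for; if the file it creates can be confined to a subdirectory or a dedicated type, a filetrans onto that type would keep the rest of /var/lib/samba at read/write. As manage_files_pattern normally also grants rw_dir_perms on the directory type, the `samba_search_var(smbcontrol_t)` line kept right below it is presumably redundant now (its definition is not visible here). The smbcontrol_t section continues outside the hunk.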
@@ -90765,18 +90788,18 @@ index c30da4c..b81eaa0 100644 -/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) -- --/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) --/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) --/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -- --/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +- +-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +- -/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) 
@@ -90816,16 +90839,21 @@ index c30da4c..b81eaa0 100644 +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + -+/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) ++/etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) +/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) ++/var/run/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) ++ ++/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) + +/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) ++ +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) ++ +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if index 9dec06c..4e31afe 100644 @@ -92515,7 +92543,7 @@ index 9dec06c..4e31afe 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..76ccef3 100644 +index 1f22fba..348df8f 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ 
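Review bot: The two new file contexts label `/etc/qemu-ga/fsfreeze-hook.d(/.*)?` and `/var/run/qemu-ga/fsfreeze-hook.d(/.*)?` as virt_qemu_ga_unconfined_exec_t, i.e. judging by the type name as entrypoints into an unconfined domain, and /var/run is a runtime-writable location. That is only acceptable if no domain besides the guest agent and the administrator can create or relabel files under /var/run/qemu-ga, which should be checked against the filetrans and relabel rules in virt.te (not part of this hunk). A comment above the three hook.d lines would record that assumption, e.g. `# fsfreeze hooks are admin-supplied scripts the guest agent runs unconfined; only virt_qemu_ga_t and admins may write these directories`.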
@@ -93991,11 +94019,6 @@ index 1f22fba..76ccef3 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -94080,6 +94103,11 @@ index 1f22fba..76ccef3 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++') ++ ++optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + @@ -94199,11 +94227,11 @@ index 1f22fba..76ccef3 100644 +allow svirt_qemu_net_t self:rawip_socket create_socket_perms; +allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +kernel_read_network_state(svirt_qemu_net_t) +kernel_read_irq_sysctls(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) @@ -94274,7 +94302,7 @@ index 1f22fba..76ccef3 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1352,120 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1352,122 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
@@ -94309,6 +94337,8 @@ index 1f22fba..76ccef3 100644 +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file ) + ++kernel_read_system_state(virt_qemu_ga_t) ++ +corecmd_exec_shell(virt_qemu_ga_t) +corecmd_exec_bin(virt_qemu_ga_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 0ba97a3..b4b14da 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 79%{?dist} +Release: 80%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -570,6 +570,25 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Sep 12 2013 Miroslav Grepl 3.12.1-80 +- Allow ldconfig to write to kdumpctl fifo files +- allow neutron to connect to amqp ports +- Allow kdump_manage_crash to list the kdump_crash_t directory +- Allow glance-api to connect to amqp port +- Allow virt_qemu_ga_t to read meminfo +- Add antivirus_home_t type for antivirus date in HOMEDIRS +- Allow mpd setcap which is needed by pulseaudio +- Allow smbcontrol to create content in /var/lib/samba +- Allow mozilla_exec_t to be used as a entrypoint to mozilla_domtrans_spec +- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts +- amanda_exec_t needs to be executable file +- Allow block_suspend cap for samba-net +- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t +- Allow init_t to run crash utility +- Treat usr_t just like bin_t for transitions and executions +- Add port definition of pka_ca to port 829 for openshift +- Allow selinux_store to use symlinks + * Mon Sep 9 2013 Miroslav Grepl 3.12.1-79 - Allow block_suspend cap for samba-net - Allow t-mission-control to manage gabble cache files
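Review bot: `kernel_read_system_state(virt_qemu_ga_t)` grants read on all of proc_t, not only the /proc/meminfo the changelog names; as far as I know refpolicy has no narrower interface for that file, so the grant is the usual one, but the reason belongs next to the rule rather than only in the spec %changelog: `# qemu-ga reads /proc/meminfo (labeled proc_t)`. The virt_qemu_ga_t section continues outside the hunk.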