diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 81c7d86..906d448 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -1820,7 +1820,7 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..bfc85a0 100644 +index 03ec5ca..025c177 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -89,7 +89,6 @@ template(`su_restricted_domain_template', ` @@ -1843,41 +1843,234 @@ index 03ec5ca..bfc85a0 100644 optional_policy(` cron_read_pipes($1_su_t) ') -@@ -208,7 +202,7 @@ template(`su_role_template',` +@@ -172,14 +166,6 @@ template(`su_role_template',` + role $2 types $1_su_t; - auth_domtrans_chk_passwd($1_su_t) - auth_dontaudit_read_shadow($1_su_t) + allow $3 $1_su_t:process signal; +- +- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; +- dontaudit $1_su_t self:capability sys_tty_config; +- allow $1_su_t self:process { setexec setsched setrlimit }; +- allow $1_su_t self:fifo_file rw_fifo_file_perms; +- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; +- allow $1_su_t self:key { search write }; +- + allow $1_su_t $3:key search; + + # Transition from the user domain to this domain. +@@ -194,125 +180,12 @@ template(`su_role_template',` + allow $3 $1_su_t:process sigchld; + + kernel_read_system_state($1_su_t) +- kernel_read_kernel_sysctls($1_su_t) +- kernel_search_key($1_su_t) +- kernel_link_key($1_su_t) +- +- # for SSP +- dev_read_urand($1_su_t) +- +- fs_search_auto_mountpoints($1_su_t) + +- # needed for pam_rootok +- selinux_compute_access_vector($1_su_t) +- +- auth_domtrans_chk_passwd($1_su_t) +- auth_dontaudit_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) +- auth_rw_faillog($1_su_t) +- +- corecmd_search_bin($1_su_t) +- +- domain_use_interactive_fds($1_su_t) +- +- files_read_etc_files($1_su_t) +- files_read_etc_runtime_files($1_su_t) +- files_search_var_lib($1_su_t) +- files_dontaudit_getattr_tmp_dirs($1_su_t) +- +- init_dontaudit_use_fds($1_su_t) +- # Write to utmp. +- init_rw_utmp($1_su_t) + auth_use_pam($1_su_t) - auth_rw_faillog($1_su_t) - corecmd_search_bin($1_su_t) -@@ -228,10 +222,10 @@ template(`su_role_template',` + mls_file_write_all_levels($1_su_t) logging_send_syslog_msg($1_su_t) - +- - miscfiles_read_localization($1_su_t) - - userdom_use_user_terminals($1_su_t) - userdom_search_user_home_dirs($1_su_t) -+ userdom_search_admin_dir($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora -@@ -277,12 +271,7 @@ template(`su_role_template',` - ') - ') - +- +- userdom_use_user_terminals($1_su_t) +- userdom_search_user_home_dirs($1_su_t) +- +- ifdef(`distro_redhat',` +- # RHEL5 and possibly newer releases incl. Fedora +- auth_domtrans_upd_passwd($1_su_t) +- +- optional_policy(` +- locallogin_search_keys($1_su_t) +- ') +- ') +- +- ifdef(`distro_rhel4',` +- domain_role_change_exemption($1_su_t) +- domain_subj_id_change_exemption($1_su_t) +- domain_obj_id_change_exemption($1_su_t) +- +- selinux_get_fs_mount($1_su_t) +- selinux_validate_context($1_su_t) +- selinux_compute_create_context($1_su_t) +- selinux_compute_relabel_context($1_su_t) +- selinux_compute_user_contexts($1_su_t) +- +- # Relabel ttys and ptys. +- term_relabel_all_ttys($1_su_t) +- term_relabel_all_ptys($1_su_t) +- # Close and re-open ttys and ptys to get the fd into the correct domain. +- term_use_all_ttys($1_su_t) +- term_use_all_ptys($1_su_t) +- +- seutil_read_config($1_su_t) +- seutil_read_default_contexts($1_su_t) +- +- if(secure_mode) { +- # Only allow transitions to unprivileged user domains. +- userdom_spec_domtrans_unpriv_users($1_su_t) +- } else { +- # Allow transitions to all user domains +- userdom_spec_domtrans_all_users($1_su_t) +- } +- +- optional_policy(` +- unconfined_domtrans($1_su_t) +- unconfined_signal($1_su_t) +- ') +- ') +- - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $3:socket_class_set { read write }; - ') - - tunable_policy(`allow_polyinstantiation',` -+ tunable_policy(`polyinstantiation_enabled',` - fs_mount_xattr_fs($1_su_t) - fs_unmount_xattr_fs($1_su_t) - ') +- fs_mount_xattr_fs($1_su_t) +- fs_unmount_xattr_fs($1_su_t) +- ') +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_search_nfs($1_su_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_search_cifs($1_su_t) +- ') +- +- optional_policy(` +- cron_read_pipes($1_su_t) +- ') +- +- optional_policy(` +- kerberos_use($1_su_t) +- ') +- +- optional_policy(` +- # used when the password has expired +- usermanage_read_crack_db($1_su_t) +- ') +- +- # Modify .Xauthority file (via xauth program). +- optional_policy(` +- xserver_user_home_dir_filetrans_user_xauth($1_su_t) +- xserver_domtrans_xauth($1_su_t) +- ') + ') + + ####################################### +diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te +index 85bb77e..0df3b43 100644 +--- a/policy/modules/admin/su.te ++++ b/policy/modules/admin/su.te +@@ -9,3 +9,81 @@ attribute su_domain_type; + + type su_exec_t; + corecmd_executable_file(su_exec_t) ++ ++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; ++dontaudit su_domain_type self:capability sys_tty_config; ++allow su_domain_type self:process { setexec setsched setrlimit }; ++allow su_domain_type self:fifo_file rw_fifo_file_perms; ++allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; ++allow su_domain_type self:key { search write }; ++ ++kernel_read_kernel_sysctls(su_domain_type) ++kernel_search_key(su_domain_type) ++kernel_link_key(su_domain_type) ++ ++# for SSP ++dev_read_urand(su_domain_type) ++dev_dontaudit_getattr_all(su_domain_type) ++ ++fs_search_auto_mountpoints(su_domain_type) ++ ++# needed for pam_rootok ++selinux_compute_access_vector(su_domain_type) ++ ++corecmd_search_bin(su_domain_type) ++ ++domain_use_interactive_fds(su_domain_type) ++ ++files_read_etc_files(su_domain_type) ++files_read_etc_runtime_files(su_domain_type) ++files_search_var_lib(su_domain_type) ++files_dontaudit_getattr_tmp_dirs(su_domain_type) ++ ++init_dontaudit_use_fds(su_domain_type) ++# Write to utmp. ++init_rw_utmp(su_domain_type) ++ ++userdom_use_user_terminals(su_domain_type) ++userdom_search_user_home_dirs(su_domain_type) ++userdom_search_admin_dir(su_domain_type) ++ ++ifdef(`distro_redhat',` ++ # RHEL5 and possibly newer releases incl. Fedora ++ auth_domtrans_upd_passwd(su_domain_type) ++ ++ optional_policy(` ++ locallogin_search_keys(su_domain_type) ++ ') ++') ++ ++tunable_policy(`polyinstantiation_enabled',` ++ fs_mount_xattr_fs(su_domain_type) ++ fs_unmount_xattr_fs(su_domain_type) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_search_nfs(su_domain_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(su_domain_type) ++') ++ ++optional_policy(` ++ cron_read_pipes(su_domain_type) ++') ++ ++optional_policy(` ++ kerberos_use(su_domain_type) ++') ++ ++optional_policy(` ++ # used when the password has expired ++ usermanage_read_crack_db(su_domain_type) ++') ++ ++# Modify .Xauthority file (via xauth program). ++optional_policy(` ++ xserver_user_home_dir_filetrans_user_xauth(su_domain_type) ++ xserver_domtrans_xauth(su_domain_type) ++') diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc index 7bddc02..2b59ed0 100644 --- a/policy/modules/admin/sudo.fc @@ -3389,7 +3582,7 @@ index 644d4d7..f9bcd44 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..43cdcb9 100644 +index 9e9263a..7f08657 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ @@ -3516,7 +3709,35 @@ index 9e9263a..43cdcb9 100644 mmap_files_pattern($1, bin_t, bin_t) ') -@@ -945,6 +990,7 @@ interface(`corecmd_shell_domtrans',` +@@ -440,10 +485,14 @@ interface(`corecmd_mmap_bin_files',` + interface(`corecmd_bin_spec_domtrans',` + gen_require(` + type bin_t; ++ type usr_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) + domain_transition_pattern($1, bin_t, $2) ++ ++ read_lnk_files_pattern($1, usr_t, usr_t) ++ domain_transition_pattern($1, usr_t, $2) + ') + + ######################################## +@@ -483,10 +532,12 @@ interface(`corecmd_bin_spec_domtrans',` + interface(`corecmd_bin_domtrans',` + gen_require(` + type bin_t; ++ type usr_t; + ') + + corecmd_bin_spec_domtrans($1, $2) + type_transition $1 bin_t:process $2; ++ type_transition $1 usr_t:process $2; + ') + + ######################################## +@@ -945,6 +996,7 @@ interface(`corecmd_shell_domtrans',` interface(`corecmd_exec_chroot',` gen_require(` type chroot_exec_t; @@ -3524,7 +3745,7 @@ index 9e9263a..43cdcb9 100644 ') read_lnk_files_pattern($1, bin_t, bin_t) -@@ -954,6 +1000,24 @@ interface(`corecmd_exec_chroot',` +@@ -954,6 +1006,24 @@ interface(`corecmd_exec_chroot',` ######################################## ## @@ -3549,7 +3770,7 @@ index 9e9263a..43cdcb9 100644 ## Get the attributes of all executable files. ## ## -@@ -1012,6 +1076,10 @@ interface(`corecmd_exec_all_executables',` +@@ -1012,6 +1082,10 @@ interface(`corecmd_exec_all_executables',` can_exec($1, exec_type) list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, exec_type) @@ -3560,7 +3781,7 @@ index 9e9263a..43cdcb9 100644 ') ######################################## -@@ -1049,6 +1117,7 @@ interface(`corecmd_manage_all_executables',` +@@ -1049,6 +1123,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -3568,7 +3789,7 @@ index 9e9263a..43cdcb9 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -@@ -1091,3 +1160,36 @@ interface(`corecmd_mmap_all_executables',` +@@ -1091,3 +1166,36 @@ interface(`corecmd_mmap_all_executables',` mmap_files_pattern($1, bin_t, exec_type) ') @@ -5190,7 +5411,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..17a4eab 100644 +index 4edc40d..cbc0e69 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5326,7 +5547,7 @@ index 4edc40d..17a4eab 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -139,45 +168,51 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +168,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5337,7 +5558,7 @@ index 4edc40d..17a4eab 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) ++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,5666,s0) network_port(innd, tcp,119,s0) network_port(interwise, tcp,7778,s0, udp,7778,s0) network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) @@ -5365,6 +5586,7 @@ index 4edc40d..17a4eab 100644 +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) +network_port(keystone, tcp, 35357,s0, udp, 35357,s0) ++network_port(rlogin, tcp,543,s0, tcp,2105,s0) +network_port(rtsclient, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) @@ -5392,7 +5614,7 @@ index 4edc40d..17a4eab 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,26 +220,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,26 +221,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5431,7 +5653,7 @@ index 4edc40d..17a4eab 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -214,38 +257,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +258,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5484,7 +5706,7 @@ index 4edc40d..17a4eab 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +307,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +308,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5495,7 +5717,7 @@ index 4edc40d..17a4eab 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +319,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +320,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5508,7 +5730,7 @@ index 4edc40d..17a4eab 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +343,16 @@ network_port(zope, tcp,8021,s0) +@@ -292,12 +344,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. @@ -5527,7 +5749,7 @@ index 4edc40d..17a4eab 100644 ######################################## # -@@ -330,6 +385,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +386,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5536,7 +5758,7 @@ index 4edc40d..17a4eab 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +399,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +400,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -16756,10 +16978,10 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..28cfc6a 100644 +index 5da7870..834a511 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1) +@@ -8,12 +8,70 @@ policy_module(staff, 2.3.1) role staff_r; userdom_unpriv_user_template(staff) @@ -16799,6 +17021,8 @@ index 5da7870..28cfc6a 100644 + +seutil_read_module_store(staff_t) +seutil_run_newrole(staff_t, staff_r) ++seutil_dbus_chat_semanage(staff_t) ++seutil_read_login_config(staff_t) + +storage_read_scsi_generic(staff_t) +storage_write_scsi_generic(staff_t) @@ -16828,7 +17052,7 @@ index 5da7870..28cfc6a 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +79,106 @@ optional_policy(` +@@ -23,11 +81,106 @@ optional_policy(` ') optional_policy(` @@ -16936,7 +17160,7 @@ index 5da7870..28cfc6a 100644 ') optional_policy(` -@@ -35,15 +186,31 @@ optional_policy(` +@@ -35,15 +188,31 @@ optional_policy(` ') optional_policy(` @@ -16970,7 +17194,7 @@ index 5da7870..28cfc6a 100644 ') optional_policy(` -@@ -52,10 +219,55 @@ optional_policy(` +@@ -52,10 +221,55 @@ optional_policy(` ') optional_policy(` @@ -17026,7 +17250,7 @@ index 5da7870..28cfc6a 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +277,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +279,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17037,7 +17261,7 @@ index 5da7870..28cfc6a 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +286,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +288,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -17048,7 +17272,7 @@ index 5da7870..28cfc6a 100644 ') optional_policy(` -@@ -101,10 +305,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +307,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17059,7 +17283,7 @@ index 5da7870..28cfc6a 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +325,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +327,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17070,7 +17294,7 @@ index 5da7870..28cfc6a 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +337,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +339,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17081,7 +17305,7 @@ index 5da7870..28cfc6a 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +368,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +370,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -19469,11 +19693,12 @@ index 346d011..3e23acb 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..02d4ea6 100644 +index 76d9f66..e3c8586 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,16 +1,36 @@ +@@ -1,16 +1,37 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) -/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) @@ -20211,7 +20436,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..7931fba 100644 +index 5fc0391..007ac2e 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20321,12 +20546,13 @@ index 5fc0391..7931fba 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -107,33 +120,41 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -107,33 +120,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) -userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) +userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file) ++userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file) +userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh") +userdom_read_all_users_keys(ssh_t) +userdom_stream_connect(ssh_t) @@ -20368,7 +20594,7 @@ index 5fc0391..7931fba 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -154,40 +175,46 @@ files_read_var_files(ssh_t) +@@ -154,40 +176,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -20434,7 +20660,7 @@ index 5fc0391..7931fba 100644 ') optional_policy(` -@@ -195,6 +222,7 @@ optional_policy(` +@@ -195,6 +223,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -20442,7 +20668,7 @@ index 5fc0391..7931fba 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +234,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +235,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -20450,7 +20676,7 @@ index 5fc0391..7931fba 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +252,54 @@ optional_policy(` +@@ -223,33 +253,54 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -20514,7 +20740,7 @@ index 5fc0391..7931fba 100644 ') optional_policy(` -@@ -257,11 +307,28 @@ optional_policy(` +@@ -257,11 +308,28 @@ optional_policy(` ') optional_policy(` @@ -20544,7 +20770,7 @@ index 5fc0391..7931fba 100644 ') optional_policy(` -@@ -269,6 +336,10 @@ optional_policy(` +@@ -269,6 +337,10 @@ optional_policy(` ') optional_policy(` @@ -20555,7 +20781,7 @@ index 5fc0391..7931fba 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +350,69 @@ optional_policy(` +@@ -279,13 +351,69 @@ optional_policy(` ') optional_policy(` @@ -20625,7 +20851,7 @@ index 5fc0391..7931fba 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +421,26 @@ optional_policy(` +@@ -294,19 +422,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -20653,7 +20879,7 @@ index 5fc0391..7931fba 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +458,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20666,7 +20892,7 @@ index 5fc0391..7931fba 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +471,138 @@ optional_policy(` +@@ -331,3 +472,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -24259,7 +24485,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..2f6ba05 100644 +index 3efd5b6..362b3af 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -24316,13 +24542,12 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -95,48 +115,21 @@ interface(`auth_use_pam',` +@@ -95,48 +115,20 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; + attribute polydomain; + attribute login_pgm; -+ type auth_home_t; ') domain_type($1) @@ -24371,7 +24596,7 @@ index 3efd5b6..2f6ba05 100644 mls_file_read_all_levels($1) mls_file_write_all_levels($1) -@@ -146,18 +139,43 @@ interface(`auth_login_pgm_domain',` +@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',` mls_fd_share_all_levels($1) auth_use_pam($1) @@ -24423,7 +24648,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -231,6 +249,25 @@ interface(`auth_domtrans_login_program',` +@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',` ######################################## ## @@ -24449,7 +24674,7 @@ index 3efd5b6..2f6ba05 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -402,6 +439,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -402,6 +438,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') @@ -24458,7 +24683,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -448,6 +487,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -24484,7 +24709,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -467,7 +525,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -24492,7 +24717,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -664,6 +721,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -24503,7 +24728,7 @@ index 3efd5b6..2f6ba05 100644 ') ####################################### -@@ -763,7 +824,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -24555,7 +24780,7 @@ index 3efd5b6..2f6ba05 100644 ') ####################################### -@@ -824,9 +928,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +927,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -24586,7 +24811,7 @@ index 3efd5b6..2f6ba05 100644 ## ## ## -@@ -834,12 +958,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +957,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -24617,7 +24842,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -854,15 +993,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +992,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -24636,7 +24861,7 @@ index 3efd5b6..2f6ba05 100644 ## ## ## -@@ -875,13 +1014,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1013,33 @@ interface(`auth_signal_pam',` ## ## # @@ -24674,7 +24899,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -959,9 +1118,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1117,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -24708,7 +24933,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -1040,6 +1220,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1219,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -24719,7 +24944,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -1176,6 +1360,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1359,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -24727,7 +24952,7 @@ index 3efd5b6..2f6ba05 100644 ') ####################################### -@@ -1576,6 +1761,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1760,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -24753,7 +24978,7 @@ index 3efd5b6..2f6ba05 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1930,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1929,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -24779,7 +25004,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -1767,11 +1954,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1953,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -24796,7 +25021,7 @@ index 3efd5b6..2f6ba05 100644 ') ######################################## -@@ -1805,3 +1994,219 @@ interface(`auth_unconfined',` +@@ -1805,3 +1993,241 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -24977,6 +25202,28 @@ index 3efd5b6..2f6ba05 100644 + userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") +') + ++ ++######################################## ++## ++## Read the authorization data in the user home directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_read_home_content',` ++ ++ gen_require(` ++ type auth_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, auth_home_t, auth_home_t) ++') ++ ++ +######################################## +## +## Create auth directory in the user home directory @@ -28845,7 +29092,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..18ef725 100644 +index 9e54bf9..e324045 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -28918,7 +29165,7 @@ index 9e54bf9..18ef725 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,6 +166,8 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,24 +166,33 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -28927,7 +29174,9 @@ index 9e54bf9..18ef725 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -165,16 +176,22 @@ auth_use_nsswitch(ipsec_t) + auth_use_nsswitch(ipsec_t) ++auth_read_home_content(ipsec_t) + init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -28951,7 +29200,7 @@ index 9e54bf9..18ef725 100644 seutil_sigchld_newrole(ipsec_t) ') -@@ -187,10 +204,10 @@ optional_policy(` +@@ -187,10 +205,10 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -28966,7 +29215,7 @@ index 9e54bf9..18ef725 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -206,14 +223,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) +@@ -206,14 +224,15 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) @@ -28985,7 +29234,7 @@ index 9e54bf9..18ef725 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +265,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -29002,7 +29251,7 @@ index 9e54bf9..18ef725 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +284,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -29011,7 +29260,7 @@ index 9e54bf9..18ef725 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +309,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -29023,7 +29272,7 @@ index 9e54bf9..18ef725 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +322,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -29047,7 +29296,7 @@ index 9e54bf9..18ef725 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +356,10 @@ optional_policy(` +@@ -322,6 +357,10 @@ optional_policy(` ') optional_policy(` @@ -29058,7 +29307,7 @@ index 9e54bf9..18ef725 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +373,7 @@ optional_policy(` +@@ -335,7 +374,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -29067,7 +29316,7 @@ index 9e54bf9..18ef725 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +408,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +409,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -29087,12 +29336,12 @@ index 9e54bf9..18ef725 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +438,11 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +439,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) -miscfiles_read_localization(racoon_t) - +- sysnet_exec_ifconfig(racoon_t) +auth_use_pam(racoon_t) @@ -29817,7 +30066,7 @@ index 808ba93..9d8f729 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 23a645e..f0cbd38 100644 +index 23a645e..52a8540 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -29850,21 +30099,23 @@ index 23a645e..f0cbd38 100644 files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t) +@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t) fs_getattr_xattr_fs(ldconfig_t) +files_list_var_lib(ldconfig_t) ++files_dontaudit_leaks(ldconfig_t) +files_manage_var_lib_symlinks(ldconfig_t) + corecmd_search_bin(ldconfig_t) domain_use_interactive_fds(ldconfig_t) +-files_search_var_lib(ldconfig_t) +files_search_home(ldconfig_t) - files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) + files_search_tmp(ldconfig_t) @@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t) init_use_script_ptys(ldconfig_t) init_read_script_tmp_files(ldconfig_t) @@ -33166,7 +33417,7 @@ index d43f3b1..f958391 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..bddf002 100644 +index 3822072..ae12cfa 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` @@ -33410,8 +33661,8 @@ index 3822072..bddf002 100644 + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + allow $1 selinux_login_config_t:dir list_dir_perms; -+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t) -+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) +') + +######################################## @@ -33432,8 +33683,8 @@ index 3822072..bddf002 100644 + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; -+ allow $1 selinux_login_config_t:dir list_dir_perms; -+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ allow $1 selinux_login_config_t:dir list_dir_perms; ++ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t) +') + ####################################### @@ -33651,7 +33902,7 @@ index 3822072..bddf002 100644 ') ####################################### -@@ -1137,3 +1488,99 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1488,122 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -33751,6 +34002,29 @@ index 3822072..bddf002 100644 + filetrans_pattern($1, default_context_t, file_context_t, dir, "files") + userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context") +') ++ ++####################################### ++## ++## Send and receive messages from ++## semanage dbus server over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_dbus_chat_semanage',` ++ gen_require(` ++ type semanage_t; ++ class dbus send_msg; ++ ') ++ ++ ps_process_pattern(semanage_t, $1) ++ ++ allow $1 semanage_t:dbus send_msg; ++ allow semanage_t $1:dbus send_msg; ++') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index ec01d0b..076b0a0 100644 --- a/policy/modules/system/selinuxutil.te @@ -34966,7 +35240,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..7a9577f 100644 +index b7686d5..087fe08 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -35062,7 +35336,7 @@ index b7686d5..7a9577f 100644 corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) -@@ -108,21 +125,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) +@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) corenet_sendrecv_dhcpc_server_packets(dhcpc_t) @@ -35085,10 +35359,11 @@ index b7686d5..7a9577f 100644 files_dontaudit_search_locks(dhcpc_t) files_getattr_generic_locks(dhcpc_t) +files_rw_inherited_tmp_file(dhcpc_t) ++files_dontaudit_rw_inherited_locks(dhcpc_t) fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -132,11 +151,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -35105,7 +35380,7 @@ index b7686d5..7a9577f 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -156,7 +179,14 @@ ifdef(`distro_ubuntu',` +@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -35121,7 +35396,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -174,10 +204,6 @@ optional_policy(` +@@ -174,10 +205,6 @@ optional_policy(` ') optional_policy(` @@ -35132,7 +35407,7 @@ index b7686d5..7a9577f 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -190,23 +216,36 @@ optional_policy(` +@@ -190,23 +217,36 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -35169,7 +35444,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -216,7 +255,11 @@ optional_policy(` +@@ -216,7 +256,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -35182,7 +35457,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -228,6 +271,10 @@ optional_policy(` +@@ -228,6 +272,10 @@ optional_policy(` ') optional_policy(` @@ -35193,7 +35468,7 @@ index b7686d5..7a9577f 100644 vmware_append_log(dhcpc_t) ') -@@ -259,12 +306,23 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -35217,7 +35492,7 @@ index b7686d5..7a9577f 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +332,29 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -35238,6 +35513,7 @@ index b7686d5..7a9577f 100644 +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + +files_dontaudit_rw_inherited_pipes(ifconfig_t) ++files_dontaudit_rw_inherited_locks(ifconfig_t) +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) + @@ -35247,7 +35523,7 @@ index b7686d5..7a9577f 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +367,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -35275,7 +35551,7 @@ index b7686d5..7a9577f 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +391,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -35298,7 +35574,7 @@ index b7686d5..7a9577f 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +417,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -35312,7 +35588,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -339,7 +430,15 @@ optional_policy(` +@@ -339,7 +432,15 @@ optional_policy(` ') optional_policy(` @@ -35329,7 +35605,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -360,3 +459,13 @@ optional_policy(` +@@ -360,3 +461,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -38735,7 +39011,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..fbcee33 100644 +index 3c5dba7..991cb36 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39297,7 +39573,7 @@ index 3c5dba7..fbcee33 100644 ############################## # -@@ -501,41 +632,52 @@ template(`userdom_common_user_template',` +@@ -501,41 +632,51 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -39320,7 +39596,6 @@ index 3c5dba7..fbcee33 100644 - kernel_read_device_sysctls($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -+ kernel_stream_connect($1_usertype) - corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) @@ -39373,7 +39648,7 @@ index 3c5dba7..fbcee33 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +688,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +687,120 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -39532,7 +39807,7 @@ index 3c5dba7..fbcee33 100644 ') optional_policy(` -@@ -642,23 +811,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +810,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -39561,7 +39836,7 @@ index 3c5dba7..fbcee33 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +838,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +837,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -39570,7 +39845,7 @@ index 3c5dba7..fbcee33 100644 ') optional_policy(` -@@ -680,9 +847,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +846,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -39583,7 +39858,7 @@ index 3c5dba7..fbcee33 100644 ') ') -@@ -693,32 +860,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +859,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -39630,7 +39905,7 @@ index 3c5dba7..fbcee33 100644 ') ') -@@ -743,17 +913,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +912,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -39668,7 +39943,7 @@ index 3c5dba7..fbcee33 100644 userdom_change_password_template($1) -@@ -761,82 +947,99 @@ template(`userdom_login_user_template', ` +@@ -761,82 +946,99 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -39804,22 +40079,24 @@ index 3c5dba7..fbcee33 100644 ') ') -@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) + allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; + dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; + -+ seutil_read_file_contexts($1_t) -+ seutil_read_default_contexts($1_t) ++ seutil_read_file_contexts($1_t) ++ seutil_read_default_contexts($1_t) + ############################## # # Local policy -@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1115,99 @@ template(`userdom_restricted_xwindows_user_template',` + # # Local policy # ++ kernel_stream_connect($1_usertype) - auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) @@ -40049,20 +40326,20 @@ index 3c5dba7..fbcee33 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) + ') + + optional_policy(` -+ wine_role_template($1, $1_r, $1_t) ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) + ') + + optional_policy(` ++ wine_role_template($1, $1_r, $1_t) + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 19c3de3..c1ad325 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -2023,7 +2023,7 @@ index 7f4dfbc..4d750fa 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index ed45974..95b56a6 100644 +index ed45974..cd5a4fa 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,13 @@ attribute_role amanda_recover_roles; @@ -2033,7 +2033,7 @@ index ed45974..95b56a6 100644 +type amanda_exec_t; type amanda_inetd_exec_t; -inetd_service_domain(amanda_t, amanda_inetd_exec_t) -+init_daemon_domain(amanda_t, amanda_exec_t) ++init_daemon_domain(amanda_t, amanda_inetd_exec_t) +role system_r types amanda_t; -type amanda_exec_t; @@ -4639,7 +4639,7 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..12b3640 100644 +index 1a82e29..217ba9e 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -5828,7 +5828,7 @@ index 1a82e29..12b3640 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +917,42 @@ optional_policy(` +@@ -781,34 +917,46 @@ optional_policy(` ') optional_policy(` @@ -5838,6 +5838,10 @@ index 1a82e29..12b3640 100644 +') + +optional_policy(` ++ gssproxy_stream_connect(httpd_t) ++') ++ ++optional_policy(` + jetty_admin(httpd_t) +') + @@ -5882,7 +5886,7 @@ index 1a82e29..12b3640 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +960,18 @@ optional_policy(` +@@ -816,8 +964,18 @@ optional_policy(` ') optional_policy(` @@ -5901,7 +5905,7 @@ index 1a82e29..12b3640 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +980,7 @@ optional_policy(` +@@ -826,6 +984,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5909,7 +5913,7 @@ index 1a82e29..12b3640 100644 ') optional_policy(` -@@ -836,20 +991,39 @@ optional_policy(` +@@ -836,20 +995,39 @@ optional_policy(` ') optional_policy(` @@ -5955,7 +5959,7 @@ index 1a82e29..12b3640 100644 ') optional_policy(` -@@ -857,19 +1031,35 @@ optional_policy(` +@@ -857,19 +1035,35 @@ optional_policy(` ') optional_policy(` @@ -5991,7 +5995,7 @@ index 1a82e29..12b3640 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1067,170 @@ optional_policy(` +@@ -877,65 +1071,170 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6061,11 +6065,10 @@ index 1a82e29..12b3640 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache PHP script local policy +# + @@ -6124,10 +6127,11 @@ index 1a82e29..12b3640 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache suexec local policy # @@ -6184,7 +6188,7 @@ index 1a82e29..12b3640 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1239,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6339,7 +6343,7 @@ index 1a82e29..12b3640 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1323,104 @@ optional_policy(` +@@ -1077,172 +1327,104 @@ optional_policy(` ') ') @@ -6359,13 +6363,13 @@ index 1a82e29..12b3640 100644 -allow httpd_script_domains self:fifo_file rw_file_perms; -allow httpd_script_domains self:unix_stream_socket connectto; -- ++allow httpd_sys_script_t self:process getsched; + -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; - -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -+allow httpd_sys_script_t self:process getsched; - +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -6520,8 +6524,7 @@ index 1a82e29..12b3640 100644 -kernel_read_kernel_sysctls(httpd_sys_script_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) @@ -6537,7 +6540,8 @@ index 1a82e29..12b3640 100644 - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` @@ -6575,7 +6579,7 @@ index 1a82e29..12b3640 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1428,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1432,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6672,7 +6676,7 @@ index 1a82e29..12b3640 100644 ######################################## # -@@ -1315,8 +1503,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1507,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6689,15 +6693,14 @@ index 1a82e29..12b3640 100644 ') ######################################## -@@ -1324,49 +1519,38 @@ optional_policy(` +@@ -1324,49 +1523,38 @@ optional_policy(` # User content local policy # -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_user_script_t) -') -+auth_use_nsswitch(httpd_user_script_t) - +- -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_cifs_files(httpd_user_script_t) @@ -6707,7 +6710,8 @@ index 1a82e29..12b3640 100644 -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_user_script_t) -') -- ++auth_use_nsswitch(httpd_user_script_t) + -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_nfs_files(httpd_user_script_t) @@ -6754,7 +6758,7 @@ index 1a82e29..12b3640 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1560,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1564,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -6772,8 +6776,7 @@ index 1a82e29..12b3640 100644 +systemd_manage_passwd_run(httpd_passwd_t) +systemd_manage_passwd_run(httpd_t) +#systemd_passwd_agent_dev_template(httpd) - --allow httpd_gpg_t self:process setrlimit; ++ +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +dontaudit httpd_passwd_t httpd_config_t:file read; + @@ -6807,7 +6810,8 @@ index 1a82e29..12b3640 100644 + +miscfiles_read_fonts(httpd_script_type) +miscfiles_read_public_files(httpd_script_type) -+ + +-allow httpd_gpg_t self:process setrlimit; +allow httpd_t httpd_script_type:unix_stream_socket connectto; -allow httpd_gpg_t httpd_t:fd use; @@ -9203,10 +9207,10 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..d4b9ffa 100644 +index 7c92aa1..e27b377 100644 --- a/boinc.te +++ b/boinc.te -@@ -1,11 +1,13 @@ +@@ -1,11 +1,20 @@ -policy_module(boinc, 1.0.3) +policy_module(boinc, 1.0.0) @@ -9216,13 +9220,20 @@ index 7c92aa1..d4b9ffa 100644 # -type boinc_t; ++## ++##

++## Allow boinc_domain execmem/execstack. ++##

++## ++gen_tunable(boinc_execmem, true) ++ +attribute boinc_domain; + +type boinc_t, boinc_domain; type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) -@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t) +@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t) type boinc_var_lib_t; files_type(boinc_var_lib_t) @@ -9254,7 +9265,6 @@ index 7c92aa1..d4b9ffa 100644 +allow boinc_domain self:fifo_file rw_fifo_file_perms; +allow boinc_domain self:process signal; +allow boinc_domain self:sem create_sem_perms; -+allow boinc_domain self:process execmem; + +manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) @@ -9276,6 +9286,10 @@ index 7c92aa1..d4b9ffa 100644 + +miscfiles_read_fonts(boinc_domain) + ++tunable_policy(`boinc_execmem',` ++ allow boinc_domain self:process { execstack execmem }; ++') ++ +optional_policy(` + sysnet_dns_name_resolve(boinc_domain) +') @@ -9298,7 +9312,7 @@ index 7c92aa1..d4b9ffa 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -54,74 +91,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -9395,7 +9409,7 @@ index 7c92aa1..d4b9ffa 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +141,69 @@ init_read_utmp(boinc_t) +@@ -130,55 +151,69 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -13907,7 +13921,7 @@ index c086302..4f33119 100644 /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) diff --git a/couchdb.if b/couchdb.if -index 83d6744..b934cb7 100644 +index 83d6744..afa2f78 100644 --- a/couchdb.if +++ b/couchdb.if @@ -2,6 +2,44 @@ @@ -13955,7 +13969,7 @@ index 83d6744..b934cb7 100644 ## All of the rules required to ## administrate an couchdb environment. ## -@@ -10,6 +48,108 @@ +@@ -10,6 +48,127 @@ ## Domain allowed access. ## ## @@ -14026,6 +14040,25 @@ index 83d6744..b934cb7 100644 + allow $1 couchdb_var_run_t:file read_file_perms; +') + ++####################################### ++## ++## Search couchdb PID dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_search_pid_dirs',` ++ gen_require(` ++ type couchdb_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 couchdb_var_run_t:dir search_dir_perms; ++') ++ +######################################## +## +## Execute couchdb server in the couchdb domain. @@ -14064,7 +14097,7 @@ index 83d6744..b934cb7 100644 ## ## ## Role allowed access. -@@ -19,14 +159,19 @@ +@@ -19,14 +178,19 @@ # interface(`couchdb_admin',` gen_require(` @@ -14085,7 +14118,7 @@ index 83d6744..b934cb7 100644 init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; -@@ -46,4 +191,13 @@ interface(`couchdb_admin',` +@@ -46,4 +210,13 @@ interface(`couchdb_admin',` files_search_pids($1) admin_pattern($1, couchdb_var_run_t) @@ -17097,7 +17130,7 @@ index 06da9a0..6d69a2f 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..09ef91c 100644 +index 9f34c2e..d084359 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -17539,7 +17572,7 @@ index 9f34c2e..09ef91c 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +531,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -17552,6 +17585,7 @@ index 9f34c2e..09ef91c 100644 corenet_sendrecv_ipp_client_packets(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) ++corenet_tcp_bind_printer_port(cupsd_lpd_t) +corenet_tcp_connect_printer_port(cupsd_lpd_t) corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) @@ -17572,7 +17606,7 @@ index 9f34c2e..09ef91c 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +557,6 @@ optional_policy(` +@@ -546,7 +558,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -17580,7 +17614,7 @@ index 9f34c2e..09ef91c 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +572,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -17732,7 +17766,7 @@ index 9f34c2e..09ef91c 100644 ######################################## # -@@ -731,7 +616,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -17740,7 +17774,7 @@ index 9f34c2e..09ef91c 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +625,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -17754,7 +17788,7 @@ index 9f34c2e..09ef91c 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +637,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -17763,7 +17797,7 @@ index 9f34c2e..09ef91c 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -769,3 +649,4 @@ optional_policy(` +@@ -769,3 +650,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -17813,7 +17847,7 @@ index 9fa7ffb..fd3262c 100644 domain_system_change_exemption($1) role_transition $2 cvs_initrc_exec_t system_r; diff --git a/cvs.te b/cvs.te -index 53fc3af..989aabf 100644 +index 53fc3af..897ad64 100644 --- a/cvs.te +++ b/cvs.te @@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1) @@ -17830,7 +17864,7 @@ index 53fc3af..989aabf 100644 application_executable_file(cvs_exec_t) type cvs_data_t; # customizable -@@ -58,6 +59,14 @@ kernel_read_network_state(cvs_t) +@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) @@ -17841,11 +17875,12 @@ index 53fc3af..989aabf 100644 +corenet_udp_sendrecv_generic_node(cvs_t) +corenet_tcp_sendrecv_all_ports(cvs_t) +corenet_udp_sendrecv_all_ports(cvs_t) ++corenet_tcp_bind_cvs_port(cvs_t) + dev_read_urand(cvs_t) files_read_etc_runtime_files(cvs_t) -@@ -70,18 +79,18 @@ auth_use_nsswitch(cvs_t) +@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t) init_read_utmp(cvs_t) @@ -17867,7 +17902,7 @@ index 53fc3af..989aabf 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') -@@ -103,4 +112,5 @@ optional_policy(` +@@ -103,4 +113,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -18180,7 +18215,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index afcf3a2..8c49f40 100644 +index afcf3a2..e6ecc4d 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -18198,7 +18233,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -41,59 +41,64 @@ interface(`dbus_stub',` +@@ -41,59 +41,68 @@ interface(`dbus_stub',` template(`dbus_role_template',` gen_require(` class dbus { send_msg acquire_svc }; @@ -18273,8 +18308,11 @@ index afcf3a2..8c49f40 100644 - ifdef(`hide_broken_symptoms',` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; -- ') + logging_send_syslog_msg($1_dbusd_t) ++ ++ optional_policy(` ++ mozilla_domtrans_spec($1_dbusd_t, $1_t) + ') ') ####################################### @@ -18285,7 +18323,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -103,65 +108,29 @@ template(`dbus_role_template',` +@@ -103,65 +112,29 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` @@ -18360,7 +18398,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -175,19 +144,21 @@ interface(`dbus_connect_all_session_bus',` +@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',` ## ## # @@ -18387,7 +18425,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -196,72 +167,23 @@ interface(`dbus_connect_spec_session_bus',` +@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',` ## # interface(`dbus_session_bus_client',` @@ -18467,7 +18505,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -270,59 +192,17 @@ interface(`dbus_spec_session_bus_client',` +@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',` ## # interface(`dbus_send_session_bus',` @@ -18529,7 +18567,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -380,69 +260,32 @@ interface(`dbus_manage_lib_files',` +@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',` ######################################## ## @@ -18610,7 +18648,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -457,20 +300,21 @@ interface(`dbus_all_session_domain',` +@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',` ## ## # @@ -18636,7 +18674,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -489,7 +333,7 @@ interface(`dbus_connect_system_bus',` +@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',` ######################################## ## @@ -18645,7 +18683,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -508,7 +352,7 @@ interface(`dbus_send_system_bus',` +@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',` ######################################## ## @@ -18654,7 +18692,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -527,8 +371,8 @@ interface(`dbus_system_bus_unconfined',` +@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',` ######################################## ## @@ -18665,7 +18703,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -543,33 +387,24 @@ interface(`dbus_system_bus_unconfined',` +@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',` # interface(`dbus_system_domain',` gen_require(` @@ -18703,7 +18741,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -587,26 +422,25 @@ interface(`dbus_use_system_bus_fds',` +@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',` ######################################## ## @@ -18736,7 +18774,7 @@ index afcf3a2..8c49f40 100644 ## ## ## -@@ -614,10 +448,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -23936,7 +23974,7 @@ index 5cf6ac6..0fc685b 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index c8014f8..2888d51 100644 +index c8014f8..bacc80c 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) @@ -24017,7 +24055,7 @@ index c8014f8..2888d51 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -85,6 +102,10 @@ optional_policy(` +@@ -85,9 +102,17 @@ optional_policy(` ') optional_policy(` @@ -24028,6 +24066,13 @@ index c8014f8..2888d51 100644 iptables_domtrans(firewalld_t) ') + optional_policy(` + modutils_domtrans_insmod(firewalld_t) + ') ++ ++optional_policy(` ++ NetworkManager_read_state(firewalld_t) ++') diff --git a/firewallgui.if b/firewallgui.if index e6866d1..941f4ef 100644 --- a/firewallgui.if @@ -24949,7 +24994,7 @@ index 1e29af1..c67e44e 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index 93b0301..eafea5b 100644 +index 93b0301..ad8eb38 100644 --- a/git.te +++ b/git.te @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -24967,13 +25012,7 @@ index 93b0301..eafea5b 100644 ## Determine whether Git system daemon ## can search home directories. ##

-@@ -87,15 +79,16 @@ apache_content_template(git) - type git_system_t, git_daemon; - type gitd_exec_t; - inetd_service_domain(git_system_t, gitd_exec_t) -+init_domain(git_system_t, gitd_exec_t) - - type git_session_t, git_daemon; +@@ -92,10 +84,10 @@ type git_session_t, git_daemon; userdom_user_application_domain(git_session_t, gitd_exec_t) role git_session_roles types git_session_t; @@ -24986,7 +25025,7 @@ index 93b0301..eafea5b 100644 userdom_user_home_content(git_user_content_t) ######################################## -@@ -109,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) +@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) userdom_search_user_home_dirs(git_session_t) @@ -24995,7 +25034,7 @@ index 93b0301..eafea5b 100644 corenet_all_recvfrom_netlabel(git_session_t) corenet_all_recvfrom_unlabeled(git_session_t) corenet_tcp_bind_generic_node(git_session_t) -@@ -129,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` +@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` corenet_tcp_sendrecv_all_ports(git_session_t) ') @@ -25006,17 +25045,19 @@ index 93b0301..eafea5b 100644 tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(git_session_t) -@@ -157,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',` +@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',` list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) +kernel_read_network_state(git_system_t) +kernel_read_system_state(git_system_t) + ++corenet_tcp_bind_git_port(git_system_t) ++ files_search_var_lib(git_system_t) auth_use_nsswitch(git_system_t) -@@ -255,12 +251,9 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -255,12 +252,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; @@ -25853,7 +25894,7 @@ index e39de43..5818f74 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..71aa685 100644 +index d03fd43..237de86 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,155 @@ @@ -26570,7 +26611,7 @@ index d03fd43..71aa685 100644 ## ## ## -@@ -473,82 +517,72 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -473,82 +517,73 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -26648,6 +26689,7 @@ index d03fd43..71aa685 100644 + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) ++ gnome_read_usr_config($1) ') ######################################## @@ -26676,7 +26718,7 @@ index d03fd43..71aa685 100644 ## ## ## -@@ -557,52 +591,76 @@ interface(`gnome_home_filetrans_gconf_home',` +@@ -557,52 +592,76 @@ interface(`gnome_home_filetrans_gconf_home',` ## ## # @@ -26774,7 +26816,7 @@ index d03fd43..71aa685 100644 ## ## ## -@@ -610,93 +668,126 @@ interface(`gnome_gconf_home_filetrans',` +@@ -610,93 +669,126 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -26935,7 +26977,7 @@ index d03fd43..71aa685 100644 ## ## ## -@@ -704,12 +795,851 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +796,851 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -29789,14 +29831,16 @@ index 05387d1..08a489c 100644 userdom_dontaudit_search_user_home_dirs(imazesrv_t) diff --git a/inetd.if b/inetd.if -index fbb54e7..b347964 100644 +index fbb54e7..05c3777 100644 --- a/inetd.if +++ b/inetd.if -@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',` +@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',` domtrans_pattern(inetd_t, $2, $1) allow inetd_t $1:process { siginh sigkill }; + ++ init_domain($1, $2) ++ + optional_policy(` + abrt_stream_connect($1) + ') @@ -33958,7 +34002,7 @@ index 19777b8..63d46d3 100644 + ') +') diff --git a/ktalk.te b/ktalk.te -index 2cf3815..cb979b0 100644 +index 2cf3815..a43a4f6 100644 --- a/ktalk.te +++ b/ktalk.te @@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1) @@ -33977,7 +34021,7 @@ index 2cf3815..cb979b0 100644 type ktalkd_tmp_t; files_tmp_file(ktalkd_tmp_t) -@@ -35,16 +39,23 @@ kernel_read_kernel_sysctls(ktalkd_t) +@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t) kernel_read_system_state(ktalkd_t) kernel_read_network_state(ktalkd_t) @@ -33988,6 +34032,7 @@ index 2cf3815..cb979b0 100644 +corenet_udp_sendrecv_generic_node(ktalkd_t) +corenet_tcp_sendrecv_all_ports(ktalkd_t) +corenet_udp_sendrecv_all_ports(ktalkd_t) ++corenet_udp_bind_ktalkd_port(ktalkd_t) + dev_read_urand(ktalkd_t) @@ -35984,7 +36029,7 @@ index b9270f7..15f3748 100644 ') diff --git a/lsm.fc b/lsm.fc new file mode 100644 -index 0000000..711c04b +index 0000000..81cd4e0 --- /dev/null +++ b/lsm.fc @@ -0,0 +1,5 @@ @@ -35992,7 +36037,7 @@ index 0000000..711c04b + +/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) + -+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0) ++/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) diff --git a/lsm.if b/lsm.if new file mode 100644 index 0000000..52d5956 @@ -38957,7 +39002,7 @@ index 6ffaba2..154cade 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..3209b1c 100644 +index 6194b80..f1a5676 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -39111,7 +39156,8 @@ index 6194b80..3209b1c 100644 - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") -- ++ mozilla_filetrans_home_content($2) + - allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; @@ -39126,8 +39172,7 @@ index 6194b80..3209b1c 100644 - allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - - can_exec($2, mozilla_plugin_rw_t) -+ mozilla_filetrans_home_content($2) - +- - optional_policy(` - mozilla_dbus_chat_plugin($2) - ') @@ -39243,42 +39288,69 @@ index 6194b80..3209b1c 100644 ## ## ## -@@ -265,27 +173,11 @@ interface(`mozilla_exec_user_plugin_home_files',` +@@ -265,140 +173,152 @@ interface(`mozilla_exec_user_plugin_home_files',` ## # interface(`mozilla_execmod_user_home_files',` - refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.') - mozilla_execmod_user_plugin_home_files($1) --') -- --######################################## --## ++ gen_require(` ++ type mozilla_home_t; ++ ') ++ ++ allow $1 mozilla_home_t:file execmod; + ') + + ######################################## + ## -## Mozilla plugin home directory file -## text relocation. --## --## --## ++## Run mozilla in the mozilla domain. + ## + ## + ## -## Domain allowed access. --## --## --# ++## Domain allowed to transition. + ## + ## + # -interface(`mozilla_execmod_user_plugin_home_files',` ++interface(`mozilla_domtrans',` gen_require(` - type mozilla_plugin_home_t; -+ type mozilla_home_t; ++ type mozilla_t, mozilla_exec_t; ') - allow $1 mozilla_plugin_home_t:file execmod; -+ allow $1 mozilla_home_t:file execmod; ++ domtrans_pattern($1, mozilla_exec_t, mozilla_t) ') ######################################## -@@ -303,102 +195,107 @@ interface(`mozilla_domtrans',` - type mozilla_t, mozilla_exec_t; + ## +-## Run mozilla in the mozilla domain. ++## Execute a mozilla_exec_t in the specified domain. + ## + ## + ## + ## Domain allowed to transition. + ## + ## ++## ++## ++## The type of the new process. ++## ++## + # +-interface(`mozilla_domtrans',` ++interface(`mozilla_domtrans_spec',` + gen_require(` +- type mozilla_t, mozilla_exec_t; ++ type mozilla_exec_t; ') - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_exec_t, mozilla_t) +- domtrans_pattern($1, mozilla_exec_t, mozilla_t) ++ domtrans_pattern($1, mozilla_exec_t, $2) ') ######################################## @@ -39429,7 +39501,7 @@ index 6194b80..3209b1c 100644 ') ######################################## -@@ -424,8 +321,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +344,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -39439,7 +39511,7 @@ index 6194b80..3209b1c 100644 ## ## ## -@@ -433,76 +329,108 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +352,126 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -39482,6 +39554,24 @@ index 6194b80..3209b1c 100644 - allow $1 mozilla_t:tcp_socket rw_socket_perms; + allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Read/Write mozilla_plugin tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`mozilla_plugin_rw_tmpfs_files',` ++ gen_require(` ++ type mozilla_plugin_tmpfs_t; ++ ') ++ ++ rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) ') ######################################## @@ -39577,7 +39667,7 @@ index 6194b80..3209b1c 100644 ## ## ## -@@ -510,19 +438,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +479,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -39602,7 +39692,7 @@ index 6194b80..3209b1c 100644 ## ## ## -@@ -530,45 +457,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +498,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -45391,7 +45481,7 @@ index a1fb3c3..82f8ae6 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 0e8508c..0b68b86 100644 +index 0e8508c..f8893f8 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -45477,14 +45567,42 @@ index 0e8508c..0b68b86 100644 ## -## Execute networkmanager scripts with -## an automatic domain transition to initrc. -+## Execute NetworkManager scripts with an automatic domain transition to initrc. ++## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc. ## ## ## -@@ -114,8 +116,31 @@ interface(`networkmanager_initrc_domtrans',` - - ######################################## - ## +@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',` + ## + ## + # ++interface(`networkmanager_NetworkManagerrc_domtrans',` ++ gen_require(` ++ type NetworkManager_NetworkManagerrc_exec_t; ++ ') ++ ++ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t) ++') ++ ++####################################### ++## ++## Execute NetworkManager scripts with an automatic domain transition to initrc. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# + interface(`networkmanager_initrc_domtrans',` ++ gen_require(` ++ type NetworkManager_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ++') ++ ++######################################## ++## +## Execute NetworkManager server in the NetworkManager domain. +## +## @@ -45494,27 +45612,29 @@ index 0e8508c..0b68b86 100644 +## +# +interface(`networkmanager_systemctl',` -+ gen_require(` + gen_require(` +- type NetworkManager_initrc_exec_t; + type NetworkManager_unit_file_t; + type NetworkManager_t; -+ ') -+ + ') + +- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) + systemd_exec_systemctl($1) + allow $1 NetworkManager_unit_file_t:file read_file_perms; + allow $1 NetworkManager_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, NetworkManager_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## ## Send and receive messages from -## networkmanager over dbus. +## NetworkManager over dbus. ## ## ## -@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',` +@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',` ######################################## ## @@ -45545,7 +45665,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -153,7 +200,7 @@ interface(`networkmanager_signal',` +@@ -153,7 +218,7 @@ interface(`networkmanager_signal',` ######################################## ## @@ -45554,7 +45674,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',` +@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',` read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ') @@ -45584,7 +45704,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',` +@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',` ## ## # @@ -45609,7 +45729,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -201,23 +266,23 @@ interface(`networkmanager_append_log_files',` +@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',` ## ## # @@ -45638,7 +45758,7 @@ index 0e8508c..0b68b86 100644 ## ## ## -@@ -227,33 +292,112 @@ interface(`networkmanager_read_pid_files',` +@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',` ## ## # @@ -45729,6 +45849,26 @@ index 0e8508c..0b68b86 100644 + stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) +') + ++####################################### ++## ++## Read the process state (/proc/pid) of NetworkManager. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`NetworkManager_read_state',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:dir search_dir_perms; ++ allow $1 NetworkManager_t:file read_file_perms; ++ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; ++') ++ +######################################## +## +## Transition to networkmanager named content @@ -46181,7 +46321,7 @@ index 8aa1bfa..cd0e015 100644 +/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/nis.if b/nis.if -index 46e55c3..346242e 100644 +index 46e55c3..6e4e061 100644 --- a/nis.if +++ b/nis.if @@ -1,4 +1,4 @@ @@ -46190,13 +46330,14 @@ index 46e55c3..346242e 100644 ######################################## ## -@@ -27,18 +27,13 @@ interface(`nis_use_ypbind_uncond',` +@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',` gen_require(` type var_yp_t; ') - - allow $1 self:capability net_bind_service; -- ++ dontaudit $1 self:capability net_bind_service; + allow $1 self:tcp_socket create_stream_socket_perms; allow $1 self:udp_socket create_socket_perms; @@ -46210,7 +46351,7 @@ index 46e55c3..346242e 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -49,14 +44,11 @@ interface(`nis_use_ypbind_uncond',` +@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',` corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) @@ -46226,7 +46367,7 @@ index 46e55c3..346242e 100644 corenet_sendrecv_portmap_client_packets($1) corenet_sendrecv_generic_client_packets($1) corenet_sendrecv_generic_server_packets($1) -@@ -88,14 +80,14 @@ interface(`nis_use_ypbind_uncond',` +@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',` ## # interface(`nis_use_ypbind',` @@ -46243,7 +46384,7 @@ index 46e55c3..346242e 100644 ## ## ## -@@ -105,7 +97,7 @@ interface(`nis_use_ypbind',` +@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',` ## # interface(`nis_authenticate',` @@ -46252,7 +46393,7 @@ index 46e55c3..346242e 100644 nis_use_ypbind_uncond($1) corenet_tcp_bind_all_rpc_ports($1) corenet_udp_bind_all_rpc_ports($1) -@@ -133,20 +125,19 @@ interface(`nis_domtrans_ypbind',` +@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',` ####################################### ## @@ -46280,7 +46421,7 @@ index 46e55c3..346242e 100644 can_exec($1, ypbind_exec_t) ') -@@ -169,11 +160,11 @@ interface(`nis_exec_ypbind',` +@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',` # interface(`nis_run_ypbind',` gen_require(` @@ -46294,7 +46435,7 @@ index 46e55c3..346242e 100644 ') ######################################## -@@ -196,7 +187,7 @@ interface(`nis_signal_ypbind',` +@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',` ######################################## ## @@ -46303,7 +46444,7 @@ index 46e55c3..346242e 100644 ## ## ## -@@ -272,10 +263,11 @@ interface(`nis_read_ypbind_pid',` +@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',` # interface(`nis_delete_ypbind_pid',` gen_require(` @@ -46317,7 +46458,7 @@ index 46e55c3..346242e 100644 ') ######################################## -@@ -355,8 +347,57 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',` ######################################## ## @@ -46377,7 +46518,7 @@ index 46e55c3..346242e 100644 ## ## ## -@@ -372,32 +413,56 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` @@ -56516,7 +56657,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 49694e8..ad46f29 100644 +index 49694e8..a1497cd 100644 --- a/policykit.te +++ b/policykit.te @@ -1,4 +1,4 @@ @@ -56835,14 +56976,14 @@ index 49694e8..ad46f29 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +287,7 @@ optional_policy(` +@@ -266,6 +287,6 @@ optional_policy(` ') optional_policy(` + kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') - +- diff --git a/polipo.fc b/polipo.fc index d35614b..11f77ee 100644 --- a/polipo.fc @@ -66570,7 +66711,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..8c4ba04 100644 +index 3698b51..136b017 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -66592,7 +66733,7 @@ index 3698b51..8c4ba04 100644 allow rabbitmq_beam_t self:process { setsched signal signull }; allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_beam_t self:tcp_socket { accept listen }; -@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) @@ -66613,7 +66754,10 @@ index 3698b51..8c4ba04 100644 can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) -@@ -54,11 +63,14 @@ kernel_read_system_state(rabbitmq_beam_t) + + kernel_read_system_state(rabbitmq_beam_t) ++kernel_read_fs_sysctls(rabbitmq_beam_t) + corecmd_exec_bin(rabbitmq_beam_t) corecmd_exec_shell(rabbitmq_beam_t) @@ -66628,11 +66772,13 @@ index 3698b51..8c4ba04 100644 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) -dev_read_sysfs(rabbitmq_beam_t) ++corenet_tcp_bind_couchdb_port(rabbitmq_beam_t) ++ +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t) +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t) + @@ -66648,20 +66794,24 @@ index 3698b51..8c4ba04 100644 +fs_getattr_all_fs(rabbitmq_beam_t) +fs_getattr_all_dirs(rabbitmq_beam_t) +fs_getattr_cgroup(rabbitmq_beam_t) ++fs_search_cgroup_dirs(rabbitmq_beam_t) + +corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) + +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) ++ ++storage_getattr_fixed_disk_dev(rabbitmq_beam_t) sysnet_dns_name_resolve(rabbitmq_beam_t) +logging_send_syslog_msg(rabbitmq_beam_t) + +optional_policy(` ++ couchdb_manage_lib_files(rabbitmq_beam_t) + couchdb_read_conf_files(rabbitmq_beam_t) + couchdb_read_log_files(rabbitmq_beam_t) -+ couchdb_manage_lib_files(rabbitmq_beam_t) ++ couchdb_search_pid_dirs(rabbitmq_beam_t) +') + +optional_policy(` @@ -66677,7 +66827,7 @@ index 3698b51..8c4ba04 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -67066,7 +67216,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..0bf7d02 100644 +index 2c1730b..8e46216 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -67118,7 +67268,7 @@ index 2c1730b..0bf7d02 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -49,19 +63,26 @@ corecmd_exec_shell(mdadm_t) +@@ -49,19 +63,27 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) @@ -67139,6 +67289,7 @@ index 2c1730b..0bf7d02 100644 -files_dontaudit_getattr_all_files(mdadm_t) +files_dontaudit_getattr_tmpfs_files(mdadm_t) ++fs_getattr_all_fs(mdadm_t) fs_list_auto_mountpoints(mdadm_t) fs_list_hugetlbfs(mdadm_t) fs_rw_cgroup_files(mdadm_t) @@ -67147,7 +67298,7 @@ index 2c1730b..0bf7d02 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +91,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +92,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -67169,7 +67320,7 @@ index 2c1730b..0bf7d02 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +123,17 @@ optional_policy(` +@@ -97,9 +124,17 @@ optional_policy(` ') optional_policy(` @@ -71359,18 +71510,10 @@ index 050479d..0e1b364 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index d34cdec..eeeee9b 100644 +index d34cdec..33f56c0 100644 --- a/rlogin.te +++ b/rlogin.te -@@ -9,6 +9,7 @@ type rlogind_t; - type rlogind_exec_t; - auth_login_pgm_domain(rlogind_t) - inetd_service_domain(rlogind_t, rlogind_exec_t) -+init_daemon_domain(rlogind_t, rlogind_exec_t) - - type rlogind_devpts_t; - term_login_pty(rlogind_devpts_t) -@@ -30,7 +31,9 @@ files_pid_file(rlogind_var_run_t) +@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t) allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; @@ -71381,7 +71524,7 @@ index d34cdec..eeeee9b 100644 allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(rlogind_t, rlogind_devpts_t) -@@ -39,7 +42,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; +@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) @@ -71389,7 +71532,7 @@ index d34cdec..eeeee9b 100644 manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -50,7 +52,6 @@ kernel_read_kernel_sysctls(rlogind_t) +@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t) kernel_read_system_state(rlogind_t) kernel_read_network_state(rlogind_t) @@ -71397,6 +71540,14 @@ index d34cdec..eeeee9b 100644 corenet_all_recvfrom_netlabel(rlogind_t) corenet_tcp_sendrecv_generic_if(rlogind_t) corenet_udp_sendrecv_generic_if(rlogind_t) +@@ -58,6 +58,7 @@ corenet_tcp_sendrecv_generic_node(rlogind_t) + corenet_udp_sendrecv_generic_node(rlogind_t) + corenet_tcp_sendrecv_all_ports(rlogind_t) + corenet_udp_sendrecv_all_ports(rlogind_t) ++corenet_tcp_bind_rlogin_port(rlogind_t) + + dev_read_urand(rlogind_t) + @@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) @@ -74277,7 +74428,7 @@ index f1140ef..ebc2190 100644 + files_etc_filetrans($1, rsync_etc_t, $2, $3) ') diff --git a/rsync.te b/rsync.te -index e3e7c96..0820cb2 100644 +index e3e7c96..ec50426 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -74286,7 +74437,7 @@ index e3e7c96..0820cb2 100644 ######################################## # -@@ -6,67 +6,46 @@ policy_module(rsync, 1.12.2) +@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2) # ## @@ -74362,7 +74513,6 @@ index e3e7c96..0820cb2 100644 -init_daemon_domain(rsync_t, rsync_exec_t) -application_domain(rsync_t, rsync_exec_t) -role rsync_roles types rsync_t; -+init_domain(rsync_t, rsync_exec_t) +application_executable_file(rsync_exec_t) +role system_r types rsync_t; @@ -74374,7 +74524,7 @@ index e3e7c96..0820cb2 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; @@ -74405,7 +74555,7 @@ index e3e7c96..0820cb2 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +97,80 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -77354,10 +77504,10 @@ index 0000000..5da5bff +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..ce3ac47 +index 0000000..23af146 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,481 @@ +@@ -0,0 +1,482 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -77832,10 +77982,11 @@ index 0000000..ce3ac47 +logging_send_syslog_msg(sandbox_net_client_t) + +optional_policy(` ++ mozilla_plugin_rw_tmpfs_files(sandbox_x_domain) + mozilla_dontaudit_rw_user_home_files(sandbox_x_t) + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) -+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) ++ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') +userdom_dontaudit_open_user_ptys(sandbox_x_domain) @@ -81733,10 +81884,25 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index 703efa3..e3580b2 100644 +index 703efa3..f9d6ed6 100644 --- a/sosreport.te +++ b/sosreport.te -@@ -33,6 +33,8 @@ allow sosreport_t self:process { setsched signull }; +@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t) + type sosreport_tmpfs_t; + files_tmpfs_file(sosreport_tmpfs_t) + ++type sosreport_var_run_t; ++files_pid_file(sosreport_var_run_t) ++ + optional_policy(` + pulseaudio_tmpfs_content(sosreport_tmpfs_t) + ') +@@ -29,10 +32,13 @@ optional_policy(` + # + + allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; ++dontaudit sosreport_t self:capability { sys_ptrace }; + allow sosreport_t self:process { setsched signull }; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket { accept listen }; allow sosreport_t self:unix_stream_socket { accept listen }; @@ -81745,16 +81911,37 @@ index 703efa3..e3580b2 100644 manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -@@ -58,6 +60,8 @@ dev_read_rand(sosreport_t) +@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) + files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") + files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) + ++manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file }) ++ + manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) + fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) + +@@ -58,6 +70,9 @@ dev_read_rand(sosreport_t) dev_read_urand(sosreport_t) dev_read_raw_memory(sosreport_t) dev_read_sysfs(sosreport_t) ++dev_rw_generic_usb_dev(sosreport_t) +dev_getattr_all_chr_files(sosreport_t) +dev_getattr_all_blk_files(sosreport_t) domain_getattr_all_domains(sosreport_t) domain_read_all_domains_state(sosreport_t) -@@ -70,7 +74,6 @@ files_list_all(sosreport_t) +@@ -65,12 +80,13 @@ domain_getattr_all_sockets(sosreport_t) + domain_getattr_all_pipes(sosreport_t) + + files_getattr_all_sockets(sosreport_t) ++files_getattr_all_files(sosreport_t) ++files_getattr_all_pipes(sosreport_t) + files_exec_etc_files(sosreport_t) + files_list_all(sosreport_t) files_read_config_files(sosreport_t) files_read_generic_tmp_files(sosreport_t) files_read_non_auth_files(sosreport_t) @@ -81762,7 +81949,7 @@ index 703efa3..e3580b2 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -79,23 +82,31 @@ files_manage_etc_runtime_files(sosreport_t) +@@ -79,27 +95,41 @@ files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) fs_getattr_all_fs(sosreport_t) @@ -81774,6 +81961,7 @@ index 703efa3..e3580b2 100644 +term_getattr_pty_fs(sosreport_t) +term_getattr_all_ptys(sosreport_t) ++term_use_generic_ptys(sosreport_t) + +# some config files do not have configfile attribute +# sosreport needs to read various files on system @@ -81796,18 +81984,16 @@ index 703efa3..e3580b2 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -103,6 +114,10 @@ optional_policy(` - ') - - optional_policy(` -+ brctl_domtrans(sosreport_t) + abrt_manage_cache(sosreport_t) ++ abrt_stream_connect(sosreport_t) +') + +optional_policy(` - cups_stream_connect(sosreport_t) ++ brctl_domtrans(sosreport_t) ') -@@ -111,6 +126,11 @@ optional_policy(` + optional_policy(` +@@ -111,6 +141,11 @@ optional_policy(` ') optional_policy(` @@ -86052,7 +86238,7 @@ index e9c0964..ff77783 100644 xserver_rw_xdm_pipes(telepathy_domain) ') diff --git a/telnet.te b/telnet.te -index 9f89916..5f4c85e 100644 +index 9f89916..1bdef51 100644 --- a/telnet.te +++ b/telnet.te @@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t) @@ -86082,7 +86268,15 @@ index 9f89916..5f4c85e 100644 corenet_all_recvfrom_netlabel(telnetd_t) corenet_tcp_sendrecv_generic_if(telnetd_t) corenet_udp_sendrecv_generic_if(telnetd_t) -@@ -56,7 +59,6 @@ dev_read_urand(telnetd_t) +@@ -49,6 +52,7 @@ corenet_tcp_sendrecv_generic_node(telnetd_t) + corenet_udp_sendrecv_generic_node(telnetd_t) + corenet_tcp_sendrecv_all_ports(telnetd_t) + corenet_udp_sendrecv_all_ports(telnetd_t) ++corenet_tcp_bind_telnetd_port(telnetd_t) + + corecmd_search_bin(telnetd_t) + +@@ -56,7 +60,6 @@ dev_read_urand(telnetd_t) domain_interactive_fd(telnetd_t) @@ -86090,7 +86284,7 @@ index 9f89916..5f4c85e 100644 files_read_etc_runtime_files(telnetd_t) files_search_home(telnetd_t) -@@ -69,12 +71,12 @@ init_rw_utmp(telnetd_t) +@@ -69,12 +72,12 @@ init_rw_utmp(telnetd_t) logging_send_syslog_msg(telnetd_t) @@ -86105,7 +86299,7 @@ index 9f89916..5f4c85e 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) -@@ -86,7 +88,7 @@ tunable_policy(`use_samba_home_dirs',` +@@ -86,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) @@ -86571,7 +86765,7 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index c93c973..b04d201 100644 +index c93c973..4ec1eb0 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) @@ -86583,7 +86777,7 @@ index c93c973..b04d201 100644 allow tgtd_t self:capability2 block_suspend; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; -@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t) +@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) @@ -86591,7 +86785,11 @@ index c93c973..b04d201 100644 corenet_tcp_sendrecv_generic_if(tgtd_t) corenet_tcp_sendrecv_generic_node(tgtd_t) corenet_tcp_bind_generic_node(tgtd_t) -@@ -69,16 +68,16 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t) + + corenet_sendrecv_iscsi_server_packets(tgtd_t) + corenet_tcp_bind_iscsi_port(tgtd_t) ++corenet_tcp_connect_isns_port(tgtd_t) + corenet_tcp_sendrecv_iscsi_port(tgtd_t) dev_read_sysfs(tgtd_t) @@ -91470,7 +91668,7 @@ index 9dec06c..4e31afe 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..2361150 100644 +index 1f22fba..6eecffc 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ @@ -92328,7 +92526,7 @@ index 1f22fba..2361150 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +592,261 @@ optional_policy(` +@@ -737,44 +592,262 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -92349,6 +92547,7 @@ index 1f22fba..2361150 100644 +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; ++allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; -allow virsh_t self:process { getcap getsched setsched setcap signal }; @@ -92613,7 +92812,7 @@ index 1f22fba..2361150 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +857,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -92640,7 +92839,7 @@ index 1f22fba..2361150 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +877,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -92672,7 +92871,7 @@ index 1f22fba..2361150 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +910,20 @@ optional_policy(` +@@ -847,14 +911,20 @@ optional_policy(` ') optional_policy(` @@ -92694,7 +92893,7 @@ index 1f22fba..2361150 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +948,65 @@ optional_policy(` +@@ -879,49 +949,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -92778,7 +92977,7 @@ index 1f22fba..2361150 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1018,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -92798,7 +92997,7 @@ index 1f22fba..2361150 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1039,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -92822,7 +93021,7 @@ index 1f22fba..2361150 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1064,247 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -93200,7 +93399,7 @@ index 1f22fba..2361150 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1317,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -93215,7 +93414,7 @@ index 1f22fba..2361150 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1335,8 @@ optional_policy(` +@@ -1183,9 +1336,8 @@ optional_policy(` ######################################## # @@ -93226,7 +93425,7 @@ index 1f22fba..2361150 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1349,120 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index dd481a5..8e60b16 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.1%{?dist} +Release: 74.2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,45 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Sep 06 2013 Lukas Vrabec 3.12.1-74.2 +- Fix lsm.fc for pid files +- Allow init_t to transition to all inetd domains +- Allow tgtd_t to connect to isns ports +- Lots of new access required for sosreport +- svirt domains neeed to create kobject_uevint_sockets +- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain +- Cleanup related to init_domain()+inetd_domain fixes +- Allow cvs to bind to the cvs_port +- Allow ktalkd to bind to the ktalkd_port +- Allow telnetd to bind to the telnetd_port +- Allow rlogind to bind to the rlogin_port +- Allow apache domain to connect to gssproxy socket +- Dontaudit attempts to bind to ports < 1024 when nis is turned on +- Allow cupsd_lpd_t to bind to the printer port +- Allow a confined domain to executes mozilla_exec_t via dbus +- Allow mdadm to getattr any file system +- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work +- Allow all domains that can read gnome_config to read kde config +- Call the correct interface - corenet_udp_bind_ktalkd_port() +- Fix mozilla_plugin_rw_tmpfs_files() +- Allow systemd running as git_systemd to bind git port +- Allow firewalld to read NM state +- Add interface couchdb_search_pid_dirs +- Add support for couchdb in rabbitmq policy +- Add boolean boinc_execmem +- Add interface netowrkmanager_initrc_domtrans +- Dontaudit leaks into ldconfig_t +- Dontaudit inherited lock files in ifconfig o dhcpc_t +- Move kernel_stream_connect into all Xwindow using users +- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls +- Add interface to read authorization data in the users homedir +- Allow ipsec_t to read .google authenticator data +- Allow staff_t to read login config +- Treat files labeld as usr_t like bin_t when it comes to transitions +- Split out rlogin ports from inetd +- Add interface seutil_dbus_chat_semanage +- Fix selinuxutil.if + * Tue Sep 03 2013 Lukas Vrabec 3.12.1-74.1 - Allow xdm_t to delete gkeyringd_tmp_t files on logout - Fix polipo.te