diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 0c11554..e55c97c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5452,7 +5452,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..e19170b 100644 +index b191055..dab9975 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5712,7 +5712,7 @@ index b191055..e19170b 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -213,68 +267,77 @@ network_port(postgrey, tcp,60000,s0) +@@ -213,68 +267,78 @@ network_port(postgrey, tcp,60000,s0) network_port(pptp, tcp,1723,s0, udp,1723,s0) network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) @@ -5770,6 +5770,7 @@ index b191055..e19170b 100644 network_port(svn, tcp,3690,s0, udp,3690,s0) network_port(svrloc, tcp,427,s0, udp,427,s0) network_port(swat, tcp,901,s0) ++network_port(swift, tcp,6200,s0) network_port(sype_transport, tcp,9911,s0, udp,9911,s0) -network_port(syslogd, udp,514,s0) +network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0) @@ -5801,7 +5802,7 @@ index b191055..e19170b 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +351,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +352,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) 
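Review bot: `network_port(swift, tcp,6200,s0)` declares a single port, so if the packaged Swift account and container servers listen on the neighbouring ports (6201 and 6202 are the usual companions of 6200) those listeners stay classified as unreserved ports and fall outside the new `swift_port_t` label; declaring the range, `network_port(swift, tcp,6200-6202,s0)`, would keep the three storage servers under one label. I cannot see the packaged Swift configuration from this patch, so confirm the actual listen ports before widening it. Note that the swift.te hunk in this same commit still binds `xserver_port_t` under a "bug in swift" comment, which the new port label is presumably meant to replace.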
@@ -5828,7 +5829,7 @@ index b191055..e19170b 100644 ######################################## # -@@ -333,6 +400,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +401,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5837,7 +5838,7 @@ index b191055..e19170b 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +414,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +415,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -14921,10 +14922,17 @@ index 8416beb..75c7b9d 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..089cc7a 100644 +index e7d1738..c0b17f8 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); +@@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); 
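Review bot: `fs_use_xattr f2fs` makes SELinux trust per-inode `security.selinux` xattrs on f2fs, which only works when the kernel's f2fs is built with xattr and security-label support (CONFIG_F2FS_FS_XATTR / CONFIG_F2FS_FS_SECURITY); on a kernel without it SELinux reports the device as having no xattr support and files on it get no per-file labels. That is presumably right for Fedora's kernel, but the assumption is worth recording next to the line: `# f2fs: needs CONFIG_F2FS_FS_SECURITY for security.selinux xattrs`. Volumes written before the label existed may also show unlabeled files until a relabel, which administrators should expect on first boot.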
@@ -14936,7 +14944,7 @@ index e7d1738..089cc7a 100644 # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. -@@ -53,6 +56,7 @@ type anon_inodefs_t; +@@ -53,6 +57,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -14944,7 +14952,7 @@ index e7d1738..089cc7a 100644 type bdev_t; fs_type(bdev_t) -@@ -63,12 +67,18 @@ fs_type(binfmt_misc_fs_t) +@@ -63,12 +68,18 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) @@ -14964,7 +14972,7 @@ index e7d1738..089cc7a 100644 fs_type(cgroup_t) files_mountpoint(cgroup_t) dev_associate_sysfs(cgroup_t) -@@ -88,6 +98,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -88,6 +99,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -14976,7 +14984,7 @@ index e7d1738..089cc7a 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -96,6 +111,7 @@ type hugetlbfs_t; +@@ -96,6 +112,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -14984,7 +14992,7 @@ index e7d1738..089cc7a 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -118,13 +134,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -118,13 +135,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -15000,7 +15008,7 @@ index e7d1738..089cc7a 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,11 +167,6 @@ fs_type(spufs_t) +@@ -150,11 +168,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) 
@@ -15012,7 +15020,7 @@ index e7d1738..089cc7a 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -172,6 +184,8 @@ type vxfs_t; +@@ -172,6 +185,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -15021,7 +15029,7 @@ index e7d1738..089cc7a 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +196,8 @@ fs_type(tmpfs_t) +@@ -182,6 +197,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -15030,7 +15038,7 @@ index e7d1738..089cc7a 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +277,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +278,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -15039,7 +15047,7 @@ index e7d1738..089cc7a 100644 files_mountpoint(removable_t) # -@@ -280,6 +298,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +299,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -18603,7 +18611,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..46aa66e 100644 +index 0fef1fc..45ee29f 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,71 @@ policy_module(staff, 2.4.0) @@ -18829,7 +18837,7 @@ index 0fef1fc..46aa66e 100644 ') optional_policy(` -@@ -52,11 +231,61 @@ optional_policy(` +@@ -52,11 +231,60 @@ optional_policy(` ') optional_policy(` 
@@ -18874,6 +18882,7 @@ index 0fef1fc..46aa66e 100644 ') optional_policy(` +- xserver_role(staff_r, staff_t) + vmtools_run_helper(staff_t, staff_r) +') + @@ -18886,12 +18895,11 @@ index 0fef1fc..46aa66e 100644 +') + +optional_policy(` - xserver_role(staff_r, staff_t) + xserver_read_log(staff_t) ') ifndef(`distro_redhat',` -@@ -65,10 +294,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +293,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18902,7 +18910,7 @@ index 0fef1fc..46aa66e 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +303,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +302,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -18913,7 +18921,7 @@ index 0fef1fc..46aa66e 100644 ') optional_policy(` -@@ -101,10 +322,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +321,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18924,7 +18932,7 @@ index 0fef1fc..46aa66e 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +342,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +341,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18935,7 +18943,7 @@ index 0fef1fc..46aa66e 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +354,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +353,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18946,7 +18954,7 @@ index 0fef1fc..46aa66e 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +385,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +384,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -20645,7 +20653,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..c175ba4 100644 +index 6d77e81..79ee03d 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ 
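Review bot: Dropping `xserver_role(staff_r, staff_t)` removes the `xserver_t` role association for staff_r without leaving any trace in staff.te of why confined staff users can no longer run `startx`/`xinit`; a one-line comment at the replacement site would stop the next maintainer re-adding it, e.g. `# Confined users must not start their own X server (xinit/startx); X access only via xdm.` The substitute `xserver_read_log(staff_t)` is an interface introduced by this same commit's xserver.if hunk, so this line depends on that hunk being applied together with it. The enclosing `optional_policy` blocks are complete in the hunk, but the rest of the staff_t definition is outside it.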
@@ -20761,10 +20769,11 @@ index 6d77e81..c175ba4 100644 ') optional_policy(` -@@ -25,6 +118,18 @@ optional_policy(` +@@ -25,11 +118,19 @@ optional_policy(` ') optional_policy(` +- vlock_run(user_t, user_r) + setroubleshoot_dontaudit_stream_connect(user_t) +') + @@ -20774,13 +20783,15 @@ index 6d77e81..c175ba4 100644 + +optional_policy(` + usbmuxd_stream_connect(user_t) -+') -+ -+optional_policy(` - vlock_run(user_t, user_r) ') -@@ -102,10 +207,6 @@ ifndef(`distro_redhat',` + optional_policy(` +- xserver_role(user_r, user_t) ++ vlock_run(user_t, user_r) + ') + + ifndef(`distro_redhat',` +@@ -102,10 +203,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20791,7 +20802,7 @@ index 6d77e81..c175ba4 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +229,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +225,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -20799,7 +20810,7 @@ index 6d77e81..c175ba4 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +261,19 @@ ifndef(`distro_redhat',` +@@ -161,3 +257,19 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -22959,10 +22970,10 @@ index 8274418..4eee56a 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..2469c27 100644 +index 6bf0ecc..44be5f2 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if -@@ -18,100 +18,37 @@ +@@ -18,100 +18,36 @@ # interface(`xserver_restricted_role',` gen_require(` 
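Review bot: The net effect of this hunk is that `vlock_run(user_t, user_r)` moves into the block that previously held `xserver_role(user_r, user_t)`, so the removal of the X server role is easy to miss when reading the resulting file; a comment at the new `vlock_run` line, `# xserver_role() intentionally removed: user_t may not run xinit/startx`, would make the intent explicit. Also confirm that `user_t` does not regain access to `xserver_t` through the `x_userdomain` attribute rules in xserver.te, which this same commit edits, otherwise the hardening is only partial. The enclosing `optional_policy` blocks are complete in the hunk; the rest of unprivuser.te is not.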
@@ -22970,13 +22981,12 @@ index 6bf0ecc..2469c27 100644 - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - type iceauth_t, iceauth_exec_t, iceauth_home_t; - type xauth_t, xauth_exec_t, xauth_home_t; -+ type xserver_t, xauth_t, iceauth_t; ++ type xauth_t, iceauth_t; + attribute dridomain, x_userdomain; ') - role $1 types { xserver_t xauth_t iceauth_t }; -+ typeattribute $2 x_userdomain, dridomain; - +- role $1 types { xserver_t xauth_t iceauth_t }; +- - # Xserver read/write client shm - allow xserver_t $2:fd use; - allow xserver_t $2:shm rw_shm_perms; @@ -23044,30 +23054,31 @@ index 6bf0ecc..2469c27 100644 - dev_rw_usbfs($2) - - miscfiles_read_fonts($2) -+ xserver_common_x_domain_template(user,$2) -+ xserver_stream_connect_xdm($2) -+ xserver_xdm_append_log($2) ++ role $1 types { xauth_t iceauth_t }; ++ typeattribute $2 x_userdomain, dridomain; - xserver_common_x_domain_template(user, $2) - xserver_domtrans($2) - xserver_unconfined($2) - xserver_xsession_entry_type($2) - xserver_dontaudit_write_log($2) -- xserver_stream_connect_xdm($2) ++ xserver_common_x_domain_template(user,$2) + xserver_stream_connect_xdm($2) - # certain apps want to read xdm.pid file - xserver_read_xdm_pid($2) - # gnome-session creates socket under /tmp/.ICE-unix/ - xserver_create_xdm_tmp_sockets($2) - # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($2) -+ modutils_run_insmod(xserver_t, $1) -+ xserver_dri_domain($2) -+') ++ xserver_xdm_append_log($2) - # Client write xserver shm - tunable_policy(`allow_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; ++ xserver_dri_domain($2) ++') ++ +######################################## +## +## Domain wants to use direct io devices 
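Review bot: `xserver_restricted_role` no longer lists `xserver_t` in `role $1 types` and drops `modutils_run_insmod(xserver_t, $1)`, a genuine privilege reduction (a user role could previously drive kernel module loading through the X server domain), but the interface's summary comment sits above the hunk and presumably still describes the role as able to run the X server; it should say `## The role is not associated with xserver_t; use xserver_role() if the user must start the X server.` The `gen_require` now omits `type xserver_t`, which is consistent with the new body, but `xserver_role` in the following hunk still references `xserver_t` and `xserver_tmpfs_t` and must keep its own `gen_require` for them. Whether `xserver_role` still delegates to this interface is not visible here, so check that callers of it are not relying on the removed lines.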
@@ -23087,7 +23098,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -143,13 +80,15 @@ interface(`xserver_role',` +@@ -143,13 +79,15 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; @@ -23105,7 +23116,7 @@ index 6bf0ecc..2469c27 100644 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) -@@ -162,7 +101,6 @@ interface(`xserver_role',` +@@ -162,7 +100,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -23113,7 +23124,7 @@ index 6bf0ecc..2469c27 100644 ') ####################################### -@@ -197,7 +135,7 @@ interface(`xserver_ro_session',` +@@ -197,7 +134,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -23122,7 +23133,7 @@ index 6bf0ecc..2469c27 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -227,7 +165,7 @@ interface(`xserver_rw_session',` +@@ -227,7 +164,7 @@ interface(`xserver_rw_session',` type xserver_t, xserver_tmpfs_t; ') @@ -23131,7 +23142,7 @@ index 6bf0ecc..2469c27 100644 allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -255,7 +193,7 @@ interface(`xserver_non_drawing_client',` +@@ -255,7 +192,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; @@ -23140,7 +23151,7 @@ index 6bf0ecc..2469c27 100644 allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; -@@ -282,7 +220,7 @@ interface(`xserver_non_drawing_client',` +@@ -282,7 +219,7 @@ interface(`xserver_non_drawing_client',` interface(`xserver_user_client',` refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` 
@@ -23149,7 +23160,7 @@ index 6bf0ecc..2469c27 100644 type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') -@@ -291,14 +229,14 @@ interface(`xserver_user_client',` +@@ -291,14 +228,14 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -23169,7 +23180,7 @@ index 6bf0ecc..2469c27 100644 dontaudit $1 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -316,7 +254,7 @@ interface(`xserver_user_client',` +@@ -316,7 +253,7 @@ interface(`xserver_user_client',` xserver_read_xdm_tmp_files($1) # Client write xserver shm @@ -23178,7 +23189,7 @@ index 6bf0ecc..2469c27 100644 allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -342,19 +280,23 @@ interface(`xserver_user_client',` +@@ -342,19 +279,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` @@ -23205,7 +23216,7 @@ index 6bf0ecc..2469c27 100644 ') ############################## -@@ -383,9 +325,18 @@ template(`xserver_common_x_domain_template',` +@@ -383,9 +324,18 @@ template(`xserver_common_x_domain_template',` allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; # can receive default events allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; @@ -23225,7 +23236,7 @@ index 6bf0ecc..2469c27 100644 ') ####################################### -@@ -444,8 +395,9 @@ template(`xserver_object_types_template',` +@@ -444,8 +394,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` @@ -23237,7 +23248,7 @@ index 6bf0ecc..2469c27 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +408,13 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +407,13 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; 
@@ -23254,7 +23265,7 @@ index 6bf0ecc..2469c27 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +426,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +425,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -23285,7 +23296,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -517,6 +477,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +476,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -23293,7 +23304,7 @@ index 6bf0ecc..2469c27 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -547,6 +508,42 @@ interface(`xserver_domtrans_xauth',` +@@ -547,6 +507,42 @@ interface(`xserver_domtrans_xauth',` domtrans_pattern($1, xauth_exec_t, xauth_t) ') @@ -23336,7 +23347,7 @@ index 6bf0ecc..2469c27 100644 ######################################## ## ## Create a Xauthority file in the user home directory. -@@ -567,6 +564,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',` +@@ -567,6 +563,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',` ######################################## ## @@ -23361,7 +23372,7 @@ index 6bf0ecc..2469c27 100644 ## Read all users fonts, user font configurations, ## and manage all users font caches. ## -@@ -598,6 +613,25 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +612,25 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -23387,7 +23398,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -615,7 +649,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +648,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') 
@@ -23396,7 +23407,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -638,6 +672,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +671,25 @@ interface(`xserver_rw_console',` ######################################## ## @@ -23422,7 +23433,7 @@ index 6bf0ecc..2469c27 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +704,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +703,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -23431,7 +23442,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -670,7 +723,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +722,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -23440,7 +23451,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -688,7 +741,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +740,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -23449,7 +23460,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -703,12 +756,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +755,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -23463,7 +23474,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -765,11 +817,92 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,11 +816,92 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -23558,7 +23569,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -793,6 +926,21 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +925,21 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## 
@@ -23580,7 +23591,7 @@ index 6bf0ecc..2469c27 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -802,11 +950,23 @@ interface(`xserver_read_xdm_rw_config',` +@@ -802,11 +949,23 @@ interface(`xserver_read_xdm_rw_config',` ## # interface(`xserver_setattr_xdm_tmp_dirs',` @@ -23608,7 +23619,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -821,13 +981,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -821,13 +980,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',` ## # interface(`xserver_create_xdm_tmp_sockets',` @@ -23624,7 +23635,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -846,7 +1001,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1000,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -23652,7 +23663,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -864,7 +1038,26 @@ interface(`xserver_read_xdm_lib_files',` +@@ -864,7 +1037,26 @@ interface(`xserver_read_xdm_lib_files',` type xdm_var_lib_t; ') @@ -23680,7 +23691,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -938,26 +1131,45 @@ interface(`xserver_getattr_log',` +@@ -938,17 +1130,36 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -23698,13 +23709,11 @@ index 6bf0ecc..2469c27 100644 ## -## -## Domain to not audit. --## +## +## Domain allowed access. +## - ## - # --interface(`xserver_dontaudit_write_log',` ++## ++# +interface(`xserver_read_log',` + gen_require(` + type xserver_log_t; @@ -23722,11 +23731,10 @@ index 6bf0ecc..2469c27 100644 +## +## +## Domain to not audit. -+## -+## -+# -+interface(`xserver_dontaudit_write_log',` - gen_require(` + ## + ## + # +@@ -957,7 +1168,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') 
@@ -23735,7 +23743,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -1004,7 +1216,7 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,7 +1215,7 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -23744,7 +23752,7 @@ index 6bf0ecc..2469c27 100644 ## ## ## -@@ -1012,51 +1224,117 @@ interface(`xserver_read_xkb_libs',` +@@ -1012,51 +1223,117 @@ interface(`xserver_read_xkb_libs',` ## ## # @@ -23878,7 +23886,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -1070,11 +1348,38 @@ interface(`xserver_rw_xdm_tmp_files',` +@@ -1070,11 +1347,38 @@ interface(`xserver_rw_xdm_tmp_files',` ## # interface(`xserver_manage_xdm_tmp_files',` @@ -23921,7 +23929,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -1089,11 +1394,8 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1089,11 +1393,8 @@ interface(`xserver_manage_xdm_tmp_files',` ## # interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` @@ -23935,7 +23943,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -1111,8 +1413,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1412,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -23947,7 +23955,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -1210,6 +1514,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1210,6 +1513,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -23973,7 +23981,7 @@ index 6bf0ecc..2469c27 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1549,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1548,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) 
@@ -24000,7 +24008,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -1251,7 +1594,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1593,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -24009,7 +24017,7 @@ index 6bf0ecc..2469c27 100644 ## ## ## -@@ -1261,13 +1604,27 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1603,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -24038,7 +24046,7 @@ index 6bf0ecc..2469c27 100644 ') ######################################## -@@ -1284,10 +1641,657 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1640,657 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -24699,7 +24707,7 @@ index 6bf0ecc..2469c27 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..e3f28af 100644 +index 8b40377..0777a7f 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -26141,9 +26149,9 @@ index 8b40377..e3f28af 100644 +miscfiles_read_hwdata(x_userdomain) + +#xserver_common_x_domain_template(user, x_userdomain) -+xserver_domtrans(x_userdomain) ++#xserver_domtrans(x_userdomain) +#xserver_unconfined(x_userdomain) -+xserver_xsession_entry_type(x_userdomain) ++#xserver_xsession_entry_type(x_userdomain) +xserver_dontaudit_write_log(x_userdomain) +#xserver_stream_connect_xdm(x_userdomain) +# certain apps want to read xdm.pid file @@ -37748,7 +37756,7 @@ index 1447687..d5e6fb9 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 40edc18..a072ac2 100644 +index 40edc18..b39e137 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc 
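Review bot: Commenting out `xserver_domtrans(x_userdomain)` removes the automatic transition into `xserver_t`, but it does not by itself remove any plain execute permission x_userdomain may still hold on `xserver_exec_t` through other interfaces; if such access remains, running the (typically setuid-root) X server binary keeps it in the user's own domain instead of being denied, which is a worse outcome than the transition was. Verify on the built policy with `sesearch -A -s user_t -t xserver_exec_t -c file -p execute` and, if execute is still allowed, add an explicit denial rather than relying on the missing transition. If these lines are meant to stay as a record, a reason is more useful than bare `#` prefixes, e.g. `# no domtrans to xserver_t: confined users may not start X (xinit); the server is started by xdm_t`.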
@@ -17,22 +17,24 @@ ifdef(`distro_debian',` @@ -37780,7 +37788,7 @@ index 40edc18..a072ac2 100644 ') # -@@ -55,6 +57,20 @@ ifdef(`distro_redhat',` +@@ -55,6 +57,21 @@ ifdef(`distro_redhat',` # # /usr # @@ -37792,6 +37800,7 @@ index 40edc18..a072ac2 100644 +/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) @@ -37801,7 +37810,7 @@ index 40edc18..a072ac2 100644 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # -@@ -77,3 +93,6 @@ ifdef(`distro_debian',` +@@ -77,3 +94,6 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d8f8723..78d8b8e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -29868,10 +29868,10 @@ index 4e95c7e..0000000 - -miscfiles_read_localization(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index e39de43..6a6db28 100644 +index e39de43..5edcb83 100644 --- a/gnome.fc +++ b/gnome.fc -@@ -1,15 +1,61 @@ +@@ -1,15 +1,60 @@ -HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) 
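Review bot: Labeling `/usr/sbin/iw` as `ifconfig_exec_t` hands every domain that can transition to `ifconfig_t` (which carries `net_admin`) a wireless configuration tool it did not have before; that is consistent with `ethtool` and `ip` on the adjacent lines, but it is a capability change for those callers and deserves a short comment, e.g. `# iw: wireless counterpart of ip/ethtool, runs in ifconfig_t`. The new context only takes effect after `restorecon /usr/sbin/iw` or a package relabel, so a test should check `ls -Z /usr/sbin/iw` rather than assume it. Fedora is usrmove-based so no separate `/sbin/iw` entry is needed here, but a split-`/sbin` consumer of this policy would need one.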
@@ -29889,7 +29889,6 @@ index e39de43..6a6db28 100644 +HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) -+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) @@ -37198,7 +37197,7 @@ index 0000000..0d61849 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..2c08717 +index 0000000..879ab65 --- /dev/null +++ b/keepalived.te @@ -0,0 +1,55 @@ @@ -37237,16 +37236,16 @@ index 0000000..2c08717 +kernel_read_system_state(keepalived_t) +kernel_read_network_state(keepalived_t) + ++auth_use_nsswitch(keepalived_t) ++ +corecmd_exec_bin(keepalived_t) +corecmd_exec_shell(keepalived_t) + -+corenet_tcp_connect_snmp_port(keepalived_t) -+ -+auth_use_nsswitch(keepalived_t) -+ +corenet_tcp_connect_connlcli_port(keepalived_t) +corenet_tcp_connect_http_port(keepalived_t) +corenet_tcp_connect_smtp_port(keepalived_t) ++corenet_tcp_connect_snmp_port(keepalived_t) ++corenet_tcp_connect_agentx_port(keepalived_t) + +dev_read_urand(keepalived_t) + @@ -73994,7 +73993,7 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..e815665 100644 +index 8644d8b..ddc4c31 100644 --- a/quantum.te +++ b/quantum.te @@ -5,92 +5,146 @@ policy_module(quantum, 1.1.0) 
@@ -74049,7 +74048,7 @@ index 8644d8b..e815665 100644 +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; -+allow neutron_t self:unix_stream_socket { accept listen }; ++allow neutron_t self:unix_stream_socket { accept listen connectto }; +allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; +allow neutron_t self:rawip_socket create_socket_perms; +allow neutron_t self:packet_socket create_socket_perms; @@ -94752,10 +94751,10 @@ index 0000000..6a1f575 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..d3fe02a +index 0000000..3d21c49 --- /dev/null +++ b/swift.te -@@ -0,0 +1,119 @@ +@@ -0,0 +1,126 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -94842,9 +94841,12 @@ index 0000000..d3fe02a + +# bug in swift +corenet_tcp_bind_xserver_port(swift_t) ++ ++corenet_tcp_bind_swift_port(swift_t) +corenet_tcp_bind_http_cache_port(swift_t) + +corenet_tcp_connect_xserver_port(swift_t) ++corenet_tcp_connect_swift_port(swift_t) + +corecmd_exec_shell(swift_t) +corecmd_exec_bin(swift_t) @@ -94872,6 +94874,10 @@ index 0000000..d3fe02a +') + +optional_policy(` ++ apache_search_config(swift_t) ++') ++ ++optional_policy(` + rpm_exec(swift_t) + rpm_dontaudit_manage_db(swift_t) +') @@ -95242,14 +95248,14 @@ index b26d44a..5ab05dc 100644 - -miscfiles_read_localization(tcsd_t) diff --git a/telepathy.fc b/telepathy.fc -index 6c7f8f8..107300a 100644 +index 6c7f8f8..03fc880 100644 --- a/telepathy.fc 
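Review bot: With `swift_port_t` now available, the retained `corenet_tcp_bind_xserver_port(swift_t)` under the `# bug in swift` comment still lets swift_t bind anywhere in the X11 display range (tcp 6000-6020), so a compromised Swift worker could squat an X display port; if the packaged configuration has moved to 6200 this bind should go in the same change, or the comment should name the Swift version that still needs it so it can be removed later. `apache_search_config(swift_t)` is search-only and fine, but a comment on what Swift looks for under the httpd config directory (presumably a wsgi vhost) would help judge whether a wider `apache_read_config` is the real need. The added `corenet_tcp_connect_swift_port(swift_t)` alongside the bind is consistent with proxy and storage nodes talking to each other; the rest of swift.te lies outside this hunk.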
+++ b/telepathy.fc -@@ -1,35 +1,24 @@ +@@ -1,35 +1,23 @@ -HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) - HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) +-HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) -HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) -HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) @@ -101923,7 +101929,7 @@ index facdee8..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..f74be5f 100644 +index f03dcf5..d3fb1c1 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,212 @@ @@ -103387,7 +103393,7 @@ index f03dcf5..f74be5f 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1133,303 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1133,307 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -103500,6 +103506,7 @@ index f03dcf5..f74be5f 100644 +fs_list_inotifyfs(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) +fs_read_fusefs_files(svirt_sandbox_domain) ++fs_read_hugetlbfs_files(svirt_sandbox_domain) + +auth_dontaudit_read_passwd(svirt_sandbox_domain) +auth_dontaudit_read_login_records(svirt_sandbox_domain) 
@@ -103646,13 +103653,15 @@ index f03dcf5..f74be5f 100644 +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_sandbox_domain) + fs_manage_nfs_files(svirt_sandbox_domain) -+ fs_read_nfs_symlinks(svirt_sandbox_domain) ++ fs_manage_nfs_named_sockets(svirt_sandbox_domain) ++ fs_manage_nfs_symlinks(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_dirs(svirt_sandbox_domain) -+ fs_read_cifs_symlinks(svirt_sandbox_domain) ++ fs_manage_cifs_named_sockets(svirt_sandbox_domain) ++ fs_manage_cifs_symlinks(svirt_sandbox_domain) ') ######################################## @@ -103711,6 +103720,7 @@ index f03dcf5..f74be5f 100644 -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) +kernel_read_irq_sysctls(svirt_lxc_net_t) ++kernel_read_messages(svirt_lxc_net_t) +dev_read_sysfs(svirt_lxc_net_t) dev_getattr_mtrr_dev(svirt_lxc_net_t) @@ -103828,7 +103838,7 @@ index f03dcf5..f74be5f 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1442,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1446,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -103843,7 +103853,7 @@ index f03dcf5..f74be5f 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1460,8 @@ optional_policy(` +@@ -1192,9 +1464,8 @@ optional_policy(` ######################################## # @@ -103854,7 +103864,7 @@ index f03dcf5..f74be5f 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1474,216 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1478,216 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
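Review bot: `kernel_read_messages(svirt_lxc_net_t)` in refpolicy grants `kernel_t:system syslog_read`, i.e. reading the host kernel ring buffer (`dmesg`) from inside every docker/lxc sandbox running as svirt_lxc_net_t, which leaks host hardware, driver and address information across the container boundary and is more than a sandbox should need. If this was added to silence a denial from a container running `dmesg`, a dontaudit of the same permission is the safer fix, e.g. `dontaudit svirt_lxc_net_t kernel_t:system syslog_read;` (or the corresponding kernel.if dontaudit interface if one exists), and the host's `kernel.dmesg_restrict` sysctl should not be the only control relied on. If a real workload needs it, a comment naming that use case next to the line would justify keeping it. The svirt_lxc_net_t rule set continues outside this hunk.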
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5181b44..86a801c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 61%{?dist}
+Release: 62%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -600,6 +600,18 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Wed Jun 25 2014 Miroslav Grepl 3.13.1-62
+- Allow swift to use tcp/6200 swift port
+- ALlow swift to search apache configs
+- Remove duplicate .fc entry for Grilo plugin bookmarks
+- Remove duplicate .fc entry for telepathy-gabble
+- Additional allow rules for docker sandbox processes
+- Allow keepalived connect to agentx port
+- Allow neutron-ns-metadata to connectto own unix stream socket
+- Add support for tcp/6200 port
+- Remove ability for confined users to run xinit
+- New tool for managing wireless /usr/sbin/iw
+
 * Fri Jun 20 2014 Miroslav Grepl 3.13.1-61
 - Add back MLS policy