diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 3e34ed5..e982721 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -15743,10 +15743,18 @@ index 522ab32..cb9c3a2 100644 ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc -index 54f1827..cc2de1a 100644 +index 54f1827..39faa3f 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc -@@ -23,12 +23,15 @@ +@@ -7,6 +7,7 @@ + /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) + /dev/[shmxv]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) ++/dev/bcache[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) + /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) +@@ -23,12 +24,15 @@ /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) /dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0) /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -15763,7 +15771,7 @@ index 54f1827..cc2de1a 100644 /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -51,7 +54,8 @@ ifdef(`distro_redhat', ` +@@ -51,7 +55,8 @@ ifdef(`distro_redhat', ` /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) 
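Review bot: The new `/dev/bcache[0-9]+` entry matches only whole bcache devices, so if a bcache device is partitioned (the kernel names those nodes `/dev/bcache0p1`), the partition nodes fall through to the generic device label instead of `fixed_disk_device_t` at `mls_systemhigh`, and raw-disk access to them is not covered by the fixed-disk rules. The neighbouring entries use an open-ended suffix (`/dev/[shmxv]d[^/]*`, `/dev/vd[^/]*`), so `/dev/bcache[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)` would cover both forms and keep the file's style. Whether partitioned bcache devices occur on the target systems is not visible here, but the wider pattern is harmless if they do not.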
@@ -15773,7 +15781,7 @@ index 54f1827..cc2de1a 100644 /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -81,3 +85,6 @@ ifdef(`distro_redhat', ` +@@ -81,3 +86,6 @@ ifdef(`distro_redhat', ` /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) @@ -29446,15 +29454,16 @@ index dd3be8d..0996734 100644 + ') + ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..a199ffd 100644 +index 662e79b..32fad12 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc -@@ -1,14 +1,22 @@ +@@ -1,14 +1,23 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) +/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) + +/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) @@ -29473,7 +29482,7 @@ index 662e79b..a199ffd 100644 /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,16 +34,23 @@ +@@ -26,16 +35,23 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -29687,7 +29696,7 @@ index 0d4c8d3..e6ffda3 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') 
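Review bot: `/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)` leaves the dot unescaped, so it matches any regular file in that directory whose name starts with `ipsec` (an `ipsec-something.service` from another package would qualify), not just `ipsec.service`; the other paths in this file escape their dots (`/etc/ipsec\.secrets`). Any unit picked up by accident becomes manageable by every caller of `ipsec_mgmt_systemctl`. `/usr/lib/systemd/system/ipsec\.service -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)` pins it; the pre-existing `strongswan.*` line has the same looseness but is outside this change.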
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..ceb7f99 100644 +index 9e54bf9..1de81e9 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -29882,14 +29891,18 @@ index 9e54bf9..ceb7f99 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +326,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -288,17 +324,22 @@ init_exec_script_files(ipsec_mgmt_t) + init_use_fds(ipsec_mgmt_t) + init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) - logging_send_syslog_msg(ipsec_mgmt_t) +-logging_send_syslog_msg(ipsec_mgmt_t) ++ipsec_mgmt_systemctl(ipsec_mgmt_t) -miscfiles_read_localization(ipsec_mgmt_t) - -seutil_dontaudit_search_config(ipsec_mgmt_t) -- ++logging_send_syslog_msg(ipsec_mgmt_t) + sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) @@ -29906,7 +29919,7 @@ index 9e54bf9..ceb7f99 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +361,10 @@ optional_policy(` +@@ -322,6 +363,10 @@ optional_policy(` ') optional_policy(` @@ -29917,7 +29930,7 @@ index 9e54bf9..ceb7f99 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +378,7 @@ optional_policy(` +@@ -335,7 +380,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -29926,7 +29939,7 @@ index 9e54bf9..ceb7f99 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +413,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +415,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) 
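Review bot: `ipsec_mgmt_systemctl(ipsec_mgmt_t)` lets the management scripts drive their own unit through systemd, which deserves a why-comment because a domain managing its own service is not the usual refpolicy shape; the interface body is not in this hunk, so whatever it grants beyond the unit file (systemctl execution and init status/reload access are the common contents) cannot be confirmed from here. I would add `# ipsec/strongswan helper scripts invoke systemctl on ipsec.service` directly above the call. The rest of the hunk only moves `logging_send_syslog_msg(ipsec_mgmt_t)` below it, and the ipsec_mgmt_t block it sits in starts outside the hunk.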
@@ -29946,7 +29959,7 @@ index 9e54bf9..ceb7f99 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +443,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +445,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -29959,7 +29972,7 @@ index 9e54bf9..ceb7f99 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +480,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +482,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index ab6be86..b63cc7f 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -68,7 +68,7 @@ index e4f84de..2ed712d 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..702b716 100644 +index 058d908..ff0f9c2 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,26 @@ @@ -99,16 +99,34 @@ index 058d908..702b716 100644 ###################################### ## -@@ -40,7 +62,7 @@ interface(`abrt_exec',` +@@ -40,7 +62,25 @@ interface(`abrt_exec',` ######################################## ## -## Send null signals to abrt. ++## Send a signal to abrt. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_signal',` ++ gen_require(` ++ type abrt_t; ++ ') ++ ++ allow $1 abrt_t:process signal; ++') ++ ++######################################## ++## +## Send a null signal to abrt. ## ## ## -@@ -58,7 +80,7 @@ interface(`abrt_signull',` +@@ -58,7 +98,7 @@ interface(`abrt_signull',` ######################################## ## @@ -117,7 +135,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -71,12 +93,13 @@ interface(`abrt_read_state',` +@@ -71,12 +111,13 @@ interface(`abrt_read_state',` type abrt_t; ') 
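Review bot: The new `abrt_signal` interface's summary `## Send a signal to abrt.` understates what `allow $1 abrt_t:process signal;` grants: in SELinux the `signal` permission covers every signal except SIGKILL, SIGSTOP, SIGCHLD and the null signal, so a caller can SIGTERM or SIGHUP abrtd, not merely poke it. There is no finer-grained permission to use, so the fix is documentation: `## Send generic signals (any except kill, stop, chld and null) to abrt.`, so a caller such as sosreport sees it is being handed the ability to stop the daemon. The sibling `abrt_signull` directly below already carries the narrower `## Send a null signal to abrt.`, which makes the contrast worth spelling out.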
@@ -132,7 +150,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',` +@@ -116,8 +157,7 @@ interface(`abrt_dbus_chat',` ##################################### ## @@ -142,7 +160,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',` +@@ -130,15 +170,13 @@ interface(`abrt_domtrans_helper',` type abrt_helper_t, abrt_helper_exec_t; ') @@ -160,7 +178,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',` +@@ -154,17 +192,54 @@ interface(`abrt_domtrans_helper',` # interface(`abrt_run_helper',` gen_require(` 
@@ -190,60 +208,60 @@ index 058d908..702b716 100644 + + read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ++') ++ ++######################################## ++## ++## Append abrt cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_append_cache',` ++ gen_require(` ++ type abrt_var_cache_t; ++ ') ++ ++ ++ allow $1 abrt_var_cache_t:file append_inherited_file_perms; ') ######################################## ## -## Create, read, write, and delete -## abrt cache files. -+## Append abrt cache ++## Read/Write inherited abrt cache ## ## ## -@@ -172,15 +210,37 @@ interface(`abrt_run_helper',` +@@ -172,15 +247,18 @@ interface(`abrt_run_helper',` ## ## # -interface(`abrt_cache_manage',` - refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.') - abrt_manage_cache($1) -+interface(`abrt_append_cache',` ++interface(`abrt_rw_inherited_cache',` + gen_require(` + type abrt_var_cache_t; + ') + + -+ allow $1 abrt_var_cache_t:file append_inherited_file_perms; ++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms; ') ######################################## ## -## Create, read, write, and delete -## abrt cache content. -+## Read/Write inherited abrt cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`abrt_rw_inherited_cache',` -+ gen_require(` -+ type abrt_var_cache_t; -+ ') -+ -+ -+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## +## Manage abrt cache ## ## ## -@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',` +@@ -193,7 +271,6 @@ interface(`abrt_manage_cache',` type abrt_var_cache_t; ') 
@@ -251,7 +269,7 @@ index 058d908..702b716 100644 manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) -@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',` +@@ -201,7 +278,7 @@ interface(`abrt_manage_cache',` #################################### ## @@ -260,7 +278,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -220,7 +279,7 @@ interface(`abrt_read_config',` +@@ -220,7 +297,7 @@ interface(`abrt_read_config',` ###################################### ## @@ -269,7 +287,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',` +@@ -258,8 +335,7 @@ interface(`abrt_read_pid_files',` ###################################### ## @@ -279,7 +297,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',` +@@ -276,10 +352,51 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -333,7 +351,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',` +@@ -288,39 +405,172 @@ interface(`abrt_manage_pid_files',` ## ## ## @@ -453,7 +471,7 @@ index 058d908..702b716 100644 + list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) -+') + ') + + +##################################### @@ -474,7 +492,7 @@ index 058d908..702b716 100644 + list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) - ') ++') + +######################################## +## @@ -2356,7 +2374,7 @@ index 6f1384c..9f23456 100644 rpm_domtrans(anaconda_t) 
diff --git a/antivirus.fc b/antivirus.fc new file mode 100644 -index 0000000..e44bff0 +index 0000000..9d5214b --- /dev/null +++ b/antivirus.fc @@ -0,0 +1,43 @@ @@ -2381,10 +2399,10 @@ index 0000000..e44bff0 + +/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) + -+ +/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) +/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) +/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) ++/var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) +/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0) +/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) +/var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) @@ -3012,10 +3030,10 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..117a400 100644 +index 550a69e..a7b579a 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,161 +1,204 @@ +@@ -1,161 +1,205 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3126,6 +3144,7 @@ index 550a69e..117a400 100644 - -ifdef(`distro_suse',` -/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -36716,7 +36735,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..b88bbf3 100644 +index 7bab8e5..efdfd9d 100644 --- a/logrotate.te 
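Review bot: `/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0)` runs the cache janitor in the full httpd_t domain, with the web server's network, content and script-execution rights, while htcacheclean presumably only needs to list and delete entries under the httpd cache directory. If a dedicated domain is out of scope for this change, at least record the trade-off next to the entry: `# htcacheclean only needs the httpd cache; shares httpd_t for now`. Whether it is started as a unit (and so reaches httpd_t via the init transition) is not visible here.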
+++ b/logrotate.te @@ -1,20 +1,18 @@ @@ -36920,7 +36939,18 @@ index 7bab8e5..b88bbf3 100644 ') optional_policy(` -@@ -178,7 +198,7 @@ optional_policy(` +@@ -170,6 +190,10 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_system_bus_client(logrotate_t) ++') ++ ++optional_policy(` + fail2ban_stream_connect(logrotate_t) + ') + +@@ -178,7 +202,7 @@ optional_policy(` ') optional_policy(` @@ -36929,7 +36959,7 @@ index 7bab8e5..b88bbf3 100644 ') optional_policy(` -@@ -198,21 +218,26 @@ optional_policy(` +@@ -198,21 +222,26 @@ optional_policy(` ') optional_policy(` @@ -36943,24 +36973,24 @@ index 7bab8e5..b88bbf3 100644 - openvswitch_read_pid_files(logrotate_t) - openvswitch_domtrans(logrotate_t) + polipo_named_filetrans_log_files(logrotate_t) -+') -+ -+optional_policy(` -+ psad_domtrans(logrotate_t) ') optional_policy(` - polipo_log_filetrans_log(logrotate_t, file, "polipo") -+ rabbitmq_domtrans_beam(logrotate_t) ++ psad_domtrans(logrotate_t) ') optional_policy(` - psad_domtrans(logrotate_t) ++ rabbitmq_domtrans_beam(logrotate_t) ++') ++ ++optional_policy(` + raid_domtrans_mdadm(logrotate_t) ') optional_policy(` -@@ -228,10 +253,20 @@ optional_policy(` +@@ -228,10 +257,20 @@ optional_policy(` ') optional_policy(` @@ -36981,7 +37011,7 @@ index 7bab8e5..b88bbf3 100644 su_exec(logrotate_t) ') -@@ -241,13 +276,11 @@ optional_policy(` +@@ -241,13 +280,11 @@ optional_policy(` ####################################### # @@ -37561,10 +37591,10 @@ index 0000000..da30c5d +') diff --git a/lsm.te b/lsm.te new file mode 100644 -index 0000000..9e92442 +index 0000000..a174f4b --- /dev/null +++ b/lsm.te -@@ -0,0 +1,63 @@ +@@ -0,0 +1,65 @@ +policy_module(lsm, 1.0.0) + +######################################## @@ -37627,6 +37657,8 @@ index 0000000..9e92442 + +corecmd_exec_bin(lsmd_plugin_t) + ++logging_send_syslog_msg(lsmd_plugin_t) ++ +sysnet_read_config(lsmd_plugin_t) diff --git a/mailman.fc b/mailman.fc index 7fa381b..bbe6b01 100644 
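Review bot: `dbus_system_bus_client(logrotate_t)` only lets logrotate connect to the system bus; the changelog says this is for `runuser` under logrotate_t, but whichever bus service runuser then talks to (logind via PAM session setup is the usual peer) still needs a matching `*_dbus_chat` rule, so the denial may simply move from the socket to the method call. I would pair it in the same optional block with the peer's chat interface, for example `systemd_dbus_chat_logind(logrotate_t)` if logind turns out to be the peer, and add `# runuser in logrotate scripts opens a PAM session over the bus` so the reason survives. This is inferred from the changelog wording rather than from visible denials.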
@@ -47864,7 +47896,7 @@ index 0e8508c..ee2e3de 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..b5c140b 100644 +index 0b48a30..e61d367 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -47920,7 +47952,7 @@ index 0b48a30..b5c140b 100644 -allow NetworkManager_t self:unix_dgram_socket sendto; -allow NetworkManager_t self:unix_stream_socket { accept listen }; +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; -+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; ++allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto }; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; +allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_socket create_socket_perms; @@ -56010,7 +56042,7 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..87bda41 100644 +index dfd46e4..6b5b74b 100644 --- a/pegasus.fc +++ b/pegasus.fc @@ -1,15 +1,25 @@ @@ -56042,7 +56074,7 @@ index dfd46e4..87bda41 100644 +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + + 
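Review bot: `allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };` drops the space before the permission set; every other allow rule in this file is written `class { perms }`, so `allow NetworkManager_t self:unix_stream_socket { create_stream_socket_perms connectto };` keeps the style consistent. The added `connectto` on self only permits connecting to stream sockets labeled with NetworkManager's own domain, which is harmless, but a one-line comment naming which socket it connects to would help the next reader.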
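Review bot: The Realmd provider is relabeled to `pegasus_openlmi_services_exec_t` (plural), but the type this change introduces in pegasus.te is the singular alias `typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t;`, and the changelog also names `pegasus_openlmi_service_exec_t`. Unless a `pegasus_openlmi_domain_template(services)` is instantiated in the part of pegasus.te not shown here, this file-context entry references an undeclared type, will be rejected at build or relabel time, and cmpiLMI_Realmd-cimprovagt keeps its previous label. I would use `/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0)`, or, if a distinct services domain is intended, add its template alongside the others.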
@@ -56148,7 +56180,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..801965a 100644 +index 7bcf327..252377d 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -56172,13 +56204,14 @@ index 7bcf327..801965a 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,277 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,278 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) +# pegasus openlmi providers +pegasus_openlmi_domain_template(admin) +typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t; ++typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t; + +pegasus_openlmi_domain_template(account) +domain_obj_id_change_exemption(pegasus_openlmi_account_t) @@ -56455,7 +56488,7 @@ index 7bcf327..801965a 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +310,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +311,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -56486,7 +56519,7 @@ index 7bcf327..801965a 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +336,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +337,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -56519,7 +56552,7 @@ index 7bcf327..801965a 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +364,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +365,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -56531,7 +56564,7 @@ index 7bcf327..801965a 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +380,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +381,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -56567,7 +56600,7 @@ index 7bcf327..801965a 100644 ') optional_policy(` -@@ -151,16 +414,24 @@ optional_policy(` +@@ -151,16 +415,24 @@ optional_policy(` ') optional_policy(` @@ -56596,7 +56629,7 @@ index 7bcf327..801965a 100644 ') optional_policy(` -@@ -168,7 +439,7 @@ optional_policy(` +@@ -168,7 +440,7 @@ optional_policy(` ') optional_policy(` @@ -70775,11 +70808,30 @@ index 5ddedbc..4e15f29 100644 + milter_manage_spamass_state(razor_t) + ') ') +diff --git a/rdisc.fc b/rdisc.fc +index e9765c0..ea21331 100644 +--- a/rdisc.fc ++++ b/rdisc.fc +@@ -1,3 +1,3 @@ +-/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) ++/usr/lib/systemd/system/rdisc.* -- gen_context(system_u:object_r:rdisc_unit_file_t,s0) + + /usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) diff --git a/rdisc.te b/rdisc.te -index 9196c1d..3dac4d9 100644 +index 9196c1d..b775931 100644 --- a/rdisc.te +++ b/rdisc.te -@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t) +@@ -9,6 +9,9 @@ type rdisc_t; + type rdisc_exec_t; + init_daemon_domain(rdisc_t, rdisc_exec_t) + ++type rdisc_unit_file_t; ++systemd_unit_file(rdisc_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -25,7 +28,6 @@ kernel_list_proc(rdisc_t) kernel_read_proc_symlinks(rdisc_t) kernel_read_kernel_sysctls(rdisc_t) @@ -70787,7 +70839,7 @@ index 9196c1d..3dac4d9 100644 corenet_all_recvfrom_netlabel(rdisc_t) corenet_udp_sendrecv_generic_if(rdisc_t) corenet_raw_sendrecv_generic_if(rdisc_t) -@@ -39,12 +38,9 @@ fs_search_auto_mountpoints(rdisc_t) +@@ -39,12 +41,9 @@ fs_search_auto_mountpoints(rdisc_t) domain_use_interactive_fds(rdisc_t) 
@@ -76180,10 +76232,10 @@ index c49828c..56cb0c2 100644 sysnet_dns_name_resolve(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..6392cad 100644 +index ebe91fc..576ca21 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -1,61 +1,72 @@ +@@ -1,61 +1,74 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) @@ -76213,6 +76265,8 @@ index ebe91fc..6392cad 100644 /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) ++ ++/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -76231,25 +76285,14 @@ index ebe91fc..6392cad 100644 -/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --') -+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) --/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++ +/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++ +ifdef(`distro_redhat', ` +/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -76263,31 +76306,41 @@ index ebe91fc..6392cad 100644 +/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) -+') -+ + ') + +-/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) --/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0) +-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +-/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) ++/var/log/up2date.* -- gen_context(system_u:object_r:rpm_log_t,s0) + +-/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0) + -/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) -/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) -+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) ++/var/spool/up2date(/.*)? 
gen_context(system_u:object_r:rpm_var_cache_t,s0) -/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) ++/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -+ +# SuSE +ifdef(`distro_suse', ` +/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -85653,7 +85706,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index 703efa3..0cce7d0 100644 +index 703efa3..fee904f 100644 --- a/sosreport.te +++ b/sosreport.te @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t) @@ -85740,7 +85793,7 @@ index 703efa3..0cce7d0 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -79,27 +107,43 @@ files_manage_etc_runtime_files(sosreport_t) +@@ -79,27 +107,44 @@ files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) fs_getattr_all_fs(sosreport_t) @@ -85780,6 +85833,7 @@ index 703efa3..0cce7d0 100644 abrt_manage_pid_files(sosreport_t) abrt_manage_cache(sosreport_t) + abrt_stream_connect(sosreport_t) ++ abrt_signal(sosreport_t) +') + +optional_policy(` @@ -85787,7 +85841,7 @@ index 703efa3..0cce7d0 100644 ') optional_policy(` -@@ -111,6 +155,15 @@ optional_policy(` +@@ -111,6 +156,15 @@ optional_policy(` ') optional_policy(` 
@@ -85803,7 +85857,7 @@ index 703efa3..0cce7d0 100644 fstools_domtrans(sosreport_t) ') -@@ -120,6 +173,10 @@ optional_policy(` +@@ -120,6 +174,10 @@ optional_policy(` optional_policy(` hal_dbus_chat(sosreport_t) ') @@ -85814,16 +85868,26 @@ index 703efa3..0cce7d0 100644 ') optional_policy(` -@@ -141,5 +198,9 @@ optional_policy(` +@@ -135,9 +193,16 @@ optional_policy(` ') optional_policy(` -+ setroubleshoot_signull(sosreport_t) +- rpm_exec(sosreport_t) +- rpm_dontaudit_manage_db(sosreport_t) +- rpm_read_db(sosreport_t) ++ rpm_dontaudit_manage_db(sosreport_t) ++ rpm_manage_cache(sosreport_t) ++ rpm_manage_log(sosreport_t) ++ rpm_manage_pid_files(sosreport_t) ++ rpm_read_db(sosreport_t) ++ rpm_signull(sosreport_t) +') + +optional_policy(` - xserver_stream_connect(sosreport_t) ++ setroubleshoot_signull(sosreport_t) ') + + optional_policy(` diff --git a/soundserver.if b/soundserver.if index a5abc5a..b9eff74 100644 --- a/soundserver.if diff --git a/selinux-policy.spec b/selinux-policy.spec index 4e5069b..9979122 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 107%{?dist} +Release: 108%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
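Review bot: Replacing `rpm_exec(sosreport_t)` with `rpm_manage_cache`, `rpm_manage_log` and `rpm_manage_pid_files` gives a diagnostics collector write and delete access over the yum/dnf cache, the package log (`/var/log/yum.log*`, the audit trail of package changes) and rpm's pid and lock files, which is more than gathering a report should need and is not mentioned in the changelog entry. If sosreport only reads these, read-only interfaces in the style of the retained `rpm_read_db(sosreport_t)` would hold the line; if the manage rules answer specific denials, record which with a comment such as `# sosreport copies yum.log and lists the yum cache` so a later reviewer can narrow them. `rpm_dontaudit_manage_db` and `rpm_signull` look fine as added.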
@@ -573,6 +573,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Dec 4 2013 Miroslav Grepl 3.12.1-108 +- Allow sosreport to send a signal to ABRT +- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t +- Label /usr/sbin/htcacheclean as httpd_exec_t +- Added support for rdisc unit file +- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs +- Allow runuser running as logrotate connections to system DBUS +- Label bcache devices as fixed_disk_device_t +- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service +- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t + * Mon Dec 2 2013 Miroslav Grepl 3.12.1-107 - Add back setpgid/setsched for sosreport_t