diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index aa1b964..4c7f533 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2457,3 +2457,17 @@ ipa = module # mirrormanager policy # mirrormanager = module + +# Layer: contrib +# Module: snapper +# +# snapper policy +# +snapper = module + +# Layer: contrib +# Module: pcp +# +# pcp policy +# +pcp = module diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 5a49e8c..0a4d2b3 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..9647c14 100644 +index 1d732f1..e0fc276 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -2921,7 +2921,7 @@ index 1d732f1..9647c14 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +509,27 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +509,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -2937,6 +2937,7 @@ index 1d732f1..9647c14 100644 files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) +files_manage_etc_files(useradd_t) ++files_create_var_lib_dirs(useradd_t) +files_rw_var_lib_dirs(useradd_t) fs_search_auto_mountpoints(useradd_t) @@ -2960,7 +2961,7 @@ index 1d732f1..9647c14 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +537,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +538,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. 
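Review bot: `files_create_var_lib_dirs(useradd_t)` is added directly above `files_rw_var_lib_dirs(useradd_t)` with no comment saying which directory useradd now has to create, and the interface name suggests the directory keeps the generic var_lib label rather than a dedicated type, so a separate filetrans rule would be needed if it should be anything else — confirm against the useradd behaviour that motivated this. A one-line comment above the pair, e.g. `# useradd creates <DIRECTORY-TO-CONFIRM> under /var/lib for new accounts`, would record the rationale for the next reviewer. The useradd_t block continues outside the hunk.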
@@ -2968,7 +2969,7 @@ index 1d732f1..9647c14 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +548,32 @@ init_rw_utmp(useradd_t) +@@ -508,33 +549,32 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3013,7 +3014,7 @@ index 1d732f1..9647c14 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -549,10 +588,19 @@ optional_policy(` +@@ -549,10 +589,19 @@ optional_policy(` ') optional_policy(` @@ -3033,7 +3034,7 @@ index 1d732f1..9647c14 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +610,12 @@ optional_policy(` +@@ -562,3 +611,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -5920,7 +5921,7 @@ index b31c054..53df7ae 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..9f56be1 100644 +index 76f285e..fb27ae5 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7448,7 +7449,7 @@ index 76f285e..9f56be1 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5641,945 @@ interface(`dev_unconfined',` +@@ -4851,3 +5641,946 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -7790,6 +7791,7 @@ index 76f285e..9f56be1 100644 + filetrans_pattern($1, device_t, event_device_t, chr_file, "event18") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event19") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event20") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event21") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1") @@ -8395,7 +8397,7 @@ index 76f285e..9f56be1 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..a3a5f7f 100644 +index 0b1a871..2844021 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -8485,13 +8487,15 @@ index 0b1a871..a3a5f7f 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +338,5 @@ files_associate_tmp(device_node) +@@ -319,5 +338,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:{ blk_file chr_file } *; -+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; - allow devices_unconfined_type mtrr_device_t:file *; +-allow devices_unconfined_type mtrr_device_t:file *; ++allow devices_unconfined_type device_node:{ blk_file lnk_file } *; ++allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint }; ++allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint }; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 6a1e4d1..84e8030 100644 --- a/policy/modules/kernel/domain.if @@ -14884,15 +14888,16 @@ index e7d1738..79f6c51 100644 ######################################## # 
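Review bot: The rewritten unconfined rule in devices.te widens the class set: the previous line granted `*` on `{ blk_file chr_file lnk_file }`, while the new `allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };` newly covers the `file` class alongside the tightening of chr_file, and nothing in the hunk says whether regular files carrying a device type are meant to be included. If only the execmod/entrypoint carve-out was wanted, the line should read `allow devices_unconfined_type device_node:chr_file ~{ execmod entrypoint };`. Either way a comment above the three rules, e.g. `# unconfined device access minus execmod/entrypoint, so device nodes cannot serve as domain entry points`, would document why the carve-out differs from the `*` still granted on `{ blk_file lnk_file }`; the same carve-out is applied to `mtrr_device_t:file` on the following line.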
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc -index 7be4ddf..f7021a0 100644 +index 7be4ddf..d5ef507 100644 --- a/policy/modules/kernel/kernel.fc +++ b/policy/modules/kernel/kernel.fc -@@ -1 +1,2 @@ +@@ -1 +1,3 @@ -# This module currently does not have any file contexts. + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) ++/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..2b0a5b3 100644 +index e100d88..3910ec4 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` 
@@ -15031,7 +15036,79 @@ index e100d88..2b0a5b3 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -2085,7 +2155,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -1750,16 +1820,9 @@ interface(`kernel_rw_unix_sysctls',` + ## Domain allowed access. + ## + ## +-## + # + interface(`kernel_read_hotplug_sysctls',` +- gen_require(` +- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; +- ') +- +- read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) +- +- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) ++ refpolicywarn(`$0($*) has been deprecated.') + ') + + ######################################## +@@ -1771,16 +1834,9 @@ interface(`kernel_read_hotplug_sysctls',` + ## Domain allowed access. + ## + ## +-## + # + interface(`kernel_rw_hotplug_sysctls',` +- gen_require(` +- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; +- ') +- +- rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) +- +- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) ++ refpolicywarn(`$0($*) has been deprecated.') + ') + + ######################################## +@@ -1792,16 +1848,9 @@ interface(`kernel_rw_hotplug_sysctls',` + ## Domain allowed access. + ## + ## +-## + # + interface(`kernel_read_modprobe_sysctls',` +- gen_require(` +- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; +- ') +- +- read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) +- +- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) ++ refpolicywarn(`$0($*) has been deprecated.') + ') + + ######################################## +@@ -1813,16 +1862,9 @@ interface(`kernel_read_modprobe_sysctls',` + ## Domain allowed access. 
+ ## + ## +-## + # + interface(`kernel_rw_modprobe_sysctls',` +- gen_require(` +- type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; +- ') +- +- rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) +- +- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) ++ refpolicywarn(`$0($*) has been deprecated.') + ') + + ######################################## +@@ -2085,7 +2127,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -15040,7 +15117,7 @@ index e100d88..2b0a5b3 100644 ') ######################################## -@@ -2282,6 +2352,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2324,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -15066,7 +15143,7 @@ index e100d88..2b0a5b3 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2395,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2367,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -15075,7 +15152,7 @@ index e100d88..2b0a5b3 100644 ## ## # -@@ -2488,6 +2577,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2549,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -15100,7 +15177,7 @@ index e100d88..2b0a5b3 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2632,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2604,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -15125,7 +15202,7 @@ index e100d88..2b0a5b3 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2792,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2764,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## 
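Review bot: The four deprecated interfaces in this hunk (`kernel_read_hotplug_sysctls`, `kernel_rw_hotplug_sysctls`, `kernel_read_modprobe_sysctls`, `kernel_rw_modprobe_sysctls`) are reduced to a bare `refpolicywarn` call, so any caller not migrated in the same change loses the access shown on the removed `read_files_pattern`/`rw_files_pattern` lines with nothing more than a build warning, and gets runtime denials on /proc/sys/kernel/hotplug and modprobe. The usual deprecation shape keeps the old name working by forwarding to the replacement and naming it in the warning, e.g. ``refpolicywarn(`$0($*) has been deprecated, use kernel_read_usermodehelper_state() instead.')`` followed by `kernel_read_usermodehelper_state($1)` for the two read variants, and `kernel_rw_usermodehelper_state($1)` for the two rw variants. The xserver.te hunk later in this patch is the only caller visibly migrated here; others outside the page cannot be checked.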
@@ -15150,7 +15227,7 @@ index e100d88..2b0a5b3 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2837,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +2809,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -15176,7 +15253,7 @@ index e100d88..2b0a5b3 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +2965,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +2937,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -15210,7 +15287,7 @@ index e100d88..2b0a5b3 100644 ######################################## ## -@@ -2958,6 +3147,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3119,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -15235,7 +15312,7 @@ index e100d88..2b0a5b3 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3179,300 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3151,525 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; 
@@ -15536,9 +15613,234 @@ index e100d88..2b0a5b3 100644 + kernel_search_vm_sysctl($1) + rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search the security ++## state directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`kernel_dontaudit_search_security_state',` ++ gen_require(` ++ type proc_security_t; ++ ') ++ ++ dontaudit $1 proc_security_t:dir search; ++') ++ ++######################################## ++## ++## Allow searching of security state directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_search_security_state',` ++ gen_require(` ++ type proc_security_t; ++ ') ++ ++ search_dirs_pattern($1, proc_t, proc_security_t) ++') ++ ++######################################## ++## ++## Read the security state information. ++## ++## ++##

++## Allow the specified domain to read the securitying ++## state information. This includes several pieces ++## of securitying information, such as security interface ++## names, securityfilter (iptables) statistics, protocol ++## information, routes, and remote procedure call (RPC) ++## information. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`kernel_read_security_state',` ++ gen_require(` ++ type proc_t, proc_security_t; ++ ') ++ ++ read_files_pattern($1, { proc_t proc_security_t }, proc_security_t) ++ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) ++ ++ list_dirs_pattern($1, proc_t, proc_security_t) ++') ++ ++######################################## ++## ++## Allow caller to read the security state symbolic links. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_read_security_state_symlinks',` ++ gen_require(` ++ type proc_t, proc_security_t; ++ ') ++ ++ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) ++ ++ list_dirs_pattern($1, proc_t, proc_security_t) ++') ++ ++######################################## ++## ++## Allow caller to read the security state symbolic links. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_rw_security_state',` ++ gen_require(` ++ type proc_t, proc_security_t; ++ ') ++ ++ rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t) ++ ++ list_dirs_pattern($1, proc_t, proc_security_t) ++') ++ ++######################################## ++## ++## Read and write usermodehelper state ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_rw_usermodehelper_state',` ++ gen_require(` ++ type proc_t, usermodehelper_t; ++ ') ++ ++ dev_search_sysfs($1) ++ rw_files_pattern($1, proc_t, usermodehelper_t) ++ list_dirs_pattern($1, proc_t, usermodehelper_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search the usermodehelper ++## state directory. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++## ++# ++interface(`kernel_dontaudit_search_usermodehelper_state',` ++ gen_require(` ++ type usermodehelper_t; ++ ') ++ ++ dontaudit $1 usermodehelper_t:dir search; ++') ++ ++######################################## ++## ++## Allow searching of usermodehelper state directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_search_usermodehelper_state',` ++ gen_require(` ++ type usermodehelper_t; ++ ') ++ ++ search_dirs_pattern($1, proc_t, usermodehelper_t) ++') ++ ++######################################## ++## ++## Read the usermodehelper state information. ++## ++## ++##

++## Allow the specified domain to read the usermodehelpering ++## state information. This includes several pieces ++## of usermodehelpering information, such as usermodehelper interface ++## names, usermodehelperfilter (iptables) statistics, protocol ++## information, routes, and remote procedure call (RPC) ++## information. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`kernel_read_usermodehelper_state',` ++ gen_require(` ++ type proc_t, usermodehelper_t; ++ ') ++ ++ read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) ++ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) ++ ++ list_dirs_pattern($1, proc_t, usermodehelper_t) ++') ++ ++######################################## ++## ++## Allow caller to read the usermodehelper state symbolic links. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_read_usermodehelper_state_symlinks',` ++ gen_require(` ++ type proc_t, usermodehelper_t; ++ ') ++ ++ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) ++ ++ list_dirs_pattern($1, proc_t, usermodehelper_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..b33d885 100644 +index 8dbab4c..4b6c9ad 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -15567,7 +15869,7 @@ index 8dbab4c..b33d885 100644 allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) -@@ -95,6 +100,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) +@@ -95,9 +100,31 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) 
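Review bot: The new `kernel_read_security_state`, `kernel_read_security_state_symlinks`, `kernel_rw_security_state`, `kernel_rw_usermodehelper_state`, `kernel_read_usermodehelper_state` and `kernel_read_usermodehelper_state_symlinks` interfaces only list `{ proc_t <type> }` as directory types, whereas the interfaces they replace granted `read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)` plus `list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)`; since every genfscon for these types in kernel.te is under /proc/sys/kernel or /proc/sys/fs, callers without separate search rights on sysctl_t and sysctl_kernel_t cannot reach the files. The descriptions of `kernel_read_security_state` and `kernel_read_usermodehelper_state` are search-and-replace leftovers ("securitying state information", "usermodehelperfilter (iptables) statistics, protocol information, routes") and should be replaced by a sentence saying these are the kernel hardening sysctls and the usermodehelper program paths respectively; the summary of `kernel_rw_security_state` still says "Allow caller to read the security state symbolic links" and should read "Read and write the security state information". `kernel_rw_usermodehelper_state` calls `dev_search_sysfs($1)` (presumably for the /sys/kernel/uevent_helper entry this patch adds to kernel.fc) but `kernel_read_usermodehelper_state` does not, so read-only callers would fail on the sysfs path. One interface rewritten to mirror the removed pattern is shown below; the others need the same directory types.
```m4
interface(`kernel_read_usermodehelper_state',`
	gen_require(`
		type proc_t, sysctl_t, sysctl_kernel_t, usermodehelper_t;
	')

	dev_search_sysfs($1)
	read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t usermodehelper_t }, usermodehelper_t)
	read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t usermodehelper_t }, usermodehelper_t)
	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
')
```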
@@ -15578,7 +15880,43 @@ index 8dbab4c..b33d885 100644 type proc_net_t, proc_type; genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) -@@ -153,6 +162,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) ++type proc_security_t, proc_type; ++genfscon proc /sys/fs/protected_hardlinks gen_context(system_u:object_r:proc_security_t,s0) ++genfscon proc /sys/fs/protected_symlinks gen_context(system_u:object_r:proc_security_t,s0) ++genfscon proc /sys/fs/suid_dumpable gen_context(system_u:object_r:proc_security_t,s0) ++genfscon proc /sys/kernel/dmesg_restrict gen_context(system_u:object_r:proc_security_t,s0) ++genfscon proc /sys/kernel/kptr_restrict gen_context(system_u:object_r:proc_security_t,s0) ++genfscon proc /sys/kernel/modules_disabled gen_context(system_u:object_r:proc_security_t,s0) ++genfscon proc /sys/kernel/randomize_va_space gen_context(system_u:object_r:proc_security_t,s0) ++ ++type usermodehelper_t, proc_type; ++typealias usermodehelper_t alias sysctl_hotplug_t; ++typealias usermodehelper_t alias sysctl_modprobe_t; ++genfscon proc /sys/kernel/core_pattern gen_context(system_u:object_r:usermodehelper_t,s0) ++genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:usermodehelper_t,s0) ++genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:usermodehelper_t,s0) ++genfscon proc /sys/kernel/poweroff_cmd gen_context(system_u:object_r:usermodehelper_t,s0) ++genfscon proc /sys/kernel/usermodehelper gen_context(system_u:object_r:usermodehelper_t,s0) ++ + type proc_xen_t, proc_type; + files_mountpoint(proc_xen_t) + genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) +@@ -133,14 +160,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) + type sysctl_kernel_t, sysctl_type; + genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) + +-# /proc/sys/kernel/modprobe file +-type sysctl_modprobe_t, sysctl_type; +-genfscon proc /sys/kernel/modprobe 
gen_context(system_u:object_r:sysctl_modprobe_t,s0) +- +-# /proc/sys/kernel/hotplug file +-type sysctl_hotplug_t, sysctl_type; +-genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0) +- + # /proc/sys/net directory and files + type sysctl_net_t, sysctl_type; + genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) +@@ -153,6 +172,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) @@ -15589,7 +15927,7 @@ index 8dbab4c..b33d885 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +178,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +188,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -15604,7 +15942,7 @@ index 8dbab4c..b33d885 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +210,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +220,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -15612,7 +15950,7 @@ index 8dbab4c..b33d885 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +255,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +265,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) 
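Review bot: `type usermodehelper_t, proc_type;` replaces two types that were declared with the `sysctl_type` attribute (the removed `type sysctl_modprobe_t, sysctl_type;` and `type sysctl_hotplug_t, sysctl_type;`), and the `typealias` lines keep the old names but not the old attribute, so interfaces that grant or dontaudit by `sysctl_type` (such as the `dontaudit $1 sysctl_type:dir list_dir_perms;` context earlier in this patch) no longer cover /proc/sys/kernel/hotplug, modprobe, core_pattern or poweroff_cmd; the same holds for `proc_security_t`, whose paths all sit under the sysctl_fs_t and sysctl_kernel_t directories. Keeping these files out of the bulk sysctl interfaces is defensible, since they name programs the kernel runs with full privilege, but the intent should be stated next to the declaration. The removed block carried `# /proc/sys/kernel/modprobe file` style comments and the new block has none; something like `# programs the kernel executes as root (core_pattern, hotplug, modprobe, poweroff_cmd, usermodehelper): deliberately not sysctl_type so bulk sysctl interfaces do not grant write access` above `type usermodehelper_t` and `# kernel hardening knobs (ASLR, kptr/dmesg restriction, protected links, suid_dumpable, modules_disabled)` above `type proc_security_t` would document both.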
@@ -15620,7 +15958,7 @@ index 8dbab4c..b33d885 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +265,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +275,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -15646,7 +15984,7 @@ index 8dbab4c..b33d885 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +288,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +298,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -15656,7 +15994,7 @@ index 8dbab4c..b33d885 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +303,49 @@ files_list_root(kernel_t) +@@ -277,25 +313,49 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -15706,7 +16044,7 @@ index 8dbab4c..b33d885 100644 ') optional_policy(` -@@ -305,6 +355,19 @@ optional_policy(` +@@ -305,6 +365,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -15726,18 +16064,19 @@ index 8dbab4c..b33d885 100644 ') optional_policy(` -@@ -312,6 +375,10 @@ optional_policy(` +@@ -312,6 +385,11 @@ optional_policy(` ') optional_policy(` + plymouthd_create_log(kernel_t) ++ plymouthd_filetrans_named_content(kernel_t) +') + +optional_policy(` # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +399,6 @@ optional_policy(` +@@ -332,9 +410,6 @@ optional_policy(` sysnet_read_config(kernel_t) 
@@ -15747,7 +16086,7 @@ index 8dbab4c..b33d885 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +407,7 @@ optional_policy(` +@@ -343,9 +418,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -15758,7 +16097,7 @@ index 8dbab4c..b33d885 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +416,7 @@ optional_policy(` +@@ -354,7 +427,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -15767,7 +16106,7 @@ index 8dbab4c..b33d885 100644 ') ') -@@ -367,6 +429,15 @@ optional_policy(` +@@ -367,6 +440,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -15783,7 +16122,7 @@ index 8dbab4c..b33d885 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +480,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +491,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -16342,7 +16681,7 @@ index 54f1827..39faa3f 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 64c4cd0..bb2156a 100644 +index 64c4cd0..69be610 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -16471,7 +16810,7 @@ index 64c4cd0..bb2156a 100644 ######################################## ## ## Allow the caller to directly read -@@ -813,3 +897,401 @@ interface(`storage_unconfined',` +@@ -813,3 +897,411 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
@@ -16572,6 +16911,16 @@ index 64c4cd0..bb2156a 100644 + dev_filetrans($1, removable_device_t, blk_file, "cm207") + dev_filetrans($1, removable_device_t, blk_file, "cm208") + dev_filetrans($1, removable_device_t, blk_file, "cm209") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md2") @@ -19505,10 +19854,10 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..bba3177 +index 0000000..ca62aef --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,327 @@ +@@ -0,0 +1,339 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -19688,6 +20037,10 @@ index 0000000..bba3177 +') + +optional_policy(` ++ cron_unconfined_role(unconfined_r, unconfined_t) ++') ++ ++optional_policy(` + chrome_role_notrans(unconfined_r, unconfined_t) + + tunable_policy(`unconfined_chrome_sandbox_transition',` 
@@ -19800,9 +20153,9 @@ index 0000000..bba3177 +') + +optional_policy(` -+ rpm_run(unconfined_t, unconfined_r) ++# rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution -+ rpm_transition_script(unconfined_t) ++ rpm_transition_script(unconfined_t, unconfined_r) + rpm_dbus_chat(unconfined_t) +') + @@ -19835,7 +20188,15 @@ index 0000000..bba3177 + xserver_manage_home_fonts(unconfined_t) +') + ++ ++gen_require(` ++ attribute_role rpm_script_roles; ++') ++ ++roleattribute unconfined_r rpm_script_roles; ++ +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if index 3835596..fbca2be 100644 --- a/policy/modules/roles/unprivuser.if @@ -23736,7 +24097,7 @@ index 6bf0ecc..115c533 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..326b206 100644 +index 8b40377..ef809dd 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -24757,7 +25118,7 @@ index 8b40377..326b206 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,12 +1100,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1100,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
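Review bot: `# rpm_run(unconfined_t, unconfined_r)` leaves the call commented out with no explanation, so a reader cannot tell whether the unconfined role is no longer meant to transition into the rpm domain or whether this is a temporary workaround; the adjacent change to `rpm_transition_script(unconfined_t, unconfined_r)` suggests the role is now handed over there instead, but that is inferred. Either delete the dead line or replace it with a comment stating the reason, e.g. `# rpm_run() intentionally not called: <REASON-TO-CONFIRM>`.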
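Review bot: The `gen_require(` block declaring `attribute_role rpm_script_roles;` and the following `roleattribute unconfined_r rpm_script_roles;` are placed at top level of unconfineduser.te, outside any `optional_policy` wrapper, whereas every other rpm interface in this file is called inside `optional_policy(`…`)`; if `rpm_script_roles` is declared by the rpm module, as its name suggests (confirm), the unconfineduser module then fails to build whenever rpm is not loaded. Wrapping those two statements in an `optional_policy(`…`)` block of their own keeps the dependency optional like the rest of the file, and moving them up next to the existing rpm `optional_policy` block would keep the rpm-related rules together. The extra blank line appended after `gen_user(unconfined_u, ...)` is stray.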
@@ -24779,7 +25140,8 @@ index 8b40377..326b206 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -651,12 +1120,12 @@ kernel_read_modprobe_sysctls(xserver_t) +-kernel_read_modprobe_sysctls(xserver_t) ++kernel_read_usermodehelper_state(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -27392,7 +27754,7 @@ index bc0ffc8..8de430d 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..edf52ea 100644 +index 79a45f6..e1589ac 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ 
@@ -28030,69 +28392,113 @@ index 79a45f6..edf52ea 100644 ') ######################################## -@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',` +@@ -1314,7 +1593,7 @@ interface(`init_signal_script',` + ######################################## ## - ## Send and receive messages from --## init scripts over dbus. -+## init over dbus. +-## Send null signals to init scripts. ++## Send kill signals to init scripts. ## ## ## -@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',` +@@ -1322,17 +1601,17 @@ interface(`init_signal_script',` ## ## # --interface(`init_dbus_chat_script',` -+interface(`init_dbus_chat',` +-interface(`init_signull_script',` ++interface(`init_sigkill_script',` gen_require(` -- type initrc_t; -+ type init_t; - class dbus send_msg; + type initrc_t; ') -- allow $1 initrc_t:dbus send_msg; -- allow initrc_t $1:dbus send_msg; -+ allow $1 init_t:dbus send_msg; -+ allow init_t $1:dbus send_msg; +- allow $1 initrc_t:process signull; ++ allow $1 initrc_t:process sigkill; ') ######################################## ## --## Read and write the init script pty. -+## Send and receive messages from -+## init scripts over dbus. +-## Read and write init script unnamed pipes. ++## Send null signals to init scripts. ## --## --##

--## Read and write the init script pty. This + ## + ##

+@@ -1340,17 +1619,17 @@ interface(`init_signull_script',` + ## + ## + # +-interface(`init_rw_script_pipes',` ++interface(`init_signull_script',` + gen_require(` + type initrc_t; + ') + +- allow $1 initrc_t:fifo_file { read write }; ++ allow $1 initrc_t:process signull; + ') + + ######################################## + ## +-## Send UDP network traffic to init scripts. (Deprecated) ++## Read and write init script unnamed pipes. + ## + ## + ## +@@ -1358,7 +1637,25 @@ interface(`init_rw_script_pipes',` + ## + ## + # +-interface(`init_udp_send_script',` ++interface(`init_rw_script_pipes',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ allow $1 initrc_t:fifo_file { read write }; ++') ++ ++######################################## ++## ++## Send UDP network traffic to init scripts. (Deprecated) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_udp_send_script',` + refpolicywarn(`$0($*) has been deprecated.') + ') + +@@ -1440,6 +1737,27 @@ interface(`init_dbus_send_script',` + ######################################## + ## + ## Send and receive messages from ++## init over dbus. ++## +## +## +## Domain allowed access. +## +## +# -+interface(`init_dbus_chat_script',` ++interface(`init_dbus_chat',` + gen_require(` -+ type initrc_t; ++ type init_t; + class dbus send_msg; + ') + -+ allow $1 initrc_t:dbus send_msg; -+ allow initrc_t $1:dbus send_msg; ++ allow $1 init_t:dbus send_msg; ++ allow init_t $1:dbus send_msg; +') + +######################################## +## -+## Read and write the init script pty. -+## -+## -+##

-+## Read and write the init script pty. This - ## pty is generally opened by the open_init_pty - ## portion of the run_init program so that the - ## daemon does not require direct access to -@@ -1547,6 +1847,25 @@ interface(`init_getattr_script_status_files',` ++## Send and receive messages from + ## init scripts over dbus. + ##

+ ## +@@ -1547,6 +1865,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -28118,7 +28524,7 @@ index 79a45f6..edf52ea 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +1924,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +1942,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -28143,7 +28549,7 @@ index 79a45f6..edf52ea 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2014,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2032,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -28187,7 +28593,7 @@ index 79a45f6..edf52ea 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2139,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -28196,7 +28602,7 @@ index 79a45f6..edf52ea 100644 ') ######################################## -@@ -1806,6 +2180,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -28330,7 +28736,7 @@ index 79a45f6..edf52ea 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2341,360 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2359,360 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -28692,7 +29098,7 @@ index 79a45f6..edf52ea 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..7acba2b 100644 +index 17eda24..a627baf 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -28799,8 +29205,12 @@ index 17eda24..7acba2b 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -108,14 +150,37 @@ allow init_t self:capability ~sys_module; + + allow init_t self:fifo_file rw_fifo_file_perms; ++allow init_t self:service manage_service_perms; ++ # Re-exec itself can_exec(init_t, init_exec_t) - @@ -28839,7 +29249,7 @@ index 17eda24..7acba2b 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +190,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -28859,7 +29269,7 @@ index 17eda24..7acba2b 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +209,20 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -28880,7 +29290,7 @@ index 17eda24..7acba2b 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +232,52 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) 
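Review bot: The new `allow init_t self:service manage_service_perms;` line carries no comment explaining why PID 1 needs the full service permission set on its own label, while the neighbouring rules in this hunk are annotated (`# Re-exec itself`). As far as I can tell this is exercised when systemd's userspace access check has no unit-file label to use and falls back to the manager's own context, but that is inferred from how the `service` class is used, not from anything in the hunk. I would add `# unit operations checked against PID 1's own label when a unit has no on-disk fragment to label — TODO confirm against systemd's access-check code` above the rule. The init_t rule run continues outside the hunk on both sides.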
@@ -28926,17 +29336,17 @@ index 17eda24..7acba2b 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) -+ + +-miscfiles_read_localization(init_t) +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +284,210 @@ ifdef(`distro_gentoo',` +@@ -186,29 +286,212 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28967,19 +29377,19 @@ index 17eda24..7acba2b 100644 + +optional_policy(` + chronyd_read_keys(init_t) -+') -+ -+optional_policy(` -+ kdump_read_crash(init_t) ') optional_policy(` - auth_rw_login_records(init_t) -+ gnome_filetrans_home_content(init_t) -+ gnome_manage_data(init_t) ++ kdump_read_crash(init_t) ') optional_policy(` ++ gnome_filetrans_home_content(init_t) ++ gnome_manage_data(init_t) ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) +') + @@ -29012,6 +29422,8 @@ index 17eda24..7acba2b 100644 +kernel_list_unlabeled(init_t) +kernel_read_network_state(init_t) +kernel_rw_all_sysctls(init_t) ++kernel_rw_security_state(init_t) ++kernel_rw_usermodehelper_state(init_t) +kernel_read_software_raid_state(init_t) +kernel_unmount_debugfs(init_t) +kernel_setsched(init_t) @@ -29141,21 +29553,21 @@ index 17eda24..7acba2b 100644 + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` -+ networkmanager_stream_connect(init_t) ') optional_policy(` - nscd_use(init_t) ++ networkmanager_stream_connect(init_t) ++') ++ ++optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) ') optional_policy(` -@@ -216,7 +495,30 @@ optional_policy(` +@@ -216,7 +499,30 @@ optional_policy(` ') optional_policy(` 
@@ -29186,7 +29598,7 @@ index 17eda24..7acba2b 100644 ') ######################################## -@@ -225,9 +527,9 @@ optional_policy(` +@@ -225,9 +531,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -29198,7 +29610,7 @@ index 17eda24..7acba2b 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +560,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +564,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -29215,7 +29627,7 @@ index 17eda24..7acba2b 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +589,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29258,7 +29670,7 @@ index 17eda24..7acba2b 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +626,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -29270,7 +29682,7 @@ index 17eda24..7acba2b 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +634,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +638,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -29281,7 +29693,7 @@ index 17eda24..7acba2b 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +645,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +649,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -29291,7 +29703,7 @@ index 17eda24..7acba2b 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +654,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +658,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29299,7 +29711,7 @@ index 17eda24..7acba2b 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +665,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -29307,7 +29719,7 @@ index 17eda24..7acba2b 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +669,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +673,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -29325,7 +29737,7 @@ index 17eda24..7acba2b 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +687,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +691,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -29339,7 +29751,7 @@ index 17eda24..7acba2b 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +702,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +706,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -29353,7 +29765,7 @@ index 17eda24..7acba2b 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,6 +715,7 @@ mls_process_read_up(initrc_t) +@@ -387,6 +719,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -29361,7 +29773,7 @@ index 17eda24..7acba2b 100644 selinux_get_enforce_mode(initrc_t) -@@ -398,6 +727,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +731,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -29369,7 +29781,7 @@ index 17eda24..7acba2b 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +746,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +750,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -29393,7 +29805,7 @@ index 17eda24..7acba2b 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +779,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +783,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -29401,7 +29813,7 @@ index 17eda24..7acba2b 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +813,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +817,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -29412,7 +29824,7 @@ index 17eda24..7acba2b 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +837,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +841,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -29421,7 +29833,7 @@ index 17eda24..7acba2b 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +852,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +856,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -29429,7 +29841,7 @@ index 17eda24..7acba2b 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +873,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +877,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -29437,7 +29849,7 @@ index 17eda24..7acba2b 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +883,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +887,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -29482,7 +29894,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -559,14 +928,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +932,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -29514,7 +29926,7 @@ index 17eda24..7acba2b 100644 ') ') -@@ -577,6 +963,39 @@ ifdef(`distro_suse',` +@@ -577,6 +967,39 @@ ifdef(`distro_suse',` ') ') @@ -29554,7 +29966,7 @@ index 17eda24..7acba2b 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1008,8 @@ optional_policy(` +@@ -589,6 +1012,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -29563,7 +29975,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -610,6 +1031,7 @@ optional_policy(` +@@ -610,6 +1035,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -29571,7 +29983,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -626,6 +1048,17 @@ optional_policy(` +@@ -626,6 +1052,17 @@ optional_policy(` ') optional_policy(` @@ -29589,7 +30001,7 @@ index 17eda24..7acba2b 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1075,13 @@ optional_policy(` +@@ -642,9 +1079,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29603,7 +30015,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -657,15 +1094,11 @@ optional_policy(` +@@ -657,15 +1098,11 @@ optional_policy(` ') optional_policy(` @@ -29621,7 +30033,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -686,6 +1119,15 @@ optional_policy(` +@@ -686,6 +1123,15 @@ optional_policy(` ') optional_policy(` @@ -29637,7 +30049,7 @@ index 17eda24..7acba2b 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1168,7 @@ optional_policy(` +@@ -726,6 +1172,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -29645,7 +30057,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -743,7 +1186,13 @@ optional_policy(` +@@ -743,7 +1190,13 @@ optional_policy(` ') optional_policy(` @@ -29660,7 +30072,7 @@ index 17eda24..7acba2b 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1215,10 @@ optional_policy(` +@@ -766,6 +1219,10 @@ optional_policy(` ') optional_policy(` @@ -29671,7 +30083,7 @@ index 17eda24..7acba2b 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1228,20 @@ optional_policy(` +@@ -775,10 +1232,20 @@ optional_policy(` ') optional_policy(` 
@@ -29692,7 +30104,7 @@ index 17eda24..7acba2b 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1250,10 @@ optional_policy(` +@@ -787,6 +1254,10 @@ optional_policy(` ') optional_policy(` @@ -29703,7 +30115,7 @@ index 17eda24..7acba2b 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1275,6 @@ optional_policy(` +@@ -808,8 +1279,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29712,7 +30124,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -818,6 +1283,10 @@ optional_policy(` +@@ -818,6 +1287,10 @@ optional_policy(` ') optional_policy(` @@ -29723,7 +30135,7 @@ index 17eda24..7acba2b 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1296,12 @@ optional_policy(` +@@ -827,10 +1300,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29736,7 +30148,7 @@ index 17eda24..7acba2b 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,12 +1328,35 @@ optional_policy(` +@@ -857,12 +1332,35 @@ optional_policy(` ') optional_policy(` @@ -29773,13 +30185,13 @@ index 17eda24..7acba2b 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -872,6 +1366,18 @@ optional_policy(` +@@ -872,6 +1370,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') + + # Allow SELinux aware applications to request rpm_script_t execution -+ rpm_transition_script(initrc_t) ++ rpm_transition_script(initrc_t, system_r) + + optional_policy(` + rtkit_scheduled(initrc_t) @@ -29792,7 +30204,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -887,6 +1393,10 @@ optional_policy(` +@@ -887,6 +1397,10 @@ optional_policy(` ') optional_policy(` 
@@ -29803,7 +30215,7 @@ index 17eda24..7acba2b 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1407,218 @@ optional_policy(` +@@ -897,3 +1411,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -30266,7 +30678,7 @@ index 0d4c8d3..e6ffda3 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..43369e6 100644 +index 312cd04..a97e8da 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -30288,7 +30700,7 @@ index 312cd04..43369e6 100644 -allow ipsec_t self:process { getcap setcap getsched signal setsched }; +allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid }; +dontaudit ipsec_t self:capability sys_tty_config; -+allow ipsec_t self:process { getcap setcap getsched signal signull setsched }; ++allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; +allow ipsec_t self:packet_socket create_socket_perms; @@ -30649,7 +31061,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..121cda3 100644 +index be8ed1e..5e28da7 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; 
@@ -30682,7 +31094,7 @@ index be8ed1e..121cda3 100644 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; +@@ -49,11 +49,12 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; allow iptables_t iptables_tmp_t:file manage_file_perms; files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) @@ -30690,15 +31102,22 @@ index be8ed1e..121cda3 100644 kernel_request_load_module(iptables_t) kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) -@@ -64,6 +65,7 @@ corenet_relabelto_all_packets(iptables_t) + kernel_read_kernel_sysctls(iptables_t) +-kernel_read_modprobe_sysctls(iptables_t) ++kernel_read_usermodehelper_state(iptables_t) + kernel_use_fds(iptables_t) + + # needed by ipvsadm +@@ -64,6 +65,8 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) +dev_read_urand(iptables_t) ++dev_read_rand(iptables_t) fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +74,12 @@ fs_list_inotifyfs(iptables_t) +@@ -72,11 +75,12 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -30713,7 +31132,7 @@ index be8ed1e..121cda3 100644 auth_use_nsswitch(iptables_t) -@@ -85,15 +88,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +89,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -30731,7 +31150,7 @@ index be8ed1e..121cda3 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +105,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) 
@@ -30740,7 +31159,7 @@ index be8ed1e..121cda3 100644 ') optional_policy(` -@@ -110,6 +114,11 @@ optional_policy(` +@@ -110,6 +115,11 @@ optional_policy(` ') optional_policy(` @@ -30752,7 +31171,7 @@ index be8ed1e..121cda3 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +133,12 @@ optional_policy(` +@@ -124,6 +134,12 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -30765,7 +31184,7 @@ index be8ed1e..121cda3 100644 ') optional_policy(` -@@ -135,9 +150,9 @@ optional_policy(` +@@ -135,9 +151,9 @@ optional_policy(` ') optional_policy(` @@ -31754,7 +32173,7 @@ index b50c5fe..e55a556 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..ae63d78 100644 +index 4e94884..6118015 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -31961,7 +32380,33 @@ index 4e94884..ae63d78 100644 ') ######################################## -@@ -722,6 +866,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -609,6 +753,25 @@ interface(`logging_read_syslog_config',` + + ######################################## + ## ++## Manage syslog configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_manage_syslog_config',` ++ gen_require(` ++ type syslog_conf_t; ++ ') ++ ++ manage_files_pattern($1, syslog_conf_t, syslog_conf_t) ++') ++ ++######################################## ++## + ## Allows the domain to open a file in the + ## log directory, but does not allow the listing + ## of the contents of the log directory. +@@ -722,6 +885,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') 
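Review bot: The new `logging_manage_syslog_config` interface grants only `manage_files_pattern($1, syslog_conf_t, syslog_conf_t)`: it does not search `/etc` for the caller, and it gives no directory permissions on `syslog_conf_t`, so a caller that has not obtained `files_search_etc` elsewhere cannot reach the files, and if a drop-in directory such as `/etc/rsyslog.d` carries this label (its file context is not visible here) the caller cannot create or delete files in it. I would add `files_search_etc($1)` and `manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)` inside the interface body. The doc block should also say what the grant implies, since whoever holds it can redirect or silence the system log: `## Callers can reconfigure where syslog delivers records; treat this as an administrator-level grant.`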
@@ -31987,7 +32432,7 @@ index 4e94884..ae63d78 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +939,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +958,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -32014,7 +32459,7 @@ index 4e94884..ae63d78 100644 ') ######################################## -@@ -859,7 +1040,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1059,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -32023,7 +32468,7 @@ index 4e94884..ae63d78 100644 ') ######################################## -@@ -885,6 +1066,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1085,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -32068,7 +32513,7 @@ index 4e94884..ae63d78 100644 ## Write generic log files. ## ## -@@ -905,6 +1124,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1143,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -32093,7 +32538,7 @@ index 4e94884..ae63d78 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1221,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1240,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -32111,7 +32556,7 @@ index 4e94884..ae63d78 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1246,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1265,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; 
@@ -32145,7 +32590,7 @@ index 4e94884..ae63d78 100644 ') ######################################## -@@ -1032,10 +1301,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1320,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -32163,7 +32608,7 @@ index 4e94884..ae63d78 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1331,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1350,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -32172,7 +32617,7 @@ index 4e94884..ae63d78 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1361,35 @@ interface(`logging_admin',` +@@ -1085,3 +1380,35 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -33576,7 +34021,7 @@ index 7449974..28cb8a3 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a363b8..6f9d5d5 100644 +index 7a363b8..ba534ac 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) @@ -33691,7 +34136,7 @@ index 7a363b8..6f9d5d5 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -115,16 +124,24 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) +@@ -115,20 +124,28 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) 
@@ -33717,6 +34162,11 @@ index 7a363b8..6f9d5d5 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) +-kernel_read_hotplug_sysctls(insmod_t) ++kernel_read_usermodehelper_state(insmod_t) + kernel_setsched(insmod_t) + + corecmd_exec_bin(insmod_t) @@ -142,6 +159,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) @@ -36286,7 +36736,7 @@ index 40edc18..7cc0c8a 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..b324c5c 100644 +index 2cea692..f1e2130 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -36534,8 +36984,11 @@ index 2cea692..b324c5c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -722,6 +872,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -720,8 +870,11 @@ interface(`sysnet_dns_name_resolve',` + corenet_tcp_sendrecv_dns_port($1) + corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) ++ corenet_tcp_connect_dnssec_port($1) corenet_sendrecv_dns_client_packets($1) + miscfiles_read_generic_certs($1) @@ -36543,7 +36996,7 @@ index 2cea692..b324c5c 100644 sysnet_read_config($1) optional_policy(` -@@ -750,8 +902,6 @@ interface(`sysnet_use_ldap',` +@@ -750,8 +903,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -36552,7 +37005,7 @@ index 2cea692..b324c5c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -763,6 +913,9 @@ interface(`sysnet_use_ldap',` +@@ -763,6 +914,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) 
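Review bot: `corenet_tcp_connect_dnssec_port($1)` is added to `sysnet_dns_name_resolve`, which every name-resolving domain pulls in, so every such domain can now open TCP connections to whatever the dnssec port type labels; the hunk does not say which local service that is for. I would name the consumer above the line, hedged until confirmed: `# local validating resolver listens on the dnssec port — TODO confirm which service and whether only loopback is needed`. The neighbouring dns-port lines pair `corenet_tcp_connect_dns_port` with `corenet_tcp_sendrecv_dns_port`; if a `corenet_tcp_sendrecv_dnssec_port` interface exists, adding it here keeps the new port consistent with that pattern. The interface body starts outside the hunk.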
@@ -36562,7 +37015,7 @@ index 2cea692..b324c5c 100644 ') ######################################## -@@ -784,7 +937,6 @@ interface(`sysnet_use_portmap',` +@@ -784,7 +938,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -36570,7 +37023,7 @@ index 2cea692..b324c5c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +948,76 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +949,76 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -39464,7 +39917,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..d3c9fcc 100644 +index 39f185f..f5aa25f 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -39510,7 +39963,7 @@ index 39f185f..d3c9fcc 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -64,31 +66,40 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -64,31 +66,38 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -39540,11 +39993,12 @@ index 39f185f..d3c9fcc 100644 kernel_getattr_core_if(udev_t) kernel_use_fds(udev_t) kernel_read_device_sysctls(udev_t) +-kernel_read_hotplug_sysctls(udev_t) +-kernel_read_modprobe_sysctls(udev_t) +kernel_read_fs_sysctls(udev_t) - kernel_read_hotplug_sysctls(udev_t) - kernel_read_modprobe_sysctls(udev_t) kernel_read_kernel_sysctls(udev_t) - kernel_rw_hotplug_sysctls(udev_t) +-kernel_rw_hotplug_sysctls(udev_t) ++kernel_rw_usermodehelper_state(udev_t) kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) -kernel_signal(udev_t) 
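Review bot: Replacing `kernel_read_hotplug_sysctls`, `kernel_read_modprobe_sysctls` and `kernel_rw_hotplug_sysctls` with the single `kernel_rw_usermodehelper_state(udev_t)` turns udev's previously read-only access to the modprobe helper path into write access, because the one usermodehelper type evidently now stands in for both the hotplug and the modprobe entries the removed lines named separately. Write access to `/proc/sys/kernel/modprobe` lets a compromised udev_t point the kernel's module-loading helper at an arbitrary binary that the kernel then executes with full privilege, which the old rules did not allow. If udev only needs to write the hotplug entry, the policy can no longer express that with one type, so at least record the trade-off above the line: `# udev writes /proc/sys/kernel/hotplug; the shared usermodehelper type also labels /proc/sys/kernel/modprobe, so this is write access there as well` — and if udev does not write either entry, `kernel_read_usermodehelper_state(udev_t)` is the tighter replacement. The udev_t rule run continues on both sides of the hunk.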
@@ -39555,7 +40009,7 @@ index 39f185f..d3c9fcc 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -99,6 +110,7 @@ corecmd_exec_all_executables(udev_t) +@@ -99,6 +108,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -39563,7 +40017,7 @@ index 39f185f..d3c9fcc 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -107,23 +119,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -107,23 +117,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -39599,7 +40053,7 @@ index 39f185f..d3c9fcc 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -145,17 +165,20 @@ auth_use_nsswitch(udev_t) +@@ -145,17 +163,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -39621,7 +40075,7 @@ index 39f185f..d3c9fcc 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,7 +192,11 @@ sysnet_read_dhcpc_pid(udev_t) +@@ -169,7 +190,11 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) @@ -39634,7 +40088,7 @@ index 39f185f..d3c9fcc 100644 userdom_dontaudit_search_user_home_content(udev_t) -@@ -195,16 +222,9 @@ ifdef(`distro_gentoo',` +@@ -195,16 +220,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -39653,7 +40107,7 @@ index 39f185f..d3c9fcc 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -242,6 +262,7 @@ optional_policy(` +@@ -242,6 +260,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) 
@@ -39661,7 +40115,7 @@ index 39f185f..d3c9fcc 100644 ') optional_policy(` -@@ -249,17 +270,31 @@ optional_policy(` +@@ -249,17 +268,31 @@ optional_policy(` dbus_use_system_bus_fds(udev_t) optional_policy(` @@ -39695,7 +40149,7 @@ index 39f185f..d3c9fcc 100644 ') optional_policy(` -@@ -289,6 +324,10 @@ optional_policy(` +@@ -289,6 +322,10 @@ optional_policy(` ') optional_policy(` @@ -39706,7 +40160,7 @@ index 39f185f..d3c9fcc 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -303,6 +342,15 @@ optional_policy(` +@@ -303,6 +340,15 @@ optional_policy(` ') optional_policy(` @@ -39722,7 +40176,7 @@ index 39f185f..d3c9fcc 100644 unconfined_signal(udev_t) ') -@@ -315,6 +363,7 @@ optional_policy(` +@@ -315,6 +361,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 107f50a..4487f6f 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -68,7 +68,7 @@ index 1a93dc5..40dda9e 100644 -/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..9d57403 100644 +index 058d908..70eb89d 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,26 @@ 
@@ -249,8 +249,30 @@ index 058d908..9d57403 100644 ## ## ## -@@ -220,7 +279,7 @@ interface(`abrt_read_config',` +@@ -218,9 +277,29 @@ interface(`abrt_read_config',` + read_files_pattern($1, abrt_etc_t, abrt_etc_t) + ') ++#################################### ++## ++## Dontaudit read abrt configuration file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_dontaudit_read_config',` ++ gen_require(` ++ type abrt_etc_t; ++ ') ++ ++ files_search_etc($1) ++ dontaudit $1 abrt_etc_t:dir list_dir_perms; ++ dontaudit $1 abrt_etc_t:file read_file_perms; ++') ++ ###################################### ## -## Read abrt log files. @@ -258,7 +280,7 @@ index 058d908..9d57403 100644 ## ## ## -@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',` +@@ -258,8 +337,7 @@ interface(`abrt_read_pid_files',` ###################################### ## @@ -268,7 +290,7 @@ index 058d908..9d57403 100644 ## ## ## -@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',` +@@ -276,10 +354,51 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -322,7 +344,7 @@ index 058d908..9d57403 100644 ## ## ## -@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',` +@@ -288,39 +407,172 @@ interface(`abrt_manage_pid_files',` ## ## ## @@ -442,7 +464,7 @@ index 058d908..9d57403 100644 + list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) -+') + ') + + +##################################### @@ -463,7 +485,7 @@ index 058d908..9d57403 100644 + list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) - ') ++') + +######################################## +## @@ -509,7 +531,7 @@ index 058d908..9d57403 100644 +') + 
diff --git a/abrt.te b/abrt.te -index eb50f07..021ddae 100644 +index eb50f07..84c5ad6 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -701,7 +723,7 @@ index eb50f07..021ddae 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -176,29 +187,39 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +187,40 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -738,13 +760,14 @@ index eb50f07..021ddae 100644 +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) ++miscfiles_dontaudit_access_check_cert(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +227,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +228,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -761,7 +784,7 @@ index eb50f07..021ddae 100644 ') optional_policy(` -@@ -222,6 +239,20 @@ optional_policy(` +@@ -222,6 +240,20 @@ optional_policy(` ') optional_policy(` @@ -782,7 +805,7 @@ index eb50f07..021ddae 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -233,6 +264,7 @@ optional_policy(` +@@ -233,6 +265,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -790,7 +813,7 @@ index eb50f07..021ddae 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -243,6 +275,7 @@ optional_policy(` +@@ -243,6 +276,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -798,7 +821,7 @@ index eb50f07..021ddae 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +286,17 @@ optional_policy(` +@@ -253,9 +287,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') 
@@ -817,7 +840,7 @@ index eb50f07..021ddae 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +307,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +308,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -832,7 +855,7 @@ index eb50f07..021ddae 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +327,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -840,7 +863,7 @@ index eb50f07..021ddae 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +336,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -861,7 +884,7 @@ index eb50f07..021ddae 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +356,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +357,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -888,7 +911,7 @@ index eb50f07..021ddae 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +393,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) 
@@ -902,7 +925,7 @@ index eb50f07..021ddae 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +410,11 @@ optional_policy(` +@@ -343,10 +411,11 @@ optional_policy(` ####################################### # @@ -916,7 +939,7 @@ index eb50f07..021ddae 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +433,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +434,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -968,7 +991,7 @@ index eb50f07..021ddae 100644 ####################################### # -@@ -404,7 +482,7 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,7 +483,7 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -977,7 +1000,7 @@ index eb50f07..021ddae 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -413,16 +491,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -413,16 +492,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -992,7 +1015,7 @@ index eb50f07..021ddae 100644 # Upload watch local policy # -+allow abrt_upload_watch_t self:capability dac_override; ++allow abrt_upload_watch_t self:capability { dac_override chown }; + +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) @@ -1021,7 +1044,7 @@ index eb50f07..021ddae 100644 ') ####################################### -@@ -430,10 +534,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +535,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # 
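Review bot: The rewritten capability line for abrt_upload_watch_t now grants `chown` next to `dac_override` with no comment saying what the daemon chowns, and the same domain is handed write access under the `abrt_upload_watch_anon_write` tunable visible further down, so CAP_CHOWN here lets it re-own files that anonymous users dropped. Presumably abrt-upload-watch reassigns uploaded problem data to the abrt user before handing it to abrtd, but that is inferred, not shown in the hunk. Record the reason next to the rule so the grant is not widened or copied blindly later, e.g. `# chown: upload-watch re-owns uploaded problem data before passing it to abrtd (verify)`. The upload-watch local policy is contained in this hunk.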
@@ -1932,7 +1955,7 @@ index ca8d8cf..2cc5ce6 100644 ######################################### diff --git a/alsa.te b/alsa.te -index 4b153f1..2403849 100644 +index 4b153f1..9b67ee0 100644 --- a/alsa.te +++ b/alsa.te @@ -24,16 +24,23 @@ files_tmpfs_file(alsa_tmpfs_t) @@ -1961,7 +1984,7 @@ index 4b153f1..2403849 100644 allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen }; -@@ -57,6 +64,11 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file) +@@ -57,7 +64,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file) manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) @@ -1971,9 +1994,11 @@ index 4b153f1..2403849 100644 +files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir }) + kernel_read_system_state(alsa_t) ++kernel_signal(alsa_t) corecmd_exec_bin(alsa_t) -@@ -67,7 +79,6 @@ dev_read_sysfs(alsa_t) + +@@ -67,7 +80,6 @@ dev_read_sysfs(alsa_t) dev_read_urand(alsa_t) dev_write_sound(alsa_t) @@ -1981,7 +2006,7 @@ index 4b153f1..2403849 100644 files_search_var_lib(alsa_t) term_dontaudit_use_console(alsa_t) -@@ -80,8 +91,6 @@ init_use_fds(alsa_t) +@@ -80,8 +92,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) @@ -2959,10 +2984,10 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..ad4ec67 100644 +index 7caefc3..3d2065e 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,195 @@ +@@ -1,162 +1,196 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -3216,6 +3241,7 @@ index 7caefc3..ad4ec67 100644 /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +ifdef(`distro_debian', ` +/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -4756,7 +4782,7 @@ index f6eb485..51b128e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..8d471e8 100644 +index 6649962..7954b3b 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,317 @@ policy_module(apache, 2.7.2) @@ -5437,7 +5463,7 @@ index 6649962..8d471e8 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -450,140 +544,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +544,168 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5503,7 +5529,7 @@ index 6649962..8d471e8 100644 -fs_search_auto_mountpoints(httpd_t) +fs_rw_anon_inodefs_files(httpd_t) +fs_read_hugetlbfs_files(httpd_t) -+ + +auth_use_nsswitch(httpd_t) + +application_exec_all(httpd_t) @@ -5514,7 +5540,8 @@ index 6649962..8d471e8 100644 + +domain_use_interactive_fds(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t) - ++ ++files_dontaudit_search_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) +files_exec_usr_files(httpd_t) 
@@ -5670,7 +5697,7 @@ index 6649962..8d471e8 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +715,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +716,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5730,7 +5757,7 @@ index 6649962..8d471e8 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +767,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +768,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5821,7 +5848,7 @@ index 6649962..8d471e8 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,66 +814,56 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,66 +815,56 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5919,7 +5946,7 @@ index 6649962..8d471e8 100644 ') optional_policy(` -@@ -770,6 +879,23 @@ optional_policy(` +@@ -770,6 +880,23 @@ optional_policy(` ') optional_policy(` @@ -5943,7 +5970,7 @@ index 6649962..8d471e8 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -786,35 +912,54 @@ optional_policy(` +@@ -786,35 +913,55 @@ optional_policy(` ') optional_policy(` @@ -5966,6 +5993,7 @@ index 6649962..8d471e8 100644 - ldap_tcp_connect(httpd_t) - ') +optional_policy(` ++ mirrormanager_manage_pid_files(httpd_t) + mirrormanager_read_lib_files(httpd_t) + mirrormanager_read_log(httpd_t) +') @@ -6011,7 +6039,7 @@ index 6649962..8d471e8 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +967,18 @@ optional_policy(` +@@ -822,8 +969,18 @@ optional_policy(` ') optional_policy(` 
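Review bot: `mirrormanager_manage_pid_files(httpd_t)` in the new mirrormanager optional_policy block gives the web server create/write/delete on another service's pid files unconditionally, while the two neighbouring mirrormanager lines are read-only and the comparable `memcached_manage_pid_files(httpd_t)` below is gated behind `httpd_manage_ipa`. Anything running as httpd_t (a compromised CGI or module) could then truncate or replace mirrormanager's pid file. If the write is only needed when the mirrormanager web frontend runs inside httpd, put it behind a tunable, or at least document the reason: `# mirrormanager's web frontend runs under httpd and writes its pid/socket files (verify)`. The optional_policy block is wholly inside this hunk.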
@@ -6030,7 +6058,7 @@ index 6649962..8d471e8 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +987,7 @@ optional_policy(` +@@ -832,6 +989,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6038,7 +6066,7 @@ index 6649962..8d471e8 100644 ') optional_policy(` -@@ -842,20 +998,39 @@ optional_policy(` +@@ -842,20 +1000,39 @@ optional_policy(` ') optional_policy(` @@ -6084,7 +6112,7 @@ index 6649962..8d471e8 100644 ') optional_policy(` -@@ -863,19 +1038,35 @@ optional_policy(` +@@ -863,19 +1040,35 @@ optional_policy(` ') optional_policy(` @@ -6120,7 +6148,7 @@ index 6649962..8d471e8 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1074,173 @@ optional_policy(` +@@ -883,65 +1076,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6316,7 +6344,7 @@ index 6649962..8d471e8 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1251,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6471,7 +6499,7 @@ index 6649962..8d471e8 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1333,106 @@ optional_policy(` +@@ -1083,172 +1335,106 @@ optional_policy(` ') ') @@ -6708,7 +6736,7 @@ index 6649962..8d471e8 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1442,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6805,7 +6833,7 @@ index 6649962..8d471e8 100644 ######################################## # -@@ -1321,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1517,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` 
@@ -6822,7 +6850,7 @@ index 6649962..8d471e8 100644 ') ######################################## -@@ -1330,49 +1531,38 @@ optional_policy(` +@@ -1330,49 +1533,38 @@ optional_policy(` # User content local policy # @@ -6887,7 +6915,7 @@ index 6649962..8d471e8 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1572,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1574,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -7835,10 +7863,10 @@ index 0000000..316c324 +') diff --git a/authconfig.te b/authconfig.te new file mode 100644 -index 0000000..f2aa4e6 +index 0000000..362a049 --- /dev/null +++ b/authconfig.te -@@ -0,0 +1,32 @@ +@@ -0,0 +1,33 @@ +policy_module(authconfig, 1.0.0) + +######################################## @@ -7867,6 +7895,7 @@ index 0000000..f2aa4e6 +files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file }) + +domain_use_interactive_fds(authconfig_t) ++domain_named_filetrans(authconfig_t) + +init_domtrans_script(authconfig_t) + @@ -7981,7 +8010,7 @@ index f24e369..9bce868 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 27d2f40..1268d7d 100644 +index 27d2f40..5eec4ff 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; @@ -8020,7 +8049,15 @@ index 27d2f40..1268d7d 100644 files_search_boot(automount_t) files_search_all(automount_t) files_unmount_all_file_type_fs(automount_t) -@@ -135,15 +137,18 @@ auth_use_nsswitch(automount_t) +@@ -113,6 +115,7 @@ fs_manage_autofs_symlinks(automount_t) + fs_mount_all_fs(automount_t) + fs_mount_autofs(automount_t) + fs_read_nfs_files(automount_t) ++fs_read_nfs_symlinks(automount_t) + fs_search_all(automount_t) + fs_search_auto_mountpoints(automount_t) + fs_unmount_all_fs(automount_t) +@@ -135,15 +138,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) 
@@ -8043,7 +8080,7 @@ index 27d2f40..1268d7d 100644 fstools_domtrans(automount_t) ') -@@ -166,3 +171,8 @@ optional_policy(` +@@ -166,3 +172,8 @@ optional_policy(` optional_policy(` udev_read_db(automount_t) ') @@ -8389,13 +8426,14 @@ index c3fd7b1..e189593 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..1742ebf 100644 +index 2b9a3a1..ab80059 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,71 @@ +@@ -1,54 +1,74 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) @@ -8418,12 +8456,14 @@ index 2b9a3a1..1742ebf 100644 + +/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0) +/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0) ++/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0) /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) +/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) @@ -10014,10 +10054,10 @@ index 0000000..de66654 +') 
diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..b3aa772 +index 0000000..00e1ff2 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,54 @@ +@@ -0,0 +1,58 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -10055,6 +10095,7 @@ index 0000000..b3aa772 +kernel_dontaudit_access_check_proc(bumblebee_t) + +corecmd_exec_shell(bumblebee_t) ++corecmd_exec_bin(bumblebee_t) + +dev_read_sysfs(bumblebee_t) + @@ -10067,7 +10108,10 @@ index 0000000..b3aa772 +sysnet_dns_name_resolve(bumblebee_t) + +xserver_domtrans(bumblebee_t) ++xserver_signal(bumblebee_t) ++xserver_stream_connect(bumblebee_t) +xserver_manage_xkb_libs(bumblebee_t) ++corenet_tcp_connect_xserver_port(bumblebee_t) + +optional_policy(` + apm_stream_connect(bumblebee_t) @@ -10925,7 +10969,7 @@ index a731122..5279d4e 100644 ') + diff --git a/cfengine.te b/cfengine.te -index fbe3ad9..ffde263 100644 +index fbe3ad9..21ab8e1 100644 --- a/cfengine.te +++ b/cfengine.te @@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) @@ -10948,6 +10992,15 @@ index fbe3ad9..ffde263 100644 sysnet_domtrans_ifconfig(cfengine_domain) ######################################## +@@ -69,7 +64,7 @@ domain_read_all_domains_state(cfengine_execd_t) + # Monitord local policy + # + +-kernel_read_hotplug_sysctls(cfengine_monitord_t) ++kernel_read_usermodehelper_state(cfengine_monitord_t) + kernel_read_network_state(cfengine_monitord_t) + + domain_read_all_domains_state(cfengine_monitord_t) diff --git a/cgroup.if b/cgroup.if index 85ca63f..1d1c99c 100644 --- a/cgroup.if @@ -12273,10 +12326,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..786d623 +index 0000000..0e17a32 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,298 @@ +policy_module(cloudform, 1.0) +######################################## +# 
@@ -12439,8 +12492,7 @@ index 0000000..786d623 +') + +optional_policy(` -+ rpm_domtrans(cloud_init_t) -+ rpm_transition_script(cloud_init_t) ++ rpm_run(cloud_init_t, system_r) + unconfined_domain(cloud_init_t) +') + @@ -14611,7 +14663,7 @@ index c086302..4f33119 100644 /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) diff --git a/couchdb.if b/couchdb.if -index 715a826..afa2f78 100644 +index 715a826..36d5a7d 100644 --- a/couchdb.if +++ b/couchdb.if @@ -2,7 +2,7 @@ @@ -14712,7 +14764,7 @@ index 715a826..afa2f78 100644 ## ## ## -@@ -73,19 +112,63 @@ interface(`couchdb_read_pid_files',` +@@ -73,19 +112,85 @@ interface(`couchdb_read_pid_files',` ') files_search_pids($1) @@ -14737,6 +14789,28 @@ index 715a826..afa2f78 100644 + + files_search_pids($1) + allow $1 couchdb_var_run_t:dir search_dir_perms; ++') ++ ++####################################### ++## ++## Allow domain to manage couchdb content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_manage_files',` ++ gen_require(` ++ type couchdb_var_run_t; ++ type couchdb_log_t; ++ type couchdb_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, couchdb_log_t, couchdb_log_t) ++ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) ++ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) ') ######################################## @@ -14780,7 +14854,7 @@ index 715a826..afa2f78 100644 ## ## ## Role allowed access. -@@ -95,14 +178,19 @@ interface(`couchdb_read_pid_files',` +@@ -95,14 +200,19 @@ interface(`couchdb_read_pid_files',` # interface(`couchdb_admin',` gen_require(` @@ -14801,7 +14875,7 @@ index 715a826..afa2f78 100644 init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; -@@ -122,4 +210,13 @@ interface(`couchdb_admin',` +@@ -122,4 +232,13 @@ interface(`couchdb_admin',` files_search_pids($1) admin_pattern($1, couchdb_var_run_t) 
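Review bot: The new `couchdb_manage_files` interface grants manage_files_pattern on couchdb_log_t, couchdb_var_lib_t and couchdb_var_run_t but never lets the caller reach the parent directories, whereas the interface immediately above pairs its access with `files_search_pids($1)`; a caller with no other path into /var/run, /var/log or /var/lib is denied at the directory before the file rules matter. Add `files_search_pids($1)`, `files_search_var_lib($1)` and `logging_search_logs($1)` ahead of the manage lines. A smaller nit: the summary says "manage couchdb content" but the body touches only plain files, so either add the dir patterns or narrow the summary to "manage couchdb files".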
@@ -17293,18 +17367,26 @@ index 7de3859..d8264c4 100644 type unconfined_cronjob_t; diff --git a/ctdb.fc b/ctdb.fc -index 8401fe6..507804b 100644 +index 8401fe6..9131995 100644 --- a/ctdb.fc +++ b/ctdb.fc -@@ -2,6 +2,8 @@ +@@ -2,11 +2,16 @@ /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) +/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0) + ++/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) + /var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) + ++ ++/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) + /var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) + + /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/ctdb.if b/ctdb.if index b25b01d..e99c5c6 100644 --- a/ctdb.if @@ -17596,7 +17678,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..f3809a2 100644 +index 001b502..83fb1f9 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
@@ -17624,19 +17706,26 @@ index 001b502..f3809a2 100644 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) +@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) + exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) + manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) - files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) - +-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) ++files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb") ++ +manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) +manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) +manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) ++files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd") +files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb") -+ + manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) ++manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) -@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) + + kernel_read_network_state(ctdbd_t) +@@ -72,9 +84,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -17648,7 +17737,7 @@ index 001b502..f3809a2 100644 corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +97,14 @@ dev_read_urand(ctdbd_t) +@@ -85,12 +99,14 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) 
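Review bot: Narrowing `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)` to the single name `"ctdb"` drops the transition for `/var/lib/ctdbd`, which ctdb.fc still labels ctdbd_var_lib_t, while the parallel `files_var_filetrans` lines in the same hunk cover both `"ctdbd"` and `"ctdb"`. If ctdbd creates /var/lib/ctdbd at runtime it will now be created as the generic var_lib_t until a restorecon. Add the matching line `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdbd")`. The added `manage_sock_files_pattern` on ctdbd_var_run_t is consistent with the new `/var/run/ctdb` entry in ctdb.fc.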
@@ -17665,7 +17754,7 @@ index 001b502..f3809a2 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +123,7 @@ optional_policy(` +@@ -109,6 +125,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -20900,7 +20989,7 @@ index 8ce99ff..0819898 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 77a5003..2728ee6 100644 +index 77a5003..73f2867 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) @@ -21051,6 +21140,15 @@ index 77a5003..2728ee6 100644 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) +@@ -224,7 +236,7 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) + kernel_read_fs_sysctls(devicekit_power_t) + kernel_read_network_state(devicekit_power_t) + kernel_read_system_state(devicekit_power_t) +-kernel_rw_hotplug_sysctls(devicekit_power_t) ++kernel_rw_usermodehelper_state(devicekit_power_t) + kernel_rw_kernel_sysctl(devicekit_power_t) + kernel_rw_vm_sysctls(devicekit_power_t) + kernel_search_debugfs(devicekit_power_t) @@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) @@ -22729,10 +22827,10 @@ index c7bb4e7..e6fe2f40 100644 sysnet_etc_filetrans_config(dnssec_triggerd_t) diff --git a/docker.fc b/docker.fc new file mode 100644 -index 0000000..484dd44 +index 0000000..b24266e --- /dev/null +++ b/docker.fc -@@ -0,0 +1,12 @@ +@@ -0,0 +1,14 @@ +/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) + +/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) 
@@ -22742,16 +22840,17 @@ index 0000000..484dd44 +/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) +/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) + ++/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0) ++ +/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0) + -+/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0) -\ No newline at end of file ++ diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..543baf1 +index 0000000..c77a25f --- /dev/null +++ b/docker.if -@@ -0,0 +1,250 @@ +@@ -0,0 +1,257 @@ + +## The open-source application container engine. + @@ -22947,6 +23046,23 @@ index 0000000..543baf1 + ps_process_pattern($1, docker_t) +') + ++######################################## ++## ++## Read and write docker shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_rw_sem',` ++ gen_require(` ++ type docker_t; ++ ') ++ ++ allow $1 docker_t:sem rw_sem_perms; ++') + +######################################## +## @@ -22963,7 +23079,9 @@ index 0000000..543baf1 + gen_require(` + type docker_t; + type docker_var_lib_t, docker_var_run_t; -+ type docker_unit_file_t; ++ type docker_unit_file_t; ++ type docker_lock_t; ++ type docker_log_t; + ') + + allow $1 docker_t:process { ptrace signal_perms }; @@ -22975,6 +23093,12 @@ index 0000000..543baf1 + files_search_pids($1) + admin_pattern($1, docker_var_run_t) + ++ files_search_locks($1) ++ admin_pattern($1, docker_lock_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, docker_log_t) ++ + docker_systemctl($1) + admin_pattern($1, docker_unit_file_t) + allow $1 docker_unit_file_t:service all_service_perms; 
@@ -22984,30 +23108,12 @@ index 0000000..543baf1 + systemd_read_fifo_file_passwd_run($1) + ') +') -+ -+######################################## -+## -+## Read and write docker shared memory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`docker_rw_sem',` -+ gen_require(` -+ type docker_t; -+ ') -+ -+ allow $1 docker_t:sem rw_sem_perms; -+') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..5c6eaab +index 0000000..68c225c --- /dev/null +++ b/docker.te -@@ -0,0 +1,157 @@ +@@ -0,0 +1,172 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23022,6 +23128,9 @@ index 0000000..5c6eaab +type docker_var_lib_t; +files_type(docker_var_lib_t) + ++type docker_lock_t; ++files_lock_file(docker_lock_t) ++ +type docker_log_t; +logging_log_file(docker_log_t) + @@ -23044,6 +23153,10 @@ index 0000000..5c6eaab +allow docker_t self:unix_stream_socket create_stream_socket_perms; +allow docker_t self:capability2 block_suspend; + ++manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t) ++manage_files_pattern(docker_t, docker_lock_t, docker_lock_t) ++files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc") ++ +manage_dirs_pattern(docker_t, docker_log_t, docker_log_t) +manage_files_pattern(docker_t, docker_log_t, docker_log_t) +manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t) @@ -23087,6 +23200,8 @@ index 0000000..5c6eaab + +auth_use_nsswitch(docker_t) + ++init_read_state(docker_t) ++ +logging_send_audit_msgs(docker_t) +logging_send_syslog_msg(docker_t) + 
@@ -23110,7 +23225,8 @@ index 0000000..5c6eaab +# + +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; -+allow docker_t self:process { getcap setcap setpgid setsched signal_perms }; ++allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms }; ++ +allow docker_t self:netlink_route_socket rw_netlink_socket_perms;; +allow docker_t self:netlink_audit_socket create_netlink_socket_perms; +allow docker_t self:unix_dgram_socket create_socket_perms; @@ -23146,10 +23262,12 @@ index 0000000..5c6eaab +fs_manage_cgroup_dirs(docker_t) +fs_manage_cgroup_files(docker_t) +fs_relabelfrom_xattr_fs(docker_t) ++fs_relabelfrom_tmpfs(docker_t) + +term_use_generic_ptys(docker_t) +term_use_ptmx(docker_t) +term_getattr_pty_fs(docker_t) ++term_relabel_pty_fs(docker_t) + +modutils_domtrans_insmod(docker_t) + @@ -23164,6 +23282,9 @@ index 0000000..5c6eaab + virt_stream_connect_sandbox(docker_t) + virt_manage_sandbox_files(docker_t) + virt_relabel_sandbox_filesystem(docker_t) ++ # for lxc ++ virt_transition_svirt_sandbox(docker_t, system_r) ++ virt_mounton_sandbox_file(docker_t) +') diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 @@ -27300,7 +27421,7 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..4b88195 +index 0000000..c63f92f --- /dev/null +++ b/glusterd.te @@ -0,0 +1,200 @@ @@ -27458,7 +27579,7 @@ index 0000000..4b88195 +fs_unmount_all_fs(glusterd_t) +fs_getattr_all_fs(glusterd_t) + -+files_mounton_mnt(glusterd_t) ++files_mounton_non_security(glusterd_t) + +storage_rw_fuse(glusterd_t) + @@ -27715,10 +27836,10 @@ index 4e95c7e..0000000 - -miscfiles_read_localization(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index e39de43..4c8113b 100644 +index e39de43..6a6db28 100644 --- a/gnome.fc 
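Review bot: The `setexec` permission added to `allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };` lets docker_t choose the security context of the processes it execs, which is presumably what the later `virt_transition_svirt_sandbox(docker_t, system_r)` hunk (marked only "# for lxc") depends on, yet nothing at the point of grant says so. A one-line comment tying the two together would keep the rule auditable, e.g. `# setexec: docker sets the svirt sandbox context for container processes (see virt_transition_svirt_sandbox below)`. The line that immediately follows still carries a doubled semicolon (`rw_netlink_socket_perms;;`); it predates this hunk, but since the adjacent line is being edited it is a cheap place to drop it. docker.te's local policy section continues outside the hunk.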
+++ b/gnome.fc -@@ -1,15 +1,59 @@ +@@ -1,15 +1,61 @@ -HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) @@ -27732,6 +27853,7 @@ index e39de43..4c8113b 100644 +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0) ++HOME_DIR/\.nv/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) @@ -27740,6 +27862,7 @@ index e39de43..4c8113b 100644 +HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) ++HOME_DIR/\.cache/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) @@ -27788,7 +27911,7 @@ index e39de43..4c8113b 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..d36aa1e 100644 +index ab09d61..edd1c94 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,78 @@ 
@@ -28835,7 +28958,7 @@ index ab09d61..d36aa1e 100644 ## ## ## -@@ -706,12 +820,912 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -706,12 +820,931 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -29247,6 +29370,24 @@ index ab09d61..d36aa1e 100644 + delete_files_pattern($1, config_home_t, config_home_t) +') + ++######################################## ++## ++## Create gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_create_home_config_dirs',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ allow $1 config_home_t:dir create_dir_perms; ++') ++ +####################################### +## +## setattr gnome homedir content (.config) @@ -29384,6 +29525,7 @@ index ab09d61..d36aa1e 100644 + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") + userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2") @@ -29754,7 +29896,7 @@ index ab09d61..d36aa1e 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 63893eb..76cc0d8 100644 +index 63893eb..e9adc23 100644 --- a/gnome.te +++ b/gnome.te @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) 
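Review bot: `gnome_create_home_config_dirs` declares `type cache_home_t;` in its gen_require, but the only rule in its body uses a different type (`allow $1 config_home_t:dir create_dir_perms;`), so the requirement does not match what is referenced; change the gen_require to `type config_home_t;`. As written the interface would fail to link or, depending on the build, rely on config_home_t happening to be in scope. The accompanying header comment ("Create gnome homedir content (.config)") is fine once the type matches.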
@@ -29793,7 +29935,7 @@ index 63893eb..76cc0d8 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -31,105 +50,224 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) role gconfd_roles types gconfd_t; @@ -30052,6 +30194,7 @@ index 63893eb..76cc0d8 100644 optional_policy(` - telepathy_mission_control_read_state(gkeyringd_domain) ++ gnome_create_home_config_dirs(gkeyringd_domain) + gnome_read_home_config(gkeyringd_domain) + gnome_manage_generic_cache_files(gkeyringd_domain) + gnome_manage_cache_home_dir(gkeyringd_domain) @@ -31721,10 +31864,10 @@ index 6517fad..b7ca833 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..3543847 100644 +index 4eb7041..b2d134d 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,61 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,70 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -31759,7 +31902,7 @@ index 4eb7041..3543847 100644 # -# Local policy +# hyperv domain local policy - # ++# + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; 
@@ -31768,24 +31911,33 @@ index 4eb7041..3543847 100644 +allow hyperv_domain self:unix_stream_socket create_stream_socket_perms; + +corecmd_exec_shell(hyperv_domain) ++corecmd_exec_bin(hyperv_domain) + +dev_read_sysfs(hyperv_domain) + +######################################## # +# hypervkvp local policy -+# -+ -+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) + # -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) ++ ++files_dontaudit_search_home(hypervkvp_t) ++ +logging_send_syslog_msg(hypervkvp_t) ++ ++sysnet_dns_name_resolve(hypervkvp_t) -logging_send_syslog_msg(hypervkvpd_t) -+sysnet_dns_name_resolve(hypervkvp_t) ++userdom_dontaudit_search_admin_dir(hypervkvp_t) ++ ++optional_policy(` ++ sysnet_exec_ifconfig(hypervkvp_t) ++') + +######################################## +# @@ -36441,9 +36593,18 @@ index 5297064..6ba8108 100644 domain_system_change_exemption($1) role_transition $2 kudzu_initrc_exec_t system_r; diff --git a/kudzu.te b/kudzu.te -index 1664036..d10ed5a 100644 +index 1664036..51dd14f 100644 --- a/kudzu.te +++ b/kudzu.te +@@ -47,7 +47,7 @@ kernel_read_device_sysctls(kudzu_t) + kernel_read_kernel_sysctls(kudzu_t) + kernel_read_network_state(kudzu_t) + kernel_read_system_state(kudzu_t) +-kernel_rw_hotplug_sysctls(kudzu_t) ++kernel_rw_usermodehelper_state(kudzu_t) + kernel_rw_kernel_sysctl(kudzu_t) + + corecmd_exec_all_executables(kudzu_t) @@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t) domain_use_interactive_fds(kudzu_t) 
@@ -37459,10 +37620,10 @@ index 483c87b..af0698b 100644 - sysnet_dns_name_resolve(lircd_t) diff --git a/livecd.if b/livecd.if -index e354181..c6b2383 100644 +index e354181..fc614ba 100644 --- a/livecd.if +++ b/livecd.if -@@ -38,11 +38,32 @@ interface(`livecd_domtrans',` +@@ -38,11 +38,36 @@ interface(`livecd_domtrans',` # interface(`livecd_run',` gen_require(` @@ -37474,6 +37635,10 @@ index e354181..c6b2383 100644 livecd_domtrans($1) roleattribute $2 livecd_roles; + role_transition $2 livecd_exec_t system_r; ++ ++ optional_policy(` ++ rpm_transition_script(livecd_t, $2) ++ ') +') + +######################################## @@ -37496,7 +37661,7 @@ index e354181..c6b2383 100644 ######################################## diff --git a/livecd.te b/livecd.te -index 2f974bf..54f10e4 100644 +index 2f974bf..f6e97fa 100644 --- a/livecd.te +++ b/livecd.te @@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t) @@ -37513,18 +37678,14 @@ index 2f974bf..54f10e4 100644 manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -@@ -35,12 +37,17 @@ sysnet_etc_filetrans_config(livecd_t) +@@ -35,12 +37,13 @@ sysnet_etc_filetrans_config(livecd_t) optional_policy(` hal_dbus_chat(livecd_t) ') + -+optional_policy(` -+ mount_run(livecd_t, livecd_roles) -+') -+ optional_policy(` - mount_run(livecd_t, livecd_roles) -+ rpm_transition_script(livecd_t) ++ mount_run(livecd_t, livecd_roles) ') optional_policy(` @@ -37745,7 +37906,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..8c532a6 100644 +index be0ab84..e4d6e6f 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,14 @@ policy_module(logrotate, 1.15.0) @@ -37973,7 +38134,7 @@ index be0ab84..8c532a6 100644 ') optional_policy(` -@@ -228,10 +268,20 @@ optional_policy(` +@@ -228,10 +268,21 @@ optional_policy(` ') optional_policy(` 
@@ -37987,6 +38148,7 @@ index be0ab84..8c532a6 100644 + +optional_policy(` squid_domtrans(logrotate_t) ++ squid_read_config(logrotate_t) ') optional_policy(` @@ -37994,7 +38156,7 @@ index be0ab84..8c532a6 100644 su_exec(logrotate_t) ') -@@ -241,13 +291,11 @@ optional_policy(` +@@ -241,13 +292,11 @@ optional_policy(` ####################################### # @@ -38590,7 +38752,7 @@ index d314333..da30c5d 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..c7e1da8 100644 +index 4ec0eea..5bf5627 100644 --- a/lsm.te +++ b/lsm.te @@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t) @@ -38611,7 +38773,7 @@ index 4ec0eea..c7e1da8 100644 ######################################## # # Local policy -@@ -26,4 +37,34 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +37,36 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) @@ -38627,6 +38789,7 @@ index 4ec0eea..c7e1da8 100644 +allow lsmd_plugin_t self:udp_socket create_socket_perms; + +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t) ++allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write }; + +allow lsmd_t lsmd_plugin_exec_t:file read_file_perms; +stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t) @@ -38642,6 +38805,7 @@ index 4ec0eea..c7e1da8 100644 +corecmd_exec_bin(lsmd_plugin_t) + +init_stream_connect(lsmd_plugin_t) ++init_dontaudit_rw_stream_socket(lsmd_plugin_t) + +logging_send_syslog_msg(lsmd_plugin_t) + @@ -40371,10 +40535,10 @@ index cba62db..562833a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 4dc99f4..22dbcb9 100644 +index 4dc99f4..c11bec2 100644 --- a/milter.te +++ b/milter.te -@@ -5,73 +5,113 @@ policy_module(milter, 1.5.0) +@@ -5,73 +5,117 @@ policy_module(milter, 1.5.0) # Declarations # 
@@ -40416,6 +40580,8 @@ index 4dc99f4..22dbcb9 100644 allow milter_domains self:fifo_file rw_fifo_file_perms; -allow milter_domains self:tcp_socket { accept listen }; + ++allow milter_domains self:process signull; ++ +# Allow communication with MTA over a TCP socket +allow milter_domains self:tcp_socket create_stream_socket_perms; @@ -40457,6 +40623,8 @@ index 4dc99f4..22dbcb9 100644 + +kernel_read_kernel_sysctls(dkim_milter_t) + ++corenet_udp_bind_all_ports(dkim_milter_t) ++ +auth_use_nsswitch(dkim_milter_t) + +sysnet_dns_name_resolve(dkim_milter_t) @@ -40515,7 +40683,7 @@ index 4dc99f4..22dbcb9 100644 optional_policy(` mysql_stream_connect(greylist_milter_t) -@@ -79,30 +119,45 @@ optional_policy(` +@@ -79,30 +123,45 @@ optional_policy(` ######################################## # @@ -40730,10 +40898,10 @@ index 0000000..c713b27 +/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) diff --git a/mirrormanager.if b/mirrormanager.if new file mode 100644 -index 0000000..dd049c7 +index 0000000..fbb831d --- /dev/null +++ b/mirrormanager.if -@@ -0,0 +1,224 @@ +@@ -0,0 +1,237 @@ + +## policy for mirrormanager + @@ -40851,6 +41019,7 @@ index 0000000..dd049c7 + ') + + files_search_var_lib($1) ++ list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) + read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) +') + 
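Review bot: `corenet_udp_bind_all_ports(dkim_milter_t)` lets dkim_milter_t bind any UDP port, including reserved ports and every port that has a dedicated port type; if the need is only ephemeral source ports for DNS key lookups (the domain already calls `sysnet_dns_name_resolve`), the narrower `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)` would cover that with less exposure. Whichever interface is kept, a short comment recording why the bind is needed, e.g. `# dkim-milter binds UDP source ports for DNS lookups (<bug ref placeholder>)`, would make the grant reviewable later. The milter_domains section this hunk sits in starts outside the hunk.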
@@ -40911,23 +41080,35 @@ index 0000000..dd049c7 + read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) +') + -+ +######################################## +## -+## All of the rules required to administrate -+## an mirrormanager environment ++## Manage mirrormanager PID files. +## +## +## +## Domain allowed access. +## +## -+## ++# ++interface(`mirrormanager_manage_pid_files',` ++ gen_require(` ++ type mirrormanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mirrormanager environment ++## ++## +## -+## Role allowed access. ++## Domain allowed access. +## +## -+## +# +interface(`mirrormanager_admin',` + gen_require(` @@ -41336,10 +41517,10 @@ index 0000000..6568bfe +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..92c3b35 +index 0000000..fc64201 --- /dev/null +++ b/mock.te -@@ -0,0 +1,275 @@ +@@ -0,0 +1,276 @@ +policy_module(mock,1.0.0) + +## @@ -41387,6 +41568,7 @@ index 0000000..92c3b35 +# + +allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_t self:capability2 block_suspend; +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; +# Needed because mock can run java and mono withing build environment +allow mock_t self:process { execmem execstack }; @@ -42270,7 +42452,7 @@ index 6ffaba2..cb1e8b0 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..b8952a1 100644 +index 6194b80..03c6414 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ 
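Review bot: The rewritten header of `mirrormanager_admin` now documents only a "Domain allowed access" parameter and drops the "Role allowed access" description the old text carried; the interface body begins in this hunk but its rules run past it, so if it still references a role as `$2` the documentation no longer matches the signature. Either restore the second parameter description or, if the role argument was genuinely removed, confirm that every caller passes a single argument. The new `mirrormanager_manage_pid_files` is consistent with the sibling read interface (`files_search_pids` plus a `manage_files_pattern` on `mirrormanager_var_run_t`).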
@@ -42556,7 +42738,7 @@ index 6194b80..b8952a1 100644 ## ## ## -@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',` +@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',` ## # interface(`mozilla_execmod_user_home_files',` @@ -42656,6 +42838,8 @@ index 6194b80..b8952a1 100644 + allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms }; + allow mozilla_plugin_t $1:shm { rw_shm_perms destroy }; + allow mozilla_plugin_t $1:sem create_sem_perms; ++ allow $1 mozilla_plugin_t:sem rw_sem_perms; ++ allow $1 mozilla_plugin_t:shm rw_shm_perms; + + ps_process_pattern($1, mozilla_plugin_t) + allow $1 mozilla_plugin_t:process signal_perms; @@ -42770,7 +42954,7 @@ index 6194b80..b8952a1 100644 ') ######################################## -@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -42780,7 +42964,7 @@ index 6194b80..b8952a1 100644 ## ## ## -@@ -433,76 +353,144 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -42954,7 +43138,7 @@ index 6194b80..b8952a1 100644 ## ## ## -@@ -510,19 +498,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -42979,7 +43163,7 @@ index 6194b80..b8952a1 100644 ## ## ## -@@ -530,45 +517,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +519,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # 
@@ -44394,6 +44578,36 @@ index 0f03cd9..e3ed393 100644 allow mplayer_t mplayer_tmpfs_t:file execute; ') +diff --git a/mrtg.if b/mrtg.if +index c595094..2346458 100644 +--- a/mrtg.if ++++ b/mrtg.if +@@ -2,6 +2,25 @@ + + ######################################## + ## ++## Read mrtg lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mrtg_read_lib_files',` ++ gen_require(` ++ type mrtg_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t) ++') ++ ++######################################## ++## + ## Create and append mrtg log files. + ## + ## diff --git a/mrtg.te b/mrtg.te index 65a246a..fa86320 100644 --- a/mrtg.te @@ -48101,7 +48315,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682..1726e88 100644 +index 7b3e682..6d966d5 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -48363,7 +48577,7 @@ index 7b3e682..1726e88 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +436,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,14 +436,18 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -48376,7 +48590,15 @@ index 7b3e682..1726e88 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -442,11 +458,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) + ++optional_policy(` ++ mrtg_read_lib_files(nagios_system_plugin_t) ++') ++ + ####################################### + # + # Event local policy +@@ -442,11 +462,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -48487,10 +48709,10 @@ index 0000000..8d7c751 +') diff --git a/namespace.te b/namespace.te new file mode 100644 -index 0000000..c674894 +index 0000000..e289f2d --- /dev/null 
+++ b/namespace.te -@@ -0,0 +1,39 @@ +@@ -0,0 +1,41 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -48522,6 +48744,8 @@ index 0000000..c674894 + +files_polyinstantiate_all(namespace_init_t) + ++fs_getattr_xattr_fs(namespace_init_t) ++ +auth_use_nsswitch(namespace_init_t) + +term_use_console(namespace_init_t) @@ -48547,10 +48771,10 @@ index db9578f..4309e3d 100644 ') + diff --git a/ncftool.te b/ncftool.te -index 71f30ba..d20f048 100644 +index 71f30ba..d616860 100644 --- a/ncftool.te +++ b/ncftool.te -@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t; +@@ -22,13 +22,14 @@ role ncftool_roles types ncftool_t; allow ncftool_t self:capability net_admin; allow ncftool_t self:process signal; @@ -48558,6 +48782,14 @@ index 71f30ba..d20f048 100644 allow ncftool_t self:fifo_file manage_fifo_file_perms; allow ncftool_t self:unix_stream_socket create_stream_socket_perms; allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; + allow ncftool_t self:tcp_socket create_stream_socket_perms; + + kernel_read_kernel_sysctls(ncftool_t) +-kernel_read_modprobe_sysctls(ncftool_t) ++kernel_read_usermodehelper_state(ncftool_t) + kernel_read_network_state(ncftool_t) + kernel_read_system_state(ncftool_t) + kernel_request_load_module(ncftool_t) @@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t) dev_read_sysfs(ncftool_t) @@ -49105,7 +49337,7 @@ index 86dc29d..5b73942 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..fae4607 100644 +index 55f2009..c8ed2bd 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; 
@@ -49139,7 +49371,7 @@ index 55f2009..fae4607 100644 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +# networkmanager will ptrace itself if gdb is installed +# and it receives a unexpected signal (rh bug #204161) -+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot }; +dontaudit NetworkManager_t self:capability sys_tty_config; + +ifdef(`hide_broken_symptoms',` @@ -49257,7 +49489,7 @@ index 55f2009..fae4607 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +152,31 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +152,33 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -49278,6 +49510,8 @@ index 55f2009..fae4607 100644 init_dontaudit_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) +init_signull_script(NetworkManager_t) ++init_signal_script(NetworkManager_t) ++init_sigkill_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -49290,7 +49524,7 @@ index 55f2009..fae4607 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +191,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +193,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -49327,7 +49561,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -196,10 +232,6 @@ optional_policy(` +@@ -196,10 +234,6 @@ optional_policy(` ') optional_policy(` 
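Review bot: `sys_chroot` is appended to the NetworkManager_t capability set, but the only comment above that line still explains the ptrace/gdb case (rh bug #204161) and says nothing about chroot; since this capability lets the daemon (or anything running in its domain) change its root directory, a short note naming which helper needs it, e.g. `# sys_chroot: needed by <helper placeholder> (<bug ref placeholder>)`, would keep the grant auditable. The same applies to the `init_signal_script`/`init_sigkill_script` additions in the `@@ -49257,7 +49489,7 @@` hunk, which give NetworkManager_t the ability to kill init scripts without a stated reason. The NetworkManager_t local policy section continues outside the hunk.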
@@ -49338,7 +49572,7 @@ index 55f2009..fae4607 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +242,11 @@ optional_policy(` +@@ -210,16 +244,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -49357,7 +49591,7 @@ index 55f2009..fae4607 100644 ') ') -@@ -231,18 +258,23 @@ optional_policy(` +@@ -231,18 +260,23 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -49384,7 +49618,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -250,6 +282,10 @@ optional_policy(` +@@ -250,6 +284,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -49395,7 +49629,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -257,11 +293,14 @@ optional_policy(` +@@ -257,11 +295,14 @@ optional_policy(` ') optional_policy(` @@ -49412,7 +49646,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -274,10 +313,17 @@ optional_policy(` +@@ -274,10 +315,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -49430,7 +49664,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -289,6 +335,7 @@ optional_policy(` +@@ -289,6 +337,7 @@ optional_policy(` ') optional_policy(` @@ -49438,7 +49672,7 @@ index 55f2009..fae4607 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +343,7 @@ optional_policy(` +@@ -296,7 +345,7 @@ optional_policy(` ') optional_policy(` @@ -49447,7 +49681,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -307,6 +354,7 @@ optional_policy(` +@@ -307,6 +356,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) 
@@ -49455,7 +49689,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -320,14 +368,20 @@ optional_policy(` +@@ -320,14 +370,20 @@ optional_policy(` ') optional_policy(` @@ -49481,7 +49715,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -357,6 +411,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +413,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) 
@@ -57394,6 +57628,259 @@ index 8176e4a..2df1789 100644 seutil_sigchld_newrole(cardmgr_t) ') +diff --git a/pcp.fc b/pcp.fc +new file mode 100644 +index 0000000..59d23a4 +--- /dev/null ++++ b/pcp.fc +@@ -0,0 +1,20 @@ ++/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmwie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0) ++ ++/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0) ++/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) ++/usr/libexec/pcp/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0) ++/usr/libexec/pcp/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0) ++/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) ++/usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0) ++ ++/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0) ++ ++/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0) ++ ++/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0) ++ +diff --git a/pcp.if b/pcp.if +new file mode 100644 +index 0000000..9ca6d26 +--- /dev/null ++++ b/pcp.if +@@ -0,0 +1,80 @@ ++## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation ++ ++###################################### ++## ++## Creates types and rules for a basic ++## pcp daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`pcp_domain_template',` ++ gen_require(` ++ attribute pcp_domain; ++ ') ++ ++ type pcp_$1_t, pcp_domain; ++ type pcp_$1_exec_t; ++ init_daemon_domain(pcp_$1_t, pcp_$1_exec_t) ++ ++ type pcp_$1_initrc_exec_t; ++ init_script_file(pcp_$1_initrc_exec_t) ++ ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pcp environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`pcp_admin',` ++ gen_require(` ++ type pcp_pmcd_t; ++ type pcp_pmlogger_t; ++ type pcp_pmproxy_t; ++ type pcp_pmwebd_t; ++ type pcp_pmie_t; ++ type pcp_pmmgr_t; ++ type pcp_var_run_t; ++ ') ++ ++ allow $1 pcp_pmcd_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmcd_t) ++ ++ allow $1 pcp_pmlogger_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmlogger_t) ++ ++ allow $1 pcp_pmproxy_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmproxy_t) ++ ++ allow $1 pcp_pmwebd_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmwebd_t) ++ ++ allow $1 pcp_pmie_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmie_t) ++ ++ allow $1 pcp_pmmgr_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmmgr_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pcp_pmcd_t:process ptrace; ++ allow $1 pcp_pmlogger_t:process ptrace; ++ allow $1 pcp_pmproxy_t:process ptrace; ++ allow $1 pcp_pmwebd_t:process ptrace; ++ allow $1 pcp_pmie_t:process ptrace; ++ allow $1 pcp_pmmgr_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, pcp_var_run_t) ++') +diff --git a/pcp.te b/pcp.te +new file mode 100644 +index 0000000..51d765d +--- /dev/null ++++ b/pcp.te +@@ -0,0 +1,135 @@ ++policy_module(pcp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute pcp_domain; ++ ++pcp_domain_template(pmcd) ++pcp_domain_template(pmlogger) ++pcp_domain_template(pmproxy) ++pcp_domain_template(pmwebd) ++pcp_domain_template(pmie) ++pcp_domain_template(pmmgr) ++ 
++type pcp_log_t; ++logging_log_file(pcp_log_t) ++ ++type pcp_var_lib_t; ++files_type(pcp_var_lib_t) ++ ++type pcp_var_run_t; ++files_pid_file(pcp_var_run_t) ++ ++type pcp_tmp_t; ++files_tmp_file(pcp_tmp_t) ++ ++type pcp_tmpfs_t; ++files_tmpfs_file(pcp_tmpfs_t) ++ ++######################################## ++# ++# pcp domain local policy ++# ++ ++allow pcp_domain self:capability { setuid setgid dac_override }; ++ ++manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t) ++manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t) ++logging_log_filetrans(pcp_domain, pcp_log_t, { dir }) ++ ++manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir}) ++ ++manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) ++manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) ++manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) ++files_pid_filetrans(pcp_domain, pcp_var_run_t, { file }) ++ ++manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) ++manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) ++files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file }) ++ ++manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) ++manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) ++fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file }) ++ ++dev_read_urand(pcp_domain) ++ ++auth_read_passwd(pcp_domain) ++ ++miscfiles_read_generic_certs(pcp_domain) ++ ++sysnet_read_config(pcp_domain) ++ ++######################################## ++# ++# pcp_pmcd local policy ++# ++ ++allow pcp_pmcd_t self:process { setsched signal }; ++allow pcp_pmcd_t self:netlink_route_socket create_socket_perms; ++allow pcp_pmcd_t self:tcp_socket create_socket_perms; ++allow pcp_pmcd_t self:tcp_socket listen; ++allow pcp_pmcd_t self:udp_socket create_socket_perms; ++allow pcp_pmcd_t 
self:unix_dgram_socket create_socket_perms;; ++ ++kernel_read_system_state(pcp_pmcd_t) ++kernel_read_network_state(pcp_pmcd_t) ++kernel_read_state(pcp_pmcd_t) ++ ++corecmd_exec_bin(pcp_pmcd_t) ++ ++dev_read_sysfs(pcp_pmcd_t) ++ ++domain_read_all_domains_state(pcp_pmcd_t) ++ ++auth_use_nsswitch(pcp_pmcd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(pcp_pmcd_t) ++ ++ optional_policy(` ++ avahi_dbus_chat(pcp_pmcd_t) ++ ') ++') ++ ++######################################## ++# ++# pcp_pmproxy local policy ++# ++ ++allow pcp_pmproxy_t self:process setsched; ++allow pcp_pmproxy_t self:tcp_socket listen; ++allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms; ++allow pcp_pmproxy_t self:tcp_socket create_socket_perms; ++allow pcp_pmproxy_t self:udp_socket create_socket_perms; ++ ++auth_use_nsswitch(pcp_pmproxy_t) ++ ++######################################## ++# ++# pcp_pmwebd local policy ++# ++ ++allow pcp_pmwebd_t self:tcp_socket listen; ++allow pcp_pmwebd_t self:tcp_socket create_socket_perms; ++ ++corenet_tcp_bind_generic_node(pcp_pmwebd_t) ++ ++######################################## ++# ++# pcp_pmmgr local policy ++# ++ ++allow pcp_pmmgr_t self:process { setpgid signal signull }; ++ ++kernel_read_system_state(pcp_pmmgr_t) ++ ++corecmd_exec_bin(pcp_pmmgr_t) ++ ++auth_use_nsswitch(pcp_pmmgr_t) diff --git a/pcscd.if b/pcscd.if index 43d50f9..7f77d32 100644 --- a/pcscd.if @@ -57603,7 +58090,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..b4c36a9 100644 +index 608f454..a5787c2 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -57622,7 +58109,7 @@ index 608f454..b4c36a9 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,290 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,293 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) 
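Review bot: In pcp.fc the init script entry `/etc/rc\.d/init\.d/pmwie` is labelled `pcp_pmie_initrc_exec_t` while the matching daemon binary is `/usr/libexec/pcp/bin/pmie`; `pmwie` looks like a typo for `pmie`, in which case the real pmie init script would keep the generic label and never transition. In pcp.te, `allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;` has a doubled semicolon and `files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir})` lacks the space before the closing brace; both should be tidied. `pcp_admin` requires and administers only `pcp_var_run_t`, leaving `pcp_var_lib_t`, `pcp_log_t` and `pcp_tmp_t` uncovered, and there is no local policy section for `pcp_pmlogger_t` or `pcp_pmie_t` even though both domains are instantiated, so they run with nothing beyond the shared `pcp_domain` rules. `pcp_pmcd_t` and `pcp_pmproxy_t` are granted `tcp_socket listen` but, unlike `pcp_pmwebd_t`, get no `corenet_tcp_bind_generic_node` or port bind rule, so the listen is unlikely to be reachable without further denials. Finally, `allow pcp_domain self:capability { setuid setgid dac_override }` hands `dac_override` to every pcp daemon; if only some of them need it, moving it to the per-domain sections keeps the rest tighter.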
@@ -57779,6 +58266,7 @@ index 608f454..b4c36a9 100644 +dev_read_urand(pegasus_openlmi_system_t) + +systemd_config_power_services(pegasus_openlmi_system_t) ++systemd_dbus_chat_logind(pegasus_openlmi_system_t) + +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_system_t) @@ -57860,6 +58348,8 @@ index 608f454..b4c36a9 100644 +udev_domtrans(pegasus_openlmi_storage_t) +udev_read_pid_files(pegasus_openlmi_storage_t) + ++miscfiles_read_hwdata(pegasus_openlmi_storage_t) ++ +optional_policy(` + dmidecode_domtrans(pegasus_openlmi_storage_t) +') @@ -57918,7 +58408,7 @@ index 608f454..b4c36a9 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +323,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +326,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -57949,7 +58439,7 @@ index 608f454..b4c36a9 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +349,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +352,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -57982,7 +58472,7 @@ index 608f454..b4c36a9 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +377,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +380,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -57994,7 +58484,7 @@ index 608f454..b4c36a9 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +393,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +396,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -58030,7 +58520,7 @@ index 608f454..b4c36a9 100644 ') optional_policy(` -@@ -151,16 +427,24 @@ optional_policy(` +@@ -151,16 +430,24 @@ optional_policy(` ') optional_policy(` @@ -58059,7 +58549,7 @@ index 608f454..b4c36a9 100644 ') optional_policy(` -@@ -168,7 +452,7 @@ optional_policy(` +@@ -168,7 +455,7 @@ optional_policy(` ') optional_policy(` @@ -59818,7 +60308,7 @@ index 30e751f..78fb7c6 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce9..d0cdb5d 100644 +index 3078ce9..d2f68fa 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -59858,13 +60348,13 @@ index 3078ce9..d0cdb5d 100644 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t) +@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t) fs_getattr_all_fs(plymouthd_t) -files_read_etc_files(plymouthd_t) -files_read_usr_files(plymouthd_t) - +- term_getattr_pty_fs(plymouthd_t) term_use_all_terms(plymouthd_t) term_use_ptmx(plymouthd_t) @@ -59890,12 +60380,16 @@ index 3078ce9..d0cdb5d 100644 ') optional_policy(` -@@ -90,35 +97,33 @@ optional_policy(` +@@ -90,35 +96,37 @@ optional_policy(` ') optional_policy(` - xserver_manage_xdm_spool_files(plymouthd_t) - xserver_read_xdm_state(plymouthd_t) ++ udev_read_pid_files(plymouthd_t) ++') ++ ++optional_policy(` + xserver_xdm_manage_spool(plymouthd_t) + xserver_read_state_xdm(plymouthd_t) ') @@ -70477,7 +70971,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## 
diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..750df0e 100644 +index dc3b0ed..d760e9e 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -70535,7 +71029,7 @@ index dc3b0ed..750df0e 100644 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -69,37 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -69,37 +81,49 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) @@ -70580,10 +71074,9 @@ index dc3b0ed..750df0e 100644 +logging_send_syslog_msg(rabbitmq_beam_t) + +optional_policy(` ++ couchdb_manage_files(rabbitmq_beam_t) + couchdb_manage_lib_files(rabbitmq_beam_t) + couchdb_read_conf_files(rabbitmq_beam_t) -+ couchdb_read_log_files(rabbitmq_beam_t) -+ couchdb_search_pid_dirs(rabbitmq_beam_t) +') + +optional_policy(` @@ -70599,7 +71092,7 @@ index dc3b0ed..750df0e 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -117,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -117,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -73545,7 +74038,7 @@ index 47de2d6..a7e8263 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..f1ee87e 100644 +index c8bdea2..1337d42 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ 
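Review bot: `couchdb_manage_files(rabbitmq_beam_t)` replaces the two narrow calls `couchdb_read_log_files(rabbitmq_beam_t)` and `couchdb_search_pid_dirs(rabbitmq_beam_t)`, which is a widening rather than a substitution: read access to log content and search on the pid directory become full manage access on whatever types `couchdb_manage_files` covers, and that interface's body is not in this diff. If rabbitmq only needs to read couchdb logs and locate its pid directory, the removed calls should stay and the manage call should be justified by the specific denial that motivated it. A one-line comment above the `optional_policy` block naming what rabbitmq creates or writes under couchdb's types would make the wider grant reviewable later.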
@@ -73916,7 +74409,7 @@ index c8bdea2..f1ee87e 100644 ') ###################################### -@@ -446,52 +497,360 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +497,361 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -74169,6 +74662,7 @@ index c8bdea2..f1ee87e 100644 + ') + + rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) ++ delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) +') + +##################################### @@ -74306,7 +74800,7 @@ index c8bdea2..f1ee87e 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..65c88c9 100644 +index 6cf79c4..8ee9185 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -74645,7 +75139,7 @@ index 6cf79c4..65c88c9 100644 +logging_send_syslog_msg(dlm_controld_t) + +optional_policy(` -+ corosync_rw_tmpfs(dlm_controld_t) ++ rhcs_rw_cluster_tmpfs(dlm_controld_t) +') + +optional_policy(` @@ -74682,7 +75176,16 @@ index 6cf79c4..65c88c9 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +433,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -140,6 +425,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) + + corenet_sendrecv_zented_server_packets(fenced_t) + corenet_tcp_bind_zented_port(fenced_t) ++corenet_udp_bind_zented_port(fenced_t) ++corenet_tcp_connect_zented_port(fenced_t) + corenet_tcp_sendrecv_zented_port(fenced_t) + + corenet_sendrecv_http_client_packets(fenced_t) +@@ -148,9 +435,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -74693,7 +75196,7 @@ index 6cf79c4..65c88c9 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +443,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +445,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) 
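Review bot: Adding `delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)` next to the existing `rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)` means every caller that asked for read/write also gets unlink; the `interface(` line is outside this hunk, but if this is the `rhcs_rw_cluster_tmpfs` that rhcs.te now calls for dlm_controld_t further down, the name no longer matches the access it grants. Either expose the delete permission through a separately named interface, or rename this one so callers see that delete is included, rather than silently widening an `_rw_` interface for all of its users.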
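Review bot: `corenet_tcp_connect_zented_port(fenced_t)` is added unconditionally, while outbound connections for fenced_t are otherwise gated by the `fenced_can_network_connect` tunable visible later in this file (`tunable_policy('fenced_can_network_connect',' corenet_sendrecv_all_client_packets(fenced_t)`). If the zented connect is only required by a particular fence agent, placing it under that tunable keeps the default policy narrow; if it must be on by default, a short comment above the new line saying which agent needs it would explain the exception. `corenet_udp_bind_zented_port(fenced_t)` is a bind and sits naturally beside the existing server-side zented rules.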
@@ -74702,7 +75205,7 @@ index 6cf79c4..65c88c9 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +465,8 @@ optional_policy(` +@@ -182,7 +467,8 @@ optional_policy(` ') optional_policy(` @@ -74712,7 +75215,7 @@ index 6cf79c4..65c88c9 100644 ') optional_policy(` -@@ -190,12 +474,12 @@ optional_policy(` +@@ -190,12 +476,12 @@ optional_policy(` ') optional_policy(` @@ -74728,7 +75231,7 @@ index 6cf79c4..65c88c9 100644 ') optional_policy(` -@@ -203,6 +487,13 @@ optional_policy(` +@@ -203,6 +489,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -74742,7 +75245,7 @@ index 6cf79c4..65c88c9 100644 ####################################### # # foghorn local policy -@@ -221,16 +512,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +514,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -74763,7 +75266,7 @@ index 6cf79c4..65c88c9 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +550,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +552,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -74772,7 +75275,7 @@ index 6cf79c4..65c88c9 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +570,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +572,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -74814,7 +75317,7 @@ index 6cf79c4..65c88c9 100644 ###################################### # # qdiskd local policy -@@ -321,6 +645,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +647,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -75320,7 +75823,7 @@ index 0000000..0e965c3 + rpm_domtrans(rhnsd_t) +') diff --git a/rhsmcertd.if b/rhsmcertd.if -index 6dbc905..78746ef 100644 +index 6dbc905..4b17c93 100644 --- a/rhsmcertd.if 
+++ b/rhsmcertd.if @@ -1,8 +1,8 @@ @@ -75425,14 +75928,33 @@ index 6dbc905..78746ef 100644 ## -## Connect to rhsmcertd with a -## unix domain stream socket. -+## Read/wirte inherited lock files. ++## Read rhsmcertd PID files. ## ## ## -@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',` +@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',` ## ## # ++interface(`rhsmcertd_manage_pid_files',` ++ gen_require(` ++ type rhsmcertd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t) ++') ++ ++######################################## ++## ++## Read/wirte inherited lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`rhsmcertd_rw_inherited_lock_files',` + gen_require(` + type rhsmcertd_lock_t; @@ -75456,7 +75978,7 @@ index 6dbc905..78746ef 100644 interface(`rhsmcertd_stream_connect',` gen_require(` type rhsmcertd_t, rhsmcertd_var_run_t; -@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',` +@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',` ###################################### ## @@ -75500,7 +76022,7 @@ index 6dbc905..78746ef 100644 ## ## ## -@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` +@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` ## ## ## 
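Review bot: The documentation block that now precedes `interface('rhsmcertd_manage_pid_files',` carries the summary `## Read rhsmcertd PID files.`, but the body grants `manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)`, i.e. create, write and unlink as well; since these `##` blocks feed the generated interface documentation, the summary should read `## Create, read, write, and delete rhsmcertd PID files.` so callers do not mistake it for the read-only `rhsmcertd_read_pid_files`. The summary re-added for `rhsmcertd_rw_inherited_lock_files` still has the typo `## Read/wirte inherited lock files.`; make it `## Read and write inherited rhsmcertd lock files.` while the lines are being rewritten anyway.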
@@ -75532,24 +76054,24 @@ index 6dbc905..78746ef 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 rhsmcertd_t:process ptrace; + ') - -- logging_search_logs($1) -- admin_pattern($1, rhsmcertd_log_t) ++ + rhsmcertd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rhsmcertd_initrc_exec_t system_r; + allow $2 system_r; -- files_search_var_lib($1) -- admin_pattern($1, rhsmcertd_var_lib_t) +- logging_search_logs($1) +- admin_pattern($1, rhsmcertd_log_t) + logging_search_logs($1) + admin_pattern($1, rhsmcertd_log_t) -- files_search_pids($1) -- admin_pattern($1, rhsmcertd_var_run_t) +- files_search_var_lib($1) +- admin_pattern($1, rhsmcertd_var_lib_t) + files_search_var_lib($1) + admin_pattern($1, rhsmcertd_var_lib_t) -+ + +- files_search_pids($1) +- admin_pattern($1, rhsmcertd_var_run_t) + files_search_pids($1) + admin_pattern($1, rhsmcertd_var_run_t) + @@ -77358,7 +77880,7 @@ index ebe91fc..576ca21 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b225..064712b 100644 +index ef3b225..d248cd3 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -77589,12 +78111,10 @@ index ef3b225..064712b 100644 - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. ++') ++ ++######################################## ++## +## Create, read, write, and delete the RPM log. +## +## @@ -77609,10 +78129,12 @@ index ef3b225..064712b 100644 + ') + + read_files_pattern($1, rpm_log_t, rpm_log_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. +## Create, read, write, and delete the RPM log. ## ## 
@@ -77817,7 +78339,7 @@ index ef3b225..064712b 100644 ## ## ## -@@ -573,66 +688,104 @@ interface(`rpm_manage_pid_files',` +@@ -573,43 +688,54 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -77889,18 +78411,36 @@ index ef3b225..064712b 100644 ## ## ## - ## Domain allowed access. +@@ -617,22 +743,56 @@ interface(`rpm_pid_filetrans_rpm_pid',` ## ## -+# + ## +-## +-## Role allowed access. +-## ++## ++## Role allowed access. ++## + ## +-## + # +-interface(`rpm_admin',` +interface(`rpm_transition_script',` -+ gen_require(` + gen_require(` +- type rpm_t, rpm_script_t, rpm_initrc_exec_t; +- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; +- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; +- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; + type rpm_script_t; + attribute rpm_transition_domain; -+ ') -+ ++ attribute_role rpm_script_roles; + ') + +- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { rpm_t rpm_script_t }) + typeattribute $1 rpm_transition_domain; + allow $1 rpm_script_t:process transition; ++ roleattribute $2 rpm_script_roles; + + allow $1 rpm_script_t:fd use; + allow rpm_script_t $1:fd use; @@ -77918,23 +78458,14 @@ index ef3b225..064712b 100644 +## Domain allowed access. +## +## - ## --## --## Role allowed access. --## ++## +## +## Role allowed access. +## - ## - ## - # - interface(`rpm_admin',` -- gen_require(` -- type rpm_t, rpm_script_t, rpm_initrc_exec_t; -- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; -- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; -- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; -- ') ++## ++## ++# ++interface(`rpm_admin',` + gen_require(` + type rpm_t, rpm_script_t, rpm_initrc_exec_t; + type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; 
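Review bot: `rpm_transition_script` now consumes a second argument (`roleattribute $2 rpm_script_roles;`) and its doc block gains a Role parameter, so any existing caller that still passes a single argument would expand `$2` to nothing and hand `roleattribute` an empty role; those callers are outside this hunk and need to be updated in the same change. The `attribute_role rpm_script_roles;` inside `gen_require` also presumes the attribute is declared in rpm.te, which this diff does not show, and a missing declaration only surfaces at policy build time.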
@@ -77942,16 +78473,14 @@ index ef3b225..064712b 100644 + type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; + type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; + ') - -- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { rpm_t rpm_script_t }) ++ + allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { rpm_t rpm_script_t }) init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rpm.te b/rpm.te -index 6fc360e..955caa1 100644 +index 6fc360e..8c53520 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -78349,7 +78878,7 @@ index 6fc360e..955caa1 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +379,59 @@ ifdef(`distro_redhat',` +@@ -363,41 +379,63 @@ ifdef(`distro_redhat',` ') ') @@ -78369,6 +78898,10 @@ index 6fc360e..955caa1 100644 + +optional_policy(` + cups_filetrans_named_content(rpm_script_t) ++') ++ ++optional_policy(` ++ sblim_filetrans_named_content(rpm_script_t) ') optional_policy(` @@ -78420,7 +78953,7 @@ index 6fc360e..955caa1 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +443,6 @@ optional_policy(` +@@ -409,6 +447,6 @@ optional_policy(` ') optional_policy(` @@ -79319,10 +79852,10 @@ index 0000000..0ec3302 +') diff --git a/rtas.te b/rtas.te new file mode 100644 -index 0000000..4e6663f +index 0000000..52a39f8 --- /dev/null +++ b/rtas.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,62 @@ +policy_module(rtas, 1.0.0) + +######################################## @@ -79351,7 +79884,7 @@ index 0000000..4e6663f +# rtas_errd local policy +# + -+allow rtas_errd_t self:capability sys_admin; ++allow rtas_errd_t self:capability { chown sys_admin }; +allow rtas_errd_t self:process fork; +allow rtas_errd_t self:fifo_file rw_fifo_file_perms; +allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms; 
@@ -79376,6 +79909,8 @@ index 0000000..4e6663f + +corecmd_exec_bin(rtas_errd_t) + ++dev_read_rand(rtas_errd_t) ++dev_read_urand(rtas_errd_t) +dev_read_raw_memory(rtas_errd_t) +dev_write_raw_memory(rtas_errd_t) + @@ -83196,7 +83731,7 @@ index 68a550d..e976fc6 100644 /var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/sblim.if b/sblim.if -index 98c9e0a..df51942 100644 +index 98c9e0a..d4aa009 100644 --- a/sblim.if +++ b/sblim.if @@ -1,8 +1,36 @@ @@ -83247,25 +83782,41 @@ index 98c9e0a..df51942 100644 ## ## ## -@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',` +@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',` ######################################## ## -## All of the rules required to -## administrate an sblim environment. -+## All of the rules required to administrate -+## an gatherd environment ++## Transition to sblim named content ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain allowed access. ## ## -## --## ++# ++interface(`sblim_filetrans_named_content',` ++ gen_require(` ++ type sblim_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, sblim_var_run_t, dir, "gather") ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an gatherd environment ++## ++## + ## -## Role allowed access. --## --## ++## Domain allowed access. + ## + ## ## # interface(`sblim_admin',` @@ -86392,7 +86943,7 @@ index 0000000..ad232be + mount_domtrans(snapperd_t) +') diff --git a/snmp.fc b/snmp.fc -index 2f0a2f2..77bdf95 100644 +index 2f0a2f2..1569e33 100644 --- a/snmp.fc +++ b/snmp.fc @@ -1,6 +1,6 @@ 
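Review bot: The sblim_admin summary re-added by this hunk keeps the grammar slip `## an gatherd environment`; since the lines are rewritten anyway, make it `## a gatherd environment`. The new `sblim_filetrans_named_content` summary `## Transition to sblim named content` describes the mechanism rather than the effect; something like `## Create the "gather" pid directory with the sblim_var_run_t type.` tells whoever grants it to rpm_script_t in rpm.te exactly what label transition they are enabling.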
@@ -86411,10 +86962,11 @@ index 2f0a2f2..77bdf95 100644 /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) +-/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +-/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + - /var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) --/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) ++/var/run/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/snmp.if b/snmp.if @@ -86709,7 +87261,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index f2f507d..399c345 100644 +index f2f507d..3d93f55 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -86871,7 +87423,7 @@ index f2f507d..399c345 100644 ') optional_policy(` -@@ -147,13 +195,33 @@ optional_policy(` +@@ -147,13 +195,34 @@ optional_policy(` ') optional_policy(` @@ -86887,6 +87439,7 @@ index f2f507d..399c345 100644 - rpm_dontaudit_manage_db(sosreport_t) - rpm_read_db(sosreport_t) + rhsmcertd_manage_lib_files(sosreport_t) ++ rhsmcertd_manage_pid_files(sosreport_t) +') + +optional_policy(` @@ -87476,7 +88029,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..ecd30f3 100644 +index cc58e35..6e9cde8 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) @@ -87549,7 +88102,7 @@ index cc58e35..ecd30f3 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,87 +39,196 @@ type spamd_log_t; +@@ -72,87 +39,198 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; 
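Review bot: The file context for `/var/run/net-snmpd(/.*)?` is dropped and `/var/run/net-snmp(/.*)?` is added in its place, so a net-snmp build that still creates the old directory name would get the parent's default label instead of snmpd_var_run_t and lose access after a relabel. If both spellings are still in circulation, keep both entries during the transition, and a comment naming which net-snmp version changed the path would make the swap safe to revisit.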
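Review bot: `rhsmcertd_manage_pid_files(sosreport_t)` gives a report-collection tool create, write and unlink access on rhsmcertd's pid files, although collecting diagnostics normally only needs to read them, and `rhsmcertd_read_pid_files` already exists in rhsmcertd.if. If the wider access was added for a specific denial, a comment naming it above the call would justify the manage pattern; otherwise the read interface is the tighter choice.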
@@ -87686,6 +88239,8 @@ index cc58e35..ecd30f3 100644 +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") ++userdom_admin_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") +userdom_home_manager(spamassassin_t) + kernel_read_kernel_sysctls(spamassassin_t) @@ -87768,7 +88323,7 @@ index cc58e35..ecd30f3 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +236,8 @@ optional_policy(` +@@ -160,6 +238,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -87777,7 +88332,7 @@ index cc58e35..ecd30f3 100644 ') ######################################## -@@ -167,72 +245,85 @@ optional_policy(` +@@ -167,72 +247,85 @@ optional_policy(` # Client local policy # @@ -87894,7 +88449,7 @@ index cc58e35..ecd30f3 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +334,7 @@ optional_policy(` +@@ -243,6 +336,7 @@ optional_policy(` ') optional_policy(` @@ -87902,7 +88457,7 @@ index cc58e35..ecd30f3 100644 evolution_stream_connect(spamc_t) ') -@@ -251,10 +343,16 @@ optional_policy(` +@@ -251,10 +345,16 @@ optional_policy(` ') optional_policy(` @@ -87920,7 +88475,7 @@ index cc58e35..ecd30f3 100644 sendmail_stub(spamc_t) ') -@@ -267,36 +365,38 @@ optional_policy(` +@@ -267,36 +367,38 @@ optional_policy(` ######################################## # 
@@ -87976,7 +88531,7 @@ index cc58e35..ecd30f3 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +408,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +410,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -87986,7 +88541,7 @@ index cc58e35..ecd30f3 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +418,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +420,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -88002,7 +88557,7 @@ index cc58e35..ecd30f3 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +433,58 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +435,58 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -88105,7 +88660,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -421,21 +503,13 @@ optional_policy(` +@@ -421,21 +505,13 @@ optional_policy(` ') optional_policy(` @@ -88129,7 +88684,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -443,8 +517,8 @@ optional_policy(` +@@ -443,8 +519,8 @@ optional_policy(` ') optional_policy(` @@ -88139,7 +88694,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -455,7 +529,12 @@ optional_policy(` +@@ -455,7 +531,12 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) 
@@ -88153,7 +88708,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -463,9 +542,9 @@ optional_policy(` +@@ -463,9 +544,9 @@ optional_policy(` ') optional_policy(` @@ -88164,7 +88719,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -474,32 +553,32 @@ optional_policy(` +@@ -474,32 +555,32 @@ optional_policy(` ######################################## # @@ -88207,7 +88762,7 @@ index cc58e35..ecd30f3 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +587,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +589,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -92367,10 +92922,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..2ddef5c +index 0000000..ed78f6f --- /dev/null +++ b/thumb.te -@@ -0,0 +1,150 @@ +@@ -0,0 +1,154 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -92486,6 +93041,10 @@ index 0000000..2ddef5c +xserver_use_user_fonts(thumb_t) + +optional_policy(` ++ bumblebee_stream_connect(thumb_t) ++') ++ ++optional_policy(` + dbus_dontaudit_stream_connect_session_bus(thumb_t) + dbus_dontaudit_chat_session_bus(thumb_t) +') @@ -93429,7 +93988,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..44b286b 100644 +index 393a330..fc018c1 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -93459,7 +94018,7 @@ index 393a330..44b286b 100644 read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -@@ -41,14 +48,19 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) +@@ -41,22 +48,29 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) 
@@ -93483,16 +94042,18 @@ index 393a330..44b286b 100644 kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) -@@ -57,6 +69,8 @@ kernel_request_load_module(tuned_t) + kernel_read_kernel_sysctls(tuned_t) + kernel_request_load_module(tuned_t) kernel_rw_kernel_sysctl(tuned_t) - kernel_rw_hotplug_sysctls(tuned_t) +-kernel_rw_hotplug_sysctls(tuned_t) ++kernel_rw_usermodehelper_state(tuned_t) kernel_rw_vm_sysctls(tuned_t) +kernel_setsched(tuned_t) +kernel_rw_all_sysctls(tuned_t) corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +78,57 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +78,59 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -93514,10 +94075,12 @@ index 393a330..44b286b 100644 +auth_use_nsswitch(tuned_t) logging_send_syslog_msg(tuned_t) ++#bug in tuned ++logging_manage_syslog_config(tuned_t) ++ ++mount_read_pid_files(tuned_t) -miscfiles_read_localization(tuned_t) -+mount_read_pid_files(tuned_t) -+ +modutils_domtrans_insmod(tuned_t) udev_read_pid_files(tuned_t) @@ -95200,7 +95763,7 @@ index a4f20bc..6351bcb 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..3ad56e3 100644 +index facdee8..09db35b 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ 
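Review bot: `logging_manage_syslog_config(tuned_t)` grants a performance-tuning daemon create, write and delete access to syslog configuration, and the only rationale is the comment `#bug in tuned`. A rule that exists to paper over an application bug should cite the bug and its intended lifetime, e.g. `# workaround for <BUG-ID>: tuned rewrites syslog config; drop once fixed`, so the grant can be removed rather than outliving the bug, and if the bug only touches one file a narrower rule on that type would be preferable.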
@@ -96215,44 +96778,40 @@ index facdee8..3ad56e3 100644 ## ## ## -@@ -860,74 +658,227 @@ interface(`virt_read_lib_files',` +@@ -860,74 +658,245 @@ interface(`virt_read_lib_files',` ## ## # -interface(`virt_manage_lib_files',` +interface(`virt_manage_cache',` - gen_require(` -- type virt_var_lib_t; ++ gen_require(` + type virt_cache_t; - ') - -- files_search_var_lib($1) -- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ ') ++ + files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) - ') - - ######################################## - ## --## Create objects in virt pid --## directories with a private type. ++') ++ ++######################################## ++## +## Allow domain to manage virt image files - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`virt_manage_images',` -+ gen_require(` -+ type virt_var_lib_t; + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; -+ ') -+ + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) @@ -96282,10 +96841,12 @@ index facdee8..3ad56e3 100644 + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in virt pid +-## directories with a private type. +## Execute virt server in the virt domain. +## +## 
@@ -96312,12 +96873,10 @@ index facdee8..3ad56e3 100644 +## Ptrace the svirt domain +## +## - ## --## The type of the object to be created. ++## +## Domain allowed to transition. - ## - ## --## ++## ++## +# +interface(`virt_ptrace',` + gen_require(` @@ -96330,14 +96889,13 @@ index facdee8..3ad56e3 100644 +####################################### +## +## Manage Sandbox Files -+## -+## + ## + ## ## --## The object class of the object being created. -+## Domain allowed access. + ## Domain allowed access. ## ## --## +-## +# +interface(`virt_manage_sandbox_files',` + gen_require(` @@ -96355,16 +96913,14 @@ index facdee8..3ad56e3 100644 +## +## ## --## The name of the object being created. +-## The type of the object to be created. +## Domain allowed access. ## ## --## - # --interface(`virt_pid_filetrans',` +-## ++# +interface(`virt_relabel_sandbox_filesystem',` - gen_require(` -- type virt_var_run_t; ++ gen_require(` + type svirt_sandbox_file_t; + ') + @@ -96373,16 +96929,40 @@ index facdee8..3ad56e3 100644 + +####################################### +## -+## Connect to virt over a unix domain stream socket. ++## Mounton Sandbox Files +## +## -+## + ## +-## The object class of the object being created. +## Domain allowed access. -+## -+## + ## + ## +-## +# -+interface(`virt_stream_connect_sandbox',` ++interface(`virt_mounton_sandbox_file',` + gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ ++ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton; ++') ++ ++####################################### ++## ++## Connect to virt over a unix domain stream socket. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## +-## + # +-interface(`virt_pid_filetrans',` ++interface(`virt_stream_connect_sandbox',` + gen_require(` +- type virt_var_run_t; + attribute svirt_sandbox_domain; + type svirt_sandbox_file_t; ') 
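Review bot: `virt_mounton_sandbox_file` allows `mounton` on the whole `dir_file_class_set` of svirt_sandbox_file_t, which takes in regular files, symlinks, sockets and fifos as well as directories; if callers only mount over sandbox directories, `allow $1 svirt_sandbox_file_t:dir mounton;` is the tighter rule. The summary `## Mounton Sandbox Files` could also name the intended use (bind-mounting into a sandbox tree, presumably) so the breadth of the object class set is reviewable.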
@@ -96466,7 +97046,7 @@ index facdee8..3ad56e3 100644 ## ## ## -@@ -935,19 +886,17 @@ interface(`virt_read_log',` +@@ -935,19 +904,17 @@ interface(`virt_read_log',` ## ## # @@ -96490,7 +97070,7 @@ index facdee8..3ad56e3 100644 ## ## ## -@@ -955,20 +904,17 @@ interface(`virt_append_log',` +@@ -955,20 +922,17 @@ interface(`virt_append_log',` ## ## # @@ -96515,7 +97095,7 @@ index facdee8..3ad56e3 100644 ## ## ## -@@ -976,18 +922,17 @@ interface(`virt_manage_log',` +@@ -976,18 +940,17 @@ interface(`virt_manage_log',` ## ## # @@ -96538,7 +97118,7 @@ index facdee8..3ad56e3 100644 ## ## ## -@@ -995,36 +940,57 @@ interface(`virt_search_images',` +@@ -995,36 +958,57 @@ interface(`virt_search_images',` ## ## # @@ -96615,7 +97195,7 @@ index facdee8..3ad56e3 100644 ## ## ## -@@ -1032,20 +998,28 @@ interface(`virt_read_images',` +@@ -1032,20 +1016,28 @@ interface(`virt_read_images',` ## ## # @@ -96651,7 +97231,7 @@ index facdee8..3ad56e3 100644 ## ## ## -@@ -1053,37 +1027,129 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,37 +1045,131 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -96675,7 +97255,7 @@ index facdee8..3ad56e3 100644 ## -## +## - ## ++## +## Prefix for the domain. +## +## @@ -96700,7 +97280,7 @@ index facdee8..3ad56e3 100644 +## Make the specified type usable as a lxc domain +## +## -+## + ## +## Type to be used as a lxc domain +## +## @@ -96786,7 +97366,9 @@ index facdee8..3ad56e3 100644 + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + ++ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; + allow svirt_sandbox_domain $1:process sigchld; ++ ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## @@ -96795,7 +97377,7 @@ index facdee8..3ad56e3 100644 ## ## ## -@@ -1091,36 +1157,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1177,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -96869,7 +97451,7 @@ index facdee8..3ad56e3 100644 ##
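Review bot: The two rules added at the end of the sandbox template in hunk `@@ -96786,7 +97366,9 @@`, `allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;` and `ps_process_pattern($1, svirt_sandbox_domain)`, carry no comment, and the first one lets every domain carrying the `svirt_sandbox_domain` attribute read and write fifo files owned by the calling domain. If the intent is the container runtime handing its stdio pipes to the sandbox (the changelog's docker/lxc work), say so above the rule: `# sandbox reads/writes the fifos the runtime hands it (stdio); runtime may read the sandbox's /proc entries`. The enclosing interface begins outside the hunk, so the meaning of `$1` has to be confirmed there.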
## ## -@@ -1136,50 +1220,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1240,36 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -96911,7 +97493,8 @@ index facdee8..3ad56e3 100644 - - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -- ++ allow $1 virt_domain:process signal_perms; + - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) - @@ -96920,8 +97503,7 @@ index facdee8..3ad56e3 100644 - - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -+ allow $1 virt_domain:process signal_perms; - +- - files_search_var($1) - admin_pattern($1, svirt_cache_t) - @@ -96942,7 +97524,7 @@ index facdee8..3ad56e3 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..11a3c6f 100644 +index f03dcf5..2249f86 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,197 @@ @@ -98204,7 +98786,7 @@ index f03dcf5..11a3c6f 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +926,23 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +926,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -98224,20 +98806,21 @@ index f03dcf5..11a3c6f 100644 -miscfiles_read_localization(virsh_t) +auth_read_passwd(virsh_t) - --sysnet_dns_name_resolve(virsh_t) ++ +logging_send_syslog_msg(virsh_t) + sysnet_dns_name_resolve(virsh_t) + -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virsh_t) - fs_manage_fusefs_files(virsh_t) - fs_read_fusefs_symlinks(virsh_t) -') -+sysnet_dns_name_resolve(virsh_t) ++userdom_stream_connect(virsh_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +961,20 @@ optional_policy(` +@@ -856,14 +963,20 @@ optional_policy(` ') optional_policy(` 
@@ -98259,7 +98842,7 @@ index f03dcf5..11a3c6f 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +999,65 @@ optional_policy(` +@@ -888,49 +1001,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -98343,7 +98926,7 @@ index f03dcf5..11a3c6f 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1069,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1071,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -98363,7 +98946,7 @@ index f03dcf5..11a3c6f 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1090,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1092,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -98387,7 +98970,7 @@ index f03dcf5..11a3c6f 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1115,271 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1117,274 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -98420,12 +99003,12 @@ index f03dcf5..11a3c6f 100644 +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + unconfined_domain(virtd_lxc_t) +') 
@@ -98523,6 +99106,15 @@ index f03dcf5..11a3c6f 100644 + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) +') ++ ++optional_policy(` ++ docker_read_lib_files(svirt_sandbox_domain) ++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++') ++ ++optional_policy(` ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -98607,26 +99199,17 @@ index f03dcf5..11a3c6f 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ docker_read_lib_files(svirt_sandbox_domain) -+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) -+') -+ -+optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ ssh_use_ptys(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ ssh_use_ptys(svirt_sandbox_domain) ++ udev_read_pid_files(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -+ udev_read_pid_files(svirt_sandbox_domain) -+') -+ -+optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) ') @@ -98654,10 +99237,6 @@ index f03dcf5..11a3c6f 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; -+ -+tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow svirt_lxc_net_t self:capability sys_admin; -+') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) 
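Review bot: `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` in hunk `@@ -98523,6 +99106,15 @@` is missing the space after the first argument, unlike every other call in the file, and the block has no comment explaining why the whole sandbox attribute, rather than a docker domain, gets a filename transition into docker's lib directory. If `docker_lib_filetrans` is built on the usual `filetrans_pattern`, it also grants the sandbox domains write/add_name on that directory, which is worth stating next to the call. Suggest `# container creates its socket under docker's lib dir; it lands labelled svirt_sandbox_file_t` above it and `docker_lib_filetrans(svirt_sandbox_domain, svirt_sandbox_file_t, sock_file)`.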
@@ -98669,6 +99248,13 @@ index f03dcf5..11a3c6f 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') + +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -98677,16 +99263,13 @@ index f03dcf5..11a3c6f 100644 + logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) +-corenet_sendrecv_all_client_packets(svirt_lxc_net_t) +-corenet_tcp_connect_all_ports(svirt_lxc_net_t) +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; --corenet_sendrecv_all_client_packets(svirt_lxc_net_t) --corenet_tcp_connect_all_ports(svirt_lxc_net_t) +kernel_read_irq_sysctls(svirt_lxc_net_t) - ++ +dev_read_sysfs(svirt_lxc_net_t) dev_getattr_mtrr_dev(svirt_lxc_net_t) dev_read_rand(svirt_lxc_net_t) @@ -98696,10 +99279,13 @@ index f03dcf5..11a3c6f 100644 files_read_kernel_modules(svirt_lxc_net_t) +fs_noxattr_type(svirt_sandbox_file_t) ++# Do we actually need these? fs_mount_cgroup(svirt_lxc_net_t) fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) +fs_manage_cgroup_files(svirt_lxc_net_t) ++# Needed for docker ++fs_unmount_xattr_fs(svirt_lxc_net_t) -auth_use_nsswitch(svirt_lxc_net_t) +term_pty(svirt_sandbox_file_t) 
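Review bot: The boolean-gated `allow svirt_lxc_net_t self:capability sys_admin;` in hunk `@@ -98669,6 +99248,13 @@` is moved here without a comment; CAP_SYS_ADMIN undoes most of the isolation a sandbox domain provides (mount, namespace and many other privileged operations), so the block should say what it is for and what the boolean defaults to (its definition is not in this hunk). Suggest `# virt_sandbox_use_sys_admin: gives the container CAP_SYS_ADMIN on the host kernel; enable only for trusted containers` above the `tunable_policy` line.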
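Review bot: The comment `# Do we actually need these?` above the cgroup rules for svirt_lxc_net_t in hunk `@@ -98696,10 +99279,13 @@` ships an open question into the policy; either drop the rules or replace the comment with the outcome, e.g. `# cgroup dir/file management for the container runtime — TODO confirm still required`. Likewise `# Needed for docker` above `fs_unmount_xattr_fs(svirt_lxc_net_t)` undersells the grant: the changelog entry speaks of unmounting the docker socket filesystem, but this interface appears to allow unmount of any xattr-labelled filesystem, so the comment should state that scope: `# docker: unmount of the docker socket fs; note this covers all xattr filesystems`.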
@@ -98750,11 +99336,11 @@ index f03dcf5..11a3c6f 100644 +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) @@ -98797,7 +99383,7 @@ index f03dcf5..11a3c6f 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1392,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1397,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -98812,7 +99398,7 @@ index f03dcf5..11a3c6f 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1410,8 @@ optional_policy(` +@@ -1192,9 +1415,8 @@ optional_policy(` ######################################## # @@ -98823,7 +99409,7 @@ index f03dcf5..11a3c6f 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1424,198 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1429,198 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -101669,7 +102255,7 @@ index 0928c5d..d270a72 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index a64aad3..0f7c96d 100644 +index a64aad3..fe078eb 100644 --- a/xguest.te +++ b/xguest.te @@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0) 
@@ -101774,18 +102360,26 @@ index a64aad3..0f7c96d 100644 ') ') -@@ -84,12 +97,17 @@ optional_policy(` +@@ -84,12 +97,25 @@ optional_policy(` ') ') + optional_policy(` - apache_role(xguest_r, xguest_t) ++ abrt_dontaudit_read_config(xguest_t) ++') ++ ++optional_policy(` + colord_dbus_chat(xguest_t) +') + +optional_policy(` + chrome_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` ++ thumb_role(xguest_r, xguest_t) ') optional_policy(` @@ -101794,7 +102388,7 @@ index a64aad3..0f7c96d 100644 ') optional_policy(` -@@ -97,75 +115,78 @@ optional_policy(` +@@ -97,75 +123,78 @@ optional_policy(` ') optional_policy(` @@ -101812,7 +102406,7 @@ index a64aad3..0f7c96d 100644 - kernel_read_network_state(xguest_t) + mount_run_fusermount(xguest_t, xguest_r) +') - ++ +optional_policy(` + pcscd_read_pid_files(xguest_t) + pcscd_stream_connect(xguest_t) @@ -101821,20 +102415,20 @@ index a64aad3..0f7c96d 100644 +optional_policy(` + rhsmcertd_dontaudit_dbus_chat(xguest_t) +') -+ + +optional_policy(` + tunable_policy(`xguest_connect_network',` networkmanager_dbus_chat(xguest_t) networkmanager_read_lib_files(xguest_t) + ') +') -+ -+optional_policy(` -+ tunable_policy(`xguest_connect_network',` -+ kernel_read_network_state(xguest_t) - corenet_all_recvfrom_unlabeled(xguest_t) - corenet_all_recvfrom_netlabel(xguest_t) ++optional_policy(` ++ tunable_policy(`xguest_connect_network',` ++ kernel_read_network_state(xguest_t) ++ + corenet_tcp_connect_pulseaudio_port(xguest_t) corenet_tcp_sendrecv_generic_if(xguest_t) corenet_raw_sendrecv_generic_if(xguest_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index bc5e146..a4d715c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 13%{?dist} +Release: 15%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -117,6 +117,7 @@ SELinux policy development and man page package %{_usr}/share/selinux/devel/include/* %dir %{_usr}/share/selinux/devel/html %{_usr}/share/selinux/devel/html/*html +%{_usr}/share/selinux/devel/html/*css %{_usr}/share/selinux/devel/Makefile %{_usr}/share/selinux/devel/example.* %{_usr}/share/selinux/devel/policy.* @@ -388,6 +389,8 @@ chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp mkdir %{buildroot}%{_usr}/share/selinux/devel/html htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/` mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html +mv %{buildroot}%{_usr}/share/man/man8/index.html %{buildroot}%{_usr}/share/selinux/devel/html +mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html rm -rf ${htmldir} mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d 
@@ -576,6 +579,86 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jan 20 2014 Miroslav Grepl 3.13.1-15 +- Add cron unconfined role support for uncofined SELinux user +- Call kernel_rw_usermodehelper_state() in init.te +- Call corenet_udp_bind_all_ports() in milter.te +- Allow fence_virtd to connect to zented port +- Fix header for mirrormanager_admin() +- Allow dkim-milter to bind udp ports +- Allow milter domains to send signull itself +- Allow block_suspend for yum running as mock_t +- Allow beam.smp to manage couchdb files +- Add couchdb_manage_files() +- Add labeling for /var/log/php_errors.log +- Allow bumblebee to stream connect to xserver +- Allow bumblebee to send a signal to xserver +- gnome-thumbnail to stream connect to bumblebee +- Fix calling usermodehelper to use _state in interface name +- Allow xkbcomp running as bumblebee_t to execute bin_t +- Allow logrotate to read squid.conf +- Additional rules to get docker and lxc to play well with SELinux +- Call kernel_read_usermodhelper/kernel_rw_usermodhelper +- Make rpm_transition_script accept a role +- Added new policy for pcp +- Allow bumbleed to connect to xserver port +- Allow pegasus_openlmi_storage_t to read hwdata + +* Fri Jan 17 2014 Miroslav Grepl 3.13.1-14 +- Make rpm_transition_script accept a role +- Clean up pcp.te +- Added new policy for pcp +- Allow bumbleed to connect to xserver port +- Added support for named-sdb in bind policy +- Allow NetworkManager to signal and sigkill init scripts +- Allow pegasus_openlmi_storage_t to read hwdata +- Fix rhcs_rw_cluster_tmpfs() +- Allow fenced_t to bind on zented udp port +- Fix mirrormanager_read_lib_files() +- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files +- Dontaudit read/write to init stream socket for lsmd_plugin_t +- Allow automount to read nfs link files +- Allow lsm plugins to read/write lsmd stream socket +- Allow svirt_lxc domains to umount dockersocket filesytem +- Allow gnome keyring 
domains to create gnome config dirs +- Allow rpm scritplets to create /run/gather with correct labeling +- Add sblim_filetrans_named_content() interface +- Allow ctdb to create sock files in /var/run/ctdb +- Add also labeling for /var/run/ctdb +- Add missing labeling for /var/lib/ctdb +- ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446 +- Dontaudit hypervkvp to search homedirs +- Dontaudit hypervkvp to search admin homedirs +- Allow hypervkvp to execute bin_t and ifconfig in the caller domain +- Dontaudit xguest_t to read ABRT conf files +- Add abrt_dontaudit_read_config() +- Allow namespace-init to getattr on fs +- Add thumb_role() also for xguest +- Add filename transitions to create .spamassassin with correct labeling +- Allow apache domain to read mirrormanager pid files +- Allow domains to read/write shm and sem owned by mozilla_plugin_t +- Allow alsactl to send a generic signal to kernel_t +- Allow plymouthd to read run/udev/queue.bin +- Allow sys_chroot for NM required by iodine service +- Change glusterd to allow mounton all non security +- Labeled ~/.nv/GLCache as being gstreamer output +- Restrict the ability to set usermodehelpers and proc security settings. +- Limit the ability to write to the files that configure kernel i +- usermodehelpers and security-sensitive proc settings to the init domain. i +- Permissive domains can also continue to set these values. +- The current list is not exhaustive, just an initial set. +- Not all of these files will exist on all kernels/devices. +- Controlling access to certain kernel usermodehelpers, e.g. cgroup +- release_agent, will require kernel changes to support and cannot be +- addressed here. 
+- Ideas come from Stephen Smalley and seandroid +- Make rpm_transition_script accept a role +- Make rpm_transition_script accept a role +- Allow NetworkManager to signal and sigkill init scripts +- Allow init_t to work on transitient and snapshot unit files +- Add logging_manage_syslog_config() +- Update sysnet_dns_name_resolve() to allow connect to dnssec port + * Mon Jan 13 2014 Miroslav Grepl 3.13.1-13 - Remove file_t from the system and realias it with unlabeled_t