diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f05841c..c1404bd 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -7691,7 +7691,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..274ef6d 100644 +index cf04cb5..431baa5 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -7817,7 +7817,7 @@ index cf04cb5..274ef6d 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,265 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,261 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -7866,10 +7866,6 @@ index cf04cb5..274ef6d 100644 +') + +optional_policy(` -+ abrt_filetrans_named_content(unconfined_domain_type) -+') -+ -+optional_policy(` + alsa_filetrans_named_content(unconfined_domain_type) +') + @@ -18345,10 +18341,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..83e6404 100644 +index 88d0028..8c061b9 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,74 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -18425,10 +18421,6 @@ index 88d0028..83e6404 100644 +userdom_exec_admin_home_files(sysadm_t) + +optional_policy(` -+ abrt_filetrans_named_content(sysadm_t) -+') -+ -+optional_policy(` + alsa_filetrans_named_content(sysadm_t) +') + 
@@ -18438,7 +18430,7 @@ index 88d0028..83e6404 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +90,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -18453,7 +18445,7 @@ index 88d0028..83e6404 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +104,9 @@ optional_policy(` +@@ -71,9 +100,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -18464,7 +18456,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -87,6 +120,7 @@ optional_policy(` +@@ -87,6 +116,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -18472,7 +18464,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -110,6 +144,10 @@ optional_policy(` +@@ -110,6 +140,10 @@ optional_policy(` ') optional_policy(` @@ -18483,7 +18475,7 @@ index 88d0028..83e6404 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -122,11 +160,19 @@ optional_policy(` +@@ -122,11 +156,19 @@ optional_policy(` ') optional_policy(` @@ -18505,7 +18497,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -140,6 +186,10 @@ optional_policy(` +@@ -140,6 +182,10 @@ optional_policy(` ') optional_policy(` @@ -18516,7 +18508,7 @@ index 88d0028..83e6404 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +206,11 @@ optional_policy(` +@@ -156,11 +202,11 @@ optional_policy(` ') optional_policy(` @@ -18530,7 +18522,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -179,6 +229,13 @@ optional_policy(` +@@ -179,6 +225,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -18544,7 +18536,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -186,15 +243,20 @@ optional_policy(` +@@ -186,15 +239,20 @@ optional_policy(` ') optional_policy(` 
@@ -18556,19 +18548,19 @@ index 88d0028..83e6404 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -+ kudzu_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') optional_policy(` -@@ -214,22 +276,20 @@ optional_policy(` +@@ -214,22 +272,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -18597,7 +18589,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -241,14 +301,27 @@ optional_policy(` +@@ -241,14 +297,27 @@ optional_policy(` ') optional_policy(` @@ -18625,7 +18617,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -256,10 +329,20 @@ optional_policy(` +@@ -256,10 +325,20 @@ optional_policy(` ') optional_policy(` @@ -18646,7 +18638,7 @@ index 88d0028..83e6404 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +353,36 @@ optional_policy(` +@@ -270,31 +349,36 @@ optional_policy(` ') optional_policy(` @@ -18690,7 +18682,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -319,12 +407,18 @@ optional_policy(` +@@ -319,12 +403,18 @@ optional_policy(` ') optional_policy(` @@ -18710,7 +18702,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -349,7 +443,18 @@ optional_policy(` +@@ -349,7 +439,18 @@ optional_policy(` ') optional_policy(` @@ -18730,7 +18722,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -360,19 +465,15 @@ optional_policy(` +@@ -360,19 +461,15 @@ optional_policy(` ') optional_policy(` @@ -18752,7 +18744,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -384,10 +485,6 @@ optional_policy(` +@@ -384,10 +481,6 @@ optional_policy(` ') optional_policy(` 
@@ -18763,7 +18755,7 @@ index 88d0028..83e6404 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +492,9 @@ optional_policy(` +@@ -395,6 +488,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -18773,7 +18765,7 @@ index 88d0028..83e6404 100644 ') optional_policy(` -@@ -402,31 +502,34 @@ optional_policy(` +@@ -402,31 +498,34 @@ optional_policy(` ') optional_policy(` @@ -18814,7 +18806,7 @@ index 88d0028..83e6404 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +542,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +538,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18825,7 +18817,7 @@ index 88d0028..83e6404 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +562,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +558,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22053,7 +22045,7 @@ index d1f64a0..3be3d00 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..d4ed029 100644 +index 6bf0ecc..1c8242d 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -22301,7 +22293,7 @@ index 6bf0ecc..d4ed029 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +495,34 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +495,24 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; 
@@ -22314,16 +22306,6 @@ index 6bf0ecc..d4ed029 100644 + userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c") + userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:0") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:1") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:2") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:3") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:4") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:5") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:6") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:7") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:8") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:9") + userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped") + userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old") + userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc") @@ -22338,7 +22320,7 @@ index 6bf0ecc..d4ed029 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +534,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +524,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -22368,7 +22350,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -517,6 +585,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +575,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; 
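Review bot: The new side of `xserver_user_x_domain_template` keeps the filetrans rules for `.xsession-errors`, `.xsession-errors-stamped` and `.xsession-errors-stamped.old` but drops the ten per-display names `.xsession-errors-:0` … `.xsession-errors-:9`, so a per-display error log created under one of those names no longer transitions to xdm_home_t and instead takes whatever label the home directory would otherwise give a new file. That is consistent with this commit backing out 3.12.1-23 (the changelog entry it deletes from selinux-policy.spec lists the re-revert), but nothing left in the patch records why the per-display names are unwanted, so they are likely to be re-proposed. Suggest a one-line comment above the surviving `.xsession-errors` rule, e.g. `# per-display .xsession-errors-:N names deliberately not transitioned; see <placeholder: reason or bug id>`. The template begins before this hunk.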
@@ -22376,7 +22358,7 @@ index 6bf0ecc..d4ed029 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -547,6 +616,42 @@ interface(`xserver_domtrans_xauth',` +@@ -547,6 +606,42 @@ interface(`xserver_domtrans_xauth',` domtrans_pattern($1, xauth_exec_t, xauth_t) ') @@ -22419,7 +22401,7 @@ index 6bf0ecc..d4ed029 100644 ######################################## ## ## Create a Xauthority file in the user home directory. -@@ -598,6 +703,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +693,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -22427,7 +22409,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -615,7 +721,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +711,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -22436,7 +22418,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -638,6 +744,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +734,25 @@ interface(`xserver_rw_console',` ######################################## ## @@ -22462,7 +22444,7 @@ index 6bf0ecc..d4ed029 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +776,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +766,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -22471,7 +22453,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -670,7 +795,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +785,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -22480,7 +22462,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -688,7 +813,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +803,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') 
@@ -22489,7 +22471,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -703,12 +828,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +818,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -22503,7 +22485,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -765,11 +889,71 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,11 +879,71 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -22577,7 +22559,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -793,6 +977,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +967,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -22603,7 +22585,7 @@ index 6bf0ecc..d4ed029 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -806,7 +1009,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -806,7 +999,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -22630,7 +22612,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -846,7 +1067,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1057,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -22658,7 +22640,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -869,6 +1109,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -869,6 +1099,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -22683,7 +22665,7 @@ index 6bf0ecc..d4ed029 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -938,7 +1196,26 @@ interface(`xserver_getattr_log',` +@@ -938,7 +1186,26 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) 
@@ -22711,7 +22693,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -957,7 +1234,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -957,7 +1224,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -22720,7 +22702,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1004,6 +1281,45 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1271,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -22766,7 +22748,7 @@ index 6bf0ecc..d4ed029 100644 ## Read xdm temporary files. ## ## -@@ -1017,7 +1333,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1323,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -22775,7 +22757,7 @@ index 6bf0ecc..d4ed029 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,6 +1395,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,6 +1385,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -22818,7 +22800,7 @@ index 6bf0ecc..d4ed029 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1093,7 +1445,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1093,7 +1435,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -22827,7 +22809,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1111,8 +1463,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1453,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -22839,7 +22821,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1226,6 +1580,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1570,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) 
@@ -22866,7 +22848,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1251,7 +1625,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1615,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -22875,7 +22857,7 @@ index 6bf0ecc..d4ed029 100644 ## ## ## -@@ -1261,13 +1635,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1625,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -22900,7 +22882,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1284,10 +1668,577 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1658,577 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -32478,7 +32460,7 @@ index 72c746e..f035d9f 100644 +/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..0755e25 100644 +index 4584457..300c3f7 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,13 @@ interface(`mount_domtrans',` @@ -32577,7 +32559,7 @@ index 4584457..0755e25 100644 + type mount_var_run_t; + ') + -+ read_files_pattern($1, mount_var_run_t, mount_var_run_t) ++ allow $1 mount_var_run_t:file read_file_perms; + files_search_pids($1) +') + @@ -32766,7 +32748,7 @@ index 4584457..0755e25 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..ac90315 100644 +index 6a50270..bfb146f 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) 
@@ -32963,7 +32945,7 @@ index 6a50270..ac90315 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t) +@@ -121,16 +187,19 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -32978,8 +32960,6 @@ index 6a50270..ac90315 100644 seutil_read_config(mount_t) -+systemd_passwd_agent_domtrans(mount_t) -+ userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) +userdom_read_user_home_content_symlinks(mount_t) @@ -32987,7 +32967,7 @@ index 6a50270..ac90315 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +215,27 @@ ifdef(`distro_ubuntu',` ') ') @@ -33027,7 +33007,7 @@ index 6a50270..ac90315 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +251,8 @@ optional_policy(` +@@ -179,6 +249,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -33036,7 +33016,7 @@ index 6a50270..ac90315 100644 ') optional_policy(` -@@ -186,6 +260,36 @@ optional_policy(` +@@ -186,6 +258,36 @@ optional_policy(` ') optional_policy(` @@ -33073,7 +33053,7 @@ index 6a50270..ac90315 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +298,124 @@ optional_policy(` +@@ -194,24 +296,124 @@ optional_policy(` ') optional_policy(` @@ -36487,10 +36467,10 @@ index 0000000..fc080a1 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..60e3e89 +index 0000000..dd93187 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,641 @@ +@@ -0,0 +1,639 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -36970,8 +36950,6 @@ index 0000000..60e3e89 + +userdom_dbus_send_all_users(systemd_localed_t) + -+xserver_read_config(systemd_localed_t) -+ +optional_policy(` + dbus_connect_system_bus(systemd_localed_t) + dbus_system_bus_client(systemd_localed_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index ff0cb24..f271bb8 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -64,7 +64,7 @@ index e4f84de..94697ea 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..702b716 100644 +index 058d908..b7620e3 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,26 @@ @@ -156,7 +156,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',` +@@ -154,17 +174,54 @@ interface(`abrt_domtrans_helper',` # interface(`abrt_run_helper',` gen_require(` 
@@ -186,55 +186,55 @@ index 058d908..702b716 100644 + + read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ++') ++ ++######################################## ++## ++## Append abrt cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_append_cache',` ++ gen_require(` ++ type abrt_var_cache_t; ++ ') ++ ++ ++ allow $1 abrt_var_cache_t:file append_inherited_file_perms; ') ######################################## ## -## Create, read, write, and delete -## abrt cache files. -+## Append abrt cache ++## Read/Write inherited abrt cache ## ## ## -@@ -172,15 +210,37 @@ interface(`abrt_run_helper',` +@@ -172,15 +229,18 @@ interface(`abrt_run_helper',` ## ## # -interface(`abrt_cache_manage',` - refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.') - abrt_manage_cache($1) -+interface(`abrt_append_cache',` ++interface(`abrt_rw_inherited_cache',` + gen_require(` + type abrt_var_cache_t; + ') + + -+ allow $1 abrt_var_cache_t:file append_inherited_file_perms; ++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms; ') ######################################## ## -## Create, read, write, and delete -## abrt cache content. -+## Read/Write inherited abrt cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`abrt_rw_inherited_cache',` -+ gen_require(` -+ type abrt_var_cache_t; -+ ') -+ -+ -+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## +## Manage abrt cache ## ## @@ -329,7 +329,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',` +@@ -288,39 +387,146 @@ interface(`abrt_manage_pid_files',` ## ## ## 
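Review bot: Both interface bodies on the new side of this abrt.if hunk carry two blank lines between the closing `')` of gen_require and the `allow` rule — `abrt_append_cache` near the top of the hunk and `abrt_rw_inherited_cache` further down — while the other interfaces in this diff (for example the mount.if one) use a single blank line there. This is carried over from the blocks being moved rather than newly introduced, but since the hunk rewrites both bodies anyway, dropping one of the two blank lines in each would bring them in line with the surrounding style.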
@@ -470,7 +470,7 @@ index 058d908..702b716 100644 + list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) - ') ++') + +######################################## +## @@ -488,33 +488,7 @@ index 058d908..702b716 100644 + ') + + dontaudit $1 abrt_t:sock_file write; -+') -+ -+######################################## -+## -+## Transition to abrt named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`abrt_filetrans_named_content',` -+ gen_require(` -+ type abrt_tmp_t; -+ type abrt_etc_t; -+ type abrt_var_cache_t; -+ type abrt_var_run_t; -+ ') -+ -+ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt") -+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt") -+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt") -+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix") -+ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt") -+') -+ + ') diff --git a/abrt.te b/abrt.te index cc43d25..304203f 100644 --- a/abrt.te @@ -7348,10 +7322,10 @@ index 089430a..7cd037b 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index a579c3b..512d6b1 100644 +index a579c3b..e8961f7 100644 --- a/automount.te +++ b/automount.te -@@ -22,12 +22,16 @@ type automount_tmp_t; +@@ -22,6 +22,9 @@ type automount_tmp_t; files_tmp_file(automount_tmp_t) files_mountpoint(automount_tmp_t) 
@@ -7361,15 +7335,7 @@ index a579c3b..512d6b1 100644 ######################################## # # Local policy - # - --allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; -+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; -+allow automount_t self:capability2 block_suspend; - dontaudit automount_t self:capability sys_tty_config; - allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; - allow automount_t self:fifo_file rw_fifo_file_perms; -@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t) +@@ -62,7 +65,6 @@ kernel_dontaudit_search_xen_state(automount_t) corecmd_exec_bin(automount_t) corecmd_exec_shell(automount_t) @@ -7377,7 +7343,7 @@ index a579c3b..512d6b1 100644 corenet_all_recvfrom_netlabel(automount_t) corenet_tcp_sendrecv_generic_if(automount_t) corenet_udp_sendrecv_generic_if(automount_t) -@@ -96,7 +99,6 @@ files_mount_all_file_type_fs(automount_t) +@@ -96,7 +98,6 @@ files_mount_all_file_type_fs(automount_t) files_mounton_all_mountpoints(automount_t) files_mounton_mnt(automount_t) files_read_etc_runtime_files(automount_t) @@ -7385,7 +7351,7 @@ index a579c3b..512d6b1 100644 files_search_boot(automount_t) files_search_all(automount_t) files_unmount_all_file_type_fs(automount_t) -@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t) +@@ -130,15 +131,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -67581,10 +67547,10 @@ index c49828c..a323332 100644 sysnet_dns_name_resolve(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..54fe358 100644 +index ebe91fc..cba31f2 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -1,61 +1,69 @@ +@@ -1,61 +1,68 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) 
@@ -67607,7 +67573,6 @@ index ebe91fc..54fe358 100644 +/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -85655,7 +85620,7 @@ index 9dec06c..b991ec7 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 1f22fba..e780b1b 100644 +index 1f22fba..7b17f67 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -85951,9 +85916,7 @@ index 1f22fba..e780b1b 100644 -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - -kernel_read_system_state(virt_domain) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -fs_getattr_xattr_fs(virt_domain) - -corecmd_exec_bin(virt_domain) @@ -86071,17 +86034,15 @@ index 1f22fba..e780b1b 100644 - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_read_xdm_pid(virt_domain) - xserver_stream_connect(virt_domain) - ') -') -- --optional_policy(` -- dbus_read_lib_files(virt_domain) --') +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) 
@@ -86091,20 +86052,24 @@ index 1f22fba..e780b1b 100644 +corenet_tcp_connect_all_ports(svirt_t) -optional_policy(` -- nscd_use(virt_domain) +- dbus_read_lib_files(virt_domain) -') +miscfiles_read_generic_certs(svirt_t) optional_policy(` -- samba_domtrans_smbd(virt_domain) +- nscd_use(virt_domain) + xen_rw_image_files(svirt_t) ') optional_policy(` -- xen_rw_image_files(virt_domain) +- samba_domtrans_smbd(virt_domain) + nscd_use(svirt_t) ') +-optional_policy(` +- xen_rw_image_files(virt_domain) +-') +- -######################################## +####################################### # @@ -86124,9 +86089,7 @@ index 1f22fba..e780b1b 100644 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) - -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) @@ -86148,7 +86111,9 @@ index 1f22fba..e780b1b 100644 -corenet_sendrecv_all_server_packets(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_sendrecv_all_client_packets(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) 
@@ -86276,16 +86241,16 @@ index 1f22fba..e780b1b 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) @@ -86811,12 +86776,12 @@ index 1f22fba..e780b1b 100644 -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") - -dontaudit virsh_t virt_var_lib_t:file read_file_perms; -- --allow virsh_t svirt_lxc_domain:process transition; +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +-allow virsh_t svirt_lxc_domain:process transition; +- -can_exec(virsh_t, virsh_exec_t) - -virt_domtrans(virsh_t) 
@@ -86963,13 +86928,11 @@ index 1f22fba..e780b1b 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +959,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +959,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; +files_associate_rootfs(svirt_lxc_file_t) -+ -+seutil_read_file_contexts(virtd_lxc_t) storage_manage_fixed_disk(virtd_lxc_t) +storage_rw_fuse(virtd_lxc_t) @@ -86981,7 +86944,7 @@ index 1f22fba..e780b1b 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +981,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +979,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -86992,7 +86955,7 @@ index 1f22fba..e780b1b 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +990,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +988,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -87000,7 +86963,7 @@ index 1f22fba..e780b1b 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1002,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1000,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -87019,7 +86982,7 @@ index 1f22fba..e780b1b 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1016,36 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,20 +1014,35 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -87057,14 +87020,12 @@ index 1f22fba..e780b1b 100644 # - -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock }; +allow svirt_lxc_domain self:key manage_key_perms; -+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid setrlimit }; + allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; - allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1053,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1051,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; 
@@ -87091,7 +87052,7 @@ index 1f22fba..e780b1b 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1071,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1069,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -87110,7 +87071,7 @@ index 1f22fba..e780b1b 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1090,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1088,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -87137,7 +87098,7 @@ index 1f22fba..e780b1b 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1115,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1113,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -87273,7 +87234,7 @@ index 1f22fba..e780b1b 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1211,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1209,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -87288,7 +87249,7 @@ index 1f22fba..e780b1b 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1229,8 @@ optional_policy(` +@@ -1183,9 +1227,8 @@ optional_policy(` ######################################## # @@ -87299,7 +87260,7 @@ index 1f22fba..e780b1b 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1243,70 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1241,70 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index b22aa16..f29b1cc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 23%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -526,17 +526,6 @@ SELinux Reference policy mls base module. %endif %changelog -* Wed Mar 20 2013 Miroslav Grepl 3.12.1-23 -- Allow localectl to read /etc/X11/xorg.conf.d directory -- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors"" -- Allow mount to transition to systemd_passwd_agent -- Make sure abrt directories are labeled correctly -- Allow commands that are going to read mount pid files to search mount_var_run_t -- label /usr/bin/repoquery as rpm_exec_t -- Allow automount to block suspend -- Add abrt_filetrans_named_content so that abrt directories get labeled correctly -- Allow virt domains to setrlimit and read file_context - * Mon Mar 18 2013 Miroslav Grepl 3.12.1-22 - Allow nagios to manage nagios spool files - /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6
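Review bot: Rolling `Release: 23%{?dist}` back to `Release: 22%{?dist}` in the `@@ -19,7 +19,7 @@` hunk means that, if a -23 build was ever published, RPM's version comparison will rank the rebuilt -22 as older and hosts that already installed -23 will keep the reverted rules (the `setrlimit` grant for svirt_lxc_domain and `seutil_read_file_contexts(virtd_lxc_t)`) until a higher Release ships. A revert that must actually reach installed systems should move forward, e.g. `Release: 24%{?dist}`, and the `@@ -526,17 +526,6 @@` hunk should add a changelog entry that records the revert rather than deleting the 3.12.1-23 entry, so the packaging history still explains why those grants appeared and disappeared. If no -23 build left the build system, a note in the commit message saying so would make the downgrade safe to accept as-is. The changelog hunk's last line may lie outside this view.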
