diff --git a/container-selinux.tgz b/container-selinux.tgz index 2eaaf44..8b0d167 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 0d6489d..e9b9e2d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -50199,10 +50199,10 @@ index 000000000..5871e072d +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..5033e0eb6 +index 000000000..bb880db4a --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1039 @@ +@@ -0,0 +1,1040 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50272,6 +50272,7 @@ index 000000000..5033e0eb6 + +type systemd_resolved_var_run_t; +files_pid_file(systemd_resolved_var_run_t) ++files_mountpoint(systemd_resolved_var_run_t) + +type systemd_resolved_unit_file_t; +systemd_unit_file(systemd_resolved_unit_file_t) @@ -58380,7 +58381,7 @@ index e79d54501..101086d66 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e9131723..dc1c884fe 100644 +index 6e9131723..528c5d2d1 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') 
@@ -58389,7 +58390,7 @@ index 6e9131723..dc1c884fe 100644 # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') - -+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }') ++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket dccp_socket }') # # Datagram socket classes. diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e24c5b2..71c1df7 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5626,7 +5626,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') 
diff --git a/apache.te b/apache.te -index 6649962b6..cb95398ea 100644 +index 6649962b6..3db9df9f9 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6345,7 +6345,7 @@ index 6649962b6..cb95398ea 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +571,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +571,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6412,6 +6412,7 @@ index 6649962b6..cb95398ea 100644 -fs_search_auto_mountpoints(httpd_t) +fs_rw_anon_inodefs_files(httpd_t) +fs_rw_hugetlbfs_files(httpd_t) ++fs_exec_hugetlbfs_files(httpd_t) +fs_list_inotifyfs(httpd_t) + +auth_use_nsswitch(httpd_t) @@ -6588,7 +6589,7 @@ index 6649962b6..cb95398ea 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +754,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6648,7 +6649,7 @@ index 6649962b6..cb95398ea 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +806,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6751,7 +6752,7 @@ index 6649962b6..cb95398ea 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +865,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) 
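Review bot: `fs_exec_hugetlbfs_files(httpd_t)` lands directly under `fs_rw_hugetlbfs_files(httpd_t)`, so httpd_t can now both write and execute the same hugetlbfs_t files; for the web server this is effectively the same relaxation as execmem, since W^X no longer holds for its hugepage-backed mappings. The referenced BZ(1444546) presumably concerns a JIT or opcache wanting executable huge pages, so consider wrapping the new line in a tunable_policy block keyed on the existing httpd_execmem boolean (if still present in this apache.te) rather than granting it unconditionally, so deployments that do not need it keep the stricter default. Either way a one-line comment naming the consumer would help, e.g. `# executable huge pages for JIT/opcache users, see BZ(1444546)`. The enclosing httpd_t section starts and ends outside this hunk.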
@@ -6832,7 +6833,7 @@ index 6649962b6..cb95398ea 100644 ') optional_policy(` -@@ -749,24 +917,32 @@ optional_policy(` +@@ -749,24 +918,32 @@ optional_policy(` ') optional_policy(` @@ -6871,7 +6872,7 @@ index 6649962b6..cb95398ea 100644 ') optional_policy(` -@@ -775,6 +951,10 @@ optional_policy(` +@@ -775,6 +952,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6882,7 +6883,7 @@ index 6649962b6..cb95398ea 100644 ') optional_policy(` -@@ -786,35 +966,62 @@ optional_policy(` +@@ -786,35 +967,62 @@ optional_policy(` ') optional_policy(` @@ -6958,7 +6959,7 @@ index 6649962b6..cb95398ea 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1029,31 @@ optional_policy(` +@@ -822,8 +1030,31 @@ optional_policy(` ') optional_policy(` @@ -6990,7 +6991,7 @@ index 6649962b6..cb95398ea 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1062,8 @@ optional_policy(` +@@ -832,6 +1063,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6999,7 +7000,7 @@ index 6649962b6..cb95398ea 100644 ') optional_policy(` -@@ -842,20 +1074,48 @@ optional_policy(` +@@ -842,20 +1075,48 @@ optional_policy(` ') optional_policy(` @@ -7054,7 +7055,7 @@ index 6649962b6..cb95398ea 100644 ') optional_policy(` -@@ -863,16 +1123,31 @@ optional_policy(` +@@ -863,16 +1124,31 @@ optional_policy(` ') optional_policy(` @@ -7088,7 +7089,7 @@ index 6649962b6..cb95398ea 100644 ') optional_policy(` -@@ -883,65 +1158,189 @@ optional_policy(` +@@ -883,65 +1159,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7300,7 +7301,7 @@ index 6649962b6..cb95398ea 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1349,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1350,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) 
@@ -7454,7 +7455,7 @@ index 6649962b6..cb95398ea 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1434,107 @@ optional_policy(` +@@ -1083,172 +1435,107 @@ optional_policy(` ') ') @@ -7692,7 +7693,7 @@ index 6649962b6..cb95398ea 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1542,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1543,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7790,7 +7791,7 @@ index 6649962b6..cb95398ea 100644 ######################################## # -@@ -1321,8 +1617,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1618,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7807,7 +7808,7 @@ index 6649962b6..cb95398ea 100644 ') ######################################## -@@ -1330,49 +1633,43 @@ optional_policy(` +@@ -1330,49 +1634,43 @@ optional_policy(` # User content local policy # @@ -7876,7 +7877,7 @@ index 6649962b6..cb95398ea 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1679,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1680,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -13908,7 +13909,7 @@ index 32e8265c2..508f3b84f 100644 + roleattribute $2 chronyc_roles; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c29..89ecee1f7 100644 +index e5b621c29..47b5fe7e4 100644 --- a/chronyd.te +++ b/chronyd.te @@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0) 
@@ -13967,17 +13968,19 @@ index e5b621c29..89ecee1f7 100644 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) -@@ -61,6 +82,9 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) +@@ -61,6 +82,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) kernel_read_system_state(chronyd_t) kernel_read_network_state(chronyd_t) +kernel_request_load_module(chronyd_t) + ++can_exec(chronyd_t,chronyc_exec_t) ++ +clock_read_adjtime(chronyd_t) corenet_all_recvfrom_unlabeled(chronyd_t) corenet_all_recvfrom_netlabel(chronyd_t) -@@ -76,18 +100,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +102,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -22724,7 +22727,7 @@ index 83bfda6ed..92d9fb2e7 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te -index 4283f2de2..fe348758e 100644 +index 4283f2de2..c29c47501 100644 --- a/cyrus.te +++ b/cyrus.te @@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t) @@ -22736,9 +22739,11 @@ index 4283f2de2..fe348758e 100644 dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; -@@ -63,12 +63,12 @@ kernel_read_kernel_sysctls(cyrus_t) +@@ -62,13 +62,14 @@ files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file }) + kernel_read_kernel_sysctls(cyrus_t) kernel_read_system_state(cyrus_t) kernel_read_all_sysctls(cyrus_t) ++kernel_read_network_state(cyrus_t) -corenet_all_recvfrom_unlabeled(cyrus_t) corenet_all_recvfrom_netlabel(cyrus_t) 
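Review bot: `can_exec(chronyd_t,chronyc_exec_t)` runs chronyc without a domain transition, so the client executes with the full chronyd_t permission set rather than in a dedicated domain; the chronyd.if hunk earlier on this page adds a `chronyc_roles` attribute, which suggests a chronyc domain exists that a domtrans could target instead. If staying in chronyd_t is intentional (the daemon driving its own client helper, per the BZ(1507478) changelog line), a short comment saying so would keep the next reader from "fixing" it. The surrounding rules separate arguments with a space (`manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)`), so `can_exec(chronyd_t, chronyc_exec_t)` would match the file's style.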
@@ -22750,7 +22755,7 @@ index 4283f2de2..fe348758e 100644 corenet_sendrecv_mail_server_packets(cyrus_t) corenet_tcp_bind_mail_port(cyrus_t) -@@ -76,6 +76,9 @@ corenet_tcp_bind_mail_port(cyrus_t) +@@ -76,6 +77,9 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_sendrecv_lmtp_server_packets(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) @@ -22760,7 +22765,7 @@ index 4283f2de2..fe348758e 100644 corenet_sendrecv_pop_server_packets(cyrus_t) corenet_tcp_bind_pop_port(cyrus_t) -@@ -95,8 +98,6 @@ domain_use_interactive_fds(cyrus_t) +@@ -95,8 +99,6 @@ domain_use_interactive_fds(cyrus_t) files_list_var_lib(cyrus_t) files_read_etc_runtime_files(cyrus_t) @@ -22769,7 +22774,7 @@ index 4283f2de2..fe348758e 100644 fs_getattr_all_fs(cyrus_t) fs_search_auto_mountpoints(cyrus_t) -@@ -107,7 +108,6 @@ libs_exec_lib_files(cyrus_t) +@@ -107,7 +109,6 @@ libs_exec_lib_files(cyrus_t) logging_send_syslog_msg(cyrus_t) @@ -22777,7 +22782,7 @@ index 4283f2de2..fe348758e 100644 miscfiles_read_generic_certs(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) -@@ -121,6 +121,14 @@ optional_policy(` +@@ -121,6 +122,14 @@ optional_policy(` ') optional_policy(` @@ -22792,7 +22797,7 @@ index 4283f2de2..fe348758e 100644 kerberos_read_keytab(cyrus_t) kerberos_use(cyrus_t) ') -@@ -134,8 +142,8 @@ optional_policy(` +@@ -134,8 +143,8 @@ optional_policy(` ') optional_policy(` @@ -26230,10 +26235,10 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..f068532e7 +index 000000000..58a8bf4fd --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,207 @@ +@@ -0,0 +1,210 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -26418,6 +26423,8 @@ index 000000000..f068532e7 +manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t); +filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file) + ++kernel_read_system_state(dirsrv_snmp_t) ++ +corenet_tcp_connect_agentx_port(dirsrv_snmp_t) + +dev_read_rand(dirsrv_snmp_t) 
@@ -26430,10 +26437,11 @@ index 000000000..f068532e7 +fs_getattr_tmpfs(dirsrv_snmp_t) +fs_search_tmpfs(dirsrv_snmp_t) + -+ +sysnet_read_config(dirsrv_snmp_t) +sysnet_dns_name_resolve(dirsrv_snmp_t) + ++userdom_use_inherited_user_ptys(dirsrv_snmp_t) ++ +optional_policy(` + snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) + snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) @@ -32102,10 +32110,10 @@ index 000000000..d9ba5fa27 +') diff --git a/ganesha.te b/ganesha.te new file mode 100644 -index 000000000..3cf186efc +index 000000000..0fdeecfd6 --- /dev/null +++ b/ganesha.te -@@ -0,0 +1,109 @@ +@@ -0,0 +1,110 @@ +policy_module(ganesha, 1.0.0) + +######################################## @@ -32182,6 +32190,7 @@ index 000000000..3cf186efc + +dev_rw_infiniband_dev(ganesha_t) +dev_read_gpfs(ganesha_t) ++dev_read_rand(ganesha_t) + +logging_send_syslog_msg(ganesha_t) + @@ -33861,10 +33870,10 @@ index 000000000..450146018 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 000000000..5d279ca35 +index 000000000..7eeb7b0c0 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,324 @@ +@@ -0,0 +1,331 @@ +policy_module(glusterd, 1.1.3) + +## @@ -33916,6 +33925,9 @@ index 000000000..5d279ca35 +type glusterd_tmp_t; +files_tmp_file(glusterd_tmp_t) + ++type glusterd_tmpfs_t; ++files_tmpfs_file(glusterd_tmpfs_t) ++ +type glusterd_log_t; +logging_log_file(glusterd_log_t) + @@ -33954,6 +33966,10 @@ index 000000000..5d279ca35 +files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) +allow glusterd_t glusterd_tmp_t:dir mounton; + ++manage_dirs_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t) ++manage_files_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t) ++fs_tmpfs_filetrans(glusterd_t, glusterd_tmpfs_t, { dir file }) ++ +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir }) 
@@ -38150,10 +38166,10 @@ index 000000000..8a2013af9 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 000000000..86a4d31a1 +index 000000000..800eb43a1 --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,74 @@ +@@ -0,0 +1,75 @@ +policy_module(gssproxy, 1.0.0) + +######################################## @@ -38196,6 +38212,7 @@ index 000000000..86a4d31a1 +files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file }) + +kernel_rw_rpc_sysctls(gssproxy_t) ++kernel_read_network_state(gssproxy_t) + +domain_use_interactive_fds(gssproxy_t) + @@ -43845,10 +43862,10 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..f84877209 +index 000000000..d7cf7c7c3 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,102 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -43926,6 +43943,7 @@ index 000000000..f84877209 + snmp_manage_var_lib_files(keepalived_t) + snmp_manage_var_lib_sock_files(keepalived_t) + snmp_manage_var_lib_dirs(keepalived_t) ++ snmp_stream_connect(keepalived_t) +') + +######################################## @@ -47497,10 +47515,10 @@ index 000000000..7ba50607c + diff --git a/linuxptp.te b/linuxptp.te new file mode 100644 -index 000000000..7acdb2d40 +index 000000000..37414ae0d --- /dev/null +++ b/linuxptp.te -@@ -0,0 +1,180 @@ +@@ -0,0 +1,184 @@ +policy_module(linuxptp, 1.0.0) + + @@ -47670,10 +47688,14 @@ index 000000000..7acdb2d40 +corenet_udp_bind_generic_node(ptp4l_t) +corenet_udp_bind_reserved_port(ptp4l_t) + ++kernel_read_network_state(ptp4l_t) ++ +dev_rw_realtime_clock(ptp4l_t) + +logging_send_syslog_msg(ptp4l_t) + ++userdom_dgram_send(ptp4l_t) ++ +optional_policy(` + chronyd_rw_shm(ptp4l_t) +') 
@@ -48443,6 +48465,32 @@ index be0ab84b3..af94fb163 100644 +role system_r types logrotate_mail_t; logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) +diff --git a/logwatch.if b/logwatch.if +index 06c3d36ca..2bb771f02 100644 +--- a/logwatch.if ++++ b/logwatch.if +@@ -37,3 +37,21 @@ interface(`logwatch_search_cache_dir',` + files_search_var($1) + allow $1 logwatch_cache_t:dir search_dir_perms; + ') ++ ++####################################### ++## ++## Dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`logwatch_dontaudit_leaks',` ++ gen_require(` ++ type logwatch_t; ++ ') ++ ++ dontaudit $1 logwatch_t:fifo_file { read write }; ++') diff --git a/logwatch.te b/logwatch.te index ab650340c..433d37810 100644 --- a/logwatch.te @@ -54207,7 +54255,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..28c1c5f16 100644 +index 11ac8e4fc..bb6533dae 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -54488,11 +54536,11 @@ index 11ac8e4fc..28c1c5f16 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) 
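Review bot: The summary of the new `logwatch_dontaudit_leaks` interface reads `Dontaudit read and write an leaked file descriptors`, which is ungrammatical; `Do not audit attempts to read and write leaked file descriptors` says the same thing clearly. It would also be worth one sentence in the description stating that the rule only suppresses the AVC records for `logwatch_t:fifo_file { read write }` while the accesses themselves remain denied, so that anyone hunting leaked pipes knows these denials are intentionally invisible in the audit log. The postfix.te hunk later on this page, which adds `logwatch_dontaudit_leaks(postfix_showq_t)`, is the first consumer of the interface.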
@@ -54626,34 +54674,34 @@ index 11ac8e4fc..28c1c5f16 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ++') ++ ++optional_policy(` ++ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ java_domtrans(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ lpd_domtrans_lpr(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ nscd_socket_use(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) -+ nscd_socket_use(mozilla_t) -+') -+ -+optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -54661,7 +54709,7 @@ index 11ac8e4fc..28c1c5f16 100644 ') optional_policy(` -@@ -300,259 +340,261 @@ optional_policy(` +@@ -300,259 +340,265 @@ optional_policy(` ######################################## # @@ -55026,13 +55074,6 @@ index 11ac8e4fc..28c1c5f16 100644 + dbus_session_bus_client(mozilla_plugin_t) + dbus_connect_session_bus(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ gnome_manage_config(mozilla_plugin_t) -+ gnome_read_usr_config(mozilla_plugin_t) -+ gnome_filetrans_home_content(mozilla_plugin_t) -+ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') optional_policy(` 
@@ -55040,6 +55081,17 @@ index 11ac8e4fc..28c1c5f16 100644 - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") ++ devicekit_dbus_chat_disk(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ gnome_manage_config(mozilla_plugin_t) ++ gnome_read_usr_config(mozilla_plugin_t) ++ gnome_filetrans_home_content(mozilla_plugin_t) ++ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) ') @@ -55069,7 +55121,7 @@ index 11ac8e4fc..28c1c5f16 100644 ') optional_policy(` -@@ -560,7 +602,11 @@ optional_policy(` +@@ -560,7 +606,11 @@ optional_policy(` ') optional_policy(` @@ -55082,7 +55134,7 @@ index 11ac8e4fc..28c1c5f16 100644 ') optional_policy(` -@@ -568,108 +614,144 @@ optional_policy(` +@@ -568,108 +618,144 @@ optional_policy(` ') optional_policy(` @@ -71802,10 +71854,10 @@ index 000000000..02df03ad6 +') diff --git a/pdns.te b/pdns.te new file mode 100644 -index 000000000..63ddc577c +index 000000000..4df7ada2a --- /dev/null +++ b/pdns.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +policy_module(pdns, 1.0.2) + +######################################## @@ -71849,6 +71901,8 @@ index 000000000..63ddc577c +allow pdns_t self:unix_dgram_socket create_socket_perms; +pdns_read_config(pdns_t) + ++kernel_read_network_state(pdns_t) ++ +corenet_tcp_bind_dns_port(pdns_t) +corenet_udp_bind_dns_port(pdns_t) + @@ -72037,7 +72091,7 @@ index d2fc677c1..86dce34a2 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454d8..8f0f5fd9c 100644 +index 608f454d8..64782ff03 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) 
@@ -72056,7 +72110,7 @@ index 608f454d8..8f0f5fd9c 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,335 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,337 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -72189,6 +72243,8 @@ index 608f454d8..8f0f5fd9c 100644 + +kernel_read_network_state(pegasus_openlmi_services_t) + ++miscfiles_read_certs(pegasus_openlmi_services_t) ++ +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_services_t) +') @@ -72398,7 +72454,7 @@ index 608f454d8..8f0f5fd9c 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -72433,7 +72489,7 @@ index 608f454d8..8f0f5fd9c 100644 kernel_read_fs_sysctls(pegasus_t) kernel_read_system_state(pegasus_t) kernel_search_vm_sysctl(pegasus_t) -@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +397,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -72466,7 +72522,7 @@ index 608f454d8..8f0f5fd9c 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +425,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -72478,7 +72534,7 @@ index 608f454d8..8f0f5fd9c 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +441,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -72500,21 +72556,21 @@ index 608f454d8..8f0f5fd9c 100644 +optional_policy(` + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) - -- optional_policy(` -- networkmanager_dbus_chat(pegasus_t) -- ') ++ + optional_policy(` + networkmanager_dbus_chat(pegasus_t) + ') +') -+ + +- optional_policy(` +- networkmanager_dbus_chat(pegasus_t) +- ') +optional_policy(` + rhcs_stream_connect_cluster(pegasus_t) ') optional_policy(` -@@ -151,16 +473,24 @@ optional_policy(` +@@ -151,16 +475,24 @@ optional_policy(` ') optional_policy(` @@ -72543,7 +72599,7 @@ index 608f454d8..8f0f5fd9c 100644 ') optional_policy(` -@@ -168,7 +498,7 @@ optional_policy(` +@@ -168,7 +500,7 @@ optional_policy(` ') optional_policy(` @@ -72552,7 +72608,7 @@ index 608f454d8..8f0f5fd9c 100644 ') optional_policy(` -@@ -180,12 +510,17 @@ optional_policy(` +@@ -180,12 +512,17 @@ optional_policy(` ') optional_policy(` @@ -77332,7 +77388,7 @@ index ded95ec3a..210018ce4 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83eca..67f813d34 100644 +index 5cfb83eca..5de033f81 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -78040,7 +78096,7 @@ index 5cfb83eca..67f813d34 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -655,69 +595,80 @@ optional_policy(` +@@ -655,69 +595,84 @@ optional_policy(` ######################################## # 
@@ -78104,6 +78160,10 @@ index 5cfb83eca..67f813d34 100644 term_use_all_ptys(postfix_showq_t) term_use_all_ttys(postfix_showq_t) ++optional_policy(` ++ logwatch_dontaudit_leaks(postfix_showq_t) ++') ++ ######################################## # -# Smtp delivery local policy @@ -78138,7 +78198,7 @@ index 5cfb83eca..67f813d34 100644 ') optional_policy(` -@@ -730,28 +681,32 @@ optional_policy(` +@@ -730,28 +685,32 @@ optional_policy(` ######################################## # @@ -78179,7 +78239,7 @@ index 5cfb83eca..67f813d34 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) -@@ -764,6 +719,7 @@ optional_policy(` +@@ -764,6 +723,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -78187,7 +78247,7 @@ index 5cfb83eca..67f813d34 100644 ') optional_policy(` -@@ -774,31 +730,102 @@ optional_policy(` +@@ -774,31 +734,102 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -93683,7 +93743,7 @@ index 0bf13c220..79a2a9c48 100644 + allow $1 gssd_t:process { noatsecure rlimitinh }; +') diff --git a/rpc.te b/rpc.te -index 2da9fca2f..9099c9800 100644 +index 2da9fca2f..c8afd1e50 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -93888,7 +93948,7 @@ index 2da9fca2f..9099c9800 100644 ') ######################################## -@@ -201,42 +231,64 @@ optional_policy(` +@@ -201,42 +231,66 @@ optional_policy(` # NFSD local policy # @@ -93935,6 +93995,8 @@ index 2da9fca2f..9099c9800 100644 files_manage_mounttab(nfsd_t) +files_read_etc_runtime_files(nfsd_t) ++fs_read_configfs_files(nfsd_t) ++fs_read_configfs_dirs(nfsd_t) +fs_mounton_nfsd_fs(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) @@ -93964,7 +94026,7 @@ index 2da9fca2f..9099c9800 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) 
@@ -93972,7 +94034,7 @@ index 2da9fca2f..9099c9800 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -93987,7 +94049,7 @@ index 2da9fca2f..9099c9800 100644 ') ######################################## -@@ -270,7 +321,7 @@ optional_policy(` +@@ -270,7 +323,7 @@ optional_policy(` # GSSD local policy # @@ -93996,7 +94058,7 @@ index 2da9fca2f..9099c9800 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -94004,7 +94066,7 @@ index 2da9fca2f..9099c9800 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +340,31 @@ kernel_signal(gssd_t) +@@ -288,25 +342,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -94039,7 +94101,7 @@ index 2da9fca2f..9099c9800 100644 ') optional_policy(` -@@ -314,9 +372,12 @@ optional_policy(` +@@ -314,9 +374,12 @@ optional_policy(` ') optional_policy(` @@ -111403,7 +111465,7 @@ index 5406b6ee8..dc5b46e28 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index d01096386..ae473b2b2 100644 +index d01096386..c491b2f9c 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t) @@ -111435,7 +111497,7 @@ index d01096386..ae473b2b2 100644 corenet_tcp_sendrecv_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_client_packets(tgtd_t) -@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t) +@@ -72,16 +73,18 @@ corenet_tcp_connect_isns_port(tgtd_t) dev_read_sysfs(tgtd_t) 
@@ -111444,6 +111506,8 @@ index d01096386..ae473b2b2 100644 fs_read_anon_inodefs_files(tgtd_t) ++miscfiles_read_generic_certs(tgtd_t) ++ storage_manage_fixed_disk(tgtd_t) +storage_read_scsi_generic(tgtd_t) +storage_write_scsi_generic(tgtd_t) @@ -120205,11 +120269,12 @@ index 6b72968ea..de409cc61 100644 +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmtools.fc b/vmtools.fc new file mode 100644 -index 000000000..c5deffb77 +index 000000000..13ee573e4 --- /dev/null +++ b/vmtools.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,6 @@ +/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0) ++/usr/bin/VGAuthService -- gen_context(system_u:object_r:vmtools_exec_t,s0) + +/usr/bin/vmware-user-suid-wrapper -- gen_context(system_u:object_r:vmtools_helper_exec_t,s0) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 6cc0ea7..6014ce9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 300%{?dist} +Release: 301%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
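Review bot: Labeling `/usr/bin/VGAuthService` as `vmtools_exec_t` places the guest authentication service in the same domain as vmtoolsd, so the two daemons share one permission set and a compromise of either carries the union of both; a separate entrypoint type and domain would preserve that boundary if the extra policy is justified. If sharing the domain is the intended trade-off (the changelog line frames it as confining a daemon that was previously unconfined), a comment in vmtools.fc such as `# VGAuthService deliberately shares the vmtoolsd domain` would record the decision for the next reviewer.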
@@ -717,6 +717,22 @@ exit 0 %endif %changelog +* Fri Nov 03 2017 Lukas Vrabec - 3.13.1-301 +- Merge pull request #37 from milosmalik/rawhide +- Allow mozilla_plugin_t domain to dbus chat with devicekit +- Dontaudit leaked logwatch pipes +- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon. +- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546) +- Allow chronyd daemon to execute chronyc. BZ(1507478) +- Allow pdns to read network system state BZ(1507244) +- Allow gssproxy to read network system state Resolves: rhbz#1507191 +- Allow nfsd_t domain to read configfs_t files/dirs +- Allow tgtd_t domain to read generic certs +- Allow ptp4l to send msgs via dgram socket to unprivileged user domains +- Allow dirsrv_snmp_t to use inherited user ptys and read system state +- Allow glusterd_t domain to create own tmpfs dirs/files +- Allow keepalived stream connect to snmp + * Thu Oct 26 2017 Lukas Vrabec - 3.13.1-300 - Allow zabbix_t domain to change its resource limits - Add new boolean nagios_use_nfs