diff --git a/policy-F16.patch b/policy-F16.patch index b1a3901..4338a88 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -17203,7 +17203,7 @@ index c19518a..04ef731 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..a8532db 100644 +index ff006ea..b733da8 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -17343,7 +17343,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -1660,6 +1746,24 @@ interface(`files_delete_root_dir_entry',` +@@ -1660,6 +1746,42 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -17365,10 +17365,28 @@ index ff006ea..a8532db 100644 + +######################################## +## ++## Relabel a rootfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_rootfs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:filesystem relabel_file_perms; ++') ++ ++######################################## ++## ## Unmount a rootfs filesystem. ## ## -@@ -1678,6 +1782,24 @@ interface(`files_unmount_rootfs',` +@@ -1678,6 +1800,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -17393,7 +17411,7 @@ index ff006ea..a8532db 100644 ## Get attributes of the /boot directory. ## ## -@@ -1848,7 +1970,7 @@ interface(`files_boot_filetrans',` +@@ -1848,7 +1988,7 @@ interface(`files_boot_filetrans',` type boot_t; ') @@ -17402,7 +17420,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -2372,6 +2494,24 @@ interface(`files_rw_etc_dirs',` +@@ -2372,6 +2512,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') 
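Review bot: The new `files_relabel_rootfs` interface grants `relabel_file_perms` on `root_t:filesystem`, which is relabelfrom/relabelto of the rootfs filesystem object itself (its mount context), a different and more privileged operation than relabeling the files under `/`; the summary `Relabel a rootfs filesystem.` does not make that distinction, so a module that only needs file relabeling could pick this interface by mistake. Restating the summary as `Relabel the rootfs filesystem object (mount context), not the files it contains.` would settle it. The new `term_relabel_pty_fs` added to terminal.if later in this commit (`allow $1 devpts_t:filesystem relabel_file_perms;`) has the same shape and deserves the same wording, and both are handed to `virtd_lxc_t` in the virt.te hunks of this same commit. The files.if interface sequence continues outside this hunk.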
@@ -17427,7 +17445,7 @@ index ff006ea..a8532db 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2451,7 +2591,7 @@ interface(`files_read_etc_files',` +@@ -2451,7 +2609,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -17436,7 +17454,7 @@ index ff006ea..a8532db 100644 ## ## # -@@ -2507,6 +2647,25 @@ interface(`files_manage_etc_files',` +@@ -2507,6 +2665,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -17462,7 +17480,7 @@ index ff006ea..a8532db 100644 ## Delete system configuration files in /etc. ## ## -@@ -2525,6 +2684,24 @@ interface(`files_delete_etc_files',` +@@ -2525,6 +2702,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -17487,7 +17505,7 @@ index ff006ea..a8532db 100644 ## Execute generic files in /etc. ## ## -@@ -2624,7 +2801,7 @@ interface(`files_etc_filetrans',` +@@ -2624,7 +2819,7 @@ interface(`files_etc_filetrans',` type etc_t; ') @@ -17496,7 +17514,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -2680,24 +2857,6 @@ interface(`files_delete_boot_flag',` +@@ -2680,24 +2875,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -17521,7 +17539,7 @@ index ff006ea..a8532db 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2738,6 +2897,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2738,6 +2915,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -17546,7 +17564,7 @@ index ff006ea..a8532db 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -2775,6 +2952,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2775,6 +2970,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) 
@@ -17554,7 +17572,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -2796,6 +2974,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -2796,6 +2992,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -17562,7 +17580,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -3364,7 +3543,7 @@ interface(`files_home_filetrans',` +@@ -3364,7 +3561,7 @@ interface(`files_home_filetrans',` type home_root_t; ') @@ -17571,7 +17589,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -3502,20 +3681,38 @@ interface(`files_list_mnt',` +@@ -3502,20 +3699,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -17615,7 +17633,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -3804,7 +4001,7 @@ interface(`files_kernel_modules_filetrans',` +@@ -3804,7 +4019,7 @@ interface(`files_kernel_modules_filetrans',` type modules_object_t; ') @@ -17624,7 +17642,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -3900,6 +4097,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,6 +4115,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -17724,7 +17742,7 @@ index ff006ea..a8532db 100644 ######################################## ## ## Allow the specified type to associate -@@ -3945,7 +4235,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3945,7 +4253,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -17733,7 +17751,7 @@ index ff006ea..a8532db 100644 ## ## # -@@ -4017,7 +4307,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4325,7 @@ interface(`files_list_tmp',` ## ## ## 
@@ -17742,12 +17760,14 @@ index ff006ea..a8532db 100644 ## ## # -@@ -4029,6 +4319,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,9 +4337,27 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') +-######################################## +####################################### -+## + ## +-## Remove entries from the tmp directory. +## Allow read and write to the tmp directory (/tmp). +## +## @@ -17764,16 +17784,18 @@ index ff006ea..a8532db 100644 + allow $1 tmp_t:dir rw_dir_perms; +') + - ######################################## - ## - ## Remove entries from the tmp directory. -@@ -4085,17 +4393,43 @@ interface(`files_manage_generic_tmp_dirs',` ++######################################## ++## ++## Remove entries from the tmp directory. + ## + ## + ## +@@ -4085,6 +4411,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## --## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. - ## ++## +## +##

+## Allow shared library text relocations in tmp files. @@ -17782,16 +17804,14 @@ index ff006ea..a8532db 100644 +## This is added to support java policy. +##

+##
- ## - ## - ## Domain allowed access. - ## - ## - # --interface(`files_manage_generic_tmp_files',` ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_execmod_tmp',` - gen_require(` -- type tmp_t; ++ gen_require(` + attribute tmpfile; + ') + @@ -17800,21 +17820,10 @@ index ff006ea..a8532db 100644 + +######################################## +## -+## Manage temporary files and directories in /tmp. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_tmp_files',` -+ gen_require(` -+ type tmp_t; - ') - - manage_files_pattern($1, tmp_t, tmp_t) -@@ -4139,6 +4473,42 @@ interface(`files_rw_generic_tmp_sockets',` + ## Manage temporary files and directories in /tmp. + ##
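Review bot: The new `files_execmod_tmp` interface is keyed on `attribute tmpfile`, which spans every temporary-file type in the policy rather than only the generic `tmp_t`, yet its summary says only `Allow shared library text relocations in tmp files.`; the breadth of the grant should be visible to callers. Consider `Allow shared library text relocations on any tmpfile-typed file (all tmp types, not just tmp_t).` for the summary, keeping the existing note that it exists for the java policy. The rule body of the interface lies past the end of this hunk, so its exact permission set cannot be checked from here.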
+ ## +@@ -4139,6 +4491,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -17857,7 +17866,7 @@ index ff006ea..a8532db 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4202,7 +4572,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4202,7 +4590,7 @@ interface(`files_relabel_all_tmp_dirs',` ##
## ## @@ -17866,7 +17875,7 @@ index ff006ea..a8532db 100644 ## ## # -@@ -4262,7 +4632,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4650,7 @@ interface(`files_relabel_all_tmp_files',` ##
## ## @@ -17875,7 +17884,7 @@ index ff006ea..a8532db 100644 ## ## # -@@ -4318,7 +4688,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4706,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -17884,7 +17893,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -4342,6 +4712,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4730,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -17901,7 +17910,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -4681,7 +5061,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +5079,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -17910,7 +17919,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -4914,6 +5294,24 @@ interface(`files_list_var',` +@@ -4914,6 +5312,24 @@ interface(`files_list_var',` ######################################## ## @@ -17935,7 +17944,7 @@ index ff006ea..a8532db 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5084,7 +5482,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5500,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -17944,7 +17953,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -5219,7 +5617,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5635,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -17953,7 +17962,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -5259,6 +5657,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5259,6 +5675,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') 
@@ -17979,7 +17988,7 @@ index ff006ea..a8532db 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5304,6 +5721,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5739,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -18005,7 +18014,7 @@ index ff006ea..a8532db 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5753,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5771,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -18014,7 +18023,7 @@ index ff006ea..a8532db 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5774,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5792,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -18030,7 +18039,7 @@ index ff006ea..a8532db 100644 ##
## ## -@@ -5349,12 +5789,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5807,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -18063,7 +18072,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -5373,6 +5831,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5849,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -18071,7 +18080,7 @@ index ff006ea..a8532db 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5844,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5862,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -18079,7 +18088,7 @@ index ff006ea..a8532db 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5870,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5888,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -18088,7 +18097,7 @@ index ff006ea..a8532db 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5886,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5904,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -18105,7 +18114,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -5452,7 +5910,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5928,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -18114,7 +18123,7 @@ index ff006ea..a8532db 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5951,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5969,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') 
@@ -18123,7 +18132,7 @@ index ff006ea..a8532db 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5973,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5991,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -18132,7 +18141,7 @@ index ff006ea..a8532db 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +6005,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +6023,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -18143,7 +18152,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -5608,6 +6066,43 @@ interface(`files_search_pids',` +@@ -5608,6 +6084,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -18187,7 +18196,7 @@ index ff006ea..a8532db 100644 ######################################## ## ## Do not audit attempts to search -@@ -5629,6 +6124,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5629,6 +6142,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -18213,7 +18222,7 @@ index ff006ea..a8532db 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -5736,7 +6250,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6268,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -18222,7 +18231,7 @@ index ff006ea..a8532db 100644 ') ######################################## -@@ -5815,29 +6329,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,29 +6347,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -18256,7 +18265,7 @@ index ff006ea..a8532db 100644 ## ## ## -@@ -5845,42 +6355,35 @@ interface(`files_read_all_pids',` +@@ -5845,42 +6373,35 @@ interface(`files_read_all_pids',` ## ## # 
@@ -18306,7 +18315,7 @@ index ff006ea..a8532db 100644 ## ## ## -@@ -5888,20 +6391,17 @@ interface(`files_delete_all_pids',` +@@ -5888,20 +6409,17 @@ interface(`files_delete_all_pids',` ## ## # @@ -18330,7 +18339,7 @@ index ff006ea..a8532db 100644 ## ## ## -@@ -5909,56 +6409,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -5909,56 +6427,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -18406,7 +18415,7 @@ index ff006ea..a8532db 100644 ## ## ## -@@ -5966,18 +6469,17 @@ interface(`files_list_spool',` +@@ -5966,18 +6487,17 @@ interface(`files_list_spool',` ## ## # @@ -18429,7 +18438,7 @@ index ff006ea..a8532db 100644 ## ## ## -@@ -5985,19 +6487,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -5985,19 +6505,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -18454,7 +18463,7 @@ index ff006ea..a8532db 100644 ## ## ## -@@ -6005,50 +6506,313 @@ interface(`files_read_generic_spool',` +@@ -6005,31 +6524,294 @@ interface(`files_read_generic_spool',` ## ## # @@ -18488,28 +18497,17 @@ index ff006ea..a8532db 100644 -## -## -## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## - # --interface(`files_spool_filetrans',` ++# +interface(`files_mounton_all_poly_members',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute polymember; - ') - -- allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3) ++ ') ++ + allow $1 polymember:dir mounton; - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Delete all process IDs. +## +## 
@@ -18769,29 +18767,19 @@ index ff006ea..a8532db 100644 +## +## +## -+## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. -+## -+## -+# -+interface(`files_spool_filetrans',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Allow access to manage all polyinstantiated -+## directories on the system. - ## - ## ## -@@ -6117,3 +6881,302 @@ interface(`files_unconfined',` + ## Object class(es) (single or set including {}) for which this + ## the transition will occur. +@@ -6042,7 +6824,7 @@ interface(`files_spool_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3) ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) + ') + + ######################################## +@@ -6117,3 +6899,302 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -21280,7 +21268,7 @@ index 7d45d15..22c9cfe 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 01dd2f1..7a8e118 100644 +index 01dd2f1..c9ac6c7 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -208,6 +208,27 @@ interface(`term_use_all_terms',` 
@@ -21333,7 +21321,32 @@ index 01dd2f1..7a8e118 100644 ') ######################################## -@@ -462,6 +485,24 @@ interface(`term_list_ptys',` +@@ -384,6 +407,24 @@ interface(`term_getattr_pty_fs',` + + ######################################## + ## ++## Relabel a pty filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_relabel_pty_fs',` ++ gen_require(` ++ type devpts_t; ++ ') ++ ++ allow $1 devpts_t:filesystem relabel_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to get the + ## attributes of the /dev/pts directory. + ## +@@ -462,6 +503,24 @@ interface(`term_list_ptys',` ######################################## ## @@ -21358,7 +21371,7 @@ index 01dd2f1..7a8e118 100644 ## Do not audit attempts to read the ## /dev/pts directory. ## -@@ -616,6 +657,7 @@ interface(`term_dontaudit_use_generic_ptys',` +@@ -616,6 +675,7 @@ interface(`term_dontaudit_use_generic_ptys',` type devpts_t; ') @@ -21366,7 +21379,7 @@ index 01dd2f1..7a8e118 100644 dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') -@@ -860,6 +902,26 @@ interface(`term_use_all_ptys',` +@@ -860,6 +920,26 @@ interface(`term_use_all_ptys',` ######################################## ## @@ -21393,7 +21406,7 @@ index 01dd2f1..7a8e118 100644 ## Do not audit attempts to read or write any ptys. ## ## -@@ -873,7 +935,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -873,7 +953,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -21402,7 +21415,7 @@ index 01dd2f1..7a8e118 100644 ') ######################################## -@@ -921,7 +983,7 @@ interface(`term_getattr_all_user_ptys',` +@@ -921,7 +1001,7 @@ interface(`term_getattr_all_user_ptys',` ## ## ## @@ -21411,7 +21424,7 @@ index 01dd2f1..7a8e118 100644 ## ## # -@@ -1240,7 +1302,28 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1240,7 +1320,28 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') 
@@ -21441,7 +21454,7 @@ index 01dd2f1..7a8e118 100644 ') ######################################## -@@ -1256,11 +1339,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1256,11 +1357,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -21455,7 +21468,7 @@ index 01dd2f1..7a8e118 100644 ') ######################################## -@@ -1277,10 +1362,12 @@ interface(`term_getattr_all_ttys',` +@@ -1277,10 +1380,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -21468,7 +21481,7 @@ index 01dd2f1..7a8e118 100644 ') ######################################## -@@ -1358,7 +1445,27 @@ interface(`term_use_all_ttys',` +@@ -1358,7 +1463,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -21497,7 +21510,7 @@ index 01dd2f1..7a8e118 100644 ') ######################################## -@@ -1377,7 +1484,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1377,7 +1502,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -21506,7 +21519,7 @@ index 01dd2f1..7a8e118 100644 ') ######################################## -@@ -1485,7 +1592,7 @@ interface(`term_use_all_user_ttys',` +@@ -1485,7 +1610,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -21515,7 +21528,7 @@ index 01dd2f1..7a8e118 100644 ## ## # -@@ -1493,3 +1600,426 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1493,3 +1618,426 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -22099,7 +22112,7 @@ index be4de58..7e8b6ec 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..cdcc621 100644 +index 2be17d2..123ce31 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0) 
@@ -22158,7 +22171,7 @@ index 2be17d2..cdcc621 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,23 +66,119 @@ optional_policy(` +@@ -23,23 +66,123 @@ optional_policy(` ') optional_policy(` @@ -22248,6 +22261,10 @@ index 2be17d2..cdcc621 100644 +') + +optional_policy(` ++ obex_role(staff_r, staff_t, staff) ++') ++ ++optional_policy(` + polipo_role(staff_r, staff_t) + polipo_named_filetrans_cache_home_dirs(staff_t) + polipo_named_filetrans_config_home_files(staff_t) @@ -22280,7 +22297,7 @@ index 2be17d2..cdcc621 100644 ') optional_policy(` -@@ -48,10 +187,52 @@ optional_policy(` +@@ -48,10 +191,52 @@ optional_policy(` ') optional_policy(` @@ -22333,7 +22350,7 @@ index 2be17d2..cdcc621 100644 xserver_role(staff_r, staff_t) ') -@@ -61,10 +242,6 @@ ifndef(`distro_redhat',` +@@ -61,10 +246,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22344,7 +22361,7 @@ index 2be17d2..cdcc621 100644 cdrecord_role(staff_r, staff_t) ') -@@ -89,18 +266,10 @@ ifndef(`distro_redhat',` +@@ -89,18 +270,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22363,7 +22380,7 @@ index 2be17d2..cdcc621 100644 java_role(staff_r, staff_t) ') -@@ -121,10 +290,6 @@ ifndef(`distro_redhat',` +@@ -121,10 +294,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22374,7 +22391,7 @@ index 2be17d2..cdcc621 100644 pyzor_role(staff_r, staff_t) ') -@@ -137,10 +302,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +306,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22385,7 +22402,7 @@ index 2be17d2..cdcc621 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +333,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +337,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -23971,10 +23988,10 @@ index 0000000..c21c9a4 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..7e0ea58 100644 +index e5bfdd4..c74962a 100644 
--- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,105 @@ role user_r; +@@ -12,15 +12,109 @@ role user_r; userdom_unpriv_user_template(user) @@ -24034,6 +24051,10 @@ index e5bfdd4..7e0ea58 100644 +') + +optional_policy(` ++ obex_role(user_r, user_t, user) ++') ++ ++optional_policy(` + netutils_run_ping_cond(user_t, user_r) + netutils_run_traceroute_cond(user_t, user_r) +') @@ -24080,7 +24101,7 @@ index e5bfdd4..7e0ea58 100644 vlock_run(user_t, user_r) ') -@@ -62,19 +152,11 @@ ifndef(`distro_redhat',` +@@ -62,19 +156,11 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24101,7 +24122,7 @@ index e5bfdd4..7e0ea58 100644 ') optional_policy(` -@@ -98,10 +180,6 @@ ifndef(`distro_redhat',` +@@ -98,10 +184,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24112,7 +24133,7 @@ index e5bfdd4..7e0ea58 100644 postgresql_role(user_r, user_t) ') -@@ -118,11 +196,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +200,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24125,7 +24146,7 @@ index e5bfdd4..7e0ea58 100644 ') optional_policy(` -@@ -157,3 +231,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +235,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -28230,17 +28251,15 @@ index a7a0e71..5352ef6 100644 ') diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc -index 59aa54f..a1c5de9 100644 +index 59aa54f..643afce 100644 --- a/policy/modules/services/bind.fc 
+++ b/policy/modules/services/bind.fc -@@ -4,6 +4,14 @@ +@@ -4,6 +4,12 @@ /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+/etc/unbound/.*\.pem -- gen_context(system_u:object_r:dnssec_t,s0) -+/etc/dnssec-trigger/.*\.pem -- gen_context(system_u:object_r:dnssec_t,s0) -+/etc/dnssec-trigger/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) + +/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0) + @@ -28248,14 +28267,6 @@ index 59aa54f..a1c5de9 100644 /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -@@ -17,6 +25,7 @@ - /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) - /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) - /var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -+/var/run/dnssec.* gen_context(system_u:object_r:named_var_run_t,s0) - - ifdef(`distro_debian',` - /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if index 44a1e3d..776e2ed 100644 --- a/policy/modules/services/bind.if @@ -37938,13 +37949,13 @@ index fdaeeba..b1ea136 100644 ') diff --git a/policy/modules/services/dnssec.fc b/policy/modules/services/dnssec.fc new file mode 100755 -index 0000000..06b9b19 +index 0000000..9e231a8 --- /dev/null +++ b/policy/modules/services/dnssec.fc 
@@ -0,0 +1,3 @@ -+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0) ++/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0) + -+/var/run/dnssec-triggerd(/.*)? gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) ++/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) diff --git a/policy/modules/services/dnssec.if b/policy/modules/services/dnssec.if new file mode 100755 index 0000000..a9dbcf2 @@ -38023,10 +38034,10 @@ index 0000000..a9dbcf2 +') diff --git a/policy/modules/services/dnssec.te b/policy/modules/services/dnssec.te new file mode 100755 -index 0000000..0d3ca7a +index 0000000..8aa75f3 --- /dev/null +++ b/policy/modules/services/dnssec.te -@@ -0,0 +1,58 @@ +@@ -0,0 +1,60 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -38063,6 +38074,7 @@ index 0000000..0d3ca7a + +corenet_tcp_bind_generic_node(dnssec_trigger_t) +corenet_tcp_bind_dnssec_port(dnssec_trigger_t) ++corenet_tcp_connect_rndc_port(dnssec_trigger_t) + +dev_read_urand(dnssec_trigger_t) + @@ -38082,6 +38094,7 @@ index 0000000..0d3ca7a + +optional_policy(` + bind_read_config(dnssec_trigger_t) ++ bind_read_dnssec_keys(dnssec_trigger_t) +') + + @@ -50743,14 +50756,12 @@ index 0000000..eebfda8 + diff --git a/policy/modules/services/obex.if b/policy/modules/services/obex.if new file mode 100644 -index 0000000..2d78f06 +index 0000000..d3b9544 --- /dev/null +++ b/policy/modules/services/obex.if -@@ -0,0 +1,43 @@ +@@ -0,0 +1,77 @@ +## SELinux policy for obex-data-server + -+ -+ +######################################## +## +## Transition to obex. 
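Review bot: The dnssec.fc entry `/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)` replaces the narrower `/var/run/dnssec-triggerd(/.*)?`, and since file-context regexes are anchored it still matches every `/var/run/dnssec…` path, so runtime files from unrelated DNSSEC tooling would be labelled as dnssec-trigger state and become readable and writable by that daemon. If the daemon's runtime files share a longer common prefix, anchor on it (for example `/var/run/dnssec-trigger.*`, a constructed pattern to be checked against the real file names), or list the concrete paths. The same regex was dropped from bind.fc in the earlier hunk of this commit where it carried `named_var_run_t`, so the move is consistent; only the breadth is the concern.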
@@ -50790,6 +50801,42 @@ index 0000000..2d78f06 + allow $1 obex_t:dbus send_msg; + allow obex_t $1:dbus send_msg; +') ++ ++####################################### ++## ++## Role access for obex domains ++## that executes via dbus-session ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## User domain prefix to be used. ++## ++## ++# ++template(`obex_role',` ++ gen_require(` ++ type obex_t, obex_exec_t; ++ ') ++ ++ role $1 types obex_t; ++ ++ allow $2 obex_t:process signal_perms; ++ ps_process_pattern($2, obex_t) ++ ++ dbus_session_domain($3, obex_exec_t, obex_t) ++ ++ obex_dbus_chat($2) ++') diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te new file mode 100644 index 0000000..4a6f24c @@ -51134,7 +51181,7 @@ index d883214..d6afa87 100644 init_labeled_script_domtrans($1, openvpn_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index 8b550f4..6b73075 100644 +index 8b550f4..117a7ac 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0) @@ -51218,7 +51265,7 @@ index 8b550f4..6b73075 100644 logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -@@ -112,21 +122,21 @@ sysnet_exec_ifconfig(openvpn_t) +@@ -112,21 +122,23 @@ sysnet_exec_ifconfig(openvpn_t) sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) @@ -51226,6 +51273,8 @@ index 8b550f4..6b73075 100644 +userdom_use_inherited_user_terminals(openvpn_t) +userdom_read_home_certs(openvpn_t) +userdom_attach_admin_tun_iface(openvpn_t) ++userdom_read_inherited_user_tmp_files(openvpn_t) ++userdom_read_inherited_user_home_content_files(openvpn_t) tunable_policy(`openvpn_enable_homedirs',` - userdom_read_user_home_content_files(openvpn_t) 
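Review bot: `userdom_read_inherited_user_tmp_files(openvpn_t)` and `userdom_read_inherited_user_home_content_files(openvpn_t)` are added unconditionally, directly above the `openvpn_enable_homedirs` tunable that gates the ordinary home-content reads, and nothing in the hunk records why they bypass that boolean. If they are meant to cover only descriptors already handed to the daemon (no `open` permission), a comment such as `# inherited-descriptor reads only; not gated by openvpn_enable_homedirs` above the two lines would make the split deliberate; if they do grant `open`, they belong inside the tunable. The tunable block continues past the end of this hunk.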
@@ -51248,7 +51297,7 @@ index 8b550f4..6b73075 100644 optional_policy(` daemontools_service_domain(openvpn_t, openvpn_exec_t) -@@ -138,3 +148,7 @@ optional_policy(` +@@ -138,3 +150,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') @@ -51827,10 +51876,10 @@ index 0000000..548d0a2 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..ad76682 +index 0000000..44c7098 --- /dev/null +++ b/policy/modules/services/piranha.te -@@ -0,0 +1,300 @@ +@@ -0,0 +1,302 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -52020,7 +52069,9 @@ index 0000000..ad76682 + +corecmd_exec_bin(piranha_pulse_t) +corecmd_exec_shell(piranha_pulse_t) -+consoletype_exec(piranha_pulse_t) ++optional_policy(` ++ consoletype_exec(piranha_pulse_t) ++') + +corenet_udp_bind_apertus_ldp_port(piranha_pulse_t) +corenet_udp_bind_cma_port(piranha_pulse_t) @@ -67010,7 +67061,7 @@ index 7c5d8d8..e6bb21e 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..c0eaf5e 100644 +index 3eca020..aef43eb 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0) @@ -67568,7 +67619,7 @@ index 3eca020..c0eaf5e 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +627,365 @@ files_search_all(virt_domain) +@@ -440,25 +627,368 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) 
@@ -67576,12 +67627,12 @@ index 3eca020..c0eaf5e 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -67768,6 +67819,7 @@ index 3eca020..c0eaf5e 100644 + +files_read_etc_files(virtd_lxc_t) +files_read_usr_files(virtd_lxc_t) ++files_relabel_rootfs(virtd_lxc_t) +files_mounton_non_security(virtd_lxc_t) +files_mount_all_file_type_fs(virtd_lxc_t) +files_unmount_all_file_type_fs(virtd_lxc_t) @@ -67789,6 +67841,7 @@ index 3eca020..c0eaf5e 100644 + +term_use_generic_ptys(virtd_lxc_t) +term_use_ptmx(virtd_lxc_t) ++term_relabel_pty_fs(virtd_lxc_t) + +auth_use_nsswitch(virtd_lxc_t) + @@ -67797,6 +67850,7 @@ index 3eca020..c0eaf5e 100644 +miscfiles_read_localization(virtd_lxc_t) + +seutil_domtrans_setfiles(virtd_lxc_t) ++seutil_read_default_contexts(virtd_lxc_t) + +sysnet_domtrans_ifconfig(virtd_lxc_t) + 
@@ -67811,12 +67865,12 @@ index 3eca020..c0eaf5e 100644 +# +allow svirt_lxc_domain self:capability { kill setuid setgid dac_override }; + ++allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_lxc_domain:process { signal_perms }; +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; -+ +allow svirt_lxc_domain virtd_lxc_t:fd use; +allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms; -+dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write }; ++allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; + +allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +allow svirt_lxc_domain self:fifo_file manage_file_perms; @@ -74101,7 +74155,7 @@ index 94fd8dd..5a52670 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..26fe806 100644 +index 29a9565..854f935 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -74296,7 +74350,7 @@ index 29a9565..26fe806 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,16 +252,142 @@ tunable_policy(`init_upstart',` +@@ -186,16 +252,143 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -74404,6 +74458,7 @@ index 29a9565..26fe806 100644 + systemd_manage_unit_dirs(init_t) + systemd_manage_all_unit_files(init_t) + systemd_logger_stream_connect(init_t) ++ systemd_filetrans_named_content(init_t) + + create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + @@ -74441,7 +74496,7 @@ index 29a9565..26fe806 100644 ') optional_policy(` -@@ -203,6 +395,17 @@ optional_policy(` +@@ -203,6 +396,17 @@ optional_policy(` ') optional_policy(` 
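Review bot: The `@@ -67811` hunk replaces `dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write }` with `allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }`, which turns a silenced denial into a usable channel from every container domain back to the LXC controller, yet nothing in the hunk says which socket this serves. The paired new rule `allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }` likewise has no comment. Suggest a why-comment above the pair, e.g. `# container <-> lxc controller communication over the controller's unix stream socket`, and, if a dedicated socket type exists for that channel, prefer it over granting connect and read/write on all of virtd_lxc_t's stream sockets. The svirt_lxc_domain rule block continues outside the hunk.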
@@ -74459,7 +74514,7 @@ index 29a9565..26fe806 100644 unconfined_domain(init_t) ') -@@ -212,7 +415,8 @@ optional_policy(` +@@ -212,7 +416,8 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -74469,7 +74524,7 @@ index 29a9565..26fe806 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +445,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +446,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -74485,7 +74540,7 @@ index 29a9565..26fe806 100644 init_write_initctl(initrc_t) -@@ -258,20 +465,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +466,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -74522,7 +74577,7 @@ index 29a9565..26fe806 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +498,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +499,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -74530,7 +74585,7 @@ index 29a9565..26fe806 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +509,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +510,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -74541,7 +74596,7 @@ index 29a9565..26fe806 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,17 +520,16 @@ dev_manage_generic_files(initrc_t) +@@ -298,17 +521,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -74561,7 +74616,7 @@ index 29a9565..26fe806 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -316,6 +537,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +538,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -74569,7 +74624,7 @@ index 29a9565..26fe806 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +545,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +546,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -74581,7 +74636,7 @@ index 29a9565..26fe806 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +564,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +565,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -74595,7 +74650,7 @@ index 29a9565..26fe806 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,9 +579,12 @@ fs_mount_all_fs(initrc_t) +@@ -351,9 +580,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -74609,7 +74664,7 @@ index 29a9565..26fe806 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -363,6 +594,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +595,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -74617,7 +74672,7 @@ index 29a9565..26fe806 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +606,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +607,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -74625,7 +74680,7 @@ index 29a9565..26fe806 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +627,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +628,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -74647,7 +74702,7 @@ index 29a9565..26fe806 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +690,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +691,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -74658,7 +74713,7 @@ index 29a9565..26fe806 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +714,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +715,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -74667,7 +74722,7 @@ index 29a9565..26fe806 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +729,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +730,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -74675,7 +74730,7 @@ index 29a9565..26fe806 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +759,35 @@ ifdef(`distro_redhat',` +@@ -522,8 +760,35 @@ ifdef(`distro_redhat',` ') optional_policy(` 
@@ -74711,7 +74766,7 @@ index 29a9565..26fe806 100644 ') optional_policy(` -@@ -531,10 +795,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +796,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -74734,7 +74789,7 @@ index 29a9565..26fe806 100644 ') optional_policy(` -@@ -549,6 +825,39 @@ ifdef(`distro_suse',` +@@ -549,6 +826,39 @@ ifdef(`distro_suse',` ') ') @@ -74774,7 +74829,7 @@ index 29a9565..26fe806 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +870,8 @@ optional_policy(` +@@ -561,6 +871,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -74783,7 +74838,7 @@ index 29a9565..26fe806 100644 ') optional_policy(` -@@ -577,6 +888,7 @@ optional_policy(` +@@ -577,6 +889,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -74791,7 +74846,7 @@ index 29a9565..26fe806 100644 ') optional_policy(` -@@ -589,6 +901,17 @@ optional_policy(` +@@ -589,6 +902,17 @@ optional_policy(` ') optional_policy(` @@ -74809,7 +74864,7 @@ index 29a9565..26fe806 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +928,13 @@ optional_policy(` +@@ -605,9 +929,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -74823,7 +74878,7 @@ index 29a9565..26fe806 100644 ') optional_policy(` -@@ -632,6 +959,10 @@ optional_policy(` +@@ -632,6 +960,10 @@ optional_policy(` ') optional_policy(` @@ -74834,7 +74889,7 @@ index 29a9565..26fe806 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +980,11 @@ optional_policy(` +@@ -649,6 +981,11 @@ optional_policy(` ') optional_policy(` @@ -74846,7 +74901,7 @@ index 29a9565..26fe806 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1025,7 @@ optional_policy(` +@@ -689,6 +1026,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) 
@@ -74854,7 +74909,7 @@ index 29a9565..26fe806 100644 ') optional_policy(` -@@ -706,7 +1043,13 @@ optional_policy(` +@@ -706,7 +1044,13 @@ optional_policy(` ') optional_policy(` @@ -74868,7 +74923,7 @@ index 29a9565..26fe806 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1072,10 @@ optional_policy(` +@@ -729,6 +1073,10 @@ optional_policy(` ') optional_policy(` @@ -74879,7 +74934,7 @@ index 29a9565..26fe806 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1085,20 @@ optional_policy(` +@@ -738,10 +1086,20 @@ optional_policy(` ') optional_policy(` @@ -74900,7 +74955,7 @@ index 29a9565..26fe806 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1107,10 @@ optional_policy(` +@@ -750,6 +1108,10 @@ optional_policy(` ') optional_policy(` @@ -74911,7 +74966,7 @@ index 29a9565..26fe806 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1132,6 @@ optional_policy(` +@@ -771,8 +1133,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -74920,7 +74975,7 @@ index 29a9565..26fe806 100644 ') optional_policy(` -@@ -781,6 +1140,10 @@ optional_policy(` +@@ -781,6 +1141,10 @@ optional_policy(` ') optional_policy(` @@ -74931,7 +74986,7 @@ index 29a9565..26fe806 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -790,10 +1153,12 @@ optional_policy(` +@@ -790,10 +1154,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -74944,7 +74999,7 @@ index 29a9565..26fe806 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1170,6 @@ optional_policy(` +@@ -805,7 +1171,6 @@ optional_policy(` ') optional_policy(` @@ -74952,7 +75007,7 @@ index 29a9565..26fe806 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1179,25 @@ optional_policy(` +@@ -815,11 +1180,25 @@ optional_policy(` ') optional_policy(` 
@@ -74979,7 +75034,7 @@ index 29a9565..26fe806 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1207,18 @@ optional_policy(` +@@ -829,6 +1208,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -74998,7 +75053,7 @@ index 29a9565..26fe806 100644 ') optional_policy(` -@@ -844,6 +1234,10 @@ optional_policy(` +@@ -844,6 +1235,10 @@ optional_policy(` ') optional_policy(` @@ -75009,7 +75064,7 @@ index 29a9565..26fe806 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1248,161 @@ optional_policy(` +@@ -854,3 +1249,161 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -75591,17 +75646,21 @@ index f3e1b57..d7fd7fb 100644 ') diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc -index 14d9670..7742cf4 100644 +index 14d9670..16d4a57 100644 --- a/policy/modules/system/iscsi.fc +++ b/policy/modules/system/iscsi.fc -@@ -1,7 +1,12 @@ +@@ -1,7 +1,16 @@ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) /sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) ++ /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) ++ /var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) ++/var/log/iscsiuio\.log.* gen_context(system_u:object_r:iscsi_log_t,s0) ++ /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) + +/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) @@ -80480,10 +80539,10 @@ index 0000000..0d3e625 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..929dfde +index 0000000..a142bb1 --- /dev/null 
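Review bot: The new `/var/log/iscsiuio\.log.*` entry in the iscsi.fc hunk (`@@ -75591`) has no file-type field, whereas the neighbouring `/var/log/brcm-iscsi\.log` entry is restricted to regular files with `--`; as written the pattern would also label a directory or other object whose name starts with iscsiuio.log. If the intent is only the log and its rotated copies, `/var/log/iscsiuio\.log.*	--	gen_context(system_u:object_r:iscsi_log_t,s0)` keeps it consistent with its sibling. The inner file_contexts hunk continues past the context shown here.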
+++ b/policy/modules/system/systemd.if -@@ -0,0 +1,547 @@ +@@ -0,0 +1,567 @@ +## SELinux policy for systemd components + +####################################### @@ -81031,6 +81090,26 @@ index 0000000..929dfde +') + + ++######################################## ++## ++## Transition to systemd named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_filetrans_named_content',` ++ gen_require(` ++ type systemd_passwd_var_run_t; ++ ') ++ ++ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block") ++ init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") ++') ++ ++ diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 index 0000000..ca4e7d9 diff --git a/selinux-policy.spec b/selinux-policy.spec index 852547e..acb783e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,12 +19,11 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 85%{?dist} +Release: 86%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz patch: policy-F16.patch -patch1: unconfined_permissive.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -242,7 +241,6 @@ Based off of reference policy: Checked out revision 2.20091117 %prep %setup -n serefpolicy-%{version} -q %patch -p1 -%patch1 -p1 -b .unconfined %install mkdir selinux_config 
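Review bot: The summary of the new `systemd_filetrans_named_content` interface in the `@@ -81031` hunk reads `Transition to systemd named content`, but the body only adds two `init_named_pid_filetrans` rules, for the `ask-password` and `ask-password-block` directories, so the documentation promises more than the interface delivers. Suggest `## Create the systemd ask-password and ask-password-block directories under the init pid directory with the systemd_passwd_var_run_t type` as the summary, so a caller such as the `systemd_filetrans_named_content(init_t)` line added in init.te knows other systemd named content is not covered. The interface requires only `systemd_passwd_var_run_t`; if further named directories are added later, the summary and the require block should grow together.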
@@ -483,6 +481,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Feb 10 2012 Miroslav Grepl 3.10.0-86 +- make consoletype_exec optional, so we can remove consoletype policy +- remove unconfined_permisive.patch +- Allow openvpn_t to inherit user home content and tmp content +- Fix dnssec-trigger labeling +- Turn on obex policy for staff_t +- Pem files should not be secret +- Add lots of rules to fix AVC's when playing with containers +- Fix policy for dnssec +- Label ask-passwd directories correctly for systemd + * Thu Feb 9 2012 Miroslav Grepl 3.10.0-85 - sshd fixes seem to be causing unconfined domains to dyntrans to themselves - fuse file system is now being mounted in /run/user