diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index c09ae40..4cc0f25 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9193,7 +9193,7 @@ index cf04cb5..c8fc903 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..be423a7 100644 +index c2c6e05..d14e35b 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9390,7 +9390,7 @@ index c2c6e05..be423a7 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +243,22 @@ ifndef(`distro_redhat',` +@@ -237,11 +243,24 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9408,13 +9408,15 @@ index c2c6e05..be423a7 100644 +/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) + ++/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0) ++ +/var/lock -d gen_context(system_u:object_r:var_lock_t,s0) +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) +/var/lock/.* <> /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +273,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +275,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> 
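Review bot: In the hunk at @@ -9408 the new files.fc entry `/var/lib/servicelog/servicelog.db --` leaves the dot unescaped, so the regex also matches names like servicelog-db or servicelogXdb; the neighbouring entries in this file escape literal metacharacters (`/var/\.journal`, `lost\+found`), so it should read `/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0)`. Only that single file is labeled system_db_t: the directory /var/lib/servicelog itself stays var_lib_t and nothing in this hunk labels anything else that may be written next to the database, so a `/var/lib/servicelog(/.*)?` rule with its own type may be needed. Whether the daemon writes companion files there is not visible from this hunk and should be confirmed with whoever owns servicelog.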
@@ -9429,14 +9431,14 @@ index c2c6e05..be423a7 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +289,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +291,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..27c051d 100644 +index 64ff4d7..4adeb32 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10440,7 +10442,7 @@ index 64ff4d7..27c051d 100644 ') ######################################## -@@ -4199,14 +4748,141 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,14 +4748,178 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -10577,6 +10579,43 @@ index 64ff4d7..27c051d 100644 + filetrans_pattern($1, etc_t, system_conf_t, file) +') + ++###################################### ++## ++## Manage manageable system db files in /var/lib. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_system_db_files',` ++ gen_require(` ++ type var_lib_t, system_db_t; ++ ') ++ ++ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) ++ files_filetrans_system_db_named_files($1) ++') ++ ++##################################### ++## ++## File name transition for system db files in /var/lib. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_filetrans_system_db_named_files',` ++ gen_require(` ++ type var_lib_t, system_db_t; ++ ') ++ ++ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") ++') ++ +######################################## +## +## Allow the specified type to associate 
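Review bot: `files_manage_system_db_files` never grants search on var_t, so a caller with no other route into /var cannot reach /var/lib at all; the sibling interfaces in this file route through the parent (`search_dirs_pattern($1, var_t, var_lock_t)` in files_search_locks, `{ var_t var_lib_t }` in files_read_var_lib_symlinks), so add `search_dirs_pattern($1, var_t, var_lib_t)` ahead of the manage_files_pattern line. The grant is also wider than the name suggests: `manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)` gives rw_dir_perms on every var_lib_t directory plus full manage on every system_db_t file, not just servicelog.db, and the header `Manage manageable system db files in /var/lib.` should say so, e.g. `Create, read, write and delete all system_db_t database files in any /var/lib directory, with a name transition for servicelog.db.`. Because the name transition in `files_filetrans_system_db_named_files` fires only for the literal `servicelog.db`, any companion file created beside it (a journal or temporary file, if the database library writes one) is labeled var_lib_t and is not writable through this interface; if that happens in practice the /var/lib/servicelog directory needs a type of its own rather than a wider grant here.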
@@ -10588,7 +10627,7 @@ index 64ff4d7..27c051d 100644 ## Type of the file to associate. ## ## -@@ -4221,6 +4897,26 @@ interface(`files_associate_tmp',` +@@ -4221,6 +4934,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -10615,7 +10654,7 @@ index 64ff4d7..27c051d 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4234,17 +4930,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4234,17 +4967,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -10654,7 +10693,7 @@ index 64ff4d7..27c051d 100644 ## ## # -@@ -4271,6 +4987,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +5024,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -10662,7 +10701,7 @@ index 64ff4d7..27c051d 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +5024,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +5061,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -10670,7 +10709,7 @@ index 64ff4d7..27c051d 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +5034,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +5071,7 @@ interface(`files_list_tmp',` ## ## ## @@ -10679,7 +10718,7 @@ index 64ff4d7..27c051d 100644 ## ## # -@@ -4328,6 +5046,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +5083,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -10705,7 +10744,7 @@ index 64ff4d7..27c051d 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4343,6 +5080,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +5117,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -10713,7 +10752,7 @@ index 64ff4d7..27c051d 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4384,6 +5122,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,6 +5159,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## 
@@ -10746,7 +10785,7 @@ index 64ff4d7..27c051d 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4438,6 +5202,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4438,6 +5239,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -10789,7 +10828,7 @@ index 64ff4d7..27c051d 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4456,6 +5256,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4456,6 +5293,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -10850,7 +10889,7 @@ index 64ff4d7..27c051d 100644 ## List all tmp directories. ## ## -@@ -4501,7 +5355,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4501,7 +5392,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -10859,7 +10898,7 @@ index 64ff4d7..27c051d 100644 ## ## # -@@ -4561,7 +5415,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4561,7 +5452,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -10868,7 +10907,7 @@ index 64ff4d7..27c051d 100644 ## ## # -@@ -4593,6 +5447,44 @@ interface(`files_read_all_tmp_files',` +@@ -4593,6 +5484,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -10913,7 +10952,7 @@ index 64ff4d7..27c051d 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4646,6 +5538,16 @@ interface(`files_purge_tmp',` +@@ -4646,6 +5575,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -10930,14 +10969,17 @@ index 64ff4d7..27c051d 100644 ') ######################################## -@@ -5223,6 +6125,24 @@ interface(`files_list_var',` +@@ -5223,12 +6162,30 @@ interface(`files_list_var',` ######################################## ## +-## Create, read, write, and delete directories +-## in the /var directory. +## Do not audit listing of the var directory (/var). -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. +## +## @@ -10952,30 +10994,30 @@ index 64ff4d7..27c051d 100644 + +######################################## +## - ## Create, read, write, and delete directories - ## in the /var directory. - ## -@@ -5578,13 +6498,10 @@ interface(`files_read_var_lib_symlinks',` ++## Create, read, write, and delete directories ++## in the /var directory. ++## ++## ++## ++## Domain allowed access. + ## + ## + # +@@ -5578,6 +6535,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') --# cjp: the next two interfaces really need to be fixed --# in some way. They really neeed their own types. -- - ######################################## - ## --## Create, read, write, and delete the --## pseudorandom number generator seed. ++######################################## ++## +## manage generic symbolic links +## in the /var/lib directory. - ## - ## - ## -@@ -5592,7 +6509,29 @@ interface(`files_read_var_lib_symlinks',` - ## - ## - # --interface(`files_manage_urandom_seed',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_var_lib_symlinks',` + gen_require(` + type var_lib_t; 
@@ -10984,25 +11026,10 @@ index 64ff4d7..27c051d 100644 + manage_lnk_files_pattern($1,var_lib_t,var_lib_t) +') + -+# cjp: the next two interfaces really need to be fixed -+# in some way. They really neeed their own types. -+ -+######################################## -+## -+## Create, read, write, and delete the -+## pseudorandom number generator seed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_urandom_seed',` - gen_require(` - type var_t, var_lib_t; - ') -@@ -5623,7 +6562,7 @@ interface(`files_manage_mounttab',` + # cjp: the next two interfaces really need to be fixed + # in some way. They really neeed their own types. + +@@ -5623,7 +6599,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -11011,7 +11038,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -5631,12 +6570,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6607,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11027,7 +11054,7 @@ index 64ff4d7..27c051d 100644 ') ######################################## -@@ -5654,6 +6594,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6631,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11035,7 +11062,7 @@ index 64ff4d7..27c051d 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6621,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6658,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11063,7 +11090,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -5688,13 +6648,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6685,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11080,7 +11107,7 @@ index 64ff4d7..27c051d 100644 ') ######################################## -@@ -5713,7 +6672,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6709,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -11089,7 +11116,7 @@ index 64ff4d7..27c051d 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6705,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6742,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11097,7 +11124,7 @@ index 64ff4d7..27c051d 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5761,7 +6719,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5761,7 +6756,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11106,7 +11133,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -5769,13 +6727,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,13 +6764,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -11141,7 +11168,7 @@ index 64ff4d7..27c051d 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6769,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6806,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11159,7 +11186,7 @@ index 64ff4d7..27c051d 100644 ') ######################################## -@@ -5816,9 +6793,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6830,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11170,7 +11197,7 @@ index 64ff4d7..27c051d 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6835,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6872,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11180,7 +11207,7 @@ index 64ff4d7..27c051d 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6857,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6894,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -11190,7 +11217,7 @@ index 64ff4d7..27c051d 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6894,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6931,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11200,7 +11227,7 @@ index 64ff4d7..27c051d 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5961,7 +6933,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +6970,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11209,7 +11236,7 @@ index 64ff4d7..27c051d 100644 allow $1 var_run_t:dir setattr; ') -@@ -5981,10 +6953,48 @@ interface(`files_search_pids',` +@@ -5981,10 +6990,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -11258,7 +11285,7 @@ index 64ff4d7..27c051d 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +7017,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +7054,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -11284,7 +11311,7 @@ index 64ff4d7..27c051d 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6021,7 +7050,7 @@ interface(`files_list_pids',` +@@ -6021,7 +7087,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -11293,7 +11320,7 @@ index 64ff4d7..27c051d 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6040,7 +7069,7 @@ interface(`files_read_generic_pids',` +@@ -6040,7 +7106,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -11302,7 +11329,7 @@ index 64ff4d7..27c051d 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6060,7 +7089,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7126,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') 
@@ -11311,7 +11338,7 @@ index 64ff4d7..27c051d 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6122,7 +7151,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7188,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11319,7 +11346,7 @@ index 64ff4d7..27c051d 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6151,6 +7179,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6151,6 +7216,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11344,7 +11371,7 @@ index 64ff4d7..27c051d 100644 ## Read and write generic process ID files. ## ## -@@ -6164,7 +7210,7 @@ interface(`files_rw_generic_pids',` +@@ -6164,7 +7247,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -11353,7 +11380,7 @@ index 64ff4d7..27c051d 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6231,55 +7277,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +7314,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -11416,7 +11443,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -6287,42 +7321,35 @@ interface(`files_delete_all_pids',` +@@ -6287,42 +7358,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -11466,7 +11493,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -6330,18 +7357,18 @@ interface(`files_manage_all_pids',` +@@ -6330,18 +7394,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -11490,7 +11517,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -6349,37 +7376,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6349,37 +7413,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -11542,7 +11569,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -6387,18 +7417,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6387,18 +7454,17 @@ interface(`files_dontaudit_search_spool',` ## ## # 
@@ -11565,7 +11592,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -6406,18 +7435,18 @@ interface(`files_list_spool',` +@@ -6406,18 +7472,18 @@ interface(`files_list_spool',` ## ## # @@ -11589,7 +11616,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -6425,19 +7454,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6425,19 +7491,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -11614,7 +11641,7 @@ index 64ff4d7..27c051d 100644 ## ## ## -@@ -6445,55 +7473,43 @@ interface(`files_read_generic_spool',` +@@ -6445,45 +7510,312 @@ interface(`files_read_generic_spool',` ## ## # @@ -11665,31 +11692,27 @@ index 64ff4d7..27c051d 100644 - type var_t, var_spool_t; + attribute pidfile; + type var_t, var_run_t; - ') - ++ ') ++ + files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Delete all process ID directories. - ## - ## - ## -@@ -6501,7 +7517,286 @@ interface(`files_spool_filetrans',` - ## - ## - # --interface(`files_polyinstantiate_all',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; 
@@ -11952,28 +11975,10 @@ index 64ff4d7..27c051d 100644 +interface(`files_spool_filetrans',` + gen_require(` + type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Allow access to manage all polyinstantiated -+## directories on the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_polyinstantiate_all',` - gen_require(` - attribute polydir, polymember, polyparent; - type poly_t; -@@ -6562,3 +7857,491 @@ interface(`files_unconfined',` + ') + + allow $1 var_t:dir search_dir_perms; +@@ -6562,3 +7894,491 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -12466,7 +12471,7 @@ index 64ff4d7..27c051d 100644 + allow $1 etc_t:service status; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 148d87a..822f6be 100644 +index 148d87a..15e8466 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.17.5) @@ -12486,7 +12491,7 @@ index 148d87a..822f6be 100644 # For labeling types that are to be polyinstantiated attribute polydir; -@@ -48,28 +52,40 @@ attribute usercanread; +@@ -48,28 +52,45 @@ attribute usercanread; # type boot_t; files_mountpoint(boot_t) @@ -12519,6 +12524,11 @@ index 148d87a..822f6be 100644 +# compatibility aliases for removed type: +typealias system_conf_t alias iptables_conf_t; + ++# system_db_t is a new type of various ++# db files. ++type system_db_t; ++files_type(system_db_t) ++ # # etc_runtime_t is the type of various # files in /etc that are automatically 
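Review bot: The declaration comment `# system_db_t is a new type of various db files.` in files.te does not say which files or where they live; from this patch the only object of that type is /var/lib/servicelog/servicelog.db and the only writer is rtas_errd_t via files_manage_system_db_files. Suggest `# system_db_t: generic type for system-wide database files kept under /var/lib (currently only /var/lib/servicelog/servicelog.db); domains obtain it through files_manage_system_db_files()`. Since this is a kernel-layer type shared by every caller of that interface, the comment should also warn that each caller gets manage access to every file of the type, so a per-daemon database should get its own private type instead of being labeled system_db_t.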
@@ -12529,7 +12539,7 @@ index 148d87a..822f6be 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -@@ -81,6 +97,7 @@ typealias etc_runtime_t alias firstboot_rw_t; +@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t; # type file_t; files_mountpoint(file_t) @@ -12537,7 +12547,7 @@ index 148d87a..822f6be 100644 kernel_rootfs_mountpoint(file_t) sid file gen_context(system_u:object_r:file_t,s0) -@@ -89,6 +106,7 @@ sid file gen_context(system_u:object_r:file_t,s0) +@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0) # are created # type home_root_t; @@ -12545,7 +12555,7 @@ index 148d87a..822f6be 100644 files_mountpoint(home_root_t) files_poly_parent(home_root_t) -@@ -96,12 +114,13 @@ files_poly_parent(home_root_t) +@@ -96,12 +119,13 @@ files_poly_parent(home_root_t) # lost_found_t is the type for the lost+found directories. # type lost_found_t; @@ -12560,7 +12570,7 @@ index 148d87a..822f6be 100644 files_mountpoint(mnt_t) # -@@ -123,6 +142,7 @@ files_type(readable_t) +@@ -123,6 +147,7 @@ files_type(readable_t) # root_t is the type for rootfs and the root directory. # type root_t; @@ -12568,7 +12578,7 @@ index 148d87a..822f6be 100644 files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) -@@ -133,52 +153,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) +@@ -133,52 +158,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # type src_t; files_mountpoint(src_t) @@ -12632,7 +12642,7 @@ index 148d87a..822f6be 100644 files_pid_file(var_run_t) files_mountpoint(var_run_t) -@@ -186,7 +217,9 @@ files_mountpoint(var_run_t) +@@ -186,7 +222,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # type var_spool_t; 
@@ -12642,7 +12652,7 @@ index 148d87a..822f6be 100644 ######################################## # -@@ -225,10 +258,11 @@ fs_associate_tmpfs(tmpfsfile) +@@ -225,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile) # Create/access any file in a labeled filesystem; allow files_unconfined_type file_type:{ file chr_file } ~execmod; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3ce5e12..a454f43 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -60749,7 +60749,7 @@ index efcb653..ff2c96a 100644 +/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) +/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/ppp.if b/ppp.if -index cd8b8b9..cde0d62 100644 +index cd8b8b9..6c73980 100644 --- a/ppp.if +++ b/ppp.if @@ -1,110 +1,91 @@ @@ -61089,7 +61089,13 @@ index cd8b8b9..cde0d62 100644 ## ## ## -@@ -413,37 +388,25 @@ interface(`ppp_manage_pid_files',` +@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',` + ') + + files_search_pids($1) +- allow $1 pppd_var_run_t:file manage_file_perms; ++ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) + ') ######################################## ## 
@@ -76246,6 +76252,263 @@ index e3e7c96..ec50426 100644 - inetd_service_domain(rsync_t, rsync_exec_t) + swift_manage_data_files(rsync_t) ') +diff --git a/rtas.fc b/rtas.fc +new file mode 100644 +index 0000000..25d96cb +--- /dev/null ++++ b/rtas.fc +@@ -0,0 +1,13 @@ ++/usr/lib/systemd/system/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_unit_file_t,s0) ++ ++/usr/sbin/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0) ++ ++/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t) ++/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t) ++ ++/var/log/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_log_t) ++/var/log/platform -- gen_context(system_u:object_r:rtas_errd_log_t) ++/var/log/epow_status -- gen_context(system_u:object_r:rtas_errd_log_t) ++ ++/var/run/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_var_run_t,s0) ++ +diff --git a/rtas.if b/rtas.if +new file mode 100644 +index 0000000..9381936 +--- /dev/null ++++ b/rtas.if +@@ -0,0 +1,166 @@ ++ ++## rtas_errd - Platform diagnostics report firmware events ++ ++######################################## ++## ++## Execute TEMPLATE in the rtas_errd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rtas_errd_domtrans',` ++ gen_require(` ++ type rtas_errd_t, rtas_errd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t) ++') ++######################################## ++## ++## Read rtas_errd's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`rtas_errd_read_log',` ++ gen_require(` ++ type rtas_errd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) ++') ++ ++######################################## ++## ++## Append to rtas_errd log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rtas_errd_append_log',` ++ gen_require(` ++ type rtas_errd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) ++') ++ ++######################################## ++## ++## Manage rtas_errd log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rtas_errd_manage_log',` ++ gen_require(` ++ type rtas_errd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t) ++ manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) ++ manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) ++') ++######################################## ++## ++## Read rtas_errd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rtas_errd_read_pid_files',` ++ gen_require(` ++ type rtas_errd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t) ++') ++ ++######################################## ++## ++## Execute rtas_errd server in the rtas_errd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rtas_errd_systemctl',` ++ gen_require(` ++ type rtas_errd_t; ++ type rtas_errd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rtas_errd_unit_file_t:file read_file_perms; ++ allow $1 rtas_errd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rtas_errd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rtas_errd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`rtas_errd_admin',` ++ gen_require(` ++ type rtas_errd_t; ++ type rtas_errd_log_t; ++ type rtas_errd_var_run_t; ++ type rtas_errd_unit_file_t; ++ ') ++ ++ allow $1 rtas_errd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, rtas_errd_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, rtas_errd_log_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, rtas_errd_var_run_t) ++ ++ rtas_errd_systemctl($1) ++ admin_pattern($1, rtas_errd_unit_file_t) ++ allow $1 rtas_errd_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/rtas.te b/rtas.te +new file mode 100644 +index 0000000..4e6663f +--- /dev/null ++++ b/rtas.te +@@ -0,0 +1,60 @@ ++policy_module(rtas, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rtas_errd_t; ++type rtas_errd_exec_t; ++init_daemon_domain(rtas_errd_t, rtas_errd_exec_t) ++ ++type rtas_errd_log_t; ++logging_log_file(rtas_errd_log_t) ++ ++type rtas_errd_var_run_t; ++files_pid_file(rtas_errd_var_run_t) ++ ++type rtas_errd_var_lock_t; ++files_lock_file(rtas_errd_var_lock_t) ++ ++type rtas_errd_unit_file_t; ++systemd_unit_file(rtas_errd_unit_file_t) ++ ++######################################## ++# ++# rtas_errd local policy ++# ++ ++allow rtas_errd_t self:capability sys_admin; ++allow rtas_errd_t self:process fork; ++allow rtas_errd_t self:fifo_file rw_fifo_file_perms; ++allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t) ++manage_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t) ++manage_lnk_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t) ++logging_log_filetrans(rtas_errd_t, rtas_errd_log_t, { dir file lnk_file }) ++ ++manage_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t) 
++manage_lnk_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t) ++files_lock_filetrans(rtas_errd_t,rtas_errd_var_lock_t, { dir file } ) ++ ++manage_dirs_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t) ++manage_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t) ++manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t) ++files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file }) ++ ++kernel_read_system_state(rtas_errd_t) ++ ++auth_use_nsswitch(rtas_errd_t) ++ ++corecmd_exec_bin(rtas_errd_t) ++ ++dev_read_raw_memory(rtas_errd_t) ++dev_write_raw_memory(rtas_errd_t) ++ ++files_manage_system_db_files(rtas_errd_t) ++ ++logging_read_generic_logs(rtas_errd_t) ++ diff --git a/rtkit.if b/rtkit.if index bd35afe..051addd 100644 --- a/rtkit.if diff --git a/selinux-policy.spec b/selinux-policy.spec index 319b537..aed549e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 91%{?dist} +Release: 92%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -572,6 +572,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Oct 17 2013 Miroslav Grepl 3.12.1-92 +- Add rtas policy + * Thu Oct 17 2013 Miroslav Grepl 3.12.1-91 - Allow mailserver_domains to manage and transition to mailman data - Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands
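Review bot: Five of the seven file contexts in the new rtas.fc omit the MLS level — `/var/lock/subsys/rtas_errd`, `/var/lock/.*librtas`, `/var/log/rtas_errd.*`, `/var/log/platform` and `/var/log/epow_status` end in `gen_context(system_u:object_r:rtas_errd_var_lock_t)` / `...rtas_errd_log_t)` with no `,s0`, while the unit-file, exec and `/var/run` entries have it; the spec in this same diff also builds an mls variant, where gen_context appends the second argument verbatim as the level and these entries would therefore yield a context with an empty level, so each should read e.g. `/var/log/platform -- gen_context(system_u:object_r:rtas_errd_log_t,s0)`. In rtas.if, `rtas_errd_admin` applies admin_pattern to the log, pid and unit-file types but never to `rtas_errd_var_lock_t`, which rtas.te declares and rtas.fc labels, so an admin role cannot remove a stale `/var/lock/subsys/rtas_errd`; add `files_search_locks($1)` and `admin_pattern($1, rtas_errd_var_lock_t)`. The `rtas_errd_domtrans` header still carries the template placeholder `Execute TEMPLATE in the rtas_errd domin.` and should say `Execute rtas_errd in the rtas_errd domain.`. Finally, rtas.te grants `dev_write_raw_memory(rtas_errd_t)` alongside `sys_admin`, and a domain that can write raw memory devices is not meaningfully confined by the rest of this policy; a why-comment above those two lines, such as `# write access to raw memory is needed to talk to platform firmware (RTAS) — confirm read alone is not sufficient`, would at least record the justification for reviewers.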