diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 56656df..c1404bd 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3021,7 +3021,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..330ed39 100644 +index 644d4d7..d2dbf35 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3089,11 +3089,12 @@ index 644d4d7..330ed39 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -134,10 +146,11 @@ ifdef(`distro_debian',` +@@ -134,10 +146,12 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0) /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) @@ -3102,7 +3103,7 @@ index 644d4d7..330ed39 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -151,7 +164,7 @@ ifdef(`distro_gentoo',` +@@ -151,7 +165,7 @@ ifdef(`distro_gentoo',` # # /sbin # @@ -3111,7 +3112,7 @@ index 644d4d7..330ed39 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -167,6 +180,7 @@ ifdef(`distro_gentoo',` +@@ -167,6 +181,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3119,7 +3120,7 @@ index 644d4d7..330ed39 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -178,33 +192,49 @@ ifdef(`distro_gentoo',` +@@ -178,33 +193,49 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3178,7 +3179,7 @@ index 644d4d7..330ed39 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -215,18 +245,28 @@ ifdef(`distro_gentoo',` +@@ -215,18 +246,28 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3214,7 +3215,7 @@ index 644d4d7..330ed39 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -241,10 +281,15 @@ ifdef(`distro_gentoo',` +@@ -241,10 +282,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3230,7 +3231,7 @@ index 644d4d7..330ed39 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -257,10 +302,17 @@ ifdef(`distro_gentoo',` +@@ -257,10 +303,17 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3251,7 +3252,7 @@ index 644d4d7..330ed39 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -276,10 +328,15 @@ ifdef(`distro_gentoo',` +@@ -276,10 +329,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -3267,7 +3268,7 @@ index 644d4d7..330ed39 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -294,16 +351,22 @@ ifdef(`distro_gentoo',` +@@ -294,16 +352,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3292,7 +3293,7 @@ index 644d4d7..330ed39 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -321,20 +384,27 @@ ifdef(`distro_redhat', ` +@@ -321,20 +385,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3321,7 +3322,7 @@ index 644d4d7..330ed39 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +453,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +454,15 @@ ifdef(`distro_suse', ` # # /var # @@ -3338,7 +3339,7 @@ index 644d4d7..330ed39 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +471,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +472,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -3352,10 +3353,33 @@ index 644d4d7..330ed39 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..87d577e 100644 +index 9e9263a..979f47f 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if -@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',` +@@ -8,6 +8,22 @@ + ## run init. + ## + ++##################################### ++## ++## corecmd stub bin_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`corecmd_stub_bin',` ++ gen_require(` ++ type bin_t; ++ ') ++') ++ + ######################################## + ## + ## Make the specified type usable for files +@@ -122,6 +138,7 @@ interface(`corecmd_search_bin',` type bin_t; ') @@ -3363,7 +3387,7 @@ index 9e9263a..87d577e 100644 search_dirs_pattern($1, bin_t, bin_t) ') -@@ -158,6 +159,7 @@ interface(`corecmd_list_bin',` +@@ -158,6 +175,7 @@ interface(`corecmd_list_bin',` type bin_t; ') @@ -3371,7 +3395,7 @@ index 9e9263a..87d577e 100644 list_dirs_pattern($1, bin_t, bin_t) ') -@@ -203,7 +205,7 @@ interface(`corecmd_getattr_bin_files',` +@@ -203,7 +221,7 @@ interface(`corecmd_getattr_bin_files',` ## ## ## @@ -3380,7 +3404,7 @@ index 9e9263a..87d577e 100644 ## ## # -@@ -231,6 +233,7 @@ interface(`corecmd_read_bin_files',` +@@ -231,6 +249,7 @@ interface(`corecmd_read_bin_files',` type bin_t; ') @@ -3388,7 +3412,7 @@ index 9e9263a..87d577e 100644 read_files_pattern($1, bin_t, bin_t) ') -@@ -254,6 +257,24 @@ interface(`corecmd_dontaudit_write_bin_files',` +@@ -254,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',` ######################################## ## @@ -3413,7 +3437,7 @@ index 9e9263a..87d577e 100644 ## Read symbolic links in bin directories. ## ## -@@ -285,6 +306,7 @@ interface(`corecmd_read_bin_pipes',` +@@ -285,6 +322,7 @@ interface(`corecmd_read_bin_pipes',` type bin_t; ') @@ -3421,7 +3445,7 @@ index 9e9263a..87d577e 100644 read_fifo_files_pattern($1, bin_t, bin_t) ') -@@ -303,6 +325,7 @@ interface(`corecmd_read_bin_sockets',` +@@ -303,6 +341,7 @@ interface(`corecmd_read_bin_sockets',` type bin_t; ') @@ -3429,7 +3453,7 @@ index 9e9263a..87d577e 100644 read_sock_files_pattern($1, bin_t, bin_t) ') -@@ -345,6 +368,10 @@ interface(`corecmd_exec_bin',` +@@ -345,6 +384,10 @@ interface(`corecmd_exec_bin',` read_lnk_files_pattern($1, bin_t, bin_t) list_dirs_pattern($1, bin_t, bin_t) can_exec($1, bin_t) @@ -3440,7 +3464,7 @@ index 9e9263a..87d577e 100644 ') ######################################## -@@ -362,6 +389,7 @@ interface(`corecmd_manage_bin_files',` +@@ -362,6 +405,7 @@ interface(`corecmd_manage_bin_files',` type bin_t; ') @@ -3448,7 +3472,7 @@ index 9e9263a..87d577e 100644 manage_files_pattern($1, bin_t, bin_t) ') -@@ -398,6 +426,7 @@ interface(`corecmd_mmap_bin_files',` +@@ -398,6 +442,7 @@ interface(`corecmd_mmap_bin_files',` type bin_t; ') @@ -3456,7 +3480,7 @@ index 9e9263a..87d577e 100644 mmap_files_pattern($1, bin_t, bin_t) ') -@@ -954,6 +983,24 @@ interface(`corecmd_exec_chroot',` +@@ -954,6 +999,24 @@ interface(`corecmd_exec_chroot',` ######################################## ## @@ -3481,7 +3505,7 @@ index 9e9263a..87d577e 100644 ## Get the attributes of all executable files. ## ## -@@ -1012,6 +1059,10 @@ interface(`corecmd_exec_all_executables',` +@@ -1012,6 +1075,10 @@ interface(`corecmd_exec_all_executables',` can_exec($1, exec_type) list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, exec_type) @@ -3492,7 +3516,7 @@ index 9e9263a..87d577e 100644 ') ######################################## -@@ -1049,6 +1100,7 @@ interface(`corecmd_manage_all_executables',` +@@ -1049,6 +1116,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -3500,7 +3524,7 @@ index 9e9263a..87d577e 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -@@ -1091,3 +1143,36 @@ interface(`corecmd_mmap_all_executables',` +@@ -1091,3 +1159,36 @@ interface(`corecmd_mmap_all_executables',` mmap_files_pattern($1, bin_t, exec_type) ') @@ -8056,7 +8080,7 @@ index cf04cb5..431baa5 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..d0e6d1c 100644 +index c2c6e05..96aeeef 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -8253,7 +8277,7 @@ index c2c6e05..d0e6d1c 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +243,21 @@ ifndef(`distro_redhat',` +@@ -237,11 +243,22 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -8263,6 +8287,7 @@ index c2c6e05..d0e6d1c 100644 /var/lib/nfs/rpc_pipefs(/.*)? <> +-/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) +/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) + @@ -8270,12 +8295,13 @@ index c2c6e05..d0e6d1c 100644 +/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) + - /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) ++/var/lock -d gen_context(system_u:object_r:var_lock_t,s0) +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) ++/var/lock/.* <> /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -262,6 +278,7 @@ ifndef(`distro_redhat',` +@@ -262,6 +279,7 @@ ifndef(`distro_redhat',` /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) @@ -8283,17 +8309,137 @@ index c2c6e05..d0e6d1c 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +287,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +288,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..8a9355a 100644 +index 64ff4d7..90999af 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if -@@ -55,6 +55,7 @@ +@@ -19,6 +19,119 @@ + ## Comains the file initial SID. + ## + ++##################################### ++## ++## files stub etc_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_etc',` ++ gen_require(` ++ type etc_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_lock_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_lock',` ++ gen_require(` ++ type var_lock_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_log_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_log',` ++ gen_require(` ++ type var_log_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_lib_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_lib',` ++ gen_require(` ++ type var_lib_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_run_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_run',` ++ gen_require(` ++ type var_run_t; ++ ') ++') ++ ++##################################### ++## ++## files stub var_run_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var_spool',` ++ gen_require(` ++ type var_spool_t; ++ ') ++') ++ ++##################################### ++## ++## files stub tmp_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_tmp',` ++ gen_require(` ++ type tmp_t; ++ ') ++') ++ ++ + ######################################## + ## + ## Make the specified type usable for files +@@ -55,6 +168,7 @@ ##
  • files_pid_file()
    • ##
  • files_security_file()
    • ##
  • files_security_mountpoint()
    • @@ -8301,7 +8447,87 @@ index 64ff4d7..8a9355a 100644 ##
  • files_tmp_file()
    • ##
  • files_tmpfs_file()
    • ##
  • logging_log_file()
    • -@@ -521,7 +522,7 @@ interface(`files_mounton_non_security',` +@@ -125,30 +239,31 @@ interface(`files_security_file',` + typeattribute $1 file_type, security_file_type, non_auth_file_type; + ') + ++ + ######################################## + ## + ## Make the specified type usable for +-## lock files. ++## filesystem mount points. + ## + ## + ## +-## Type to be used for lock files. ++## Type to be used for mount points. + ## + ## + # +-interface(`files_lock_file',` ++interface(`files_mountpoint',` + gen_require(` +- attribute lockfile; ++ attribute mountpoint; + ') + + files_type($1) +- typeattribute $1 lockfile; ++ typeattribute $1 mountpoint; + ') + + ######################################## + ## + ## Make the specified type usable for +-## filesystem mount points. ++## security file filesystem mount points. + ## + ## + ## +@@ -156,33 +271,33 @@ interface(`files_lock_file',` + ## + ## + # +-interface(`files_mountpoint',` ++interface(`files_security_mountpoint',` + gen_require(` + attribute mountpoint; + ') + +- files_type($1) ++ files_security_file($1) + typeattribute $1 mountpoint; + ') + + ######################################## + ## + ## Make the specified type usable for +-## security file filesystem mount points. ++## lock files. + ## + ## + ## +-## Type to be used for mount points. ++## Type to be used for lock files. + ## + ## + # +-interface(`files_security_mountpoint',` ++interface(`files_lock_file',` + gen_require(` +- attribute mountpoint; ++ attribute lockfile; + ') + +- files_security_file($1) +- typeattribute $1 mountpoint; ++ files_type($1) ++ typeattribute $1 lockfile; + ') + + ######################################## +@@ -521,7 +636,7 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') @@ -8310,7 +8536,7 @@ index 64ff4d7..8a9355a 100644 allow $1 non_security_file_type:file mounton; ') -@@ -620,6 +621,63 @@ interface(`files_dontaudit_getattr_non_security_files',` +@@ -620,6 +735,63 @@ interface(`files_dontaudit_getattr_non_security_files',` ######################################## ## @@ -8374,7 +8600,7 @@ index 64ff4d7..8a9355a 100644 ## Read all files. ## ## -@@ -683,12 +741,82 @@ interface(`files_read_non_security_files',` +@@ -683,12 +855,82 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -8457,7 +8683,7 @@ index 64ff4d7..8a9355a 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ##     -@@ -953,6 +1081,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` +@@ -953,6 +1195,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## @@ -8483,7 +8709,7 @@ index 64ff4d7..8a9355a 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,6 +1138,25 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,6 +1252,25 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -8509,7 +8735,7 @@ index 64ff4d7..8a9355a 100644 ## Do not audit attempts to get the attributes ## of non security named sockets. ## -@@ -1073,10 +1239,8 @@ interface(`files_relabel_all_files',` +@@ -1073,10 +1353,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -8522,7 +8748,7 @@ index 64ff4d7..8a9355a 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1346,6 @@ interface(`files_list_all',` +@@ -1182,24 +1460,6 @@ interface(`files_list_all',` ######################################## ## @@ -8547,7 +8773,7 @@ index 64ff4d7..8a9355a 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1589,6 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,9 +1703,6 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) @@ -8557,7 +8783,7 @@ index 64ff4d7..8a9355a 100644 ') ############################################# -@@ -1583,6 +1726,24 @@ interface(`files_getattr_all_mountpoints',` +@@ -1583,6 +1840,24 @@ interface(`files_getattr_all_mountpoints',` ######################################## ## @@ -8582,7 +8808,7 @@ index 64ff4d7..8a9355a 100644 ## Set the attributes of all mount points. ## ## -@@ -1673,6 +1834,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1673,6 +1948,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -8607,11 +8833,33 @@ index 64ff4d7..8a9355a 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1691,6 +1870,24 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1691,7 +1984,7 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## +-## List the contents of the root directory. +## Write all file type directories. + ## + ## + ## +@@ -1699,12 +1992,30 @@ interface(`files_dontaudit_write_all_mountpoints',` + ## + ## + # +-interface(`files_list_root',` ++interface(`files_write_all_dirs',` + gen_require(` +- type root_t; ++ attribute file_type; + ') + +- allow $1 root_t:dir list_dir_perms; ++ allow $1 file_type:dir write; ++') ++ ++######################################## ++## ++## List the contents of the root directory. +## +## +## @@ -8619,20 +8867,16 @@ index 64ff4d7..8a9355a 100644 +## +## +# -+interface(`files_write_all_dirs',` ++interface(`files_list_root',` + gen_require(` -+ attribute file_type; ++ type root_t; + ') + -+ allow $1 file_type:dir write; -+') -+ -+######################################## -+## - ## List the contents of the root directory. - ## - ## -@@ -1874,25 +2071,25 @@ interface(`files_delete_root_dir_entry',` ++ allow $1 root_t:dir list_dir_perms; + allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; + ') + +@@ -1874,25 +2185,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -8664,7 +8908,7 @@ index 64ff4d7..8a9355a 100644 ## ## ## -@@ -1905,7 +2102,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2216,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -8673,7 +8917,7 @@ index 64ff4d7..8a9355a 100644 ') ######################################## -@@ -1928,6 +2125,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2239,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -8698,7 +8942,7 @@ index 64ff4d7..8a9355a 100644 ## Get attributes of the /boot directory. ## ## -@@ -2627,6 +2842,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +2956,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -8723,7 +8967,7 @@ index 64ff4d7..8a9355a 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +2931,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3045,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -8731,7 +8975,7 @@ index 64ff4d7..8a9355a 100644 ') ######################################## -@@ -2706,7 +2940,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3054,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -8740,104 +8984,37 @@ index 64ff4d7..8a9355a 100644 ## ## # -@@ -2762,25 +2996,26 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3110,25 @@ interface(`files_manage_etc_files',` ######################################## ## --## Delete system configuration files in /etc. +## Do not audit attempts to check the +## access on etc files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_delete_etc_files',` ++## ++## ++# +interface(`files_dontaudit_access_check_etc',` - gen_require(` - type etc_t; - ') - -- delete_files_pattern($1, etc_t, etc_t) ++ gen_require(` ++ type etc_t; ++ ') ++ + dontaudit $1 etc_t:dir_file_class_set audit_access; - ') - - ######################################## - ## --## Execute generic files in /etc. -+## Delete system configuration files in /etc. - ## - ## - ## -@@ -2788,19 +3023,17 @@ interface(`files_delete_etc_files',` - ## - ## - # --interface(`files_exec_etc_files',` -+interface(`files_delete_etc_files',` - gen_require(` - type etc_t; - ') - -- allow $1 etc_t:dir list_dir_perms; -- read_lnk_files_pattern($1, etc_t, etc_t) -- exec_files_pattern($1, etc_t, etc_t) -+ delete_files_pattern($1, etc_t, etc_t) - ') - --####################################### ++') ++ +######################################## - ## --## Relabel from and to generic files in /etc. -+## Remove entries from the etc directory. ++## + ## Delete system configuration files in /etc. ## ## - ## -@@ -2808,18 +3041,17 @@ interface(`files_exec_etc_files',` - ## - ## - # --interface(`files_relabel_etc_files',` -+interface(`files_delete_etc_dir_entry',` - gen_require(` - type etc_t; - ') - -- allow $1 etc_t:dir list_dir_perms; -- relabel_files_pattern($1, etc_t, etc_t) -+ allow $1 etc_t:dir del_entry_dir_perms; - ') +@@ -2780,6 +3147,24 @@ interface(`files_delete_etc_files',` ######################################## ## --## Read symbolic links in /etc. -+## Execute generic files in /etc. - ## - ## - ## -@@ -2827,17 +3059,56 @@ interface(`files_relabel_etc_files',` - ## - ## - # --interface(`files_read_etc_symlinks',` -+interface(`files_exec_etc_files',` - gen_require(` - type etc_t; - ') - -+ allow $1 etc_t:dir list_dir_perms; - read_lnk_files_pattern($1, etc_t, etc_t) -+ exec_files_pattern($1, etc_t, etc_t) - ') - --######################################## -+####################################### - ## --## Create, read, write, and delete symbolic links in /etc. -+## Relabel from and to generic files in /etc. ++## Remove entries from the etc directory. +## +## +## @@ -8845,40 +9022,20 @@ index 64ff4d7..8a9355a 100644 +## +## +# -+interface(`files_relabel_etc_files',` ++interface(`files_delete_etc_dir_entry',` + gen_require(` + type etc_t; + ') + -+ allow $1 etc_t:dir list_dir_perms; -+ relabel_files_pattern($1, etc_t, etc_t) -+') -+ -+######################################## -+## -+## Read symbolic links in /etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_etc_symlinks',` -+ gen_require(` -+ type etc_t; -+ ') -+ -+ read_lnk_files_pattern($1, etc_t, etc_t) ++ allow $1 etc_t:dir del_entry_dir_perms; +') + +######################################## +## -+## Create, read, write, and delete symbolic links in /etc. + ## Execute generic files in /etc. ## ## - ## -@@ -2945,24 +3216,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3330,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -8903,7 +9060,7 @@ index 64ff4d7..8a9355a 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3003,9 +3256,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3370,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -8914,7 +9071,7 @@ index 64ff4d7..8a9355a 100644 ## ## ## -@@ -3013,18 +3264,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3378,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -8936,7 +9093,7 @@ index 64ff4d7..8a9355a 100644 ## ## ## -@@ -3042,6 +3292,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3406,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -8963,7 +9120,7 @@ index 64ff4d7..8a9355a 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3329,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3443,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -8971,7 +9128,7 @@ index 64ff4d7..8a9355a 100644 ') ######################################## -@@ -3080,6 +3351,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3465,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -8979,7 +9136,7 @@ index 64ff4d7..8a9355a 100644 ') ######################################## -@@ -3132,6 +3404,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3518,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -9005,7 +9162,7 @@ index 64ff4d7..8a9355a 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3499,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3613,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -9031,7 +9188,7 @@ index 64ff4d7..8a9355a 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3765,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3879,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -9057,7 +9214,7 @@ index 64ff4d7..8a9355a 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4125,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4239,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -9101,64 +9258,98 @@ index 64ff4d7..8a9355a 100644 ') ######################################## -@@ -4199,6 +4546,133 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,156 +4660,176 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') +-######################################## +####################################### -+## + ## +-## Allow the specified type to associate +-## to a filesystem with the type of the +-## temporary directory (/tmp). +## Read manageable system configuration files in /etc -+## + ## +-## +-## +-## Type of the file to associate. +-## +## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_associate_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:filesystem associate; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Get the attributes of the tmp directory (/tmp). +## Manage manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir getattr; + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) + files_filetrans_system_conf_named_files($1) -+') -+ + ') + +-######################################## +##################################### -+## + ## +-## Do not audit attempts to get the +-## attributes of the tmp directory (/tmp). +## File name transition for system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- dontaudit $1 tmp_t:dir getattr; + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") @@ -9175,124 +9366,195 @@ index 64ff4d7..8a9355a 100644 + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- allow $1 tmp_t:dir search_dir_perms; + relabelto_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Do not audit attempts to search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain to not audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- dontaudit $1 tmp_t:dir search_dir_perms; + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +################################### -+## + ## +-## Read the tmp directory (/tmp). +## Create files in /etc with the type used for +## the manageable system config files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## The type of the process performing this action. +## -+## -+# + ## + # +-interface(`files_list_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir list_dir_perms; + filetrans_pattern($1, etc_t, system_conf_t, file) -+') -+ + ') + ######################################## ## - ## Allow the specified type to associate -@@ -4221,6 +4695,26 @@ interface(`files_associate_tmp',` +-## Do not audit listing of the tmp directory (/tmp). ++## Allow the specified type to associate ++## to a filesystem with the type of the ++## temporary directory (/tmp). + ## +-## ++## + ## +-## Domain not to audit. ++## Type of the file to associate. + ## + ## + # +-interface(`files_dontaudit_list_tmp',` ++interface(`files_associate_tmp',` + gen_require(` + type tmp_t; + ') + +- dontaudit $1 tmp_t:dir list_dir_perms; ++ allow $1 tmp_t:filesystem associate; + ') ######################################## ## +-## Remove entries from the tmp directory. +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system -+## + ## +-## +## -+## + ## +-## Domain allowed access. +## Type of the file to associate. -+## -+## -+# + ## + ## + # +-interface(`files_delete_tmp_dir_entry',` +interface(`files_associate_rootfs',` -+ gen_require(` + gen_require(` +- type tmp_t; + type root_t; -+ ') -+ + ') + +- allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 root_t:filesystem associate; -+') -+ -+######################################## -+## - ## Get the attributes of the tmp directory (/tmp). + ') + + ######################################## + ## +-## Read files in the tmp directory (/tmp). ++## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4234,17 +4728,37 @@ interface(`files_getattr_tmp_dirs',` + ## +@@ -4356,53 +4837,56 @@ interface(`files_delete_tmp_dir_entry',` + ## + ## + # +-interface(`files_read_generic_tmp_files',` ++interface(`files_getattr_tmp_dirs',` + gen_require(` type tmp_t; ') +- read_files_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir getattr; ++ allow $1 tmp_t:dir getattr; ') ######################################## ## +-## Manage temporary directories in /tmp. +## Do not audit attempts to check the +## access on tmp files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_manage_generic_tmp_dirs',` +interface(`files_dontaudit_access_check_tmp',` -+ gen_require(` + gen_require(` +- type tmp_t; + type etc_t; -+ ') -+ + ') + +- manage_dirs_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the - ## attributes of the tmp directory (/tmp). + ') + + ######################################## + ## +-## Manage temporary files and directories in /tmp. ++## Do not audit attempts to get the ++## attributes of the tmp directory (/tmp). ## ## ## @@ -9301,116 +9563,2298 @@ index 64ff4d7..8a9355a 100644 ## ## # -@@ -4271,6 +4785,7 @@ interface(`files_search_tmp',` +-interface(`files_manage_generic_tmp_files',` ++interface(`files_dontaudit_getattr_tmp_dirs',` + gen_require(` type tmp_t; ') -+ read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir search_dir_perms; +- manage_files_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmp_t:dir getattr; ') -@@ -4307,6 +4822,7 @@ interface(`files_list_tmp',` + ######################################## + ## +-## Read symbolic links in the tmp directory (/tmp). ++## Search the tmp directory (/tmp). + ## + ## + ## +@@ -4410,35 +4894,36 @@ interface(`files_manage_generic_tmp_files',` + ## + ## + # +-interface(`files_read_generic_tmp_symlinks',` ++interface(`files_search_tmp',` + gen_require(` type tmp_t; ') -+ read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir list_dir_perms; + read_lnk_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:dir search_dir_perms; ') -@@ -4316,7 +4832,7 @@ interface(`files_list_tmp',` + ######################################## + ## +-## Read and write generic named sockets in the tmp directory (/tmp). ++## Do not audit attempts to search the tmp directory (/tmp). ## ## ## --## Domain not to audit. +-## Domain allowed access. +## Domain to not audit. ## ## # -@@ -4328,6 +4844,25 @@ interface(`files_dontaudit_list_tmp',` - dontaudit $1 tmp_t:dir list_dir_perms; +-interface(`files_rw_generic_tmp_sockets',` ++interface(`files_dontaudit_search_tmp',` + gen_require(` + type tmp_t; + ') + +- rw_sock_files_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmp_t:dir search_dir_perms; ') -+####################################### -+## -+## Allow read and write to the tmp directory (/tmp). -+## -+## -+## -+## Domain not to audit. -+## -+## -+# -+interface(`files_rw_generic_tmp_dir',` -+ gen_require(` + ######################################## + ## +-## Set the attributes of all tmp directories. ++## Read the tmp directory (/tmp). + ## + ## + ## +@@ -4446,77 +4931,74 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_list_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:dir list_dir_perms; + ') + + ######################################## + ## +-## List all tmp directories. ++## Do not audit listing of the tmp directory (/tmp). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_dontaudit_list_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ dontaudit $1 tmp_t:dir list_dir_perms; + ') + +-######################################## ++####################################### + ## +-## Relabel to and from all temporary +-## directory types. ++## Allow read and write to the tmp directory (/tmp). + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain not to audit. ++## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` +- gen_require(` +- attribute tmpfile; +- type var_t; +- ') ++interface(`files_rw_generic_tmp_dir',` ++ gen_require(` + type tmp_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) ++ files_search_tmp($1) ++ allow $1 tmp_t:dir rw_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## Remove entries from the tmp directory. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_delete_tmp_dir_entry',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- dontaudit $1 tmpfile:file getattr; ++ files_search_tmp($1) ++ allow $1 tmp_t:dir del_entry_dir_perms; + ') + + ######################################## + ## +-## Allow attempts to get the attributes +-## of all tmp files. ++## Read files in the tmp directory (/tmp). + ## + ## + ## +@@ -4524,58 +5006,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',` + ## + ## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_read_generic_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:file getattr; ++ read_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## file types. ++## Manage temporary directories in /tmp. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_manage_generic_tmp_dirs',` + gen_require(` +- attribute tmpfile; +- type var_t; ++ type tmp_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ manage_dirs_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Allow shared library text relocations in tmp files. + ## ++## ++##

    ++## Allow shared library text relocations in tmp files. ++##

    ++##

    ++## This is added to support java policy. ++##

    ++##     + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_execmod_tmp',` + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ allow $1 tmpfile:file execmod; + ') + + ######################################## + ## +-## Read all tmp files. ++## Manage temporary files and directories in /tmp. + ## + ## + ## +@@ -4583,51 +5068,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` + ## + ## + # +-interface(`files_read_all_tmp_files',` ++interface(`files_manage_generic_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- read_files_pattern($1, tmpfile, tmpfile) ++ manage_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Create an object in the tmp directories, with a private +-## type using a type transition. ++## Read symbolic links in the tmp directory (/tmp). + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`files_tmp_filetrans',` ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` + type tmp_t; + ') + +- filetrans_pattern($1, tmp_t, $2, $3, $4) ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Delete the contents of /tmp. ++## Read and write generic named sockets in the tmp directory (/tmp). + ## + ## + ## +@@ -4635,22 +5104,17 @@ interface(`files_tmp_filetrans',` + ## + ## + # +-interface(`files_purge_tmp',` ++interface(`files_rw_generic_tmp_sockets',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; +- delete_dirs_pattern($1, tmpfile, tmpfile) +- delete_files_pattern($1, tmpfile, tmpfile) +- delete_lnk_files_pattern($1, tmpfile, tmpfile) +- delete_fifo_files_pattern($1, tmpfile, tmpfile) +- delete_sock_files_pattern($1, tmpfile, tmpfile) ++ rw_sock_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Set the attributes of the /usr directory. ++## Relabel a dir from the type used in /tmp. + ## + ## + ## +@@ -4658,17 +5122,17 @@ interface(`files_purge_tmp',` + ## + ## + # +-interface(`files_setattr_usr_dirs',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` +- type usr_t; ++ type tmp_t; + ') + +- allow $1 usr_t:dir setattr; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Search the content of /usr. ++## Relabel a file from the type used in /tmp. + ## + ## + ## +@@ -4676,18 +5140,17 @@ interface(`files_setattr_usr_dirs',` + ## + ## + # +-interface(`files_search_usr',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- type usr_t; ++ type tmp_t; + ') + +- allow $1 usr_t:dir search_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## List the contents of generic +-## directories in /usr. ++## Set the attributes of all tmp directories. + ## + ## + ## +@@ -4695,35 +5158,35 @@ interface(`files_search_usr',` + ## + ## + # +-interface(`files_list_usr',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- allow $1 usr_t:dir list_dir_perms; ++ allow $1 tmpfile:dir { search_dir_perms setattr }; + ') + + ######################################## + ## +-## Do not audit write of /usr dirs ++## Allow caller to read inherited tmp files. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_write_usr_dirs',` ++interface(`files_read_inherited_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- dontaudit $1 usr_t:dir write; ++ allow $1 tmpfile:file { append read_inherited_file_perms }; + ') + + ######################################## + ## +-## Add and remove entries from /usr directories. ++## Allow caller to append inherited tmp files. + ## + ## + ## +@@ -4731,36 +5194,35 @@ interface(`files_dontaudit_write_usr_dirs',` + ## + ## + # +-interface(`files_rw_usr_dirs',` ++interface(`files_append_inherited_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- allow $1 usr_t:dir rw_dir_perms; ++ allow $1 tmpfile:file append_inherited_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to add and remove +-## entries from /usr directories. ++## Allow caller to read and write inherited tmp files. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_rw_usr_dirs',` ++interface(`files_rw_inherited_tmp_file',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- dontaudit $1 usr_t:dir rw_dir_perms; ++ allow $1 tmpfile:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Delete generic directories in /usr in the caller domain. ++## List all tmp directories. + ## + ## + ## +@@ -4768,111 +5230,100 @@ interface(`files_dontaudit_rw_usr_dirs',` + ## + ## + # +-interface(`files_delete_usr_dirs',` ++interface(`files_list_all_tmp',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- delete_dirs_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:dir list_dir_perms; + ') + + ######################################## + ## +-## Delete generic files in /usr in the caller domain. ++## Relabel to and from all temporary ++## directory types. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_delete_usr_files',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ++ type var_t; + ') + +- delete_files_pattern($1, usr_t, usr_t) ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## +-## Get the attributes of files in /usr. ++## Do not audit attempts to get the attributes ++## of all tmp files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_getattr_usr_files',` ++interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- getattr_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:file getattr; + ') + + ######################################## + ## +-## Read generic files in /usr. ++## Allow attempts to get the attributes ++## of all tmp files. + ## +-## +-##

    +-## Allow the specified domain to read generic +-## files in /usr. These files are various program +-## files that do not have more specific SELinux types. +-## Some examples of these files are: +-##

    +-##
      +-##
    • /usr/include/*
      • +-##
    • /usr/share/doc/*
      • +-##
    • /usr/share/info/*
      • +-##
    +-##

    +-## Generally, it is safe for many domains to have +-## this access. +-##

    +-##     + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_read_usr_files',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- allow $1 usr_t:dir list_dir_perms; +- read_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:file getattr; + ') + + ######################################## + ## +-## Execute generic programs in /usr in the caller domain. ++## Relabel to and from all temporary ++## file types. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_exec_usr_files',` ++interface(`files_relabel_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ++ type var_t; + ') + +- allow $1 usr_t:dir list_dir_perms; +- exec_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## +-## dontaudit write of /usr files ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. + ## + ## + ## +@@ -4880,35 +5331,17 @@ interface(`files_exec_usr_files',` + ## + ## + # +-interface(`files_dontaudit_write_usr_files',` +- gen_require(` +- type usr_t; +- ') +- +- dontaudit $1 usr_t:file write; +-') +- +-######################################## +-## +-## Create, read, write, and delete files in the /usr directory. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`files_manage_usr_files',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- manage_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:sock_file getattr; + ') + + ######################################## + ## +-## Relabel a file to the type used in /usr. ++## Read all tmp files. + ## + ## + ## +@@ -4916,67 +5349,70 @@ interface(`files_manage_usr_files',` + ## + ## + # +-interface(`files_relabelto_usr_files',` ++interface(`files_read_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- relabelto_files_pattern($1, usr_t, usr_t) ++ read_files_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## +-## Relabel a file from the type used in /usr. ++## Do not audit attempts to read or write ++## all leaked tmpfiles files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_relabelfrom_usr_files',` ++interface(`files_dontaudit_tmp_file_leaks',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- relabelfrom_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Read symbolic links in /usr. ++## Do allow attempts to read or write ++## all leaked tmpfiles files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_read_usr_symlinks',` ++interface(`files_rw_tmp_file_leaks',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- read_lnk_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Create objects in the /usr directory ++## Create an object in the tmp directories, with a private ++## type using a type transition. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++## + ## +-## The type of the object to be created ++## The type of the object to be created. + ## + ## +-## ++## + ## +-## The object class. ++## The object class of the object being created. + ## + ## + ## +@@ -4985,35 +5421,50 @@ interface(`files_read_usr_symlinks',` + ##     + ## + # +-interface(`files_usr_filetrans',` ++interface(`files_tmp_filetrans',` + gen_require(` +- type usr_t; ++ type tmp_t; + ') + +- filetrans_pattern($1, usr_t, $2, $3, $4) ++ filetrans_pattern($1, tmp_t, $2, $3, $4) + ') + + ######################################## + ## +-## Do not audit attempts to search /usr/src. ++## Delete the contents of /tmp. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_src',` ++interface(`files_purge_tmp',` + gen_require(` +- type src_t; ++ attribute tmpfile; + ') + +- dontaudit $1 src_t:dir search_dir_perms; ++ allow $1 tmpfile:dir list_dir_perms; ++ delete_dirs_pattern($1, tmpfile, tmpfile) ++ delete_files_pattern($1, tmpfile, tmpfile) ++ delete_lnk_files_pattern($1, tmpfile, tmpfile) ++ delete_fifo_files_pattern($1, tmpfile, tmpfile) ++ delete_sock_files_pattern($1, tmpfile, tmpfile) ++ delete_chr_files_pattern($1, tmpfile, tmpfile) ++ delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) ++ files_delete_isid_type_symlinks($1) ++ files_delete_isid_type_fifo_files($1) ++ files_delete_isid_type_sock_files($1) ++ files_delete_isid_type_blk_files($1) ++ files_delete_isid_type_chr_files($1) + ') + + ######################################## + ## +-## Get the attributes of files in /usr/src. ++## Set the attributes of the /usr directory. + ## + ## + ## +@@ -5021,20 +5472,17 @@ interface(`files_dontaudit_search_src',` + ## + ## + # +-interface(`files_getattr_usr_src_files',` ++interface(`files_setattr_usr_dirs',` + gen_require(` +- type usr_t, src_t; ++ type usr_t; + ') + +- getattr_files_pattern($1, src_t, src_t) +- +- # /usr/src/linux symlink: +- read_lnk_files_pattern($1, usr_t, src_t) ++ allow $1 usr_t:dir setattr; + ') + + ######################################## + ## +-## Read files in /usr/src. ++## Search the content of /usr. + ## + ## + ## +@@ -5042,20 +5490,18 @@ interface(`files_getattr_usr_src_files',` + ## + ## + # +-interface(`files_read_usr_src_files',` ++interface(`files_search_usr',` + gen_require(` +- type usr_t, src_t; ++ type usr_t; + ') + + allow $1 usr_t:dir search_dir_perms; +- read_files_pattern($1, { usr_t src_t }, src_t) +- read_lnk_files_pattern($1, { usr_t src_t }, src_t) +- allow $1 src_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Execute programs in /usr/src in the caller domain. ++## List the contents of generic ++## directories in /usr. + ## + ## + ## +@@ -5063,38 +5509,35 @@ interface(`files_read_usr_src_files',` + ## + ## + # +-interface(`files_exec_usr_src_files',` ++interface(`files_list_usr',` + gen_require(` +- type usr_t, src_t; ++ type usr_t; + ') + +- list_dirs_pattern($1, usr_t, src_t) +- exec_files_pattern($1, src_t, src_t) +- read_lnk_files_pattern($1, src_t, src_t) ++ allow $1 usr_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Install a system.map into the /boot directory. ++## Do not audit write of /usr dirs + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_create_kernel_symbol_table',` ++interface(`files_dontaudit_write_usr_dirs',` + gen_require(` +- type boot_t, system_map_t; ++ type usr_t; + ') + +- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; +- allow $1 system_map_t:file { create_file_perms rw_file_perms }; ++ dontaudit $1 usr_t:dir write; + ') + + ######################################## + ## +-## Read system.map in the /boot directory. ++## Add and remove entries from /usr directories. + ## + ## + ## +@@ -5102,37 +5545,36 @@ interface(`files_create_kernel_symbol_table',` + ## + ## + # +-interface(`files_read_kernel_symbol_table',` ++interface(`files_rw_usr_dirs',` + gen_require(` +- type boot_t, system_map_t; ++ type usr_t; + ') + +- allow $1 boot_t:dir list_dir_perms; +- read_files_pattern($1, boot_t, system_map_t) ++ allow $1 usr_t:dir rw_dir_perms; + ') + + ######################################## + ## +-## Delete a system.map in the /boot directory. ++## Do not audit attempts to add and remove ++## entries from /usr directories. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_delete_kernel_symbol_table',` ++interface(`files_dontaudit_rw_usr_dirs',` + gen_require(` +- type boot_t, system_map_t; ++ type usr_t; + ') + +- allow $1 boot_t:dir list_dir_perms; +- delete_files_pattern($1, boot_t, system_map_t) ++ dontaudit $1 usr_t:dir rw_dir_perms; + ') + + ######################################## + ## +-## Search the contents of /var. ++## Delete generic directories in /usr in the caller domain. + ## + ## + ## +@@ -5140,35 +5582,35 @@ interface(`files_delete_kernel_symbol_table',` + ## + ## + # +-interface(`files_search_var',` ++interface(`files_delete_usr_dirs',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Do not audit attempts to write to /var. ++## Delete generic files in /usr in the caller domain. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_write_var_dirs',` ++interface(`files_delete_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- dontaudit $1 var_t:dir write; ++ delete_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Allow attempts to write to /var.dirs ++## Get the attributes of files in /usr. + ## + ## + ## +@@ -5176,36 +5618,55 @@ interface(`files_dontaudit_write_var_dirs',` + ## + ## + # +-interface(`files_write_var_dirs',` ++interface(`files_getattr_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- allow $1 var_t:dir write; ++ getattr_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Do not audit attempts to search +-## the contents of /var. ++## Read generic files in /usr. + ## ++## ++##

    ++## Allow the specified domain to read generic ++## files in /usr. These files are various program ++## files that do not have more specific SELinux types. ++## Some examples of these files are: ++##

    ++##
      ++##
    • /usr/include/*
      • ++##
    • /usr/share/doc/*
      • ++##
    • /usr/share/info/*
      • ++##
    ++##

    ++## Generally, it is safe for many domains to have ++## this access. ++##

    ++##     + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_search_var',` ++interface(`files_read_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- dontaudit $1 var_t:dir search_dir_perms; ++ allow $1 usr_t:dir list_dir_perms; ++ read_files_pattern($1, usr_t, usr_t) ++ read_lnk_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## List the contents of /var. ++## Execute generic programs in /usr in the caller domain. + ## + ## + ## +@@ -5213,36 +5674,37 @@ interface(`files_dontaudit_search_var',` + ## + ## + # +-interface(`files_list_var',` ++interface(`files_exec_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- allow $1 var_t:dir list_dir_perms; ++ allow $1 usr_t:dir list_dir_perms; ++ exec_files_pattern($1, usr_t, usr_t) ++ read_lnk_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Create, read, write, and delete directories +-## in the /var directory. ++## dontaudit write of /usr files + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_manage_var_dirs',` ++interface(`files_dontaudit_write_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- allow $1 var_t:dir manage_dir_perms; ++ dontaudit $1 usr_t:file write; + ') + + ######################################## + ## +-## Read files in the /var directory. ++## Create, read, write, and delete files in the /usr directory. + ## + ## + ## +@@ -5250,17 +5712,17 @@ interface(`files_manage_var_dirs',` + ## + ## + # +-interface(`files_read_var_files',` ++interface(`files_manage_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- read_files_pattern($1, var_t, var_t) ++ manage_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Append files in the /var directory. ++## Relabel a file to the type used in /usr. + ## + ## + ## +@@ -5268,17 +5730,17 @@ interface(`files_read_var_files',` + ## + ## + # +-interface(`files_append_var_files',` ++interface(`files_relabelto_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- append_files_pattern($1, var_t, var_t) ++ relabelto_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Read and write files in the /var directory. ++## Relabel a file from the type used in /usr. + ## + ## + ## +@@ -5286,73 +5748,86 @@ interface(`files_append_var_files',` + ## + ## + # +-interface(`files_rw_var_files',` ++interface(`files_relabelfrom_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- rw_files_pattern($1, var_t, var_t) ++ relabelfrom_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Do not audit attempts to read and write +-## files in the /var directory. ++## Read symbolic links in /usr. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_rw_var_files',` ++interface(`files_read_usr_symlinks',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- dontaudit $1 var_t:file rw_file_perms; ++ read_lnk_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Create, read, write, and delete files in the /var directory. ++## Create objects in the /usr directory + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`files_manage_var_files',` ++interface(`files_usr_filetrans',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- manage_files_pattern($1, var_t, var_t) ++ filetrans_pattern($1, usr_t, $2, $3, $4) + ') + + ######################################## + ## +-## Read symbolic links in the /var directory. ++## Do not audit attempts to search /usr/src. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_read_var_symlinks',` ++interface(`files_dontaudit_search_src',` + gen_require(` +- type var_t; ++ type src_t; + ') + +- read_lnk_files_pattern($1, var_t, var_t) ++ dontaudit $1 src_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete symbolic +-## links in the /var directory. ++## Get the attributes of files in /usr/src. + ## + ## + ## +@@ -5360,50 +5835,41 @@ interface(`files_read_var_symlinks',` + ## + ## + # +-interface(`files_manage_var_symlinks',` ++interface(`files_getattr_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- manage_lnk_files_pattern($1, var_t, var_t) ++ getattr_files_pattern($1, src_t, src_t) ++ ++ # /usr/src/linux symlink: ++ read_lnk_files_pattern($1, usr_t, src_t) + ') + + ######################################## + ## +-## Create objects in the /var directory ++## Read files in /usr/src. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created +-## +-## +-## +-## +-## The object class. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`files_var_filetrans',` ++interface(`files_read_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- filetrans_pattern($1, var_t, $2, $3, $4) ++ allow $1 usr_t:dir search_dir_perms; ++ read_files_pattern($1, { usr_t src_t }, src_t) ++ read_lnk_files_pattern($1, { usr_t src_t }, src_t) ++ allow $1 src_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Get the attributes of the /var/lib directory. ++## Execute programs in /usr/src in the caller domain. + ## + ## + ## +@@ -5411,69 +5877,57 @@ interface(`files_var_filetrans',` + ## + ## + # +-interface(`files_getattr_var_lib_dirs',` ++interface(`files_exec_usr_src_files',` + gen_require(` +- type var_t, var_lib_t; ++ type usr_t, src_t; + ') + +- getattr_dirs_pattern($1, var_t, var_lib_t) ++ list_dirs_pattern($1, usr_t, src_t) ++ exec_files_pattern($1, src_t, src_t) ++ read_lnk_files_pattern($1, src_t, src_t) + ') + + ######################################## + ## +-## Search the /var/lib directory. ++## Install a system.map into the /boot directory. + ## +-## +-##

    +-## Search the /var/lib directory. This is +-## necessary to access files or directories under +-## /var/lib that have a private type. For example, a +-## domain accessing a private library file in the +-## /var/lib directory: +-##

    +-##

    +-## allow mydomain_t mylibfile_t:file read_file_perms; +-## files_search_var_lib(mydomain_t) +-##

    +-##     + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_search_var_lib',` ++interface(`files_create_kernel_symbol_table',` + gen_require(` +- type var_t, var_lib_t; ++ type boot_t, system_map_t; + ') + +- search_dirs_pattern($1, var_t, var_lib_t) ++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; ++ allow $1 system_map_t:file { create_file_perms rw_file_perms }; + ') + + ######################################## + ## +-## Do not audit attempts to search the +-## contents of /var/lib. ++## Read system.map in the /boot directory. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## +-## + # +-interface(`files_dontaudit_search_var_lib',` ++interface(`files_read_kernel_symbol_table',` + gen_require(` +- type var_lib_t; ++ type boot_t, system_map_t; + ') + +- dontaudit $1 var_lib_t:dir search_dir_perms; ++ allow $1 boot_t:dir list_dir_perms; ++ read_files_pattern($1, boot_t, system_map_t) + ') + + ######################################## + ## +-## List the contents of the /var/lib directory. ++## Delete a system.map in the /boot directory. + ## + ## + ## +@@ -5481,17 +5935,18 @@ interface(`files_dontaudit_search_var_lib',` + ## + ## + # +-interface(`files_list_var_lib',` ++interface(`files_delete_kernel_symbol_table',` + gen_require(` +- type var_t, var_lib_t; ++ type boot_t, system_map_t; + ') + +- list_dirs_pattern($1, var_t, var_lib_t) ++ allow $1 boot_t:dir list_dir_perms; ++ delete_files_pattern($1, boot_t, system_map_t) + ') + +-########################################### ++######################################## + ## +-## Read-write /var/lib directories ++## Search the contents of /var. + ## + ## + ## +@@ -5499,51 +5954,35 @@ interface(`files_list_var_lib',` + ## + ## + # +-interface(`files_rw_var_lib_dirs',` ++interface(`files_search_var',` + gen_require(` +- type var_lib_t; ++ type var_t; + ') + +- rw_dirs_pattern($1, var_lib_t, var_lib_t) ++ allow $1 var_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Create objects in the /var/lib directory ++## Do not audit attempts to write to /var. + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## The type of the object to be created +-## +-## +-## +-## +-## The object class. +-## +-## +-## +-## +-## The name of the object being created. ++## Domain to not audit. + ## + ## + # +-interface(`files_var_lib_filetrans',` ++interface(`files_dontaudit_write_var_dirs',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_lib_t, $2, $3, $4) ++ dontaudit $1 var_t:dir write; + ') + + ######################################## + ## +-## Read generic files in /var/lib. ++## Allow attempts to write to /var.dirs + ## + ## + ## +@@ -5551,40 +5990,36 @@ interface(`files_var_lib_filetrans',` + ## + ## + # +-interface(`files_read_var_lib_files',` ++interface(`files_write_var_dirs',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_lib_t:dir list_dir_perms; +- read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ allow $1 var_t:dir write; + ') + + ######################################## + ## +-## Read generic symbolic links in /var/lib ++## Do not audit attempts to search ++## the contents of /var. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_read_var_lib_symlinks',` ++interface(`files_dontaudit_search_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ dontaudit $1 var_t:dir search_dir_perms; + ') + +-# cjp: the next two interfaces really need to be fixed +-# in some way. They really neeed their own types. +- + ######################################## + ## +-## Create, read, write, and delete the +-## pseudorandom number generator seed. ++## List the contents of /var. + ## + ## + ## +@@ -5592,38 +6027,36 @@ interface(`files_read_var_lib_symlinks',` + ## + ## + # +-interface(`files_manage_urandom_seed',` ++interface(`files_list_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_lib_t, var_lib_t) ++ allow $1 var_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Allow domain to manage mount tables +-## necessary for rpcd, nfsd, etc. ++## Do not audit listing of the var directory (/var). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_manage_mounttab',` ++interface(`files_dontaudit_list_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_lib_t, var_lib_t) ++ dontaudit $1 var_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Set the attributes of the generic lock directories. ++## Create, read, write, and delete directories ++## in the /var directory. + ## + ## + ## +@@ -5631,17 +6064,17 @@ interface(`files_manage_mounttab',` + ## + ## + # +-interface(`files_setattr_lock_dirs',` ++interface(`files_manage_var_dirs',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- setattr_dirs_pattern($1, var_t, var_lock_t) ++ allow $1 var_t:dir manage_dir_perms; + ') + + ######################################## + ## +-## Search the locks directory (/var/lock). ++## Read files in the /var directory. + ## + ## + ## +@@ -5649,38 +6082,35 @@ interface(`files_setattr_lock_dirs',` + ## + ## + # +-interface(`files_search_locks',` ++interface(`files_read_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- search_dirs_pattern($1, var_t, var_lock_t) ++ read_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Do not audit attempts to search the +-## locks directory (/var/lock). ++## Append files in the /var directory. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_locks',` ++interface(`files_append_var_files',` + gen_require(` +- type var_lock_t; ++ type var_t; + ') + +- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_lock_t:dir search_dir_perms; ++ append_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## List generic lock directories. ++## Read and write files in the /var directory. + ## + ## + ## +@@ -5688,80 +6118,73 @@ interface(`files_dontaudit_search_locks',` + ## + ## + # +-interface(`files_list_locks',` ++interface(`files_rw_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_lock_t) ++ rw_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Add and remove entries in the /var/lock +-## directories. ++## Do not audit attempts to read and write ++## files in the /var directory. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_rw_lock_dirs',` ++interface(`files_dontaudit_rw_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- rw_dirs_pattern($1, var_t, var_lock_t) ++ dontaudit $1 var_t:file rw_file_perms; + ') + + ######################################## + ## +-## Create lock directories ++## Create, read, write, and delete files in the /var directory. + ## + ## +-## +-## Domain allowed access ++## ++## Domain allowed access. + ## + ## + # +-interface(`files_create_lock_dirs',` ++interface(`files_manage_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- create_dirs_pattern($1, var_lock_t, var_lock_t) ++ manage_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Relabel to and from all lock directory types. ++## Read symbolic links in the /var directory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_lock_dirs',` ++interface(`files_read_var_symlinks',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- relabel_dirs_pattern($1, lockfile, lockfile) ++ read_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Get the attributes of generic lock files. ++## Create, read, write, and delete symbolic ++## links in the /var directory. + ## + ## + ## +@@ -5769,41 +6192,50 @@ interface(`files_relabel_all_lock_dirs',` + ## + ## + # +-interface(`files_getattr_generic_locks',` ++interface(`files_manage_var_symlinks',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 var_lock_t:dir list_dir_perms; +- getattr_files_pattern($1, var_lock_t, var_lock_t) ++ manage_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Delete generic lock files. ++## Create objects in the /var directory + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`files_delete_generic_locks',` ++interface(`files_var_filetrans',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ filetrans_pattern($1, var_t, $2, $3, $4) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## lock files. ++## Get the attributes of the /var/lib directory. + ## + ## + ## +@@ -5811,65 +6243,69 @@ interface(`files_delete_generic_locks',` + ## + ## + # +-interface(`files_manage_generic_locks',` ++interface(`files_getattr_var_lib_dirs',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) +- manage_files_pattern($1, var_lock_t, var_lock_t) ++ getattr_dirs_pattern($1, var_t, var_lib_t) + ') + + ######################################## + ## +-## Delete all lock files. ++## Search the /var/lib directory. + ## ++## ++##

    ++## Search the /var/lib directory. This is ++## necessary to access files or directories under ++## /var/lib that have a private type. For example, a ++## domain accessing a private library file in the ++## /var/lib directory: ++##

    ++##

    ++## allow mydomain_t mylibfile_t:file read_file_perms; ++## files_search_var_lib(mydomain_t) ++##

    ++##     + ## + ## + ## Domain allowed access. + ## + ## +-## ++## + # +-interface(`files_delete_all_locks',` ++interface(`files_search_var_lib',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, lockfile, lockfile) ++ search_dirs_pattern($1, var_t, var_lib_t) + ') + + ######################################## + ## +-## Read all lock files. ++## Do not audit attempts to search the ++## contents of /var/lib. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## ++## + # +-interface(`files_read_all_locks',` ++interface(`files_dontaudit_search_var_lib',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_lib_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- allow $1 lockfile:dir list_dir_perms; +- read_files_pattern($1, lockfile, lockfile) +- read_lnk_files_pattern($1, lockfile, lockfile) ++ dontaudit $1 var_lib_t:dir search_dir_perms; + ') + + ######################################## + ## +-## manage all lock files. ++## List the contents of the /var/lib directory. + ## + ## + ## +@@ -5877,37 +6313,49 @@ interface(`files_read_all_locks',` + ## + ## + # +-interface(`files_manage_all_locks',` ++interface(`files_list_var_lib',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- manage_dirs_pattern($1, lockfile, lockfile) +- manage_files_pattern($1, lockfile, lockfile) +- manage_lnk_files_pattern($1, lockfile, lockfile) ++ list_dirs_pattern($1, var_t, var_lib_t) ++') ++ ++########################################### ++## ++## Read-write /var/lib directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ ++ rw_dirs_pattern($1, var_lib_t, var_lib_t) + ') + + ######################################## + ## +-## Create an object in the locks directory, with a private +-## type using a type transition. ++## Create objects in the /var/lib directory + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++## + ## +-## The type of the object to be created. ++## The type of the object to be created + ## + ## +-## ++## + ## +-## The object class of the object being created. ++## The object class. + ## + ## + ## +@@ -5916,39 +6364,37 @@ interface(`files_manage_all_locks',` + ##     + ## + # +-interface(`files_lock_filetrans',` ++interface(`files_var_lib_filetrans',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_lock_t, $2, $3, $4) ++ filetrans_pattern($1, var_lib_t, $2, $3, $4) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of the /var/run directory. ++## Read generic files in /var/lib. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_pid_dirs',` ++interface(`files_read_var_lib_files',` + gen_require(` +- type var_run_t; ++ type var_t, var_lib_t; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir getattr; ++ allow $1 var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + + ######################################## + ## +-## Set the attributes of the /var/run directory. ++## Read generic symbolic links in /var/lib + ## + ## + ## +@@ -5956,19 +6402,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` + ## + ## + # +-interface(`files_setattr_pid_dirs',` ++interface(`files_read_var_lib_symlinks',` + gen_require(` +- type var_run_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir setattr; ++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + + ######################################## + ## +-## Search the contents of runtime process +-## ID directories (/var/run). ++## manage generic symbolic links ++## in the /var/lib directory. + ## + ## + ## +@@ -5976,39 +6421,41 @@ interface(`files_setattr_pid_dirs',` + ## + ## + # +-interface(`files_search_pids',` ++interface(`files_manage_var_lib_symlinks',` + gen_require(` +- type var_t, var_run_t; ++ type var_lib_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- search_dirs_pattern($1, var_t, var_run_t) ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) + ') + ++# cjp: the next two interfaces really need to be fixed ++# in some way. They really neeed their own types. ++ + ######################################## + ## +-## Do not audit attempts to search +-## the /var/run directory. ++## Create, read, write, and delete the ++## pseudorandom number generator seed. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_pids',` ++interface(`files_manage_urandom_seed',` + gen_require(` +- type var_run_t; ++ type var_t, var_lib_t; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_lib_t, var_lib_t) + ') + + ######################################## + ## +-## List the contents of the runtime process +-## ID directories (/var/run). ++## Allow domain to manage mount tables ++## necessary for rpcd, nfsd, etc. + ## + ## + ## +@@ -6016,18 +6463,1012 @@ interface(`files_dontaudit_search_pids',` + ## + ## + # +-interface(`files_list_pids',` ++interface(`files_manage_mounttab',` ++ gen_require(` ++ type var_t, var_lib_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_lib_t, var_lib_t) ++') ++ ++######################################## ++## ++## List generic lock directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ list_dirs_pattern($1, var_t, var_lock_t) ++') ++ ++######################################## ++## ++## Search the locks directory (/var/lock). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ search_dirs_pattern($1, var_t, var_lock_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search the ++## locks directory (/var/lock). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_lock_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read/write inherited ++## locks (/var/lock). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_rw_inherited_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:file rw_inherited_file_perms; ++') + -+ files_search_tmp($1) -+ allow $1 tmp_t:dir rw_dir_perms; ++######################################## ++## ++## Set the attributes of the /var/lock directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_lock_dirs',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ allow $1 var_lock_t:dir setattr; +') + - ######################################## - ## - ## Remove entries from the tmp directory. -@@ -4343,6 +4878,7 @@ interface(`files_delete_tmp_dir_entry',` - type tmp_t; - ') - -+ files_search_tmp($1) - allow $1 tmp_t:dir del_entry_dir_perms; - ') - -@@ -4384,13 +4920,39 @@ interface(`files_manage_generic_tmp_dirs',` - - ######################################## - ## --## Manage temporary files and directories in /tmp. -+## Allow shared library text relocations in tmp files. - ## --## --## --## Domain allowed access. --## --## -+## -+##

    -+## Allow shared library text relocations in tmp files. -+##

    -+##

    -+## This is added to support java policy. -+##

    -+##     ++######################################## ++## ++## Add and remove entries in the /var/lock ++## directories. ++## +## +## +## Domain allowed access. +## +## +# -+interface(`files_execmod_tmp',` ++interface(`files_rw_lock_dirs',` + gen_require(` -+ attribute tmpfile; ++ type var_t, var_lock_t; + ') + -+ allow $1 tmpfile:file execmod; ++ files_search_locks($1) ++ rw_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## -+## Manage temporary files and directories in /tmp. ++## Create lock directories ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_create_lock_dirs',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ create_dirs_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Relabel to and from all lock directory types. +## +## +## +## Domain allowed access. +## +## - # - interface(`files_manage_generic_tmp_files',` - gen_require(` -@@ -4438,6 +5000,42 @@ interface(`files_rw_generic_tmp_sockets',` - - ######################################## - ## -+## Relabel a dir from the type used in /tmp. ++# ++interface(`files_relabel_all_lock_dirs',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ relabel_dirs_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Get the attributes of generic lock files. +## +## +## @@ -9418,17 +11862,19 @@ index 64ff4d7..8a9355a 100644 +## +## +# -+interface(`files_relabelfrom_tmp_dirs',` ++interface(`files_getattr_generic_locks',` + gen_require(` -+ type tmp_t; ++ type var_t, var_lock_t; + ') + -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ files_search_locks($1) ++ allow $1 var_lock_t:dir list_dir_perms; ++ getattr_files_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## -+## Relabel a file from the type used in /tmp. ++## Delete generic lock files. +## +## +## @@ -9436,425 +11882,458 @@ index 64ff4d7..8a9355a 100644 +## +## +# -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_delete_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ delete_files_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_locks',` + gen_require(` -+ type tmp_t; ++ type var_t, var_lock_t; + ') + -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++ files_search_locks($1) ++ manage_files_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## - ## Set the attributes of all tmp directories. - ## - ## -@@ -4456,6 +5054,60 @@ interface(`files_setattr_all_tmp_dirs',` - - ######################################## - ## -+## Allow caller to read inherited tmp files. ++## Delete all lock files. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`files_read_inherited_tmp_files',` ++interface(`files_delete_all_locks',` + gen_require(` -+ attribute tmpfile; ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ delete_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Read all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 lockfile:dir list_dir_perms; ++ read_files_pattern($1, lockfile, lockfile) ++ read_lnk_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## manage all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_dirs_pattern($1, lockfile, lockfile) ++ manage_files_pattern($1, lockfile, lockfile) ++ manage_lnk_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Create an object in the locks directory, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_lock_filetrans',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ filetrans_pattern($1, var_lock_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of the /var/run directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_getattr_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_run_t:dir getattr; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ allow $1 var_run_t:dir setattr; ++') ++ ++######################################## ++## ++## Search the contents of runtime process ++## ID directories (/var/run). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_pids',` ++ gen_require(` ++ type var_t, var_run_t; + ') + -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ search_dirs_pattern($1, var_t, var_run_t) ++') ++ ++###################################### ++## ++## Add and remove entries from pid directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:dir rw_dir_perms; ++') ++ ++####################################### ++## ++## Create generic pid directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_var_run_dirs',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir create_dir_perms; +') + +######################################## +## -+## Allow caller to append inherited tmp files. ++## Do not audit attempts to search ++## the /var/run directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_append_inherited_tmp_files',` ++interface(`files_dontaudit_search_pids',` + gen_require(` -+ attribute tmpfile; ++ type var_run_t; + ') + -+ allow $1 tmpfile:file append_inherited_file_perms; ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_run_t:dir search_dir_perms; +') + +######################################## +## -+## Allow caller to read and write inherited tmp files. ++## Do not audit attempts to search ++## the all /var/run directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_rw_inherited_tmp_file',` ++interface(`files_dontaudit_search_all_pids',` + gen_require(` -+ attribute tmpfile; ++ attribute pidfile; + ') + -+ allow $1 tmpfile:file rw_inherited_file_perms; ++ dontaudit $1 pidfile:dir search_dir_perms; +') + +######################################## +## - ## List all tmp directories. - ## - ## -@@ -4501,7 +5153,7 @@ interface(`files_relabel_all_tmp_dirs',` - ## - ## - ## --## Domain not to audit. -+## Domain to not audit. - ## - ## - # -@@ -4561,7 +5213,7 @@ interface(`files_relabel_all_tmp_files',` - ##     - ## - ## --## Domain not to audit. -+## Domain to not audit. - ## - ## - # -@@ -4593,6 +5245,44 @@ interface(`files_read_all_tmp_files',` - - ######################################## - ## -+## Do not audit attempts to read or write -+## all leaked tmpfiles files. ++## List the contents of the runtime process ++## ID directories (/var/run). +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_tmp_file_leaks',` ++interface(`files_list_pids',` + gen_require(` -+ attribute tmpfile; ++ type var_t, var_run_t; + ') + -+ dontaudit $1 tmpfile:file rw_inherited_file_perms; ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ list_dirs_pattern($1, var_t, var_run_t) +') + +######################################## +## -+## Do allow attempts to read or write -+## all leaked tmpfiles files. ++## Read generic process ID files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_rw_tmp_file_leaks',` ++interface(`files_read_generic_pids',` + gen_require(` -+ attribute tmpfile; ++ type var_t, var_run_t; + ') + -+ allow $1 tmpfile:file rw_inherited_file_perms; ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ list_dirs_pattern($1, var_t, var_run_t) ++ read_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## - ## Create an object in the tmp directories, with a private - ## type using a type transition. - ## -@@ -4646,6 +5336,16 @@ interface(`files_purge_tmp',` - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ delete_chr_files_pattern($1, tmpfile, tmpfile) -+ delete_blk_files_pattern($1, tmpfile, tmpfile) -+ files_list_isid_type_dirs($1) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) -+ files_delete_isid_type_symlinks($1) -+ files_delete_isid_type_fifo_files($1) -+ files_delete_isid_type_sock_files($1) -+ files_delete_isid_type_blk_files($1) -+ files_delete_isid_type_chr_files($1) - ') - - ######################################## -@@ -5223,6 +5923,24 @@ interface(`files_list_var',` - - ######################################## - ## -+## Do not audit listing of the var directory (/var). ++## Write named generic process ID pipes +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_list_var',` ++interface(`files_write_generic_pid_pipes',` + gen_require(` -+ type var_t; ++ type var_run_t; + ') + -+ dontaudit $1 var_t:dir list_dir_perms; ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ allow $1 var_run_t:fifo_file write; +') + +######################################## +## - ## Create, read, write, and delete directories - ## in the /var directory. - ## -@@ -5578,6 +6296,25 @@ interface(`files_read_var_lib_symlinks',` - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - -+######################################## -+## -+## manage generic symbolic links -+## in the /var/lib directory. ++## Create an object in the process ID directory, with a private type. +## ++## ++##

    ++## Create an object in the process ID directory (e.g., /var/run) ++## with a private type. Typically this is used for creating ++## private PID files in /var/run with the private type instead ++## of the general PID file type. To accomplish this goal, ++## either the program must be SELinux-aware, or use this interface. ++##

    ++##

    ++## Related interfaces: ++##

    ++##
      ++##
    • files_pid_file()
      • ++##
    ++##

    ++## Example usage with a domain that can create and ++## write its PID file with a private PID file type in the ++## /var/run directory: ++##

    ++##

    ++## type mypidfile_t; ++## files_pid_file(mypidfile_t) ++## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; ++## files_pid_filetrans(mydomain_t, mypidfile_t, file) ++##

    ++##     +## +## +## Domain allowed access. +## +## -+# -+interface(`files_manage_var_lib_symlinks',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) -+') -+ - # cjp: the next two interfaces really need to be fixed - # in some way. They really neeed their own types. - -@@ -5623,7 +6360,7 @@ interface(`files_manage_mounttab',` - - ######################################## - ## --## Set the attributes of the generic lock directories. -+## List generic lock directories. - ## - ## - ## -@@ -5631,12 +6368,13 @@ interface(`files_manage_mounttab',` - ## - ## - # --interface(`files_setattr_lock_dirs',` -+interface(`files_list_locks',` - gen_require(` - type var_t, var_lock_t; - ') - -- setattr_dirs_pattern($1, var_t, var_lock_t) -+ files_search_locks($1) -+ list_dirs_pattern($1, var_t, var_lock_t) - ') - - ######################################## -@@ -5654,6 +6392,7 @@ interface(`files_search_locks',` - type var_t, var_lock_t; - ') - -+ files_search_pids($1) - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) - ') -@@ -5680,7 +6419,26 @@ interface(`files_dontaudit_search_locks',` - - ######################################## - ## --## List generic lock directories. -+## Do not audit attempts to read/write inherited -+## locks (/var/lock). -+## -+## ++## +## -+## Domain to not audit. ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. +## +## ++## ++## ++## The name of the object being created. ++## ++## ++## +# -+interface(`files_dontaudit_rw_inherited_locks',` ++interface(`files_pid_filetrans',` + gen_require(` -+ type var_lock_t; ++ type var_t, var_run_t; + ') -+ -+ dontaudit $1 var_lock_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/lock directory. - ## - ## - ## -@@ -5688,13 +6446,12 @@ interface(`files_dontaudit_search_locks',` - ## - ## - # --interface(`files_list_locks',` -+interface(`files_setattr_lock_dirs',` - gen_require(` -- type var_t, var_lock_t; -+ type var_lock_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_lock_t:dir setattr; - ') - - ######################################## -@@ -5713,7 +6470,7 @@ interface(`files_rw_lock_dirs',` - type var_t, var_lock_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - rw_dirs_pattern($1, var_t, var_lock_t) - ') - -@@ -5746,7 +6503,6 @@ interface(`files_create_lock_dirs',` - ## Domain allowed access. - ##     - ## --## - # - interface(`files_relabel_all_lock_dirs',` - gen_require(` -@@ -5774,8 +6530,7 @@ interface(`files_getattr_generic_locks',` - type var_t, var_lock_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - allow $1 var_lock_t:dir list_dir_perms; - getattr_files_pattern($1, var_lock_t, var_lock_t) - ') -@@ -5791,13 +6546,12 @@ interface(`files_getattr_generic_locks',` - ## - # - interface(`files_delete_generic_locks',` -- gen_require(` -+ gen_require(` - type var_t, var_lock_t; -- ') -+ ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) -+ delete_files_pattern($1, var_lock_t, var_lock_t) - ') - - ######################################## -@@ -5816,9 +6570,7 @@ interface(`files_manage_generic_locks',` - type var_t, var_lock_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) - manage_files_pattern($1, var_lock_t, var_lock_t) - ') - -@@ -5860,8 +6612,7 @@ interface(`files_read_all_locks',` - type var_t, var_lock_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - allow $1 lockfile:dir list_dir_perms; - read_files_pattern($1, lockfile, lockfile) - read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6634,7 @@ interface(`files_manage_all_locks',` - type var_t, var_lock_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6671,7 @@ interface(`files_lock_filetrans',` - type var_t, var_lock_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - filetrans_pattern($1, var_lock_t, $2, $3, $4) - ') - -@@ -5985,6 +6734,43 @@ interface(`files_search_pids',` - search_dirs_pattern($1, var_t, var_run_t) - ') - -+###################################### ++ ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_run_t, $2, $3, $4) ++') ++ ++######################################## +## -+## Add and remove entries from pid directories. ++## Create a generic lock directory within the run directories +## +## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_pid_filetrans_lock_dir',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ files_pid_filetrans($1, var_lock_t, dir, $2) ++') ++ ++######################################## +## -+## Domain allowed access. ++## Read and write generic process ID files. +## ++## ++## ++## Domain allowed access. ++## +## +# -+interface(`files_rw_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') ++interface(`files_rw_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') + -+ allow $1 var_run_t:dir rw_dir_perms; ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ list_dirs_pattern($1, var_t, var_run_t) ++ rw_files_pattern($1, var_run_t, var_run_t) +') + -+####################################### ++######################################## +## -+## Create generic pid directory. ++## Do not audit attempts to get the attributes of ++## daemon runtime data files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain to not audit. ++## +## +# -+interface(`files_create_var_run_dirs',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') ++interface(`files_dontaudit_getattr_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_run_t; ++ ') + -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir create_dir_perms; ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 pidfile:file getattr; +') + - ######################################## - ## - ## Do not audit attempts to search -@@ -6007,6 +6793,25 @@ interface(`files_dontaudit_search_pids',` - - ######################################## - ## -+## Do not audit attempts to search -+## the all /var/run directory. ++######################################## ++## ++## Do not audit attempts to write to daemon runtime data files. +## +## +## @@ -9862,76 +12341,68 @@ index 64ff4d7..8a9355a 100644 +## +## +# -+interface(`files_dontaudit_search_all_pids',` ++interface(`files_dontaudit_write_all_pids',` + gen_require(` + attribute pidfile; + ') + -+ dontaudit $1 pidfile:dir search_dir_perms; ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 pidfile:file write; ++') ++ ++######################################## ++## ++## Do not audit attempts to ioctl daemon runtime data files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_ioctl_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 pidfile:file ioctl; +') + +######################################## +## - ## List the contents of the runtime process - ## ID directories (/var/run). - ## -@@ -6122,7 +6927,6 @@ interface(`files_pid_filetrans',` - ') - - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_run_t, $2, $3, $4) - ') - -@@ -6231,46 +7035,230 @@ interface(`files_dontaudit_ioctl_all_pids',` - - ######################################## - ## --## Read all process ID files. +## Relable all pid directories - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_read_all_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabel_all_pid_dirs',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + relabel_dirs_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Delete all process IDs. ++') ++ ++######################################## ++## +## Delete all pid sockets - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_delete_all_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_delete_all_pid_sockets',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; ++ gen_require(` ++ attribute pidfile; ++ ') ++ + allow $1 pidfile:sock_file delete_sock_file_perms; +') + @@ -10125,15 +12596,35 @@ index 64ff4d7..8a9355a 100644 + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) - delete_fifo_files_pattern($1, pidfile, pidfile) -@@ -6300,29 +7288,73 @@ interface(`files_delete_all_pid_dirs',` - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++') ++ ++######################################## ++## ++## Delete all process ID directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## +## Make the specified type a file +## used for spool files. +## @@ -10183,399 +12674,757 @@ index 64ff4d7..8a9355a 100644 +######################################## +## +## Create all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_spool_sockets',` + gen_require(` +- type var_t, var_run_t; ++ attribute spoolfile; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) ++ allow $1 spoolfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Read generic process ID files. ++## Delete all spool sockets ## ## ## --## Domain alloed access. -+## Domain allowed access. +@@ -6035,123 +7476,336 @@ interface(`files_list_pids',` ## ## # --interface(`files_manage_all_pids',` -+interface(`files_create_all_spool_sockets',` +-interface(`files_read_generic_pids',` ++interface(`files_delete_all_spool_sockets',` gen_require(` -- attribute pidfile; +- type var_t, var_run_t; + attribute spoolfile; ') -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 spoolfile:sock_file create_sock_file_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) ++ allow $1 spoolfile:sock_file delete_sock_file_perms; ') ######################################## ## --## Mount filesystems on all polyinstantiation --## member directories. -+## Delete all spool sockets +-## Write named generic process ID pipes ++## Relabel to and from all spool ++## directory types. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_write_generic_pid_pipes',` ++interface(`files_relabel_all_spool_dirs',` + gen_require(` +- type var_run_t; ++ attribute spoolfile; ++ type var_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; ++ relabel_dirs_pattern($1, spoolfile, spoolfile) + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. ++## Search the contents of generic spool ++## directories (/var/spool). ## +-## +-##

    +-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +-##

    +-##

    +-## Related interfaces: +-##

    +-##
      +-##
    • files_pid_file()
      • +-##
    +-##

    +-## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +-##

    +-##

    +-## type mypidfile_t; +-## files_pid_file(mypidfile_t) +-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +-## files_pid_filetrans(mydomain_t, mypidfile_t, file) +-##

    +-##     ## ## -@@ -6330,12 +7362,33 @@ interface(`files_manage_all_pids',` + ## Domain allowed access. + ## + ## +-## ++# ++interface(`files_search_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. ++## ++## + ## +-## The type of the object to be created. ++## Domain to not audit. ## ## - # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_spool_sockets',` - gen_require(` -- attribute polymember; -+ attribute spoolfile; - ') - -- allow $1 polymember:dir mounton; -+ allow $1 spoolfile:sock_file delete_sock_file_perms; +-## ++# ++interface(`files_dontaudit_search_spool',` ++ gen_require(` ++ type var_spool_t; ++ ') ++ ++ dontaudit $1 var_spool_t:dir search_dir_perms; +') + +######################################## +## -+## Relabel to and from all spool -+## directory types. ++## List the contents of generic spool ++## (/var/spool) directories. +## +## -+## + ## +-## The object class of the object being created. +## Domain allowed access. +## +## -+## +# -+interface(`files_relabel_all_spool_dirs',` ++interface(`files_list_spool',` + gen_require(` -+ attribute spoolfile; -+ type var_t; ++ type var_t, var_spool_t; + ') + -+ relabel_dirs_pattern($1, spoolfile, spoolfile) - ') - - ######################################## -@@ -6562,3 +7615,459 @@ interface(`files_unconfined',` - - typeattribute $1 files_unconfined_type; - ') ++ list_dirs_pattern($1, var_t, var_spool_t) ++') + +######################################## +## -+## Create a core files in / ++## Create, read, write, and delete generic ++## spool directories (/var/spool). +## -+## -+##

    -+## Create a core file in /, -+##

    -+##     +## +## +## Domain allowed access. +## +## -+## +# -+interface(`files_manage_root_files',` ++interface(`files_manage_generic_spool_dirs',` + gen_require(` -+ type root_t; ++ type var_t, var_spool_t; + ') + -+ manage_files_pattern($1, root_t, root_t) ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Create a default directory ++## Read generic spool files. +## -+## -+##

    -+## Create a default_t direcrory -+##

    -+##     +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## -+## +# -+interface(`files_create_default_dir',` -+ gen_require(` -+ type default_t; -+ ') ++interface(`files_read_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') + -+ allow $1 default_t:dir create; ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Create, default_t objects with an automatic -+## type transition. ++## Create, read, write, and delete generic ++## spool files. +## +## +## +## Domain allowed access. +## +## -+## -+## -+## The class of the object being created. -+## -+## +# -+interface(`files_root_filetrans_default',` -+ gen_require(` -+ type root_t, default_t; -+ ') ++interface(`files_manage_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') + -+ filetrans_pattern($1, root_t, default_t, $2) ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## manage generic symbolic links -+## in the /var/run directory. ++## Create objects in the spool directory ++## with a private type with a type transition. +## +## +## +## Domain allowed access. +## +## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. + ## + ## + ## + ## +-## The name of the object being created. ++## The name of the object being created. ++## ++## +# -+interface(`files_manage_generic_pids_symlinks',` ++interface(`files_spool_filetrans',` + gen_require(` -+ type var_run_t; ++ type var_t, var_spool_t; + ') + -+ manage_lnk_files_pattern($1,var_run_t,var_run_t) ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) +') + +######################################## +## -+## Do not audit attempts to getattr -+## all tmpfs files. ++## Allow access to manage all polyinstantiated ++## directories on the system. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_getattr_tmpfs_files',` ++interface(`files_polyinstantiate_all',` + gen_require(` -+ attribute tmpfsfile; ++ attribute polydir, polymember, polyparent; ++ type poly_t; + ') + -+ allow $1 tmpfsfile:file getattr; ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) ++ ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) ++ allow $1 polyparent:dir { getattr mounton }; ++ ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') +') + +######################################## +## -+## Allow read write all tmpfs files ++## Unconfined access to files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_rw_tmpfs_files',` ++interface(`files_unconfined',` + gen_require(` -+ attribute tmpfsfile; ++ attribute files_unconfined_type; + ') + -+ allow $1 tmpfsfile:file { read write }; ++ typeattribute $1 files_unconfined_type; +') + +######################################## +## -+## Do not audit attempts to read security files ++## Create a core files in / +## ++## ++##

    ++## Create a core file in /, ++##

    ++##     +## +## -+## Domain to not audit. -+## ++## Domain allowed access. + ##     + ## +-## ++## + # +-interface(`files_pid_filetrans',` ++interface(`files_manage_root_files',` + gen_require(` +- type var_t, var_run_t; ++ type root_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ manage_files_pattern($1, root_t, root_t) + ') + + ######################################## + ## +-## Create a generic lock directory within the run directories ++## Create a default directory + ## ++## ++##

    ++## Create a default_t direcrory ++##

    ++##     + ## +-## +-## Domain allowed access ++## ++## Domain allowed access. ++## +## ++## +# ++interface(`files_create_default_dir',` ++ gen_require(` ++ type default_t; ++ ') ++ ++ allow $1 default_t:dir create; ++') ++ ++######################################## ++## ++## Create, default_t objects with an automatic ++## type transition. ++## ++## ++## ++## Domain allowed access. + ## + ## +-## ++## + ## +-## The name of the object being created. ++## The class of the object being created. + ## + ## + # +-interface(`files_pid_filetrans_lock_dir',` +- gen_require(` +- type var_lock_t; +- ') ++interface(`files_root_filetrans_default',` ++ gen_require(` ++ type root_t, default_t; ++ ') + +- files_pid_filetrans($1, var_lock_t, dir, $2) ++ filetrans_pattern($1, root_t, default_t, $2) + ') + + ######################################## + ## +-## Read and write generic process ID files. ++## manage generic symbolic links ++## in the /var/run directory. + ## + ## + ## +@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',` + ## + ## + # +-interface(`files_rw_generic_pids',` ++interface(`files_manage_generic_pids_symlinks',` + gen_require(` +- type var_t, var_run_t; ++ type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- rw_files_pattern($1, var_run_t, var_run_t) ++ manage_lnk_files_pattern($1,var_run_t,var_run_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes of +-## daemon runtime data files. ++## Do not audit attempts to getattr ++## all tmpfs files. + ## + ## + ## +@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',` + ## + ## + # +-interface(`files_dontaudit_getattr_all_pids',` ++interface(`files_dontaudit_getattr_tmpfs_files',` + gen_require(` +- attribute pidfile; +- type var_run_t; ++ attribute tmpfsfile; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file getattr; ++ allow $1 tmpfsfile:file getattr; + ') + + ######################################## + ## +-## Do not audit attempts to write to daemon runtime data files. ++## Allow read write all tmpfs files + ## + ## + ## +@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',` + ## + ## + # +-interface(`files_dontaudit_write_all_pids',` ++interface(`files_rw_tmpfs_files',` + gen_require(` +- attribute pidfile; ++ attribute tmpfsfile; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file write; ++ allow $1 tmpfsfile:file { read write }; + ') + + ######################################## + ## +-## Do not audit attempts to ioctl daemon runtime data files. ++## Do not audit attempts to read security files + ## + ## + ## +@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',` + ## + ## + # +-interface(`files_dontaudit_ioctl_all_pids',` +interface(`files_dontaudit_read_security_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_run_t; + attribute security_file_type; -+ ') -+ + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file ioctl; + dontaudit $1 security_file_type:file read_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read all process ID files. +## rw any files inherited from another process -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +## +## +## Object type. +## +## -+# + # +-interface(`files_read_all_pids',` +interface(`files_rw_all_inherited_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; + attribute file_type; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process IDs. +## Allow any file point to be the entrypoint of this domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# + ## + ## + ## +@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',` + ## + ## + # +-interface(`files_delete_all_pids',` +interface(`files_entrypoint_all_files',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; + attribute file_type; -+ ') + ') +- +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + allow $1 file_type:file entrypoint; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process ID directories. +## Do not audit attempts to rw inherited file perms +## of non security files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_delete_all_pid_dirs',` +interface(`files_dontaudit_all_non_security_leaks',` -+ gen_require(` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; + attribute non_security_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Do not audit attempts to read or write +## all leaked files. -+## -+## -+## + ## + ## + ## +-## Domain alloed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_manage_all_pids',` +interface(`files_dontaudit_leaks',` -+ gen_require(` + gen_require(` +- attribute pidfile; + attribute file_type; -+ ') -+ + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Allow domain to create_file_ass all types -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_create_as_is_all_files',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute file_type; + class kernel_service create_files_as; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 file_type:kernel_service create_files_as; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). +## Do not audit attempts to check the +## access on all files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_search_spool',` +interface(`files_dontaudit_all_access_check',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute file_type; -+ ') -+ + ') + +- search_dirs_pattern($1, var_t, var_spool_t) + dontaudit $1 file_type:dir_file_class_set audit_access; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. +## Do not audit attempts to write to all files -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -6368,186 +8007,169 @@ interface(`files_search_spool',` + ## + ## + # +-interface(`files_dontaudit_search_spool',` +interface(`files_dontaudit_write_all_files',` -+ gen_require(` + gen_require(` +- type var_spool_t; + attribute file_type; -+ ') -+ + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; + dontaudit $1 file_type:dir_file_class_set write; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. +## Allow domain to delete to all files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_list_spool',` +interface(`files_delete_all_non_security_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute non_security_file_type; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). +## Transition named content in the var_run_t directory -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_filetrans_named_content',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type mnt_t; + type usr_t; + type var_t; + type tmp_t; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -10597,13 +13446,15 @@ index 64ff4d7..8a9355a 100644 + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## Make the specified type a +## base file. -+## + ## +-## +## +##

    +## Identify file type as base file type. Tools will use this attribute, @@ -10611,103 +13462,185 @@ index 64ff4d7..8a9355a 100644 +##

    +##     +## -+## + ## +-## Domain allowed access. +## Type to be used as a base files. -+## -+## + ## + ## +## -+# + # +-interface(`files_read_generic_spool',` +interface(`files_base_file',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_file_type; -+ ') + ') +- +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + files_type($1) + typeattribute $1 base_file_type; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## Make the specified type a +## base read only file. -+## + ## +-## +## +##

    +## Make the specified type readable for all domains. +##

    +##     +## -+## + ## +-## Domain allowed access. +## Type to be used as a base read only files. -+## -+## + ## + ## +## -+# + # +-interface(`files_manage_generic_spool',` +interface(`files_ro_base_file',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_ro_file_type; -+ ') + ') +- +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + files_base_file($1) + typeattribute $1 base_ro_file_type; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. +## Read all ro base files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +## -+# + # +-interface(`files_spool_filetrans',` +interface(`files_read_all_base_ro_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_ro_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3, $4) + list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) + read_files_pattern($1, base_ro_file_type, base_ro_file_type) + read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow access to manage all polyinstantiated +-## directories on the system. +## Execute all base ro files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`files_polyinstantiate_all',` +interface(`files_exec_all_base_ro_files',` -+ gen_require(` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; + attribute base_ro_file_type; -+ ') -+ + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) +- +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) +- ') + can_exec($1, base_ro_file_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unconfined access to files. +## Allow the specified domain to modify the systemd configuration of +## any file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',` + ## + ## + # +-interface(`files_unconfined',` +interface(`files_config_all_files',` -+ gen_require(` + gen_require(` +- attribute files_unconfined_type; + attribute file_type; -+ ') -+ + ') + +- typeattribute $1 files_unconfined_type; + allow $1 file_type:service all_service_perms; -+') + ') + diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 148d87a..822f6be 100644 @@ -23765,10 +26698,32 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..c0ec978 100644 +index 24e7804..f03be17 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if -@@ -106,6 +106,8 @@ interface(`init_domain',` +@@ -1,5 +1,21 @@ + ## System initialization programs (init and init scripts). + ++###################################### ++## ++## initrc stub interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`init_stub_initrc',` ++ gen_require(` ++ type initrc_t; ++ ') ++') ++ + ######################################## + ## + ## Create a file type used for init scripts. +@@ -106,6 +122,8 @@ interface(`init_domain',` role system_r types $1; domtrans_pattern(init_t, $2, $1) @@ -23777,7 +26732,7 @@ index 24e7804..c0ec978 100644 ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -192,50 +194,43 @@ interface(`init_ranged_domain',` +@@ -192,50 +210,43 @@ interface(`init_ranged_domain',` interface(`init_daemon_domain',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -23850,7 +26805,7 @@ index 24e7804..c0ec978 100644 ') ######################################## -@@ -283,17 +278,20 @@ interface(`init_daemon_domain',` +@@ -283,17 +294,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; @@ -23872,7 +26827,7 @@ index 24e7804..c0ec978 100644 ') ') -@@ -336,23 +334,19 @@ interface(`init_ranged_daemon_domain',` +@@ -336,23 +350,19 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -23903,7 +26858,7 @@ index 24e7804..c0ec978 100644 ') ######################################## -@@ -401,20 +395,41 @@ interface(`init_system_domain',` +@@ -401,20 +411,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -23945,7 +26900,7 @@ index 24e7804..c0ec978 100644 ######################################## ## ## Mark the file type as a daemon run dir, allowing initrc_t -@@ -469,7 +484,6 @@ interface(`init_domtrans',` +@@ -469,7 +500,6 @@ interface(`init_domtrans',` ## Domain allowed access. ## ## @@ -23953,7 +26908,7 @@ index 24e7804..c0ec978 100644 # interface(`init_exec',` gen_require(` -@@ -478,6 +492,48 @@ interface(`init_exec',` +@@ -478,6 +508,48 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -24002,7 +26957,7 @@ index 24e7804..c0ec978 100644 ') ######################################## -@@ -566,6 +622,58 @@ interface(`init_sigchld',` +@@ -566,6 +638,58 @@ interface(`init_sigchld',` ######################################## ## @@ -24061,7 +27016,7 @@ index 24e7804..c0ec978 100644 ## Connect to init with a unix socket. ## ## -@@ -576,10 +684,66 @@ interface(`init_sigchld',` +@@ -576,10 +700,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -24130,7 +27085,7 @@ index 24e7804..c0ec978 100644 ') ######################################## -@@ -743,22 +907,23 @@ interface(`init_write_initctl',` +@@ -743,22 +923,23 @@ interface(`init_write_initctl',` interface(`init_telinit',` gen_require(` type initctl_t; @@ -24163,7 +27118,7 @@ index 24e7804..c0ec978 100644 ') ######################################## -@@ -787,7 +952,7 @@ interface(`init_rw_initctl',` +@@ -787,7 +968,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -24172,7 +27127,7 @@ index 24e7804..c0ec978 100644 ## ## # -@@ -830,11 +995,12 @@ interface(`init_script_file_entry_type',` +@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -24187,7 +27142,7 @@ index 24e7804..c0ec978 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -845,11 +1011,11 @@ interface(`init_spec_domtrans_script',` +@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -24201,7 +27156,7 @@ index 24e7804..c0ec978 100644 ') ') -@@ -865,19 +1031,41 @@ interface(`init_spec_domtrans_script',` +@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -24247,7 +27202,7 @@ index 24e7804..c0ec978 100644 ') ######################################## -@@ -933,9 +1121,14 @@ interface(`init_script_file_domtrans',` +@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -24262,7 +27217,7 @@ index 24e7804..c0ec978 100644 files_search_etc($1) ') -@@ -1026,7 +1219,9 @@ interface(`init_ptrace',` +@@ -1026,7 +1235,9 @@ interface(`init_ptrace',` type init_t; ') @@ -24273,7 +27228,7 @@ index 24e7804..c0ec978 100644 ') ######################################## -@@ -1125,6 +1320,25 @@ interface(`init_getattr_all_script_files',` +@@ -1125,6 +1336,25 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -24299,7 +27254,7 @@ index 24e7804..c0ec978 100644 ## Read all init script files. ## ## -@@ -1144,6 +1358,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1374,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -24324,7 +27279,7 @@ index 24e7804..c0ec978 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1427,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1443,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -24338,7 +27293,7 @@ index 24e7804..c0ec978 100644 ') ######################################## -@@ -1440,6 +1667,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1683,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -24366,7 +27321,7 @@ index 24e7804..c0ec978 100644 ## init scripts over dbus. ## ## -@@ -1526,6 +1774,25 @@ interface(`init_getattr_script_status_files',` +@@ -1526,6 +1790,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -24392,17 +27347,26 @@ index 24e7804..c0ec978 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1584,6 +1851,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1584,21 +1867,39 @@ interface(`init_rw_script_tmp_files',` ######################################## ## +-## Create files in a init script +-## temporary data directory. +## Read and write init script inherited temporary data. -+## -+## -+## -+## Domain allowed access. -+## -+## + ##     + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created +-## +-## +-## +-## +# +interface(`init_rw_inherited_script_tmp_files',` + gen_require(` @@ -24414,19 +27378,32 @@ index 24e7804..c0ec978 100644 + +######################################## +## - ## Create files in a init script - ## temporary data directory. - ## -@@ -1656,11 +1941,48 @@ interface(`init_read_utmp',` ++## Create files in a init script ++## temporary data directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## + ## The object class. + ## + ## +@@ -1656,6 +1957,43 @@ interface(`init_read_utmp',` ######################################## ## --## Do not audit attempts to write utmp. +## Read utmp. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. +## +## @@ -24460,15 +27437,10 @@ index 24e7804..c0ec978 100644 + +######################################## +## -+## Do not audit attempts to write utmp. -+## -+## -+## -+## Domain to not audit. - ## - ## - # -@@ -1744,7 +2066,7 @@ interface(`init_dontaudit_rw_utmp',` + ## Do not audit attempts to write utmp. + ##     + ## +@@ -1744,7 +2082,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -24477,7 +27449,7 @@ index 24e7804..c0ec978 100644 ') ######################################## -@@ -1785,6 +2107,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1785,6 +2123,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -24611,7 +27583,7 @@ index 24e7804..c0ec978 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2268,283 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2284,283 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -24896,7 +27868,7 @@ index 24e7804..c0ec978 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..4d9b509 100644 +index dd3be8d..8913598 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -25134,7 +28106,7 @@ index dd3be8d..4d9b509 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +271,177 @@ ifdef(`distro_gentoo',` +@@ -186,29 +271,178 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -25245,6 +28217,7 @@ index dd3be8d..4d9b509 100644 +fs_mount_all_fs(init_t) +fs_unmount_all_fs(init_t) +fs_remount_all_fs(init_t) ++fs_list_all(init_t) +fs_list_auto_mountpoints(init_t) +fs_register_binary_executable_type(init_t) +fs_relabel_tmpfs_sock_file(init_t) @@ -25320,7 +28293,7 @@ index dd3be8d..4d9b509 100644 ') optional_policy(` -@@ -216,6 +449,27 @@ optional_policy(` +@@ -216,6 +450,27 @@ optional_policy(` ') optional_policy(` @@ -25348,7 +28321,7 @@ index dd3be8d..4d9b509 100644 unconfined_domain(init_t) ') -@@ -225,8 +479,9 @@ optional_policy(` +@@ -225,8 +480,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -25360,7 +28333,7 @@ index dd3be8d..4d9b509 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +512,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +513,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -25377,7 +28350,7 @@ index dd3be8d..4d9b509 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +537,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +538,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -25420,7 +28393,7 @@ index dd3be8d..4d9b509 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +574,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +575,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -25432,7 +28405,7 @@ index dd3be8d..4d9b509 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +586,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +587,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -25443,7 +28416,7 @@ index dd3be8d..4d9b509 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +597,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +598,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -25453,7 +28426,7 @@ index dd3be8d..4d9b509 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +606,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +607,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -25461,7 +28434,7 @@ index dd3be8d..4d9b509 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +613,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +614,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -25469,7 +28442,7 @@ index dd3be8d..4d9b509 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +621,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +622,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -25487,7 +28460,7 @@ index dd3be8d..4d9b509 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +639,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +640,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -25501,7 +28474,7 @@ index dd3be8d..4d9b509 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +654,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +655,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -25515,7 +28488,7 @@ index dd3be8d..4d9b509 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +667,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +668,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -25523,7 +28496,7 @@ index dd3be8d..4d9b509 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +679,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +680,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -25531,7 +28504,7 @@ index dd3be8d..4d9b509 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +698,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +699,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -25555,7 +28528,7 @@ index dd3be8d..4d9b509 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +731,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +732,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -25563,7 +28536,7 @@ index dd3be8d..4d9b509 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +765,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +766,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -25574,7 +28547,7 @@ index dd3be8d..4d9b509 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +789,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +790,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -25583,7 +28556,7 @@ index dd3be8d..4d9b509 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +804,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +805,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -25591,7 +28564,7 @@ index dd3be8d..4d9b509 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +825,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +826,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -25599,7 +28572,7 @@ index dd3be8d..4d9b509 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +835,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +836,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -25644,7 +28617,7 @@ index dd3be8d..4d9b509 100644 ') optional_policy(` -@@ -558,14 +880,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +881,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -25676,7 +28649,7 @@ index dd3be8d..4d9b509 100644 ') ') -@@ -576,6 +915,39 @@ ifdef(`distro_suse',` +@@ -576,6 +916,39 @@ ifdef(`distro_suse',` ') ') @@ -25716,7 +28689,7 @@ index dd3be8d..4d9b509 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +960,8 @@ optional_policy(` +@@ -588,6 +961,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -25725,7 +28698,7 @@ index dd3be8d..4d9b509 100644 ') optional_policy(` -@@ -609,6 +983,7 @@ optional_policy(` +@@ -609,6 +984,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -25733,7 +28706,7 @@ index dd3be8d..4d9b509 100644 ') optional_policy(` -@@ -625,6 +1000,17 @@ optional_policy(` +@@ -625,6 +1001,17 @@ optional_policy(` ') optional_policy(` @@ -25751,7 +28724,7 @@ index dd3be8d..4d9b509 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1027,13 @@ optional_policy(` +@@ -641,9 +1028,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -25765,7 +28738,7 @@ index dd3be8d..4d9b509 100644 ') optional_policy(` -@@ -656,15 +1046,11 @@ optional_policy(` +@@ -656,15 +1047,11 @@ optional_policy(` ') optional_policy(` @@ -25783,7 +28756,7 @@ index dd3be8d..4d9b509 100644 ') optional_policy(` -@@ -685,6 +1071,15 @@ optional_policy(` +@@ -685,6 +1072,15 @@ optional_policy(` ') optional_policy(` @@ -25799,7 +28772,7 @@ index dd3be8d..4d9b509 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1120,7 @@ optional_policy(` +@@ -725,6 +1121,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -25807,7 +28780,7 @@ index dd3be8d..4d9b509 100644 ') optional_policy(` -@@ -742,7 +1138,14 @@ optional_policy(` +@@ -742,7 +1139,14 @@ optional_policy(` ') optional_policy(` @@ -25822,7 +28795,7 @@ index dd3be8d..4d9b509 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1168,10 @@ optional_policy(` +@@ -765,6 +1169,10 @@ optional_policy(` ') optional_policy(` @@ -25833,7 +28806,7 @@ index dd3be8d..4d9b509 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1181,20 @@ optional_policy(` +@@ -774,10 +1182,20 @@ optional_policy(` ') optional_policy(` @@ -25854,7 +28827,7 @@ index dd3be8d..4d9b509 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1203,10 @@ optional_policy(` +@@ -786,6 +1204,10 @@ optional_policy(` ') optional_policy(` @@ -25865,7 +28838,7 @@ index dd3be8d..4d9b509 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1228,6 @@ optional_policy(` +@@ -807,8 +1229,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -25874,7 +28847,7 @@ index dd3be8d..4d9b509 100644 ') optional_policy(` -@@ -817,6 +1236,10 @@ optional_policy(` +@@ -817,6 +1237,10 @@ optional_policy(` ') optional_policy(` @@ -25885,7 +28858,7 @@ index dd3be8d..4d9b509 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1249,12 @@ optional_policy(` +@@ -826,10 +1250,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -25898,7 +28871,7 @@ index dd3be8d..4d9b509 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1281,27 @@ optional_policy(` +@@ -856,12 +1282,27 @@ optional_policy(` ') optional_policy(` @@ -25927,7 +28900,7 @@ index dd3be8d..4d9b509 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1311,18 @@ optional_policy(` +@@ -871,6 +1312,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -25946,7 +28919,7 @@ index dd3be8d..4d9b509 100644 ') optional_policy(` -@@ -886,6 +1338,10 @@ optional_policy(` +@@ -886,6 +1339,10 @@ optional_policy(` ') optional_policy(` @@ -25957,7 +28930,7 @@ index dd3be8d..4d9b509 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1352,185 @@ optional_policy(` +@@ -896,3 +1353,185 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -33494,10 +36467,10 @@ index 0000000..fc080a1 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..3932b82 +index 0000000..dd93187 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,636 @@ +@@ -0,0 +1,639 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -33533,6 +36506,7 @@ index 0000000..3932b82 + +type random_seed_t; +files_security_file(random_seed_t) ++files_mountpoint(random_seed_t) + +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components @@ -33826,6 +36800,7 @@ index 0000000..3932b82 +auth_manage_faillog(systemd_tmpfiles_t) +auth_relabel_faillog(systemd_tmpfiles_t) +auth_manage_var_auth(systemd_tmpfiles_t) ++auth_manage_login_records(systemd_tmpfiles_t) +auth_relabel_var_auth_dirs(systemd_tmpfiles_t) +auth_relabel_login_records(systemd_tmpfiles_t) +auth_setattr_login_records(systemd_tmpfiles_t) @@ -34076,6 +37051,7 @@ index 0000000..3932b82 +optional_policy(` + gnome_manage_usr_config(systemd_timedated_t) + gnome_manage_home_config(systemd_timedated_t) ++ gnome_manage_home_config_dirs(systemd_timedated_t) +') + +optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c1a9cc7..f271bb8 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -41758,7 +41758,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 44ad3b7..7508aef 100644 +index 44ad3b7..f675581 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -41797,7 +41797,17 @@ index 44ad3b7..7508aef 100644 ######################################## # -@@ -123,7 +124,6 @@ kernel_read_software_raid_state(nagios_t) +@@ -110,7 +111,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) + files_pid_filetrans(nagios_t, nagios_var_run_t, file) + + manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) +-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) ++manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) ++files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file}) + + manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) + manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) +@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) @@ -41805,7 +41815,7 @@ index 44ad3b7..7508aef 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,7 +143,6 @@ domain_read_all_domains_state(nagios_t) +@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -41813,7 +41823,7 @@ index 44ad3b7..7508aef 100644 files_search_spool(nagios_t) fs_getattr_all_fs(nagios_t) -@@ -153,8 +152,6 @@ auth_use_nsswitch(nagios_t) +@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) @@ -41822,7 +41832,7 @@ index 44ad3b7..7508aef 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -178,6 +175,7 @@ optional_policy(` +@@ -178,6 +176,7 @@ optional_policy(` # # CGI local policy # @@ -41830,7 +41840,7 @@ index 44ad3b7..7508aef 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -231,7 +229,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin +@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin kernel_read_kernel_sysctls(nrpe_t) kernel_read_software_raid_state(nrpe_t) @@ -41838,7 +41848,7 @@ index 44ad3b7..7508aef 100644 corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -253,7 +250,6 @@ domain_use_interactive_fds(nrpe_t) +@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) @@ -41846,7 +41856,7 @@ index 44ad3b7..7508aef 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,8 +258,6 @@ auth_use_nsswitch(nrpe_t) +@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) @@ -41855,7 +41865,7 @@ index 44ad3b7..7508aef 100644 userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` -@@ -310,15 +304,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -41874,7 +41884,7 @@ index 44ad3b7..7508aef 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,6 +339,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,6 +340,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) @@ -41882,7 +41892,7 @@ index 44ad3b7..7508aef 100644 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) -@@ -357,9 +352,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +353,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # @@ -41896,7 +41906,7 @@ index 44ad3b7..7508aef 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -411,6 +408,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -411,6 +409,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -41904,7 +41914,7 @@ index 44ad3b7..7508aef 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +418,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,10 +419,10 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -41917,7 +41927,7 @@ index 44ad3b7..7508aef 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -442,6 +440,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,6 +441,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -41932,7 +41942,7 @@ index 44ad3b7..7508aef 100644 ######################################## # # Unconfined plugin policy -@@ -450,3 +456,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t) +@@ -450,3 +457,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t) optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -50935,15 +50945,17 @@ index 977b972..0000000 -miscfiles_read_localization(pkcs_slotd_t) diff --git a/pkcsslotd.fc b/pkcsslotd.fc new file mode 100644 -index 0000000..dd1b8f2 +index 0000000..38fa01d --- /dev/null +++ b/pkcsslotd.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0) + +/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0) + +/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0) ++ ++/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0) diff --git a/pkcsslotd.if b/pkcsslotd.if new file mode 100644 index 0000000..848ddc9 @@ -51107,10 +51119,10 @@ index 0000000..848ddc9 +') diff --git a/pkcsslotd.te b/pkcsslotd.te new file mode 100644 -index 0000000..d6d79b9 +index 0000000..f788d35 --- /dev/null +++ b/pkcsslotd.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,66 @@ +policy_module(pkcsslotd, 1.0.0) + +######################################## @@ -51125,6 +51137,9 @@ index 0000000..d6d79b9 +type pkcsslotd_var_lib_t; +files_type(pkcsslotd_var_lib_t) + ++type pkcsslotd_lock_t; ++files_lock_file(pkcsslotd_lock_t) ++ +type pkcsslotd_unit_file_t; +systemd_unit_file(pkcsslotd_unit_file_t) + @@ -51142,14 +51157,16 @@ index 0000000..d6d79b9 +# pkcsslotd local policy +# + -+allow pkcsslotd_t self:capability { kill }; -+allow pkcsslotd_t self:process { fork }; ++allow pkcsslotd_t self:capability { chown kill }; + +allow pkcsslotd_t self:fifo_file rw_fifo_file_perms; +allow pkcsslotd_t self:sem create_sem_perms; +allow pkcsslotd_t self:shm create_shm_perms; +allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t) ++files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, file) ++ +manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t) +manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t) +files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir }) @@ -51169,6 +51186,7 @@ index 0000000..d6d79b9 + +domain_use_interactive_fds(pkcsslotd_t) + ++auth_read_passwd(pkcsslotd_t) + +logging_send_syslog_msg(pkcsslotd_t) diff --git a/pki.fc b/pki.fc @@ -68802,12 +68820,28 @@ index d25301b..d92f567 100644 /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/rsync.if b/rsync.if -index f1140ef..c5bd83a 100644 +index f1140ef..ebc2190 100644 --- a/rsync.if +++ b/rsync.if -@@ -1,16 +1,16 @@ +@@ -1,16 +1,32 @@ -## Fast incremental file transfer for synchronization. +## Fast incremental file transfer for synchronization ++ ++####################################### ++## ++## Sendmail stub interface. No access allowed. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sendmail_stub',` ++gen_require(` ++type sendmail_t; ++') ++') ######################################## ## @@ -68827,7 +68861,7 @@ index f1140ef..c5bd83a 100644 interface(`rsync_entry_type',` gen_require(` type rsync_exec_t; -@@ -43,14 +43,13 @@ interface(`rsync_entry_type',` +@@ -43,14 +59,13 @@ interface(`rsync_entry_type',` ## Domain to transition to. ## ## @@ -68844,7 +68878,7 @@ index f1140ef..c5bd83a 100644 ') ######################################## -@@ -77,76 +76,31 @@ interface(`rsync_entry_spec_domtrans',` +@@ -77,76 +92,31 @@ interface(`rsync_entry_spec_domtrans',` ## Domain to transition to. ## ## @@ -68924,7 +68958,7 @@ index f1140ef..c5bd83a 100644 can_exec($1, rsync_exec_t) ') -@@ -165,13 +119,13 @@ interface(`rsync_read_config',` +@@ -165,13 +135,13 @@ interface(`rsync_read_config',` type rsync_etc_t; ') @@ -68940,7 +68974,7 @@ index f1140ef..c5bd83a 100644 ##     ## ## -@@ -179,19 +133,18 @@ interface(`rsync_read_config',` +@@ -179,19 +149,18 @@ interface(`rsync_read_config',` ## ## # @@ -68965,7 +68999,7 @@ index f1140ef..c5bd83a 100644 ##     ## ## -@@ -199,83 +152,54 @@ interface(`rsync_write_config',` +@@ -199,83 +168,54 @@ interface(`rsync_write_config',` ## ## # @@ -73692,7 +73726,7 @@ index d14b6bf..da5d41d 100644 +/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) diff --git a/sendmail.if b/sendmail.if -index 88e753f..ca74cd9 100644 +index 88e753f..e25aecc 100644 --- a/sendmail.if +++ b/sendmail.if @@ -1,4 +1,4 @@ @@ -73701,6 +73735,15 @@ index 88e753f..ca74cd9 100644 ######################################## ## +@@ -10,7 +10,7 @@ + ## + ## + # +-interface(`sendmail_stub',` ++interface(`rsync_stub',` + gen_require(` + type sendmail_t; + ') @@ -18,7 +18,8 @@ interface(`sendmail_stub',` ######################################## @@ -75903,10 +75946,14 @@ index 0000000..92c3638 + +sysnet_dns_name_resolve(smsd_t) diff --git a/snmp.fc b/snmp.fc -index c73fa24..d852517 100644 +index c73fa24..9018dbc 100644 --- a/snmp.fc +++ b/snmp.fc -@@ -13,6 +13,8 @@ +@@ -10,9 +10,12 @@ + + /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) ++/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) @@ -79007,6 +79054,53 @@ index 0000000..39f1ca1 +libs_exec_ldconfig(swift_t) + +logging_send_syslog_msg(swift_t) +diff --git a/swift_alias.fc b/swift_alias.fc +new file mode 100644 +index 0000000..b7db254 +--- /dev/null ++++ b/swift_alias.fc +@@ -0,0 +1 @@ ++# Empty +diff --git a/swift_alias.if b/swift_alias.if +new file mode 100644 +index 0000000..3fed1a3 +--- /dev/null ++++ b/swift_alias.if +@@ -0,0 +1,2 @@ ++ ++## swift_alias policy module +diff --git a/swift_alias.te b/swift_alias.te +new file mode 100644 +index 0000000..6e39c4f +--- /dev/null ++++ b/swift_alias.te +@@ -0,0 +1,26 @@ ++policy_module(swift_alias, 1.0.0) ++ ++# ++# swift_alias.pp policy replaces swift.pp policy ++# which is a part of openstack-selinux.rpm package ++# ++ ++######################################## ++# ++# Declarations ++# ++ ++#call stub interfaces for basic types ++init_stub_initrc() ++corecmd_stub_bin() ++files_stub_var_run() ++files_stub_var() ++systemd_stub_unit_file() ++ ++typealias initrc_t alias swift_t; ++typealias bin_t alias swift_exec_t; ++typealias var_run_t alias swift_var_run_t; ++typealias systemd_unit_file_t alias swift_unit_file_t; ++typealias var_t alias swift_data_t; ++ ++ diff --git a/sxid.te b/sxid.te index c9824cb..1973f71 100644 --- a/sxid.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 0755c7e..e4e0c82 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 21%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -526,6 +526,22 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 18 2013 Miroslav Grepl 3.12.1-22 +- Allow nagios to manage nagios spool files +- /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6 +- Add swift_alias.* policy files which contain typealiases for swift types +- Add support for /run/lock/opencryptoki +- Allow pkcsslotd chown capability +- Allow pkcsslotd to read passwd +- Add rsync_stub() interface +- Allow systemd_timedate also manage gnome config homedirs +- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t +- Fix filetrans rules for kdm creates .xsession-errors +- Allow sytemd_tmpfiles to create wtmp file +- Really should not label content under /var/lock, since it could have labels on it different from var_lock_t +- Allow systemd to list all file system directories +- Add some basic stub interfaces which will be used in PRODUCT policies + * Wed Mar 13 2013 Miroslav Grepl 3.12.1-21 - Fix log transition rule for cluster domains - Start to group all cluster log together