diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ac008ee..1159097 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -689,7 +689,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index 28802c5..88519a9 100644 +index 28802c5..fdcb9a7 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -710,7 +710,7 @@ index 28802c5..88519a9 100644 + undefined + enable + disable -+ reload ++ reload } # @@ -5470,7 +5470,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..9455a13 100644 +index 4edc40d..cc71e95 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5723,7 +5723,7 @@ index 4edc40d..9455a13 100644 network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) -+network_port(quantum, tcp,9696,s0) ++network_port(neutron, tcp,9696,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) @@ -5819,7 +5819,7 @@ index 4edc40d..9455a13 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +400,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +400,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -5846,6 +5846,10 @@ index 4edc40d..9455a13 100644 +allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; +allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress }; +allow netlabel_peer_t node_t:node recvfrom; ++ ++typealias neutron_port_t alias quantum_port_t; ++typealias neutron_server_packet_t alias quantum_server_packet_t; ++typealias neutron_client_packet_t alias quantum_client_packet_t; diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index 3f6e168..51ad69a 100644 --- a/policy/modules/kernel/corenetwork.te.m4 @@ -9245,7 +9249,7 @@ index cf04cb5..369ddc2 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..d14e35b 100644 +index c2c6e05..058bb58 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9281,7 +9285,7 @@ index c2c6e05..d14e35b 100644 /etc/.* gen_context(system_u:object_r:etc_t,s0) /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -52,13 +53,16 @@ ifdef(`distro_suse',` +@@ -52,13 +53,17 @@ ifdef(`distro_suse',` /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) 
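Review bot: The three `typealias neutron_*_t alias quantum_*_t` lines at the end of the corenetwork.te.in hunk carry no explanation of why the quantum names survive, while the `network_port(quantum, ...)` → `network_port(neutron, ...)` rename that motivates them sits in a separate hunk of the same file further up. A one-line comment above them, `# compatibility aliases: quantum was renamed to neutron, keep the old type names resolvable`, ties the two hunks together for the next reader. The alias targets are the port and packet types the network_port macro derives from the new name, so they should resolve once that hunk is applied; the header change to +400,28 is consistent with the four added lines.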
@@ -9300,10 +9304,11 @@ index c2c6e05..d14e35b 100644 +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/yum\.repos\.d/redhat\.repo -- gen_context(system_u:object_r:system_conf_t,s0) /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) -@@ -70,7 +74,10 @@ ifdef(`distro_suse',` +@@ -70,7 +75,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -9315,7 +9320,7 @@ index c2c6e05..d14e35b 100644 ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -78,10 +85,6 @@ ifdef(`distro_gentoo', ` +@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', ` /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -9326,7 +9331,7 @@ index c2c6e05..d14e35b 100644 ifdef(`distro_suse',` /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -104,7 +107,7 @@ HOME_ROOT/lost\+found/.* <> +@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) # @@ -9335,7 +9340,7 @@ index c2c6e05..d14e35b 100644 # /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) -@@ -129,6 +132,8 @@ ifdef(`distro_debian',` +@@ -129,6 +133,8 @@ ifdef(`distro_debian',` /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /media/[^/]*/.* <> /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) @@ -9344,7 +9349,7 @@ index c2c6e05..d14e35b 100644 # # /misc -@@ -150,10 +155,10 @@ ifdef(`distro_debian',` +@@ -150,10 +156,10 @@ ifdef(`distro_debian',` # # /opt # 
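Review bot: Labeling `/etc/yum\.repos\.d/redhat\.repo -- gen_context(system_u:object_r:system_conf_t,s0)` places a package-source definition into a type that the files.te hunk below describes as "created by several domains", so every domain already granted write access to system_conf_t can now alter where packages are fetched from. The matching named transition `filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")` in the files.if hunk that ends with the system-config-firewall transitions is consistent with this entry, but neither hunk records the widened reach. The comment block over system_conf_t in files.te should say that the type also covers yum repository configuration so that future grants of write access to it are reviewed with package integrity in mind, and it is worth confirming that the current set of writers is meant to include repo definitions.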
@@ -9357,7 +9362,7 @@ index c2c6e05..d14e35b 100644 # # /proc -@@ -161,6 +166,12 @@ ifdef(`distro_debian',` +@@ -161,6 +167,12 @@ ifdef(`distro_debian',` /proc -d <> /proc/.* <> @@ -9370,7 +9375,7 @@ index c2c6e05..d14e35b 100644 # # /run # -@@ -169,6 +180,7 @@ ifdef(`distro_debian',` +@@ -169,6 +181,7 @@ ifdef(`distro_debian',` /run/.*\.*pid <> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) @@ -9378,7 +9383,7 @@ index c2c6e05..d14e35b 100644 # # /selinux # -@@ -178,13 +190,14 @@ ifdef(`distro_debian',` +@@ -178,13 +191,14 @@ ifdef(`distro_debian',` # # /srv # @@ -9395,7 +9400,7 @@ index c2c6e05..d14e35b 100644 /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +207,10 @@ ifdef(`distro_debian',` +@@ -194,9 +208,10 @@ ifdef(`distro_debian',` # # /usr # @@ -9407,7 +9412,7 @@ index c2c6e05..d14e35b 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +218,9 @@ ifdef(`distro_debian',` +@@ -204,15 +219,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9424,7 +9429,7 @@ index c2c6e05..d14e35b 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +228,6 @@ ifdef(`distro_debian',` +@@ -220,8 +229,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9433,7 +9438,7 @@ index c2c6e05..d14e35b 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +235,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +236,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9442,7 +9447,7 @@ index c2c6e05..d14e35b 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +243,24 @@ ifndef(`distro_redhat',` +@@ -237,11 +244,24 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
@@ -9468,7 +9473,7 @@ index c2c6e05..d14e35b 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +275,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +276,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9483,14 +9488,14 @@ index c2c6e05..d14e35b 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +291,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +292,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..4adeb32 100644 +index 64ff4d7..5a0a4ea 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10398,11 +10403,13 @@ index 64ff4d7..4adeb32 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3701,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3205,6 +3698,62 @@ interface(`files_delete_isid_type_dirs',` - ######################################## - ## -+## Relabelfrom all file opbjects on new filesystems + delete_dirs_pattern($1, file_t, file_t) + ') ++######################################## ++## ++## Execute files on new filesystems +## that have not yet been labeled. +## +## 
@@ -10411,25 +10418,18 @@ index 64ff4d7..4adeb32 100644 +## +## +# -+interface(`files_relabelfrom_isid_type',` ++interface(`files_exec_isid_files',` + gen_require(` + type file_t; + ') + -+ dontaudit $1 file_t:dir_file_class_set relabelfrom; ++ can_exec($1, file_t) +') + +######################################## +## - ## Create, read, write, and delete directories - ## on new filesystems that have not yet been labeled. - ## -@@ -3455,6 +3967,25 @@ interface(`files_rw_isid_type_blk_files',` - - ######################################## - ## -+## rw any files inherited from another process -+## on new filesystems that have not yet been labeled. ++## Moundon directories on new filesystems ++## that have not yet been labeled. +## +## +## 
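Review bot: The summary of the new `files_mounton_isid` interface reads `## Moundon directories on new filesystems` and should be `## Mount on directories on new filesystems`; the relocated `files_relabelfrom_isid_type` block in the next hunk keeps the older `opbjects` misspelling, which could be corrected at the same time (`## Relabelfrom all file objects on new filesystems`). `files_exec_isid_files` grants `can_exec($1, file_t)`, i.e. execution of content on filesystems that have not been labeled yet; a sentence in its description stating that callers should be limited to domains that genuinely need to run binaries from such filesystems would help whoever reviews future callers. The definition of files_mounton_isid starts in this hunk and its body continues in the following one.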
@@ -10437,20 +10437,94 @@ index 64ff4d7..4adeb32 100644 +## +## +# -+interface(`files_rw_inherited_isid_type_files',` ++interface(`files_mounton_isid',` + gen_require(` + type file_t; + ') + -+ allow $1 file_t:file rw_inherited_file_perms; ++ allow $1 file_t:dir mounton; +') + +######################################## +## - ## Create, read, write, and delete block device nodes ++## Relabelfrom all file opbjects on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_isid_type',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ dontaudit $1 file_t:dir_file_class_set relabelfrom; ++') + + ######################################## + ## +@@ -3455,7 +4004,7 @@ interface(`files_rw_isid_type_blk_files',` + + ######################################## + ## +-## Create, read, write, and delete block device nodes ++## rw any files inherited from another process ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4327,38 @@ interface(`files_list_mnt',` + ## +@@ -3464,17 +4013,17 @@ interface(`files_rw_isid_type_blk_files',` + ## + ## + # +-interface(`files_manage_isid_type_blk_files',` ++interface(`files_rw_inherited_isid_type_files',` + gen_require(` + type file_t; + ') + +- allow $1 file_t:blk_file manage_blk_file_perms; ++ allow $1 file_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete character device nodes ++## Create, read, write, and delete block device nodes + ## on new filesystems that have not yet been labeled. 
+ ## + ## +@@ -3483,7 +4032,26 @@ interface(`files_manage_isid_type_blk_files',` + ## + ## + # +-interface(`files_manage_isid_type_chr_files',` ++interface(`files_manage_isid_type_blk_files',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ allow $1 file_t:blk_file manage_blk_file_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete character device nodes ++## on new filesystems that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_isid_type_chr_files',` + gen_require(` + type file_t; + ') +@@ -3796,20 +4364,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -10494,20 +10568,14 @@ index 64ff4d7..4adeb32 100644 ') ######################################## -@@ -4199,14 +4748,178 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,6 +4785,171 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') --######################################## +####################################### - ## --## Allow the specified type to associate --## to a filesystem with the type of the --## temporary directory (/tmp). ++## +## Read manageable system configuration files in /etc - ## --## --## ++## +## +## +## Domain allowed access. @@ -10572,6 +10640,7 @@ index 64ff4d7..4adeb32 100644 + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config") + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old") ++ filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") +') 
@@ -10668,18 +10737,10 @@ index 64ff4d7..4adeb32 100644 + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") +') + -+######################################## -+## -+## Allow the specified type to associate -+## to a filesystem with the type of the -+## temporary directory (/tmp). -+## -+## -+## - ## Type of the file to associate. - ## - ## -@@ -4221,6 +4934,26 @@ interface(`files_associate_tmp',` + ######################################## + ## + ## Allow the specified type to associate +@@ -4221,6 +4972,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -10706,7 +10767,7 @@ index 64ff4d7..4adeb32 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4234,17 +4967,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4234,17 +5005,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -10745,7 +10806,7 @@ index 64ff4d7..4adeb32 100644 ## ## # -@@ -4271,6 +5024,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +5062,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -10753,7 +10814,7 @@ index 64ff4d7..4adeb32 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +5061,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +5099,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -10761,7 +10822,7 @@ index 64ff4d7..4adeb32 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +5071,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +5109,7 @@ interface(`files_list_tmp',` ## ## ## @@ -10770,7 +10831,7 @@ index 64ff4d7..4adeb32 100644 ## ## # -@@ -4328,6 +5083,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +5121,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -10796,7 +10857,7 @@ index 64ff4d7..4adeb32 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4343,6 +5117,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +5155,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') 
@@ -10804,7 +10865,7 @@ index 64ff4d7..4adeb32 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4384,6 +5159,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,6 +5197,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -10837,7 +10898,7 @@ index 64ff4d7..4adeb32 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4438,6 +5239,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4438,6 +5277,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -10880,7 +10941,7 @@ index 64ff4d7..4adeb32 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4456,6 +5293,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4456,6 +5331,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -10941,7 +11002,7 @@ index 64ff4d7..4adeb32 100644 ## List all tmp directories. ## ## -@@ -4501,7 +5392,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4501,7 +5430,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -10950,7 +11011,7 @@ index 64ff4d7..4adeb32 100644 ## ## # -@@ -4561,7 +5452,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4561,7 +5490,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -10959,18 +11020,22 @@ index 64ff4d7..4adeb32 100644 ## ## # -@@ -4593,6 +5484,44 @@ interface(`files_read_all_tmp_files',` +@@ -4593,15 +5522,53 @@ interface(`files_read_all_tmp_files',` ######################################## ## +-## Create an object in the tmp directories, with a private +-## type using a type transition. +## Do not audit attempts to read or write +## all leaked tmpfiles files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## + ## + ## +-## +# +interface(`files_dontaudit_tmp_file_leaks',` + gen_require(` 
@@ -11001,10 +11066,19 @@ index 64ff4d7..4adeb32 100644 + +######################################## +## - ## Create an object in the tmp directories, with a private - ## type using a type transition. - ## -@@ -4646,6 +5575,16 @@ interface(`files_purge_tmp',` ++## Create an object in the tmp directories, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## + ## + ## The type of the object to be created. + ## +@@ -4646,6 +5613,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -11021,17 +11095,14 @@ index 64ff4d7..4adeb32 100644 ') ######################################## -@@ -5223,12 +6162,30 @@ interface(`files_list_var',` +@@ -5223,6 +6200,24 @@ interface(`files_list_var',` ######################################## ## --## Create, read, write, and delete directories --## in the /var directory. +## Do not audit listing of the var directory (/var). - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. +## +## @@ -11046,16 +11117,10 @@ index 64ff4d7..4adeb32 100644 + +######################################## +## -+## Create, read, write, and delete directories -+## in the /var directory. -+## -+## -+## -+## Domain allowed access. - ## - ## - # -@@ -5578,6 +6535,25 @@ interface(`files_read_var_lib_symlinks',` + ## Create, read, write, and delete directories + ## in the /var directory. + ## +@@ -5578,6 +6573,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11081,7 +11146,7 @@ index 64ff4d7..4adeb32 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6599,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6637,7 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -11090,7 +11155,7 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -5631,12 +6607,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6645,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11106,7 +11171,7 @@ index 64ff4d7..4adeb32 100644 ') ######################################## -@@ -5654,6 +6631,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6669,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11114,7 +11179,7 @@ index 64ff4d7..4adeb32 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6658,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6696,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11142,7 +11207,7 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -5688,13 +6685,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6723,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11159,7 +11224,7 @@ index 64ff4d7..4adeb32 100644 ') ######################################## -@@ -5713,7 +6709,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6747,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11168,7 +11233,7 @@ index 64ff4d7..4adeb32 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6742,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6780,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11176,7 +11241,7 @@ index 64ff4d7..4adeb32 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5761,7 +6756,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5761,7 +6794,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11185,7 +11250,7 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -5769,13 +6764,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,13 +6802,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # 
@@ -11220,7 +11285,7 @@ index 64ff4d7..4adeb32 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6806,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6844,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11238,7 +11303,7 @@ index 64ff4d7..4adeb32 100644 ') ######################################## -@@ -5816,9 +6830,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6868,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11249,7 +11314,7 @@ index 64ff4d7..4adeb32 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6872,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6910,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11259,7 +11324,7 @@ index 64ff4d7..4adeb32 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6894,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6932,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11269,7 +11334,7 @@ index 64ff4d7..4adeb32 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6931,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6969,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11279,7 +11344,7 @@ index 64ff4d7..4adeb32 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5961,7 +6970,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +7008,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11288,7 +11353,7 @@ index 64ff4d7..4adeb32 100644 allow $1 var_run_t:dir setattr; ') -@@ -5981,10 +6990,48 @@ interface(`files_search_pids',` +@@ -5981,10 +7028,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -11337,7 +11402,7 @@ index 64ff4d7..4adeb32 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +7054,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +7092,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -11363,7 +11428,7 @@ index 64ff4d7..4adeb32 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6021,7 +7087,7 @@ interface(`files_list_pids',` +@@ -6021,7 +7125,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -11372,7 +11437,7 @@ index 64ff4d7..4adeb32 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6040,7 +7106,7 @@ interface(`files_read_generic_pids',` +@@ -6040,7 +7144,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -11381,7 +11446,7 @@ index 64ff4d7..4adeb32 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6060,7 +7126,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7164,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11390,7 +11455,7 @@ index 64ff4d7..4adeb32 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6122,7 +7188,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7226,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11398,7 +11463,7 @@ index 64ff4d7..4adeb32 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6151,6 +7216,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6151,6 +7254,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11423,7 +11488,7 @@ index 64ff4d7..4adeb32 100644 ## Read and write generic process ID files. ## ## -@@ -6164,7 +7247,7 @@ interface(`files_rw_generic_pids',` +@@ -6164,7 +7285,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') 
@@ -11432,7 +11497,7 @@ index 64ff4d7..4adeb32 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6231,55 +7314,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +7352,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -11495,7 +11560,7 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -6287,42 +7358,35 @@ interface(`files_delete_all_pids',` +@@ -6287,42 +7396,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -11545,7 +11610,7 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -6330,18 +7394,18 @@ interface(`files_manage_all_pids',` +@@ -6330,18 +7432,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -11569,7 +11634,7 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -6349,37 +7413,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6349,37 +7451,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -11621,7 +11686,7 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -6387,18 +7454,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6387,18 +7492,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -11644,7 +11709,7 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -6406,18 +7472,18 @@ interface(`files_list_spool',` +@@ -6406,18 +7510,18 @@ interface(`files_list_spool',` ## ## # @@ -11668,7 +11733,7 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -6425,19 +7491,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6425,19 +7529,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # 
@@ -11693,55 +11758,32 @@ index 64ff4d7..4adeb32 100644 ## ## ## -@@ -6445,45 +7510,312 @@ interface(`files_read_generic_spool',` +@@ -6445,7 +7548,274 @@ interface(`files_read_generic_spool',` ## ## # -interface(`files_manage_generic_spool',` +interface(`files_mounton_all_poly_members',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute polymember; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + allow $1 polymember:dir mounton; - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. ++') ++ ++######################################## ++## +## Delete all process IDs. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## --## --## The name of the object being created. --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_spool_filetrans',` ++# +interface(`files_delete_all_pids',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; + ') 
@@ -11989,48 +12031,10 @@ index 64ff4d7..4adeb32 100644 +## +# +interface(`files_manage_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create objects in the spool directory -+## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Type to which the created node will be transitioned. -+## -+## -+## -+## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_spool_filetrans',` -+ gen_require(` -+ type var_t, var_spool_t; + gen_require(` + type var_t, var_spool_t; ') - - allow $1 var_t:dir search_dir_perms; -@@ -6562,3 +7894,491 @@ interface(`files_unconfined',` +@@ -6562,3 +7932,491 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -12523,7 +12527,7 @@ index 64ff4d7..4adeb32 100644 + allow $1 etc_t:service status; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 148d87a..15e8466 100644 +index 148d87a..ccbcb66 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.17.5) @@ -12572,14 +12576,14 @@ index 148d87a..15e8466 100644 +# created by several domains. +# +type system_conf_t, configfile; -+files_type(system_conf_t) ++files_ro_base_file(system_conf_t) +# compatibility aliases for removed type: +typealias system_conf_t alias iptables_conf_t; + +# system_db_t is a new type of various +# db files. +type system_db_t; -+files_type(system_db_t) ++files_ro_base_file(system_db_t) + # # etc_runtime_t is the type of various @@ -14168,10 +14172,10 @@ index 8416beb..c6cd3eb 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') 
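Review bot: system_conf_t and system_db_t switch from `files_type(...)` to `files_ro_base_file(...)`, yet the comment two lines above still describes system_conf_t as "created by several domains", and nothing explains what the new attribute implies for a type that is written by more than one domain. files_ro_base_file is not defined anywhere in this chunk — presumably it is part of this patch's files.if additions — so it is worth confirming the interface exists in the same patch so the base module still builds, and extending the comment, e.g. `# declared via files_ro_base_file so that <attribute purpose>; writers are still the domains listed in files.if`, with the placeholder filled in from that definition.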
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..e0209df 100644 +index 9e603f5..1198b51 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); +@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); @@ -14179,9 +14183,11 @@ index 9e603f5..e0209df 100644 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem -@@ -53,6 +55,7 @@ type anon_inodefs_t; + # types, and label the filesystem itself with the specified context. +@@ -53,6 +56,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -14189,7 +14195,7 @@ index 9e603f5..e0209df 100644 type bdev_t; fs_type(bdev_t) -@@ -63,12 +66,17 @@ fs_type(binfmt_misc_fs_t) +@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) @@ -14208,7 +14214,7 @@ index 9e603f5..e0209df 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -89,6 +97,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) 
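Review bot: `fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);` makes the kernel trust security xattrs presented by the glusterfs FUSE daemon, so labels on such mounts are only as trustworthy as that userspace server and the storage behind it; a short comment recording the decision, `# glusterfs (FUSE) persists labels in xattrs; trusted like a local xattr filesystem`, would help later readers judge it. Stylistically the line is appended after zfs, breaking the alphabetical order the surrounding fs_use_xattr list otherwise keeps (the earlier squashfs insertion between xfs and zfs has the same problem); placing it with the other entries keeps the block scannable. The header change from -32,7 +32,9 to -32,8 +32,11 accounts for the extra context line and the added statement.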
@@ -14220,7 +14226,7 @@ index 9e603f5..e0209df 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -97,6 +110,7 @@ type hugetlbfs_t; +@@ -97,6 +111,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -14228,7 +14234,7 @@ index 9e603f5..e0209df 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -119,12 +133,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -14246,7 +14252,7 @@ index 9e603f5..e0209df 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -145,11 +164,6 @@ fs_type(spufs_t) +@@ -145,11 +165,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -14258,7 +14264,7 @@ index 9e603f5..e0209df 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -167,6 +181,8 @@ type vxfs_t; +@@ -167,6 +182,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -14267,7 +14273,7 @@ index 9e603f5..e0209df 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +192,8 @@ fs_type(tmpfs_t) +@@ -176,6 +193,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -14276,7 +14282,7 @@ index 9e603f5..e0209df 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +273,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) 
@@ -14285,7 +14291,7 @@ index 9e603f5..e0209df 100644 files_mountpoint(removable_t) # -@@ -274,6 +294,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -17221,7 +17227,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..70297bc 100644 +index 5da7870..4f46291 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,71 @@ policy_module(staff, 2.3.1) @@ -17296,7 +17302,7 @@ index 5da7870..70297bc 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +82,106 @@ optional_policy(` +@@ -23,11 +82,110 @@ optional_policy(` ') optional_policy(` @@ -17349,6 +17355,10 @@ index 5da7870..70297bc 100644 +') + +optional_policy(` ++ journalctl_role(staff_r, staff_t) ++') ++ ++optional_policy(` + kerneloops_dbus_chat(staff_t) +') + @@ -17404,7 +17414,7 @@ index 5da7870..70297bc 100644 ') optional_policy(` -@@ -35,15 +189,31 @@ optional_policy(` +@@ -35,15 +193,31 @@ optional_policy(` ') optional_policy(` @@ -17438,7 +17448,7 @@ index 5da7870..70297bc 100644 ') optional_policy(` -@@ -52,10 +222,55 @@ optional_policy(` +@@ -52,10 +226,55 @@ optional_policy(` ') optional_policy(` @@ -17494,7 +17504,7 @@ index 5da7870..70297bc 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +280,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +284,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17505,7 +17515,7 @@ index 5da7870..70297bc 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +289,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +293,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) 
@@ -17516,7 +17526,7 @@ index 5da7870..70297bc 100644 ') optional_policy(` -@@ -101,10 +308,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +312,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17527,7 +17537,7 @@ index 5da7870..70297bc 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +328,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +332,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17538,7 +17548,7 @@ index 5da7870..70297bc 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +340,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +344,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17549,7 +17559,7 @@ index 5da7870..70297bc 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +371,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +375,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -17601,7 +17611,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..eea8991 100644 +index 88d0028..f520b74 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) @@ -17965,7 +17975,15 @@ index 88d0028..eea8991 100644 ') optional_policy(` -@@ -319,12 +417,20 @@ optional_policy(` +@@ -312,6 +410,7 @@ optional_policy(` + + optional_policy(` + screen_role_template(sysadm, sysadm_r, sysadm_t) ++ allow sysadm_screen_t self:capability dac_override; + ') + + optional_policy(` +@@ -319,12 +418,20 @@ optional_policy(` ') optional_policy(` @@ -17987,7 +18005,7 @@ index 88d0028..eea8991 100644 ') optional_policy(` -@@ -349,7 +455,18 @@ optional_policy(` +@@ -349,7 +456,18 @@ optional_policy(` ') optional_policy(` @@ -18007,7 +18025,7 @@ index 88d0028..eea8991 100644 ') optional_policy(` -@@ -360,19 +477,15 @@ optional_policy(` +@@ -360,19 +478,15 @@ optional_policy(` ') optional_policy(` 
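Review bot: `allow sysadm_screen_t self:capability dac_override;` in the new inner hunk gives the sysadm screen domain a blanket bypass of DAC file permissions, a capability that is often granted to work around a wrong owner or mode on one file rather than for a real need, and nothing in the hunk says which access actually fails. Either the underlying path should be fixed (ownership/mode of whatever screen touches) or the rule should carry its reason, e.g. `# dac_override: screen needs <ACCESS-PLACEHOLDER> -- see <BUG-ID-PLACEHOLDER>` filled in from the AVC record that prompted it. Because it sits next to `screen_role_template(sysadm, sysadm_r, sysadm_t)` inside that optional_policy block it applies only to the sysadm domain and not to the staff or user screen domains, which is presumably intended and worth stating. The optional_policy block is visible in full in this hunk.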
@@ -18029,7 +18047,7 @@ index 88d0028..eea8991 100644 ') optional_policy(` -@@ -384,10 +497,6 @@ optional_policy(` +@@ -384,10 +498,6 @@ optional_policy(` ') optional_policy(` @@ -18040,7 +18058,7 @@ index 88d0028..eea8991 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +504,9 @@ optional_policy(` +@@ -395,6 +505,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -18050,7 +18068,7 @@ index 88d0028..eea8991 100644 ') optional_policy(` -@@ -402,31 +514,34 @@ optional_policy(` +@@ -402,31 +515,34 @@ optional_policy(` ') optional_policy(` @@ -18091,7 +18109,7 @@ index 88d0028..eea8991 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +554,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +555,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18102,7 +18120,7 @@ index 88d0028..eea8991 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +574,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +575,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19204,7 +19222,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index cdfddf4..35179f7 100644 +index cdfddf4..ad1f001 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -19220,7 +19238,7 @@ index cdfddf4..35179f7 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,96 @@ role user_r; +@@ -12,12 +19,100 @@ role user_r; userdom_unpriv_user_template(user) @@ -19270,6 +19288,10 @@ index cdfddf4..35179f7 100644 +') + +optional_policy(` ++ journalctl_role(user_r, user_t) ++') ++ ++optional_policy(` + irc_role(user_r, user_t) +') + 
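Review bot: `journalctl_role(user_r, user_t)` is inserted before the `irc_role(user_r, user_t)` block, breaking the alphabetical order the neighbouring optional_policy blocks keep (the matching staff.te addition earlier on this page sits correctly before kerneloops); move it after irc_role. A `*_role` interface also hands user_t a domain transition into the journalctl domain, and what that domain may then read is not visible in this patch, so a short statement of intent would help the next reviewer, e.g. `# let unprivileged users invoke journalctl; what they can read is decided by journalctl_t and DAC on the journal files` — hedged, since journalctl_t's own rules are not shown here.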
@@ -19318,7 +19340,7 @@ index cdfddf4..35179f7 100644 ') optional_policy(` -@@ -25,6 +116,18 @@ optional_policy(` +@@ -25,6 +120,18 @@ optional_policy(` ') optional_policy(` @@ -19337,7 +19359,7 @@ index cdfddf4..35179f7 100644 vlock_run(user_t, user_r) ') -@@ -102,10 +205,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +209,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19348,7 +19370,7 @@ index cdfddf4..35179f7 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +227,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +231,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -19356,7 +19378,7 @@ index cdfddf4..35179f7 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +259,15 @@ ifndef(`distro_redhat',` +@@ -161,3 +263,15 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -19942,24 +19964,26 @@ index 346d011..3e23acb 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..f2672ea 100644 +index 76d9f66..5c271ce 100644 --- a/policy/modules/services/ssh.fc 
+++ b/policy/modules/services/ssh.fc -@@ -1,16 +1,39 @@ +@@ -1,16 +1,41 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) -/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) -/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) ++/var/lib/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/gitolite3/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/one/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/openshift/gear/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) + @@ -19988,7 +20012,7 @@ index 76d9f66..f2672ea 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..225aaa7 100644 +index fe0c682..c0413e8 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ 
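Review bot: The new `/var/lib/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)` entry matches every single-component path that follows it — amanda, gitolite, gitolite3, nocpulse, one and pgsql — so those per-service lines appear to add nothing once the generic rule exists (only the openshift, openshift/gear and stickshift entries, with a second path component, are not covered). If the match order makes them truly equivalent, drop them; if they are kept for readability, say so with `# per-service .ssh entries below are subsumed by the generic /var/lib/<dir>/.ssh rule` so the list does not keep growing. The generic rule also assigns a user-home content type to the `.ssh` directory of any service under /var/lib, not just the services listed, which widens the set of key files reachable through ssh_home_t interfaces; that looks intended but deserves a sentence in the commit message.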
@@ -20536,7 +20560,7 @@ index fe0c682..225aaa7 100644 ') ###################################### -@@ -754,3 +873,149 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +873,150 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -20600,6 +20624,7 @@ index fe0c682..225aaa7 100644 + + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh") + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") ++ files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh") +') + +######################################## @@ -21479,7 +21504,7 @@ index d1f64a0..9a5dab5 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..7c72b3f 100644 +index 6bf0ecc..5a7e2a4 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -22443,7 +22468,7 @@ index 6bf0ecc..7c72b3f 100644 ') ######################################## -@@ -1284,10 +1659,623 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -22999,6 +23024,7 @@ index 6bf0ecc..7c72b3f 100644 + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") @@ -28017,7 +28043,7 @@ index 24e7804..76da5dd 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') 
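Review bot: `files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh")` fires for a `.ssh` directory created in any var_lib_t directory, including /var/lib itself, whereas the file context added to ssh.fc in this patch (`/var/lib/[^/]+/\.ssh(/.*)?`) only matches one level further down; a `/var/lib/.ssh` created through this transition would therefore be relabelled back to var_lib_t by restorecon. If /var/lib/.ssh is a real case, add a matching fc entry; if not, the transition still produces a label the fc database cannot reproduce, which is worth a comment next to the line. The interface this line lands in starts outside the hunk, so its name and the rest of its body are not visible here.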
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..d145ffc 100644 +index dd3be8d..0996734 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -28251,17 +28277,17 @@ index dd3be8d..d145ffc 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) -+ + +-miscfiles_read_localization(init_t) +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) - --miscfiles_read_localization(init_t) ++ +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +284,204 @@ ifdef(`distro_gentoo',` +@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28437,6 +28463,10 @@ index dd3be8d..d145ffc 100644 +auth_domtrans_chk_passwd(init_t) + +optional_policy(` ++ ipsec_read_config(init_t) ++') ++ ++optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) +') @@ -28474,7 +28504,7 @@ index dd3be8d..d145ffc 100644 ') optional_policy(` -@@ -216,7 +489,30 @@ optional_policy(` +@@ -216,7 +493,30 @@ optional_policy(` ') optional_policy(` @@ -28505,7 +28535,7 @@ index dd3be8d..d145ffc 100644 ') ######################################## -@@ -225,8 +521,9 @@ optional_policy(` +@@ -225,8 +525,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28517,7 +28547,7 @@ index dd3be8d..d145ffc 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +554,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -28534,7 +28564,7 @@ index dd3be8d..d145ffc 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +579,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28577,7 +28607,7 @@ index dd3be8d..d145ffc 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +616,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28589,7 +28619,7 @@ index dd3be8d..d145ffc 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +628,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +632,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28600,7 +28630,7 @@ index dd3be8d..d145ffc 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +639,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +643,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28610,7 +28640,7 @@ index dd3be8d..d145ffc 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +648,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +652,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -28618,7 +28648,7 @@ index dd3be8d..d145ffc 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +655,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28626,7 +28656,7 @@ index dd3be8d..d145ffc 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +663,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +667,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28644,7 +28674,7 @@ index dd3be8d..d145ffc 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +681,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +685,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28658,7 +28688,7 @@ index dd3be8d..d145ffc 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +696,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +700,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28672,7 +28702,7 @@ index dd3be8d..d145ffc 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +709,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +713,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -28680,7 +28710,7 @@ index dd3be8d..d145ffc 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +721,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +725,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28688,7 +28718,7 @@ index dd3be8d..d145ffc 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +740,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +744,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28712,7 +28742,7 @@ index dd3be8d..d145ffc 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +773,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +777,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28720,7 +28750,7 @@ index dd3be8d..d145ffc 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +807,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +811,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28731,7 +28761,7 @@ index dd3be8d..d145ffc 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +831,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +835,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28740,7 +28770,7 @@ index dd3be8d..d145ffc 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +846,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +850,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -28748,7 +28778,7 @@ index dd3be8d..d145ffc 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +867,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +871,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28756,7 +28786,7 @@ index dd3be8d..d145ffc 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +877,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +881,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28801,7 +28831,7 @@ index dd3be8d..d145ffc 100644 ') optional_policy(` -@@ -558,14 +922,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +926,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28833,7 +28863,7 @@ index dd3be8d..d145ffc 100644 ') ') -@@ -576,6 +957,39 @@ ifdef(`distro_suse',` +@@ -576,6 +961,39 @@ ifdef(`distro_suse',` ') ') @@ -28873,7 +28903,7 @@ index dd3be8d..d145ffc 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1002,8 @@ optional_policy(` +@@ -588,6 +1006,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28882,7 +28912,7 @@ index dd3be8d..d145ffc 100644 ') optional_policy(` -@@ -609,6 +1025,7 @@ optional_policy(` +@@ -609,6 +1029,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28890,7 +28920,7 @@ index dd3be8d..d145ffc 100644 ') optional_policy(` -@@ -625,6 +1042,17 @@ optional_policy(` +@@ -625,6 +1046,17 @@ optional_policy(` ') optional_policy(` @@ -28908,7 +28938,7 @@ index dd3be8d..d145ffc 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1069,13 @@ optional_policy(` +@@ -641,9 +1073,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -28922,7 +28952,7 @@ index dd3be8d..d145ffc 100644 ') optional_policy(` -@@ -656,15 +1088,11 @@ optional_policy(` +@@ -656,15 +1092,11 @@ optional_policy(` ') optional_policy(` @@ -28940,7 +28970,7 @@ index dd3be8d..d145ffc 100644 ') optional_policy(` -@@ -685,6 +1113,15 @@ optional_policy(` +@@ -685,6 +1117,15 @@ optional_policy(` ') optional_policy(` @@ -28956,7 +28986,7 @@ index dd3be8d..d145ffc 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1162,7 @@ optional_policy(` +@@ -725,6 +1166,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28964,7 +28994,7 @@ index dd3be8d..d145ffc 100644 ') optional_policy(` -@@ -742,7 +1180,13 @@ optional_policy(` +@@ -742,7 +1184,13 @@ optional_policy(` ') optional_policy(` @@ -28979,7 +29009,7 @@ index dd3be8d..d145ffc 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1209,10 @@ optional_policy(` +@@ -765,6 +1213,10 @@ optional_policy(` ') optional_policy(` @@ -28990,7 +29020,7 @@ index dd3be8d..d145ffc 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1222,20 @@ optional_policy(` +@@ -774,10 +1226,20 @@ optional_policy(` ') optional_policy(` @@ -29011,7 +29041,7 @@ index dd3be8d..d145ffc 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1244,10 @@ optional_policy(` +@@ -786,6 +1248,10 @@ optional_policy(` ') optional_policy(` @@ -29022,7 +29052,7 @@ index dd3be8d..d145ffc 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1269,6 @@ optional_policy(` +@@ -807,8 +1273,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29031,7 +29061,7 @@ index dd3be8d..d145ffc 100644 ') optional_policy(` -@@ -817,6 +1277,10 @@ optional_policy(` +@@ -817,6 +1281,10 @@ optional_policy(` ') optional_policy(` 
@@ -29042,7 +29072,7 @@ index dd3be8d..d145ffc 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1290,12 @@ optional_policy(` +@@ -826,10 +1294,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29055,7 +29085,7 @@ index dd3be8d..d145ffc 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1322,33 @@ optional_policy(` +@@ -856,12 +1326,33 @@ optional_policy(` ') optional_policy(` @@ -29090,7 +29120,7 @@ index dd3be8d..d145ffc 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1358,18 @@ optional_policy(` +@@ -871,6 +1362,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29109,7 +29139,7 @@ index dd3be8d..d145ffc 100644 ') optional_policy(` -@@ -886,6 +1385,10 @@ optional_policy(` +@@ -886,6 +1389,10 @@ optional_policy(` ') optional_policy(` @@ -29120,7 +29150,7 @@ index dd3be8d..d145ffc 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1399,218 @@ optional_policy(` +@@ -896,3 +1403,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -29581,7 +29611,7 @@ index 0d4c8d3..e6ffda3 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..ecc6d2c 100644 +index 9e54bf9..ceb7f99 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
@@ -29616,17 +29646,20 @@ index 9e54bf9..ecc6d2c 100644 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -88,8 +95,8 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) +@@ -88,8 +95,11 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) allow ipsec_t ipsec_key_file_t:dir list_dir_perms; -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) +manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) ++ ++manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t) ++logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log") manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -@@ -110,10 +117,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +@@ -110,10 +120,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; @@ -29639,7 +29672,7 @@ index 9e54bf9..ecc6d2c 100644 kernel_list_proc(ipsec_t) kernel_read_proc_symlinks(ipsec_t) # allow pluto to access /proc/net/ipsec_eroute; -@@ -128,20 +135,22 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +138,22 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -29669,7 +29702,7 @@ index 9e54bf9..ecc6d2c 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,24 +166,33 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,24 +169,33 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -29704,7 +29737,7 @@ index 9e54bf9..ecc6d2c 100644 seutil_sigchld_newrole(ipsec_t) ') -@@ -187,10 +205,10 @@ optional_policy(` +@@ -187,10 +208,10 @@ optional_policy(` # ipsec_mgmt Local policy # 
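Review bot: `manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)` lets the pluto daemon not only create and write `pluto.log` but also truncate, rename and unlink any ipsec_log_t file, so a compromised pluto could erase its own log. If pluto only creates and appends (which the accompanying `logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log")` suggests), `create_files_pattern` plus `append_files_pattern` would be the narrower pair; if it genuinely rotates its own logs, a comment saying so would justify the wider set. The ipsec_mgmt_t log rules in the surrounding context are from the old patch and unchanged here.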
@@ -29719,7 +29752,7 @@ index 9e54bf9..ecc6d2c 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -208,12 +226,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -29735,7 +29768,7 @@ index 9e54bf9..ecc6d2c 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +266,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -29752,7 +29785,7 @@ index 9e54bf9..ecc6d2c 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +285,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -29761,7 +29794,7 @@ index 9e54bf9..ecc6d2c 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +310,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +313,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -29773,7 +29806,7 @@ index 9e54bf9..ecc6d2c 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +323,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +326,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) 
@@ -29797,7 +29830,7 @@ index 9e54bf9..ecc6d2c 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +358,10 @@ optional_policy(` +@@ -322,6 +361,10 @@ optional_policy(` ') optional_policy(` @@ -29808,7 +29841,7 @@ index 9e54bf9..ecc6d2c 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +375,7 @@ optional_policy(` +@@ -335,7 +378,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -29817,7 +29850,7 @@ index 9e54bf9..ecc6d2c 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +410,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +413,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -29837,7 +29870,7 @@ index 9e54bf9..ecc6d2c 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +440,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +443,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -29850,7 +29883,7 @@ index 9e54bf9..ecc6d2c 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +477,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +480,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -32080,7 +32113,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index e8c59a5..d2df072 100644 +index e8c59a5..b22837c 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) 
@@ -32308,10 +32341,14 @@ index e8c59a5..d2df072 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +374,26 @@ optional_policy(` +@@ -333,14 +374,30 @@ optional_policy(` ') optional_policy(` ++ docker_rw_sem(lvm_t) ++') ++ ++optional_policy(` + livecd_rw_semaphores(lvm_t) +') + @@ -33856,7 +33893,7 @@ index b263a8a..15576ab 100644 +/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) +/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te -index cbbda4a..1136c7b 100644 +index cbbda4a..e3c34dc 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te @@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0) @@ -33873,17 +33910,18 @@ index cbbda4a..1136c7b 100644 ######################################## # # NetLabel Management Tools Local policy -@@ -19,10 +23,20 @@ role system_r types netlabel_mgmt_t; +@@ -19,10 +23,21 @@ role system_r types netlabel_mgmt_t; allow netlabel_mgmt_t self:capability net_admin; allow netlabel_mgmt_t self:netlink_socket create_socket_perms; +can_exec(netlabel_mgmt_t, netlabel_mgmt_t) + kernel_read_network_state(netlabel_mgmt_t) - ++kernel_read_system_state(netlabel_mgmt_t) ++ +corecmd_exec_bin(netlabel_mgmt_t) +corecmd_exec_shell(netlabel_mgmt_t) -+ + files_read_etc_files(netlabel_mgmt_t) +term_use_all_inherited_terms(netlabel_mgmt_t) @@ -35476,7 +35514,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..b82ccf1 100644 +index 6944526..0bd8d93 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` 
@@ -35751,7 +35789,7 @@ index 6944526..b82ccf1 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -35819,6 +35857,8 @@ index 6944526..b82ccf1 100644 + + files_etc_filetrans($1, net_conf_t, file, "resolv.conf") + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp") ++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp") ++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved") + files_etc_filetrans($1, net_conf_t, file, "denyhosts") + files_etc_filetrans($1, net_conf_t, file, "hosts") + files_etc_filetrans($1, net_conf_t, file, "hosts.deny") @@ -38619,7 +38659,7 @@ index 0f64692..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a5ec88b..e7663f3 100644 +index a5ec88b..de9d585 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -38778,17 +38818,20 @@ index a5ec88b..e7663f3 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -170,6 +195,9 @@ sysnet_signal_dhcpc(udev_t) +@@ -168,7 +193,11 @@ sysnet_read_dhcpc_pid(udev_t) + sysnet_delete_dhcpc_pid(udev_t) + sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) - sysnet_etc_filetrans_config(udev_t) - +-sysnet_etc_filetrans_config(udev_t) ++sysnet_filetrans_named_content(udev_t) ++#sysnet_etc_filetrans_config(udev_t) ++ +systemd_login_read_pid_files(udev_t) +systemd_getattr_unit_files(udev_t) -+ + userdom_dontaudit_search_user_home_content(udev_t) - ifdef(`distro_gentoo',` -@@ -179,16 +207,9 @@ ifdef(`distro_gentoo',` +@@ -179,16 +208,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
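Review bot: `#sysnet_etc_filetrans_config(udev_t)` is left behind as a commented-out call directly under its replacement `sysnet_filetrans_named_content(udev_t)`; commented-out policy is dead text that every later reader has to re-evaluate, so either delete the line or turn it into a statement of intent such as `# sysnet_etc_filetrans_config(udev_t) replaced by sysnet_filetrans_named_content(udev_t)`. The swap itself looks consistent with the resolv.conf named transitions extended in the sysnetwork.if hunk earlier on this page, though that interface's name is not visible in that hunk.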
@@ -38807,7 +38850,7 @@ index a5ec88b..e7663f3 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -226,19 +247,34 @@ optional_policy(` +@@ -226,19 +248,34 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -38842,7 +38885,7 @@ index a5ec88b..e7663f3 100644 ') optional_policy(` -@@ -264,6 +300,10 @@ optional_policy(` +@@ -264,6 +301,10 @@ optional_policy(` ') optional_policy(` @@ -38853,7 +38896,7 @@ index a5ec88b..e7663f3 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -278,6 +318,15 @@ optional_policy(` +@@ -278,6 +319,15 @@ optional_policy(` ') optional_policy(` @@ -38869,7 +38912,7 @@ index a5ec88b..e7663f3 100644 unconfined_signal(udev_t) ') -@@ -290,6 +339,7 @@ optional_policy(` +@@ -290,6 +340,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -39701,7 +39744,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..5b93224 100644 +index 3c5dba7..2890de8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -42369,7 +42412,7 @@ index 3c5dba7..5b93224 100644 ## ## ## -@@ -3285,36 +4035,37 @@ interface(`userdom_write_user_tmp_files',` +@@ -3285,46 +4035,122 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -42387,8 +42430,8 @@ index 3c5dba7..5b93224 100644 ######################################## ## -## Read the process state of all user domains. -+## Do not audit attempts to read/write users -+## temporary fifo files. ++## Do not audit attempts to delete users ++## temporary files. ## ## ## 
@@ -42398,7 +42441,7 @@ index 3c5dba7..5b93224 100644 ## # -interface(`userdom_read_all_users_state',` -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` ++interface(`userdom_dontaudit_delete_user_tmp_files',` gen_require(` - attribute userdomain; + type user_tmp_t; @@ -42406,39 +42449,57 @@ index 3c5dba7..5b93224 100644 - read_files_pattern($1, userdomain, userdomain) - kernel_search_proc($1) -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tmp_t:file delete_file_perms; ') ######################################## ## -## Get the attributes of all user domains. -+## Allow domain to read/write inherited users -+## fifo files. ++## Do not audit attempts to read/write users ++## temporary fifo files. ## ## ## -@@ -3322,21 +4073,77 @@ interface(`userdom_read_all_users_state',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`userdom_getattr_all_users',` -+interface(`userdom_rw_inherited_user_pipes',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` gen_require(` - attribute userdomain; - ') - -- allow $1 userdomain:process getattr; +- attribute userdomain; ++ type user_tmp_t; ++ ') ++ ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Allow domain to read/write inherited users ++## fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_inherited_user_pipes',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ + allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Inherit the file descriptors from all user domains ++') ++ ++######################################## ++## +## Do not audit attempts to use user ttys. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. +## +## 
@@ -42484,22 +42545,10 @@ index 3c5dba7..5b93224 100644 +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process getattr; -+') -+ -+######################################## -+## -+## Inherit the file descriptors from all user domains -+## -+## -+## -+## Domain allowed access. - ## - ## - # -@@ -3385,6 +4192,42 @@ interface(`userdom_signal_all_users',` + ') + + allow $1 userdomain:process getattr; +@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -42542,7 +42591,7 @@ index 3c5dba7..5b93224 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4248,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -42567,7 +42616,7 @@ index 3c5dba7..5b93224 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4299,1630 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4318,1630 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -42769,7 +42818,7 @@ index 3c5dba7..5b93224 100644 + ') + + allow $1 unpriv_userdomain:sem rw_sem_perms; -+') + ') + +######################################## +## @@ -42788,7 +42837,7 @@ index 3c5dba7..5b93224 100644 + ') + + allow $1 unpriv_userdomain:unix_dgram_socket sendto; - ') ++') + +###################################### +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f11fea6..3f17d3b 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -520,7 +520,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..097a770 100644 +index cc43d25..924daba 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ 
@@ -685,7 +685,7 @@ index cc43d25..097a770 100644 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; -+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace }; ++allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; +dontaudit abrt_t self:capability { sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + @@ -2728,7 +2728,7 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..784557c +index 0000000..8ba9c95 --- /dev/null +++ b/antivirus.te @@ -0,0 +1,274 @@ @@ -2825,7 +2825,7 @@ index 0000000..784557c +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } ) + -+allow antivirus_domain antivirus_log_t:dir setattr_dir_perms; ++manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir }) @@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..d0d7c0b 100644 +index 1a82e29..bfe87eb 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -6417,7 +6417,7 @@ index 1a82e29..d0d7c0b 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1333,104 @@ optional_policy(` +@@ -1077,172 +1333,106 @@ optional_policy(` ') ') 
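Review bot: `ipc_lock` is added to abrt_t's capability set with no comment on what needs it, and the same line still grants `sys_ptrace` while the next line dontaudits that very capability, which makes the dontaudit dead. Elsewhere in this patch ptrace access is gated on `deny_ptrace` (the rhsmcertd_admin hunk); the same shape would fit here: `tunable_policy(`deny_ptrace',`',` allow abrt_t self:capability sys_ptrace; ')` with `sys_ptrace` dropped from the unconditional allow. A why-comment on the new capability, `# ipc_lock: <TODO reason>`, would help too.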
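Review bot: `manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)` replaces a setattr-only rule, so every antivirus domain can now create, rename and remove directories under its log type rather than only change their attributes. If the need is the `dir` class in the `logging_log_filetrans` line below, `create_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)` next to the original `setattr_dir_perms` rule covers it without granting deletion of log directories; whether scanners actually remove log directories is not visible in the hunk.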
@@ -6437,13 +6437,13 @@ index 1a82e29..d0d7c0b 100644 -allow httpd_script_domains self:fifo_file rw_file_perms; -allow httpd_script_domains self:unix_stream_socket connectto; -+allow httpd_sys_script_t self:process getsched; - +- -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; - -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -- ++allow httpd_sys_script_t self:process getsched; + -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - 
@@ -6451,29 +6451,30 @@ index 1a82e29..d0d7c0b 100644 -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) -corenet_tcp_sendrecv_generic_node(httpd_script_domains) -- --corecmd_exec_all_executables(httpd_script_domains) +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; +-corecmd_exec_all_executables(httpd_script_domains) ++dontaudit httpd_sys_script_t httpd_config_t:dir search; + -dev_read_rand(httpd_script_domains) -dev_read_urand(httpd_script_domains) -+dontaudit httpd_sys_script_t httpd_config_t:dir search; ++allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; -files_exec_etc_files(httpd_script_domains) -files_read_etc_files(httpd_script_domains) -files_search_home(httpd_script_domains) -+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - --libs_exec_ld_so(httpd_script_domains) --libs_exec_lib_files(httpd_script_domains) +allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; +read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) +read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) --logging_search_logs(httpd_script_domains) +-libs_exec_ld_so(httpd_script_domains) +-libs_exec_lib_files(httpd_script_domains) +kernel_read_kernel_sysctls(httpd_sys_script_t) +-logging_search_logs(httpd_script_domains) ++dev_list_sysfs(httpd_sys_script_t) + -miscfiles_read_fonts(httpd_script_domains) -miscfiles_read_public_files(httpd_script_domains) +files_read_var_symlinks(httpd_sys_script_t) @@ -6653,7 +6654,7 @@ index 1a82e29..d0d7c0b 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` 
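Review bot: `dev_list_sysfs(httpd_sys_script_t)` is added among the reordered rules with nothing saying which system script needs to list sysfs, and the block carries no other comments; refpolicy style is a short why-comment on rules that are not obvious from the domain's purpose, e.g. `# sysfs listing: needed by <TODO which script>`. The other lines in the hunk only move; the httpd_sys_script_t block continues outside it.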
@@ -6750,7 +6751,7 @@ index 1a82e29..d0d7c0b 100644 ######################################## # -@@ -1315,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6767,7 +6768,7 @@ index 1a82e29..d0d7c0b 100644 ') ######################################## -@@ -1324,49 +1529,38 @@ optional_policy(` +@@ -1324,49 +1531,38 @@ optional_policy(` # User content local policy # @@ -6832,7 +6833,7 @@ index 1a82e29..d0d7c0b 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1570,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -21394,15 +21395,19 @@ index 41c3f67..653a1ec 100644 ## ## Execute dmidecode in the dmidecode diff --git a/dmidecode.te b/dmidecode.te -index c947c2c..441d3f4 100644 +index c947c2c..8d4d843 100644 --- a/dmidecode.te +++ b/dmidecode.te -@@ -29,4 +29,4 @@ files_list_usr(dmidecode_t) +@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t) locallogin_use_fds(dmidecode_t) -userdom_use_user_terminals(dmidecode_t) +userdom_use_inherited_user_terminals(dmidecode_t) ++ ++optional_policy(` ++ rhsmcertd_rw_inherited_lock_files(dmidecode_t) ++') diff --git a/dnsmasq.fc b/dnsmasq.fc index 23ab808..4a801b5 100644 --- a/dnsmasq.fc @@ -22127,10 +22132,10 @@ index 0000000..097c75c +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..939365d +index 0000000..1229d66 --- /dev/null +++ b/docker.te -@@ -0,0 +1,130 @@ +@@ -0,0 +1,133 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -22212,6 +22217,7 @@ index 0000000..939365d +mount_domtrans(docker_t) + +sysnet_dns_name_resolve(docker_t) ++sysnet_exec_ifconfig(docker_t) + +optional_policy(` + fstools_domtrans(docker_t) 
@@ -22226,7 +22232,7 @@ index 0000000..939365d +# + +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; -+allow docker_t self:process setsched; ++allow docker_t self:process { setsched signal_perms }; +allow docker_t self:netlink_route_socket nlmsg_write; +allow docker_t self:unix_dgram_socket create_socket_perms; + @@ -22236,6 +22242,8 @@ index 0000000..939365d + +dev_getattr_all_blk_files(docker_t) +dev_read_urand(docker_t) ++dev_read_lvm_control(docker_t) ++dev_read_sysfs(docker_t) + +files_manage_isid_type_dirs(docker_t) +files_manage_isid_type_files(docker_t) @@ -22255,12 +22263,12 @@ index 0000000..939365d +term_use_ptmx(docker_t) +term_getattr_pty_fs(docker_t) + -+dev_read_lvm_control(docker_t) ++modutils_domtrans_insmod(docker_t) + -+gen_require(` -+type lvm_t; ++optional_policy(` ++ virt_read_config(docker_t) ++ virt_exec(docker_t) +') -+docker_rw_sem(lvm_t) diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 --- a/dovecot.fc @@ -23429,7 +23437,7 @@ index 18f2452..a446210 100644 + ') diff --git a/dspam.te b/dspam.te -index 266cb8f..c736297 100644 +index 266cb8f..b619351 100644 --- a/dspam.te +++ b/dspam.te @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -23442,17 +23450,20 @@ index 266cb8f..c736297 100644 allow dspam_t self:fifo_file rw_fifo_file_perms; allow dspam_t self:unix_stream_socket { accept listen }; -@@ -58,20 +61,42 @@ corenet_tcp_bind_spamd_port(dspam_t) +@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t) + corenet_tcp_bind_spamd_port(dspam_t) corenet_tcp_connect_spamd_port(dspam_t) corenet_tcp_sendrecv_spamd_port(dspam_t) - ++corenet_tcp_bind_lmtp_port(dspam_t) ++corenet_tcp_connect_lmtp_port(dspam_t) ++ +kernel_read_system_state(dspam_t) + +corecmd_exec_shell(dspam_t) -+ + files_search_spool(dspam_t) - auth_use_nsswitch(dspam_t) +@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t) logging_send_syslog_msg(dspam_t) 
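Review bot: `modutils_domtrans_insmod(docker_t)` is unconditional and uncommented, so docker_t can now load kernel modules through insmod_t on top of the `sys_admin`/`sys_ptrace` capabilities granted earlier in this block; a why-comment naming what triggers it would make the grant reviewable, e.g. `# module loading via insmod_t: <TODO which modules docker loads>`. The new `virt_read_config`/`virt_exec` pair is correctly inside `optional_policy` but is equally undocumented. The docker_t block continues outside the hunk.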
@@ -23489,7 +23500,7 @@ index 266cb8f..c736297 100644 ') optional_policy(` -@@ -87,3 +112,12 @@ optional_policy(` +@@ -87,3 +114,12 @@ optional_policy(` postgresql_tcp_connect(dspam_t) ') 
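Review bot: `corenet_tcp_bind_lmtp_port(dspam_t)` and `corenet_tcp_connect_lmtp_port(dspam_t)` are added without the sendrecv rule the spamd port gets a few lines above (`corenet_tcp_sendrecv_spamd_port(dspam_t)` and `corenet_sendrecv_spamd_server_packets(dspam_t)`), so on a kernel that enforces port send/recv checks traffic on the bound LMTP socket may still be denied. Adding the generated `corenet_tcp_sendrecv_lmtp_port(dspam_t)` (and the server/client packet counterparts, if the build generates them for lmtp) keeps the LMTP rules consistent with the spamd block. The dspam_t block continues outside the hunk.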
@@ -32392,6 +32403,145 @@ index d59ec10..dec1b3b 100644 modutils_read_module_config(jockey_t) + modutils_list_module_config(jockey_t) ') +diff --git a/journalctl.fc b/journalctl.fc +new file mode 100644 +index 0000000..f270652 +--- /dev/null ++++ b/journalctl.fc +@@ -0,0 +1 @@ ++/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0) +diff --git a/journalctl.if b/journalctl.if +new file mode 100644 +index 0000000..9d32f23 +--- /dev/null ++++ b/journalctl.if +@@ -0,0 +1,76 @@ ++ ++## policy for journalctl ++ ++######################################## ++## ++## Execute TEMPLATE in the journalctl domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`journalctl_domtrans',` ++ gen_require(` ++ type journalctl_t, journalctl_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, journalctl_exec_t, journalctl_t) ++') ++ ++######################################## ++## ++## Execute journalctl in the journalctl domain, and ++## allow the specified role the journalctl domain. ++## ++## ++## ++## Domain allowed to transition ++## ++## ++## ++## ++## The role to be allowed the journalctl domain. 
++## ++## ++# ++interface(`journalctl_run',` ++ gen_require(` ++ type journalctl_t; ++ attribute_role journalctl_roles; ++ ') ++ ++ journalctl_domtrans($1) ++ roleattribute $2 journalctl_roles; ++') ++ ++######################################## ++## ++## Role access for journalctl ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`journalctl_role',` ++ gen_require(` ++ type journalctl_t; ++ attribute_role journalctl_roles; ++ ') ++ ++ roleattribute $1 journalctl_roles; ++ ++ journalctl_domtrans($2) ++ ++ ps_process_pattern($2, journalctl_t) ++ allow $2 journalctl_t:process { signull signal sigkill }; ++') +diff --git a/journalctl.te b/journalctl.te +new file mode 100644 +index 0000000..5de3229 +--- /dev/null ++++ b/journalctl.te +@@ -0,0 +1,44 @@ ++policy_module(journalctl, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute_role journalctl_roles; ++roleattribute system_r journalctl_roles; ++ ++type journalctl_t; ++type journalctl_exec_t; ++application_domain(journalctl_t, journalctl_exec_t) ++ ++role journalctl_roles types journalctl_t; ++ ++######################################## ++# ++# journalctl local policy ++# ++allow journalctl_t self:process { fork signal_perms }; ++ ++allow journalctl_t self:fifo_file manage_fifo_file_perms; ++allow journalctl_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_system_state(journalctl_t) ++ ++corecmd_exec_bin(journalctl_t) ++ ++domain_use_interactive_fds(journalctl_t) ++ ++files_read_etc_files(journalctl_t) ++ ++fs_getattr_all_fs(journalctl_t) ++ ++userdom_list_user_home_dirs(journalctl_t) ++userdom_read_user_home_content_files(journalctl_t) ++userdom_use_inherited_user_ptys(journalctl_t) ++userdom_write_inherited_user_tmp_files(journalctl_t) ++userdom_rw_inherited_user_tmpfs_files(journalctl_t) ++userdom_rw_inherited_user_home_content_files(journalctl_t) ++ 
++miscfiles_read_localization(journalctl_t) ++logging_read_generic_logs(journalctl_t) diff --git a/kde.fc b/kde.fc new file mode 100644 index 0000000..25e4b68 @@ -32965,17 +33115,25 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index e7f5c81..1a8d69e 100644 +index e7f5c81..8c75bc8 100644 --- a/kdumpgui.te +++ b/kdumpgui.te -@@ -1,4 +1,4 @@ +@@ -1,83 +1,92 @@ -policy_module(kdumpgui, 1.1.4) +policy_module(kdumpgui, 1.1.0) ######################################## # -@@ -7,77 +7,73 @@ policy_module(kdumpgui, 1.1.4) + # Declarations + # ++## ++##
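Review bot: The summary of `journalctl_domtrans` in the new journalctl.if still reads `## Execute TEMPLATE in the journalctl domin.`, a leftover placeholder plus a typo; it should read `## Execute journalctl in the journalctl domain.`. In the new journalctl.te the local-policy header runs straight into `allow journalctl_t self:process { fork signal_perms };` without the blank line the other sections use, and the user home and tmp read/write rules carry no comment on why a log viewer needs them (presumably redirected output, which is worth stating). The rest of the hunk is the .fc line and the usual role interfaces.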

++## Allow s-c-kdump to run bootloader in bootloader_t. ++##

++##
++gen_tunable(kdumpgui_run_bootloader, false) ++ type kdumpgui_t; type kdumpgui_exec_t; -init_system_domain(kdumpgui_t, kdumpgui_exec_t) @@ -33054,8 +33212,14 @@ index e7f5c81..1a8d69e 100644 optional_policy(` - consoletype_exec(kdumpgui_t) -+ bootloader_exec(kdumpgui_t) -+ bootloader_manage_config(kdumpgui_t) ++ tunable_policy(`kdumpgui_run_bootloader',` ++ bootloader_domtrans(kdumpgui_t) ++ #if s-c-kdump is involved ++ bootloader_manage_config(kdumpgui_t) ++ ',` ++ bootloader_exec(kdumpgui_t) ++ bootloader_manage_config(kdumpgui_t) ++ ') ') optional_policy(` @@ -33067,7 +33231,7 @@ index e7f5c81..1a8d69e 100644 ') optional_policy(` -@@ -87,4 +83,10 @@ optional_policy(` +@@ -87,4 +96,10 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -43460,7 +43624,7 @@ index ed81cac..566684a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..79fe381 100644 +index afd2fad..09ebbbe 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ @@ -43490,7 +43654,7 @@ index afd2fad..79fe381 100644 type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) -@@ -43,178 +43,78 @@ role system_r types system_mail_t; +@@ -43,178 +43,79 @@ role system_r types system_mail_t; mta_base_mail_template(user) typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; 
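Review bot: `bootloader_manage_config(kdumpgui_t)` is granted in both branches of the new `tunable_policy(`kdumpgui_run_bootloader', ...)`, so the tunable only changes how the bootloader is executed and the manage rule should sit unconditionally in the enclosing `optional_policy`; the inline `#if s-c-kdump is involved` does not say which branch it refers to. Hoisting the shared rule makes the tunable's effect match the `gen_tunable` description (run the bootloader in bootloader_t). The enclosing optional_policy block is fully inside the hunk.
```m4
optional_policy(`
	# both settings may edit bootloader config; only the execution domain is tunable
	bootloader_manage_config(kdumpgui_t)

	tunable_policy(`kdumpgui_run_bootloader',`
		bootloader_domtrans(kdumpgui_t)
	',`
		bootloader_exec(kdumpgui_t)
	')
')
```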
@@ -43624,11 +43788,12 @@ index afd2fad..79fe381 100644 +# newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; - +- -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) - -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) -- ++dontaudit system_mail_t self:capability net_admin; + allow system_mail_t mail_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue") -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward") @@ -43705,7 +43870,7 @@ index afd2fad..79fe381 100644 ') optional_policy(` -@@ -223,18 +123,18 @@ optional_policy(` +@@ -223,18 +124,18 @@ optional_policy(` ') optional_policy(` @@ -43727,7 +43892,7 @@ index afd2fad..79fe381 100644 courier_manage_spool_dirs(system_mail_t) courier_manage_spool_files(system_mail_t) courier_rw_spool_pipes(system_mail_t) -@@ -245,13 +145,8 @@ optional_policy(` +@@ -245,13 +146,8 @@ optional_policy(` ') optional_policy(` @@ -43742,7 +43907,7 @@ index afd2fad..79fe381 100644 fail2ban_rw_inherited_tmp_files(system_mail_t) ') -@@ -264,10 +159,15 @@ optional_policy(` +@@ -264,10 +160,15 @@ optional_policy(` ') optional_policy(` @@ -43758,7 +43923,7 @@ index afd2fad..79fe381 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -278,6 +178,15 @@ optional_policy(` +@@ -278,6 +179,15 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -43774,7 +43939,7 @@ index afd2fad..79fe381 100644 ') optional_policy(` -@@ -293,42 +202,36 @@ optional_policy(` +@@ -293,42 +203,36 @@ optional_policy(` ') optional_policy(` 
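Review bot: `dontaudit system_mail_t self:capability net_admin;` silences a capability denial with no comment on what triggers it, and a dontaudit on `net_admin` can mask a real misbehaviour in a mail client; a one-liner such as `# net_admin denial comes from <TODO call site>; access not needed` records the reason. The other lines in the hunk only move; the system_mail_t block continues outside it.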
@@ -43827,7 +43992,7 @@ index afd2fad..79fe381 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -337,40 +240,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -43876,7 +44041,7 @@ index afd2fad..79fe381 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -387,24 +276,173 @@ optional_policy(` +@@ -387,24 +277,173 @@ optional_policy(` ######################################## # @@ -45201,7 +45366,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..cc14cbc 100644 +index 9f6179e..4383f87 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -45412,7 +45577,7 @@ index 9f6179e..cc14cbc 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -183,21 +185,26 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -45427,6 +45592,7 @@ index 9f6179e..cc14cbc 100644 -files_dontaudit_getattr_all_dirs(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) ++files_dontaudit_write_root_dirs(mysqld_safe_t) +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) logging_send_syslog_msg(mysqld_safe_t) @@ -45445,7 +45611,7 @@ index 9f6179e..cc14cbc 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +212,7 @@ optional_policy(` +@@ -205,7 +213,7 @@ optional_policy(` ######################################## # 
@@ -45454,7 +45620,7 @@ index 9f6179e..cc14cbc 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +221,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -45472,7 +45638,7 @@ index 9f6179e..cc14cbc 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +234,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -55084,7 +55250,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..c1e0a6f 100644 +index 7bcf327..c19ce47 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -55108,7 +55274,7 @@ index 7bcf327..c1e0a6f 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,262 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,266 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -55242,6 +55408,10 @@ index 7bcf327..c1e0a6f 100644 + realmd_dbus_chat(pegasus_openlmi_services_t) +') + ++optional_policy(` ++ sssd_stream_connect(pegasus_openlmi_services_t) ++') ++ +###################################### +# +# pegasus openlmi system (networking) local policy 
@@ -55376,7 +55546,7 @@ index 7bcf327..c1e0a6f 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +295,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +299,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -55407,7 +55577,7 @@ index 7bcf327..c1e0a6f 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +321,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +325,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -55440,7 +55610,7 @@ index 7bcf327..c1e0a6f 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +349,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +353,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -55448,7 +55618,7 @@ index 7bcf327..c1e0a6f 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +364,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +368,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -55480,7 +55650,7 @@ index 7bcf327..c1e0a6f 100644 ') optional_policy(` -@@ -151,16 +394,24 @@ optional_policy(` +@@ -151,16 +398,24 @@ optional_policy(` ') optional_policy(` @@ -55509,7 +55679,7 @@ index 7bcf327..c1e0a6f 100644 ') optional_policy(` -@@ -168,7 +419,7 @@ optional_policy(` +@@ -168,7 +423,7 @@ optional_policy(` ') optional_policy(` @@ -67640,7 +67810,7 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..801835e 100644 +index 769d1fd..acee489 100644 
--- a/quantum.te +++ b/quantum.te @@ -1,96 +1,109 @@ @@ -67661,7 +67831,7 @@ index 769d1fd..801835e 100644 -type quantum_initrc_exec_t; -init_script_file(quantum_initrc_exec_t) -+type neutron_initrc_exec_t alias qauntum_initrc_exec_t; ++type neutron_initrc_exec_t alias quantum_initrc_exec_t; +init_script_file(neutron_initrc_exec_t) -type quantum_log_t; @@ -67751,7 +67921,7 @@ index 769d1fd..801835e 100644 -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) -+corenet_tcp_bind_quantum_port(neutron_t) ++corenet_tcp_bind_neutron_port(neutron_t) +corenet_tcp_connect_keystone_port(neutron_t) +corenet_tcp_connect_amqp_port(neutron_t) +corenet_tcp_connect_mysqld_port(neutron_t) @@ -72821,7 +72991,7 @@ index 0000000..0e965c3 + rpm_domtrans(rhnsd_t) +') diff --git a/rhsmcertd.if b/rhsmcertd.if -index 6dbc905..d803796 100644 +index 6dbc905..78746ef 100644 --- a/rhsmcertd.if +++ b/rhsmcertd.if @@ -1,8 +1,8 @@ @@ -72917,26 +73087,47 @@ index 6dbc905..d803796 100644 ##
## ## -@@ -198,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',` +@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',` + allow $1 rhsmcertd_var_run_t:file read_file_perms; + ') - #################################### +-#################################### ++######################################## ## -## Connect to rhsmcertd with a -## unix domain stream socket. -+## Connect to rhsmcertd over a unix domain -+## stream socket. ++## Read/wirte inherited lock files. ## ## --## --## Domain allowed access. --## + ## +@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',` + ## + ## + # ++interface(`rhsmcertd_rw_inherited_lock_files',` ++ gen_require(` ++ type rhsmcertd_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms; ++') ++ ++#################################### ++## ++## Connect to rhsmcertd over a unix domain ++## stream socket. ++## ++## +## +## Domain allowed access. +## - ## - # ++## ++# interface(`rhsmcertd_stream_connect',` -@@ -239,30 +235,29 @@ interface(`rhsmcertd_dbus_chat',` + gen_require(` + type rhsmcertd_t, rhsmcertd_var_run_t; +@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',` ###################################### ## @@ -72980,7 +73171,7 @@ index 6dbc905..d803796 100644 ## ## ## -@@ -270,35 +265,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` +@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` ## ## ## 
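Review bot: The summary of the new `rhsmcertd_rw_inherited_lock_files` reads `## Read/wirte inherited lock files.`; it should be `## Read/write inherited lock files.`. The heading above it uses 40 `#` while the `rhsmcertd_stream_connect` heading re-added below uses 36, so the two blocks look like they come from different files; matching one width keeps the interface file consistent. Functionally the interface follows the inherited-perm pattern used elsewhere in this patch.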
@@ -73012,24 +73203,24 @@ index 6dbc905..d803796 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 rhsmcertd_t:process ptrace; + ') -+ + +- logging_search_logs($1) +- admin_pattern($1, rhsmcertd_log_t) + rhsmcertd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rhsmcertd_initrc_exec_t system_r; + allow $2 system_r; -- logging_search_logs($1) -- admin_pattern($1, rhsmcertd_log_t) -+ logging_search_logs($1) -+ admin_pattern($1, rhsmcertd_log_t) - - files_search_var_lib($1) - admin_pattern($1, rhsmcertd_var_lib_t) -+ files_search_var_lib($1) -+ admin_pattern($1, rhsmcertd_var_lib_t) ++ logging_search_logs($1) ++ admin_pattern($1, rhsmcertd_log_t) - files_search_pids($1) - admin_pattern($1, rhsmcertd_var_run_t) ++ files_search_var_lib($1) ++ admin_pattern($1, rhsmcertd_var_lib_t) ++ + files_search_pids($1) + admin_pattern($1, rhsmcertd_var_run_t) + @@ -73040,10 +73231,10 @@ index 6dbc905..d803796 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 1cedd70..6508b1e 100644 +index 1cedd70..0369e30 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te -@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t) +@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) # allow rhsmcertd_t self:capability sys_nice; 
@@ -73053,7 +73244,15 @@ index 1cedd70..6508b1e 100644 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; -@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) + manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) +-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) +-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) +-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) ++manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) + + manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) + files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) +@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) @@ -73071,6 +73270,7 @@ index 1cedd70..6508b1e 100644 -files_read_etc_files(rhsmcertd_t) -files_read_usr_files(rhsmcertd_t) +files_manage_generic_locks(rhsmcertd_t) ++files_manage_system_conf_files(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) @@ -73080,7 +73280,8 @@ index 1cedd70..6508b1e 100644 + +logging_send_syslog_msg(rhsmcertd_t) + -+miscfiles_read_certs(rhsmcertd_t) ++miscfiles_manage_cert_files(rhsmcertd_t) ++miscfiles_manage_cert_dirs(rhsmcertd_t) sysnet_dns_name_resolve(rhsmcertd_t) 
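Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on rhsmcertd_log_t with `manage_files_pattern` lets the daemon truncate, rename and delete its own logs, which the append-only set deliberately prevented. If the need is log rotation from inside the daemon, a comment saying so (`# rhsmcertd rotates its own logs`) justifies it; otherwise the narrower three rules are the safer default. The rhsmcertd_t block continues outside the hunk.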
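Review bot: `miscfiles_manage_cert_files(rhsmcertd_t)` and `miscfiles_manage_cert_dirs(rhsmcertd_t)` replace a read-only rule and grant write and delete over everything labelled cert_t, including the system CA bundles, and the hunk just above adds `files_manage_system_conf_files(rhsmcertd_t)` with the same breadth. If rhsmcertd only needs to write its own certificate store (not visible here), a dedicated type with a filetrans rule for those paths would confine the write access to them; if the broad grant is intentional, a why-comment on each line should say which paths it is for. Both hunks sit in the rhsmcertd_t block that continues outside them.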
@@ -80752,6 +80953,21 @@ index a63b875..1c9e41b 100644 ') optional_policy(` +diff --git a/sblim.fc b/sblim.fc +index 68a550d..e976fc6 100644 +--- a/sblim.fc ++++ b/sblim.fc +@@ -1,6 +1,10 @@ + /etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/sblim-sfcbd -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0) + + /usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) + /usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) ++/usr/sbin/sfcbd -- gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0) ++ ++/var/lib/sfcb(/.*)? gen_context(system_u:object_r:sblim_var_lib_t,s0) + + /var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/sblim.if b/sblim.if index 98c9e0a..df51942 100644 --- a/sblim.if @@ -80854,10 +81070,10 @@ index 98c9e0a..df51942 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 4a23d84..d90604c 100644 +index 4a23d84..fcd1610 100644 --- a/sblim.te +++ b/sblim.te -@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3) +@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3) attribute sblim_domain; 
@@ -80870,12 +81086,38 @@ index 4a23d84..d90604c 100644 -type sblim_reposd_exec_t; -init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) +sblim_domain_template(reposd) ++ ++sblim_domain_template(sfcbd) type sblim_initrc_exec_t; init_script_file(sblim_initrc_exec_t) -@@ -33,10 +29,7 @@ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) +@@ -21,6 +19,12 @@ init_script_file(sblim_initrc_exec_t) + type sblim_var_run_t; + files_pid_file(sblim_var_run_t) + ++type sblim_var_lib_t; ++files_type(sblim_var_lib_t) ++ ++type sblim_tmp_t; ++files_tmp_file(sblim_tmp_t) ++ + ###################################### + # + # Common sblim domain local policy +@@ -32,11 +36,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) + manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) ++manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) ++manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) ++manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) ++files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) ++manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) ++manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) ++files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file}) ++ kernel_read_network_state(sblim_domain) -kernel_read_system_state(sblim_domain) @@ -80884,7 +81126,7 @@ index 4a23d84..d90604c 100644 corenet_tcp_sendrecv_generic_if(sblim_domain) corenet_tcp_sendrecv_generic_node(sblim_domain) -@@ -44,19 +37,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) +@@ -44,19 +55,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) dev_read_sysfs(sblim_domain) 
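Review bot: `files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file })` is an unnamed transition, so any dir, file or symlink that gatherd, reposd or sfcbd creates directly under /var/lib is labelled sblim_var_lib_t, whereas the file context added in sblim.fc covers only `/var/lib/sfcb(/.*)?`. A named transition, `files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, dir, "sfcb")`, keeps the label scoped to that directory and avoids mislabelling unrelated content in /var/lib. Because the new rules sit on the sblim_domain attribute they also apply to gatherd and reposd; if only sfcbd uses /var/lib/sfcb and the new tmp type, attaching them to sblim_sfcbd_t would be tighter (presumably — the template body is not visible here). Minor style: `{ dir file sock_file}` lacks the space before the closing brace that the neighbouring sets use.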
@@ -80907,7 +81149,7 @@ index 4a23d84..d90604c 100644 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket { accept listen }; -@@ -84,6 +73,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) +@@ -84,6 +91,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) init_read_utmp(sblim_gatherd_t) @@ -80916,7 +81158,7 @@ index 4a23d84..d90604c 100644 sysnet_dns_name_resolve(sblim_gatherd_t) term_getattr_pty_fs(sblim_gatherd_t) -@@ -103,8 +94,9 @@ optional_policy(` +@@ -103,8 +112,9 @@ optional_policy(` ') optional_policy(` @@ -80927,7 +81169,7 @@ index 4a23d84..d90604c 100644 ') optional_policy(` -@@ -117,6 +109,10 @@ optional_policy(` +@@ -117,6 +127,25 @@ optional_policy(` # Reposd local policy # @@ -80939,6 +81181,21 @@ index 4a23d84..d90604c 100644 + +logging_send_syslog_msg(sblim_reposd_t) + ++####################################### ++# ++# Sfcbd local policy ++# ++ ++allow sblim_sfcbd_t self:capability { sys_ptrace setgid }; ++allow sblim_sfcbd_t self:process signal; ++ ++auth_use_nsswitch(sblim_sfcbd_t) ++ ++corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) ++ ++domain_read_all_domains_state(sblim_sfcbd_t) ++domain_use_interactive_fds(sblim_sfcbd_t) ++ diff --git a/screen.fc b/screen.fc index ac04d27..b73334e 100644 --- a/screen.fc @@ -85923,7 +86180,7 @@ index dbb005a..45291bb 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..54c5c1f 100644 +index a240455..02ad8a9 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -86051,7 +86308,9 @@ index a240455..54c5c1f 100644 + gen_require(` + type sssd_conf_t; + ') -+ + +- files_search_etc($1) +- write_files_pattern($1, sssd_conf_t, sssd_conf_t) + files_search_etc($1) + write_files_pattern($1, sssd_conf_t, sssd_conf_t) +') 
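Review bot: `allow sblim_sfcbd_t self:capability { sys_ptrace setgid };` together with `domain_read_all_domains_state(sblim_sfcbd_t)` lets the new sfcbd domain read the /proc state of every process on the system, and sys_ptrace is the capability that unlocks other users' process internals there. Nothing in the hunk or the changelog says which provider triggers the denial; a comment above the rule such as `# sfcbd providers read /proc/<pid> of other users' processes (AVC in <ticket placeholder>)` would make the grant reviewable later. If the denial came from the kernel probing sys_ptrace on reads that succeed without it, `dontaudit sblim_sfcbd_t self:capability sys_ptrace;` in place of the allow is the usual refpolicy treatment and avoids granting the capability at all.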
@@ -86070,9 +86329,7 @@ index a240455..54c5c1f 100644 + gen_require(` + type sssd_conf_t; + ') - -- files_search_etc($1) -- write_files_pattern($1, sssd_conf_t, sssd_conf_t) ++ + files_search_etc($1) + create_files_pattern($1, sssd_conf_t, sssd_conf_t) ') @@ -86168,7 +86425,32 @@ index a240455..54c5c1f 100644 ## ## ## -@@ -297,8 +333,7 @@ interface(`sssd_dbus_chat',` +@@ -235,6 +271,24 @@ interface(`sssd_dontaudit_search_lib',` + + ######################################## + ## ++## Do not audit attempts to read sssd lib files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`sssd_dontaudit_read_lib',` ++ gen_require(` ++ type sssd_var_lib_t; ++ ') ++ ++ dontaudit $1 sssd_var_lib_t:file read_file_perms; ++') ++ ++######################################## ++## + ## Read sssd lib files. + ## + ## +@@ -297,8 +351,7 @@ interface(`sssd_dbus_chat',` ######################################## ## @@ -86178,7 +86460,7 @@ index a240455..54c5c1f 100644 ## ## ## -@@ -317,8 +352,27 @@ interface(`sssd_stream_connect',` +@@ -317,8 +370,27 @@ interface(`sssd_stream_connect',` ######################################## ## @@ -86198,7 +86480,7 @@ index a240455..54c5c1f 100644 + ') + + dontaudit $1 sssd_t:unix_stream_socket connectto; -+ dontaudit $1 sssd_var_lib_t:sock_file write; ++ dontaudit $1 sssd_var_lib_t:sock_file { read write }; +') + +######################################## @@ -86208,7 +86490,7 @@ index a240455..54c5c1f 100644 ## ## ## -@@ -327,7 +381,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +399,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -86217,7 +86499,7 @@ index a240455..54c5c1f 100644 ## ## ## -@@ -335,27 +389,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +407,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -89493,10 +89775,10 @@ index 0000000..c1fd8b4 +') 
diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..1a7c61d +index 0000000..b57cc3c --- /dev/null +++ b/thumb.te -@@ -0,0 +1,148 @@ +@@ -0,0 +1,149 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -89596,7 +89878,8 @@ index 0000000..1a7c61d +userdom_read_user_tmp_files(thumb_t) +userdom_read_user_home_content_files(thumb_t) +userdom_exec_user_home_content_files(thumb_t) -+userdom_write_user_tmp_files(thumb_t) ++userdom_dontaudit_write_user_tmp_files(thumb_t) ++userdom_dontaudit_delete_user_tmp_files(thumb_t) +userdom_read_home_audio_files(thumb_t) +userdom_home_reader(thumb_t) + @@ -93995,7 +94278,7 @@ index 9dec06c..73549fd 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..a77dab1 100644 +index 1f22fba..62390bf 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,167 @@ @@ -94239,7 +94522,7 @@ index 1f22fba..a77dab1 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -150,295 +170,140 @@ ifdef(`enable_mls',` +@@ -150,295 +170,141 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -94497,6 +94780,7 @@ index 1f22fba..a77dab1 100644 optional_policy(` - xen_rw_image_files(virt_domain) + sssd_dontaudit_stream_connect(svirt_t) ++ sssd_dontaudit_read_lib(svirt_t) ') -######################################## @@ -94619,7 +94903,7 @@ index 1f22fba..a77dab1 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +313,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +314,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -94666,7 +94950,7 @@ index 1f22fba..a77dab1 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +348,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +349,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -94688,7 +94972,7 @@ index 1f22fba..a77dab1 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +361,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +362,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -94696,7 +94980,7 @@ index 1f22fba..a77dab1 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +369,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +370,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -94724,7 +95008,7 @@ index 1f22fba..a77dab1 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +389,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +390,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -94757,7 +95041,7 @@ index 1f22fba..a77dab1 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +440,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +441,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -94777,7 +95061,7 @@ index 1f22fba..a77dab1 100644 selinux_validate_context(virtd_t) -@@ -613,18 +462,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +463,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -94814,7 +95098,7 @@ index 1f22fba..a77dab1 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +490,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +491,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -94823,7 +95107,7 @@ index 1f22fba..a77dab1 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +515,12 @@ optional_policy(` +@@ -658,20 +516,12 @@ optional_policy(` ') optional_policy(` @@ -94844,7 +95128,7 @@ index 1f22fba..a77dab1 100644 ') optional_policy(` -@@ -684,14 +533,20 @@ optional_policy(` +@@ -684,14 +534,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -94867,7 +95151,7 @@ index 1f22fba..a77dab1 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +559,13 @@ optional_policy(` +@@ -704,11 +560,13 @@ optional_policy(` ') optional_policy(` @@ -94881,7 +95165,7 @@ index 1f22fba..a77dab1 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +576,18 @@ optional_policy(` +@@ -719,10 +577,18 @@ optional_policy(` ') optional_policy(` @@ -94900,7 +95184,7 @@ index 1f22fba..a77dab1 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +602,264 @@ optional_policy(` +@@ -737,44 +603,264 @@ optional_policy(` udev_read_db(virtd_t) ') 
@@ -95187,7 +95471,7 @@ index 1f22fba..a77dab1 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +870,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +871,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -95214,7 +95498,7 @@ index 1f22fba..a77dab1 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +890,23 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +891,23 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -95247,7 +95531,7 @@ index 1f22fba..a77dab1 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +925,20 @@ optional_policy(` +@@ -847,14 +926,20 @@ optional_policy(` ') optional_policy(` @@ -95269,7 +95553,7 @@ index 1f22fba..a77dab1 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +963,65 @@ optional_policy(` +@@ -879,49 +964,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -95353,7 +95637,7 @@ index 1f22fba..a77dab1 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1033,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1034,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -95373,7 +95657,7 @@ index 1f22fba..a77dab1 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1054,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1055,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -95397,7 +95681,7 @@ index 1f22fba..a77dab1 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1079,238 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1080,238 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -95772,7 +96056,7 @@ index 1f22fba..a77dab1 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1323,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1324,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -95787,7 +96071,7 @@ index 1f22fba..a77dab1 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1341,8 @@ optional_policy(` +@@ -1183,9 +1342,8 @@ optional_policy(` ######################################## # @@ -95798,7 +96082,7 @@ index 1f22fba..a77dab1 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1355,194 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1356,194 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -95891,7 +96175,7 @@ index 1f22fba..a77dab1 100644 +# + +optional_policy(` -+ type virt_qemu_ga_unconfined_t, virt_domain; ++ type virt_qemu_ga_unconfined_t; + domain_type(virt_qemu_ga_unconfined_t) + + domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t) 
@@ -96416,13 +96700,40 @@ index 9329eae..824e86f 100644 -optional_policy(` - seutil_use_newrole_fds(vpnc_t) -') +diff --git a/watchdog.fc b/watchdog.fc +index eecd0e0..50248a7 100644 +--- a/watchdog.fc ++++ b/watchdog.fc +@@ -2,6 +2,8 @@ + + /usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0) + ++/var/cache/watchdog(/.*)? gen_context(system_u:object_r:watchdog_cache_t,s0) ++ + /var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0) + + /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/watchdog.te b/watchdog.te -index 29f79e8..9e403ee 100644 +index 29f79e8..1d43690 100644 --- a/watchdog.te +++ b/watchdog.te -@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms; +@@ -12,6 +12,9 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) + type watchdog_initrc_exec_t; + init_script_file(watchdog_initrc_exec_t) + ++type watchdog_cache_t; ++files_type(watchdog_cache_t) ++ + type watchdog_log_t; + logging_log_file(watchdog_log_t) + +@@ -29,8 +32,12 @@ allow watchdog_t self:process { setsched signal_perms }; + allow watchdog_t self:fifo_file rw_fifo_file_perms; allow watchdog_t self:tcp_socket { accept listen }; ++manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) ++manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) ++ allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(watchdog_t, watchdog_log_t, file) +manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) @@ -96430,7 +96741,7 @@ index 29f79e8..9e403ee 100644 manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) -@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t) +@@ -63,7 +70,6 @@ domain_signull_all_domains(watchdog_t) domain_signal_all_domains(watchdog_t) domain_kill_all_domains(watchdog_t) 
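Review bot: The new `manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)` and `manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)` rules have no accompanying file transition, so if the daemon creates /var/cache/watchdog itself at runtime the directory inherits its parent's generic label and the new rules never apply until a relabel. Adding `files_var_filetrans(watchdog_t, watchdog_cache_t, dir, "watchdog")` beside them keeps the label correct whether the directory is shipped by the package or created on first start (presumably the latter, since the file context was only just added; the package layout is not visible here). Style: the common refpolicy order is dirs before files, so swapping the two added lines would match the rest of the module.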
@@ -96438,7 +96749,7 @@ index 29f79e8..9e403ee 100644 files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) -@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t) +@@ -75,8 +81,6 @@ auth_append_login_records(watchdog_t) logging_send_syslog_msg(watchdog_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 4602c3a..f948afb 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 96%{?dist} +Release: 97%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -573,6 +573,44 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Nov 6 2013 Miroslav Grepl 3.12.1-97 +- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory. +- Label /etc/yum.repos.d as system_conf_t +- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t +- Allow dac_override for sysadm_screen_t +- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file. +- Allow netlabel-config to read meminfo +- Add interface to allow docker to mounton file_t +- Add new interface to exec unlabeled files +- Allow lvm to use docker semaphores +- Setup transitons for .xsessions-errors.old +- Change labels of files in /var/lib/*/.ssh to transition properly +- Allow staff_t and user_t to look at logs using journalctl +- pluto wants to manage own log file +- Allow pluto running as ipsec_t to create pluto.log +- Fix alias decl in corenetwork.te.in +- Add support for fuse.glusterfs +- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd +- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files. 
+- Additional access for docker +- Added more rules to sblim policy +- Fix kdumpgui_run_bootloader boolean +- Allow dspam to connect to lmtp port +- Included sfcbd service into sblim policy +- rhsmcertd wants to manaage /etc/pki/consumer dir +- Add kdumpgui_run_bootloader boolean +- Add support for /var/cache/watchdog +- Remove virt_domain attribute for virt_qemu_ga_unconfined_t +- Fixes for handling libvirt containes +- Dontaudit attempts by mysql_safe to write content into / +- Dontaudit attempts by system_mail to modify network config +- Allow dspam to bind to lmtp ports +- Add new policy to allow staff_t and user_t to look at logs using journalctl +- Allow apache cgi scripts to list sysfs +- Dontaudit attempts to write/delete user_tmp_t files +- Allow all antivirus domains to manage also own log dirs +- Allow pegasus_openlmi_services_t to stream connect to sssd_t + * Fri Nov 1 2013 Miroslav Grepl 3.12.1-96 - Add missing permission checks for nscd