diff --git a/policy-rawhide.patch b/policy-rawhide.patch index d885a84..70a2712 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -112385,7 +112385,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index db981df..62de080 100644 +index db981df..e2c87b3 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -112605,7 +112605,7 @@ index db981df..62de080 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -271,6 +319,10 @@ ifdef(`distro_gentoo',` +@@ -271,10 +319,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -112616,7 +112616,12 @@ index db981df..62de080 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -289,16 +341,21 @@ ifdef(`distro_gentoo',` + /usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/gitolite3/commands(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) +@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -112640,7 +112645,7 @@ index db981df..62de080 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,8 +371,12 @@ ifdef(`distro_redhat', ` +@@ -314,8 +372,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) 
@@ -112653,7 +112658,7 @@ index db981df..62de080 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,9 +386,11 @@ ifdef(`distro_redhat', ` +@@ -325,9 +387,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112665,7 +112670,7 @@ index db981df..62de080 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -376,11 +439,14 @@ ifdef(`distro_suse', ` +@@ -376,11 +440,15 @@ ifdef(`distro_suse', ` # # /var # @@ -112677,11 +112682,12 @@ index db981df..62de080 100644 /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -390,3 +456,12 @@ ifdef(`distro_suse', ` +@@ -390,3 +458,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -114348,7 +114354,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index fe2ee5e..651978f 100644 +index fe2ee5e..5a58a39 100644 --- a/policy/modules/kernel/corenetwork.te.in 
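Review bot: `/usr/share/gems(/.*)?/helper-scripts(/.*)?` labels a `helper-scripts` directory at any depth under /usr/share/gems as bin_t, not just the gem's own top-level helper-scripts directory, so test fixtures or vendored trees inside any gem that happen to use that name become executable for confined domains. If the target is the installed-gem layout (presumably passenger's `/usr/share/gems/gems/<name>-<ver>/helper-scripts` — confirm), `/usr/share/gems/gems/[^/]+/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)` is the tighter match, and the sibling `/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?` line has the same shape and would deserve the same narrowing. A short comment naming which gem needs this would also help whoever later has to decide whether the rule can go.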
+++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0) @@ -114401,7 +114407,15 @@ index fe2ee5e..651978f 100644 type client_packet_t, packet_type, client_packet_type; # -@@ -59,6 +75,12 @@ sid port gen_context(system_u:object_r:port_t,s0) +@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type; + # + type netlabel_peer_t; + sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) ++mcs_untrusted_proc(netlabel_peer_t) + + # + # port_t is the default type of INET port numbers. +@@ -59,6 +76,12 @@ sid port gen_context(system_u:object_r:port_t,s0) type unreserved_port_t, port_type, unreserved_port_type; # @@ -114414,7 +114428,7 @@ index fe2ee5e..651978f 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -74,30 +96,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; +@@ -74,30 +97,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) @@ -114455,7 +114469,7 @@ index fe2ee5e..651978f 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -108,14 +139,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -108,14 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) 
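Review bot: `mcs_untrusted_proc(netlabel_peer_t)` applies a process-oriented MCS interface to the netmsg peer type, which in this file appears mainly as the object of `peer recv` and socket `recvfrom` rules (see the `@@ -297` hunk), so it is not visible here which constraint the call actually enables. If the interface only adds `mcs_constrained_type` and the MCS constraints for `peer`/`recvfrom` are not written against that attribute, the line is a no-op that reads like a control; if they are, it changes which domains may receive labelled packets and deserves a line of rationale. A comment above the call such as `# netlabel_peer_t is an object type; this relies on the MCS peer recv / socket recvfrom constraints only` would record the intent either way.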
@@ -114479,7 +114493,7 @@ index fe2ee5e..651978f 100644 network_port(glance_registry, tcp,9191,s0, udp,9191,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) -@@ -123,104 +163,139 @@ network_port(hadoop_datanode, tcp,50010,s0) +@@ -123,104 +164,139 @@ network_port(hadoop_datanode, tcp,50010,s0) network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) @@ -114488,7 +114502,7 @@ index fe2ee5e..651978f 100644 -network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy +network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) +network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port -+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy ++network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) 
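Review bot: The trailing comment on the rewritten http_cache line still reads `# 8118 is for privoxy` although the hunk adds `tcp,8123,s0`, so the reason for 8123 is undocumented; `# 8118 is for privoxy, 8123 is for polipo` keeps the line self-explaining, if polipo is indeed the motivation (confirm). The rewritten http line also carries `tcp,9000, s0` with a stray space before `s0`, a spelling the surrounding entries do not use; `tcp,9000,s0` matches them.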
@@ -114522,7 +114536,8 @@ index fe2ee5e..651978f 100644 +network_port(rtsclient, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) - network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) +-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) ++network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0) network_port(lirc, tcp,8765,s0) +network_port(luci, tcp,8084,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) @@ -114562,7 +114577,7 @@ index fe2ee5e..651978f 100644 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) +network_port(piranha, tcp,3636,s0) -+network_port(pki_ca, tcp, 7389, s0, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0) ++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0) +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0) @@ -114638,7 +114653,7 @@ index fe2ee5e..651978f 100644 network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) network_port(utcpserver) # no defined portcon -@@ -228,9 +303,12 @@ network_port(uucpd, tcp,540,s0) +@@ -228,9 +304,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) 
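Review bot: Moving `tcp, 7389,s0` from pki_ca_port_t to ldap_port_t widens who may reach that port: every domain granted the ldap port interfaces can now connect to or bind it, whereas before only domains with pki_ca port access could. That is the right label if 7389 is a directory-server listener (presumably the dogtag/IPA internal 389-ds instance), but because the pki_ca hunk on this same line drops it, any pki domain that relied on pki_ca_port_t to reach 7389 now needs the ldap port rules instead — confirm those exist. The new entry is also written `tcp, 7389,s0` while the rest of the line uses `tcp,3268,s0`; `tcp,7389,s0` is the consistent form.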
@@ -114652,7 +114667,7 @@ index fe2ee5e..651978f 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -242,17 +320,22 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -242,17 +321,22 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -114677,7 +114692,7 @@ index fe2ee5e..651978f 100644 ######################################## # -@@ -297,9 +380,22 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -297,9 +381,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -114702,6 +114717,8 @@ index fe2ee5e..651978f 100644 + +allow netlabel_peer_type netlabel_peer_t:peer recv; +allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; ++allow netlabel_peer_t netif_t:netif ingress; ++allow netlabel_peer_t node_t:node recvfrom; diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index 3f6e168..51ad69a 100644 --- a/policy/modules/kernel/corenetwork.te.m4 @@ -117015,7 +117032,7 @@ index 6a1e4d1..eee8419 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..dde12bc 100644 +index cf04cb5..09a61e6 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) 
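Review bot: The two new rules `allow netlabel_peer_t netif_t:netif ingress;` and `allow netlabel_peer_t node_t:node recvfrom;` are written against the default types netif_t and node_t rather than the `netif_type`/`node_type` attributes used for corenet_unconfined_type earlier in this hunk, so a labelled packet arriving on an interface or from a node that carries any other type is still denied at the ingress/recvfrom check. If that is deliberate (only default-labelled interfaces may deliver NetLabel-labelled traffic), a comment saying so will stop the next reader from "fixing" it; if not, `allow netlabel_peer_t netif_type:netif ingress;` and `allow netlabel_peer_t node_type:node recvfrom;` are the general form. Either way the two lines land without any comment explaining why the peer type needs interface ingress at all.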
@@ -117141,7 +117158,7 @@ index cf04cb5..dde12bc 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,274 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -117255,6 +117272,10 @@ index cf04cb5..dde12bc 100644 +') + +optional_policy(` ++ prelink_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + pulseaudio_filetrans_home_content(unconfined_domain_type) + pulseaudio_filetrans_admin_home_content(unconfined_domain_type) +') @@ -117642,7 +117663,7 @@ index 8796ca3..c2055b3 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..74f20a1 100644 +index e1e814d..d042988 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -117662,15 +117683,12 @@ index e1e814d..74f20a1 100644 allow $1 non_security_file_type:file mounton; ') -@@ -618,6 +619,64 @@ interface(`files_dontaudit_getattr_non_security_files',` - dontaudit $1 non_security_file_type:file getattr; - ') +@@ -620,6 +621,63 @@ interface(`files_dontaudit_getattr_non_security_files',` -+ -+######################################## -+## -+## Do not audit attempts to search -+## of non security dirs. + ######################################## + ## ++## Do not audit attempts to search ++## non security dirs. +## +## +## 
@@ -117724,10 +117742,12 @@ index e1e814d..74f20a1 100644 + dontaudit $1 non_security_file_type:dir setattr; +') + - ######################################## - ## ++######################################## ++## ## Read all files. -@@ -683,12 +742,82 @@ interface(`files_read_non_security_files',` + ## + ## +@@ -683,12 +741,82 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -117810,7 +117830,7 @@ index e1e814d..74f20a1 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ## -@@ -953,6 +1082,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` +@@ -953,6 +1081,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## @@ -117836,7 +117856,7 @@ index e1e814d..74f20a1 100644 ## Get the attributes of all named sockets. ## ## -@@ -1073,10 +1221,8 @@ interface(`files_relabel_all_files',` +@@ -1073,10 +1220,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -117849,7 +117869,7 @@ index e1e814d..74f20a1 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1655,6 +1801,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1655,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -117874,7 +117894,7 @@ index e1e814d..74f20a1 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1673,6 +1837,24 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1673,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## 
@@ -117899,7 +117919,7 @@ index e1e814d..74f20a1 100644 ## List the contents of the root directory. ## ## -@@ -1856,6 +2038,42 @@ interface(`files_delete_root_dir_entry',` +@@ -1856,6 +2037,42 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -117942,7 +117962,7 @@ index e1e814d..74f20a1 100644 ## Unmount a rootfs filesystem. ## ## -@@ -1874,6 +2092,24 @@ interface(`files_unmount_rootfs',` +@@ -1874,6 +2091,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -117967,7 +117987,7 @@ index e1e814d..74f20a1 100644 ## Get attributes of the /boot directory. ## ## -@@ -2573,6 +2809,24 @@ interface(`files_rw_etc_dirs',` +@@ -2573,6 +2808,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -117992,7 +118012,7 @@ index e1e814d..74f20a1 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2644,6 +2898,7 @@ interface(`files_read_etc_files',` +@@ -2644,6 +2897,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -118000,7 +118020,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -2652,7 +2907,7 @@ interface(`files_read_etc_files',` +@@ -2652,7 +2906,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -118009,7 +118029,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -2708,6 +2963,25 @@ interface(`files_manage_etc_files',` +@@ -2708,6 +2962,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -118035,7 +118055,7 @@ index e1e814d..74f20a1 100644 ## Delete system configuration files in /etc. ## ## -@@ -2726,6 +3000,24 @@ interface(`files_delete_etc_files',` +@@ -2726,6 +2999,24 @@ interface(`files_delete_etc_files',` ######################################## ## 
@@ -118060,7 +118080,7 @@ index e1e814d..74f20a1 100644 ## Execute generic files in /etc. ## ## -@@ -2891,24 +3183,6 @@ interface(`files_delete_boot_flag',` +@@ -2891,24 +3182,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -118085,7 +118105,7 @@ index e1e814d..74f20a1 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2949,9 +3223,7 @@ interface(`files_read_etc_runtime_files',` +@@ -2949,9 +3222,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -118096,7 +118116,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -2959,12 +3231,50 @@ interface(`files_read_etc_runtime_files',` +@@ -2959,12 +3230,50 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -118149,7 +118169,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -2986,6 +3296,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2986,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -118157,7 +118177,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -3007,6 +3318,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3007,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -118165,7 +118185,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -3135,6 +3447,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3135,6 +3446,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## 
@@ -118191,7 +118211,7 @@ index e1e814d..74f20a1 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3382,6 +3713,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3382,6 +3712,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -118217,7 +118237,7 @@ index e1e814d..74f20a1 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3723,20 +4073,38 @@ interface(`files_list_mnt',` +@@ -3723,20 +4072,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -118261,7 +118281,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -4126,6 +4494,127 @@ interface(`files_read_world_readable_sockets',` +@@ -4126,6 +4493,127 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -118389,7 +118409,7 @@ index e1e814d..74f20a1 100644 ######################################## ## ## Allow the specified type to associate -@@ -4148,6 +4637,26 @@ interface(`files_associate_tmp',` +@@ -4148,6 +4636,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -118416,7 +118436,7 @@ index e1e814d..74f20a1 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4161,6 +4670,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4161,6 +4669,7 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -118424,7 +118444,7 @@ index e1e814d..74f20a1 100644 allow $1 tmp_t:dir getattr; ') -@@ -4171,7 +4681,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4171,7 +4680,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -118433,7 +118453,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -4198,6 +4708,7 @@ interface(`files_search_tmp',` +@@ -4198,6 +4707,7 @@ interface(`files_search_tmp',` type tmp_t; ') 
@@ -118441,7 +118461,7 @@ index e1e814d..74f20a1 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4234,6 +4745,7 @@ interface(`files_list_tmp',` +@@ -4234,6 +4744,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -118449,7 +118469,7 @@ index e1e814d..74f20a1 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4243,7 +4755,7 @@ interface(`files_list_tmp',` +@@ -4243,7 +4754,7 @@ interface(`files_list_tmp',` ## ## ## @@ -118458,7 +118478,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -4255,6 +4767,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4255,6 +4766,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -118484,7 +118504,7 @@ index e1e814d..74f20a1 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4270,6 +4801,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4270,6 +4800,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -118492,7 +118512,7 @@ index e1e814d..74f20a1 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4311,6 +4843,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4311,6 +4842,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -118525,7 +118545,7 @@ index e1e814d..74f20a1 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4365,6 +4923,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4365,6 +4922,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -118568,7 +118588,7 @@ index e1e814d..74f20a1 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4383,6 +4977,42 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4383,6 +4976,42 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## 
@@ -118611,7 +118631,7 @@ index e1e814d..74f20a1 100644 ## List all tmp directories. ## ## -@@ -4428,7 +5058,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4428,7 +5057,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -118620,7 +118640,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -4488,7 +5118,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4488,7 +5117,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -118629,7 +118649,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -4573,6 +5203,16 @@ interface(`files_purge_tmp',` +@@ -4573,6 +5202,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -118646,7 +118666,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -5150,12 +5790,30 @@ interface(`files_list_var',` +@@ -5150,12 +5789,30 @@ interface(`files_list_var',` ######################################## ## @@ -118680,7 +118700,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -5505,6 +6163,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5505,6 +6162,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -118706,7 +118726,7 @@ index e1e814d..74f20a1 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5550,7 +6227,7 @@ interface(`files_manage_mounttab',` +@@ -5550,7 +6226,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -118715,7 +118735,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -5558,12 +6235,13 @@ interface(`files_manage_mounttab',` +@@ -5558,12 +6234,13 @@ interface(`files_manage_mounttab',` ## ## # 
@@ -118731,7 +118751,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -5581,6 +6259,7 @@ interface(`files_search_locks',` +@@ -5581,6 +6258,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -118739,7 +118759,7 @@ index e1e814d..74f20a1 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5607,7 +6286,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5607,7 +6285,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -118767,7 +118787,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -5615,13 +6313,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5615,13 +6312,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -118784,7 +118804,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -5640,7 +6337,7 @@ interface(`files_rw_lock_dirs',` +@@ -5640,7 +6336,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -118793,7 +118813,7 @@ index e1e814d..74f20a1 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5673,7 +6370,6 @@ interface(`files_create_lock_dirs',` +@@ -5673,7 +6369,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -118801,7 +118821,7 @@ index e1e814d..74f20a1 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5701,8 +6397,7 @@ interface(`files_getattr_generic_locks',` +@@ -5701,8 +6396,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -118811,7 +118831,7 @@ index e1e814d..74f20a1 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5718,13 +6413,12 @@ interface(`files_getattr_generic_locks',` +@@ -5718,13 +6412,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -118829,7 +118849,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -5743,8 +6437,7 @@ interface(`files_manage_generic_locks',` +@@ -5743,8 +6436,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -118839,7 +118859,7 @@ index e1e814d..74f20a1 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5786,8 +6479,7 @@ interface(`files_read_all_locks',` +@@ -5786,8 +6478,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -118849,7 +118869,7 @@ index e1e814d..74f20a1 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5809,8 +6501,7 @@ interface(`files_manage_all_locks',` +@@ -5809,8 +6500,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -118859,7 +118879,7 @@ index e1e814d..74f20a1 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5847,8 +6538,7 @@ interface(`files_lock_filetrans',` +@@ -5847,8 +6537,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -118869,7 +118889,7 @@ index e1e814d..74f20a1 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5911,6 +6601,43 @@ interface(`files_search_pids',` +@@ -5911,6 +6600,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -118913,7 +118933,7 @@ index e1e814d..74f20a1 100644 ######################################## ## ## Do not audit attempts to search -@@ -5933,6 +6660,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5933,6 +6659,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## 
@@ -118939,7 +118959,7 @@ index e1e814d..74f20a1 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6048,7 +6794,6 @@ interface(`files_pid_filetrans',` +@@ -6048,7 +6793,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -118947,7 +118967,7 @@ index e1e814d..74f20a1 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6157,30 +6902,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6157,30 +6901,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -118982,7 +119002,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6188,43 +6928,35 @@ interface(`files_read_all_pids',` +@@ -6188,43 +6927,35 @@ interface(`files_read_all_pids',` ## ## # @@ -119033,7 +119053,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6232,21 +6964,17 @@ interface(`files_delete_all_pids',` +@@ -6232,21 +6963,17 @@ interface(`files_delete_all_pids',` ## ## # @@ -119058,7 +119078,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6254,56 +6982,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -6254,56 +6981,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -119134,7 +119154,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6311,18 +7042,17 @@ interface(`files_list_spool',` +@@ -6311,18 +7041,17 @@ interface(`files_list_spool',` ## ## # @@ -119157,7 +119177,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6330,19 +7060,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6330,19 +7059,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -119182,7 +119202,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6350,55 +7079,62 @@ interface(`files_read_generic_spool',` +@@ -6350,55 +7078,62 @@ interface(`files_read_generic_spool',` ## ## # @@ -119269,7 +119289,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6406,25 +7142,283 @@ interface(`files_spool_filetrans',` +@@ -6406,25 +7141,283 @@ interface(`files_spool_filetrans',` ## ## # 
@@ -119568,7 +119588,7 @@ index e1e814d..74f20a1 100644 # is remounted for polyinstantiation aware programs (like gdm) allow $1 polyparent:dir { getattr mounton }; -@@ -6467,3 +7461,457 @@ interface(`files_unconfined',` +@@ -6467,3 +7460,457 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -120027,7 +120047,7 @@ index e1e814d..74f20a1 100644 +') + diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 52ef84e..932cc01 100644 +index 52ef84e..45cb0bc 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.17.0) @@ -120090,17 +120110,15 @@ index 52ef84e..932cc01 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -@@ -79,8 +95,7 @@ typealias etc_runtime_t alias firstboot_rw_t; - # assigned an extended attribute (EA) value (when using a filesystem - # that supports EAs). +@@ -81,6 +97,7 @@ typealias etc_runtime_t alias firstboot_rw_t; # --type file_t; --files_mountpoint(file_t) -+type file_t, security_file_type, mountpoint; + type file_t; + files_mountpoint(file_t) ++files_base_file(file_t) kernel_rootfs_mountpoint(file_t) sid file gen_context(system_u:object_r:file_t,s0) -@@ -89,6 +104,7 @@ sid file gen_context(system_u:object_r:file_t,s0) +@@ -89,6 +106,7 @@ sid file gen_context(system_u:object_r:file_t,s0) # are created # type home_root_t; @@ -120108,7 +120126,7 @@ index 52ef84e..932cc01 100644 files_mountpoint(home_root_t) files_poly_parent(home_root_t) -@@ -96,12 +112,13 @@ files_poly_parent(home_root_t) +@@ -96,12 +114,13 @@ files_poly_parent(home_root_t) # lost_found_t is the type for the lost+found directories. # type lost_found_t; 
@@ -120123,7 +120141,7 @@ index 52ef84e..932cc01 100644 files_mountpoint(mnt_t) # -@@ -123,6 +140,7 @@ files_type(readable_t) +@@ -123,6 +142,7 @@ files_type(readable_t) # root_t is the type for rootfs and the root directory. # type root_t; @@ -120131,7 +120149,7 @@ index 52ef84e..932cc01 100644 files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) -@@ -133,52 +151,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) +@@ -133,52 +153,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # type src_t; files_mountpoint(src_t) @@ -120195,7 +120213,7 @@ index 52ef84e..932cc01 100644 files_pid_file(var_run_t) files_mountpoint(var_run_t) -@@ -186,7 +215,9 @@ files_mountpoint(var_run_t) +@@ -186,7 +217,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # type var_spool_t; @@ -120205,7 +120223,7 @@ index 52ef84e..932cc01 100644 ######################################## # -@@ -225,10 +256,11 @@ fs_associate_tmpfs(tmpfsfile) +@@ -225,10 +258,11 @@ fs_associate_tmpfs(tmpfsfile) # Create/access any file in a labeled filesystem; allow files_unconfined_type file_type:{ file chr_file } ~execmod; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; @@ -125894,7 +125912,7 @@ index 0000000..bac0dc0 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..614f929 +index 0000000..d609f53 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,387 @@ @@ -125941,7 +125959,7 @@ index 0000000..614f929 +userdom_manage_home_role(unconfined_r, unconfined_t) +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -+userdom_unpriv_type(unconfined_r, unconfined_t) ++userdom_unpriv_type(unconfined_t) + +type unconfined_exec_t; +init_system_domain(unconfined_t, unconfined_exec_t) @@ -126477,10 +126495,18 @@ index 9f6d4c3..23a78b4 100644 + ') +') 
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index a26f84f..4e52843 100644 +index a26f84f..d3cc612 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc -@@ -28,9 +28,9 @@ ifdef(`distro_redhat', ` +@@ -10,6 +10,7 @@ + # + /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) + /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) + + /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) +@@ -28,9 +29,9 @@ ifdef(`distro_redhat', ` # /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) @@ -126492,7 +126518,7 @@ index a26f84f..4e52843 100644 /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) -@@ -45,4 +45,4 @@ ifdef(`distro_redhat', ` +@@ -45,4 +46,4 @@ ifdef(`distro_redhat', ` /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) @@ -126811,10 +126837,10 @@ index 4318f73..e4d0b31 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 078bcd7..84ad865 100644 +index 078bcd7..613a47e 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,9 +1,22 @@ +@@ -1,9 +1,23 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + 
@@ -126824,6 +126850,7 @@ index 078bcd7..84ad865 100644 +/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) @@ -126837,7 +126864,7 @@ index 078bcd7..84ad865 100644 /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) -@@ -14,3 +27,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +@@ -14,3 +28,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) @@ -129535,7 +129562,7 @@ index 130ced9..a75282a 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index d40f750..6080063 100644 +index d40f750..6a1f890 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -130214,7 +130241,7 @@ index d40f750..6080063 100644 ') optional_policy(` -@@ -514,12 +740,74 @@ optional_policy(` +@@ -514,12 +740,71 @@ optional_policy(` ') optional_policy(` @@ -130223,6 +130250,7 @@ index d40f750..6080063 100644 + dbus_system_bus_client(xdm_dbusd_t) + dbus_system_bus_client(xdm_t) + ++ application_dontaudit_exec(xdm_dbusd_t) + #fixes for xfce4-notifyd + allow xdm_dbusd_t self:unix_stream_socket connectto; + allow xdm_dbusd_t xserver_t:unix_stream_socket connectto; @@ -130260,10 +130288,6 @@ index d40f750..6080063 100644 + optional_policy(` + networkmanager_dbus_chat(xdm_t) + ') -+ -+ optional_policy(` -+ telepathy_exec(xdm_dbusd_t) -+ ') +') + +optional_policy(` 
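Review bot: The `application_dontaudit_exec(xdm_dbusd_t)` call added in the `@@ -130223` hunk suppresses every `execute` denial on application_exec_type files for the display manager's D-Bus daemon, while the `@@ -130260` hunk of the same commit drops the `telepathy_exec(xdm_dbusd_t)` grant; any session helper that genuinely needs to run such a binary will now fail without leaving an AVC to diagnose. Because a blanket dontaudit is hard to revisit later, the rationale belongs next to the call, e.g. `# xdm_dbusd_t probes user applications at activation time; silence rather than grant exec (telepathy_exec dropped for this reason)`. If the intent is that nothing launched through xdm_dbusd_t should ever exec an application binary, say so in that comment so a later reader does not re-add the grant.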
@@ -130289,7 +130313,7 @@ index d40f750..6080063 100644 hostname_exec(xdm_t) ') -@@ -537,28 +825,74 @@ optional_policy(` +@@ -537,28 +822,74 @@ optional_policy(` ') optional_policy(` @@ -130373,7 +130397,7 @@ index d40f750..6080063 100644 ') optional_policy(` -@@ -570,6 +904,14 @@ optional_policy(` +@@ -570,6 +901,14 @@ optional_policy(` ') optional_policy(` @@ -130388,7 +130412,7 @@ index d40f750..6080063 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +936,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -130401,7 +130425,7 @@ index d40f750..6080063 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +953,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -130417,7 +130441,7 @@ index d40f750..6080063 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +980,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -130439,7 +130463,7 @@ index d40f750..6080063 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1000,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -130453,7 +130477,7 @@ index d40f750..6080063 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1026,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1023,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -130485,7 +130509,7 @@ index d40f750..6080063 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1058,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1055,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -130499,7 +130523,7 @@ index d40f750..6080063 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,20 +1077,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1074,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -130523,7 +130547,7 @@ index d40f750..6080063 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1142,40 @@ optional_policy(` +@@ -775,16 +1139,40 @@ optional_policy(` ') optional_policy(` @@ -130565,7 +130589,7 @@ index d40f750..6080063 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1184,10 @@ optional_policy(` +@@ -793,6 +1181,10 @@ optional_policy(` ') optional_policy(` 
@@ -130576,7 +130600,7 @@ index d40f750..6080063 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1203,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -130590,7 +130614,7 @@ index d40f750..6080063 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1214,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -130599,7 +130623,7 @@ index d40f750..6080063 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1227,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1224,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -130634,7 +130658,7 @@ index d40f750..6080063 100644 ') optional_policy(` -@@ -859,6 +1249,10 @@ optional_policy(` +@@ -859,6 +1246,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -130645,7 +130669,7 @@ index d40f750..6080063 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1296,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1293,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -130654,7 +130678,7 @@ index d40f750..6080063 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1350,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1347,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -130686,7 +130710,7 @@ index d40f750..6080063 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1396,44 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1393,44 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -130747,7 +130771,7 @@ index d40f750..6080063 100644 + unconfined_domain(xdm_unconfined_t) +') diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index 1b6619e..219acba 100644 +index 1b6619e..be02b96 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if @@ -43,6 +43,27 @@ interface(`application_executable_file',` @@ -130778,7 +130802,7 @@ index 1b6619e..219acba 100644 ######################################## ## ## Execute application executables in the caller domain. -@@ -76,7 +97,6 @@ interface(`application_exec_all',` +@@ -76,13 +97,30 @@ interface(`application_exec_all',` corecmd_dontaudit_exec_all_executables($1) corecmd_exec_bin($1) corecmd_exec_shell($1) 
@@ -130786,7 +130810,31 @@ index 1b6619e..219acba 100644 application_exec($1) ') -@@ -189,6 +209,24 @@ interface(`application_dontaudit_signal',` + + ######################################## + ## ++## Dontaudit execute all executable files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`application_dontaudit_exec',` ++ gen_require(` ++ attribute application_exec_type; ++ ') ++ ++ dontaudit $1 application_exec_type:file execute; ++') ++ ++######################################## ++## + ## Create a domain for applications. + ## + ## +@@ -189,6 +227,24 @@ interface(`application_dontaudit_signal',` ######################################## ## @@ -130811,7 +130859,7 @@ index 1b6619e..219acba 100644 ## Do not audit attempts to send kill signals ## to all application domains. ## -@@ -205,3 +243,21 @@ interface(`application_dontaudit_sigkill',` +@@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',` dontaudit $1 application_domain_type:process sigkill; ') @@ -130834,10 +130882,10 @@ index 1b6619e..219acba 100644 + allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index c6fdab7..0118d30 100644 +index c6fdab7..c59902a 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te -@@ -6,6 +6,28 @@ attribute application_domain_type; +@@ -6,6 +6,30 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; 
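Review bot: The summary of the new `application_dontaudit_exec` interface says "Dontaudit execute all executable files", but the rule `dontaudit $1 application_exec_type:file execute;` covers only files carrying the application_exec_type attribute and only the `execute` permission; the `execute_no_trans` check that fires when the file is actually run in the caller's domain is not suppressed, so callers may still see denials after using it. Either narrow the summary to match, `## Do not audit attempts to execute application executables (application_exec_type) in the caller domain.`, or, if full silence is intended, extend the permission set to `{ execute execute_no_trans }` and document that choice. The file's other dontaudit interfaces phrase the parameter as "Domain to not audit.", which this one does correctly.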
@@ -130846,6 +130894,8 @@ index c6fdab7..0118d30 100644 +userdom_inherit_append_user_home_content_files(application_domain_type) +userdom_inherit_append_admin_home_files(application_domain_type) +userdom_inherit_append_user_tmp_files(application_domain_type) ++userdom_rw_inherited_user_tmp_files(application_domain_type) ++userdom_rw_inherited_user_pipes(application_domain_type) +logging_inherit_append_all_logs(application_domain_type) + +files_dontaudit_search_non_security_dirs(application_domain_type) @@ -136487,7 +136537,7 @@ index 02f4c97..70248c6 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 321bb13..0c0933b 100644 +index 321bb13..3638d50 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -136508,7 +136558,7 @@ index 321bb13..0c0933b 100644 ## ## ## -@@ -496,6 +496,63 @@ interface(`logging_log_filetrans',` +@@ -496,6 +496,68 @@ interface(`logging_log_filetrans',` filetrans_pattern($1, var_log_t, $2, $3, $4) ') @@ -136558,6 +136608,11 @@ index 321bb13..0c0933b 100644 +## The object class of the object being created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +## +# +interface(`logging_log_named_filetrans',` 
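Review bot: The two calls added on `application_domain_type` in this hunk, `userdom_rw_inherited_user_tmp_files` and `userdom_rw_inherited_user_pipes`, are attribute-wide grants: every application domain, present and future, gains read/write on user tmp files and user-domain fifos handed to it as inherited descriptors, not just the domain that triggered the change. I could not find a definition of `userdom_rw_inherited_user_tmp_files` in this diff (the pipes interface is added to userdomain.if by this commit), so please confirm it already exists in userdomain.if or the module will not build. A short comment above the pair, such as `# apps started by a user inherit the user's stdin/stdout pipes and tmp fds; allow use of those fds only (no open)`, would record why the grant is as broad as it is, assuming the `*_inherited_*` permission sets exclude `open` as they do elsewhere in the policy.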
@@ -136572,24 +136627,17 @@ index 321bb13..0c0933b 100644 ######################################## ## ## Send system log messages. -@@ -530,22 +587,85 @@ interface(`logging_log_filetrans',` +@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` - type syslogd_t, devlog_t; + attribute syslog_client_type; - ') - -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; ++ ') ++ + typeattribute $1 syslog_client_type; +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Connect to the syslog control unix stream socket. @@ -136604,11 +136652,7 @@ index 321bb13..0c0933b 100644 + gen_require(` + type devlog_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, sock_file) + init_pid_filetrans($1, devlog_t, sock_file, "syslog") @@ -136645,11 +136689,18 @@ index 321bb13..0c0933b 100644 +interface(`logging_relabel_syslog_pid_socket',` + gen_require(` + type devlog_t; -+ ') -+ + ') + +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Connect to the syslog control unix stream socket. 
@@ -136664,13 +136715,17 @@ index 321bb13..0c0933b 100644 + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') ######################################## -@@ -739,7 +859,25 @@ interface(`logging_append_all_logs',` +@@ -739,7 +864,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -136697,7 +136752,7 @@ index 321bb13..0c0933b 100644 ') ######################################## -@@ -822,7 +960,7 @@ interface(`logging_manage_all_logs',` +@@ -822,7 +965,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -136706,7 +136761,7 @@ index 321bb13..0c0933b 100644 ') ######################################## -@@ -848,6 +986,44 @@ interface(`logging_read_generic_logs',` +@@ -848,6 +991,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -136751,7 +136806,7 @@ index 321bb13..0c0933b 100644 ## Write generic log files. ## ## -@@ -868,6 +1044,24 @@ interface(`logging_write_generic_logs',` +@@ -868,6 +1049,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -136776,7 +136831,7 @@ index 321bb13..0c0933b 100644 ## Dontaudit Write generic log files. ## ## -@@ -947,11 +1141,16 @@ interface(`logging_admin_audit',` +@@ -947,11 +1146,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; 
@@ -136794,7 +136849,7 @@ index 321bb13..0c0933b 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -967,6 +1166,33 @@ interface(`logging_admin_audit',` +@@ -967,6 +1171,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -136828,7 +136883,7 @@ index 321bb13..0c0933b 100644 ') ######################################## -@@ -995,10 +1221,15 @@ interface(`logging_admin_syslog',` +@@ -995,10 +1226,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -136846,7 +136901,7 @@ index 321bb13..0c0933b 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1020,6 +1251,8 @@ interface(`logging_admin_syslog',` +@@ -1020,6 +1256,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -136855,7 +136910,7 @@ index 321bb13..0c0933b 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1048,3 +1281,29 @@ interface(`logging_admin',` +@@ -1048,3 +1286,29 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -142193,10 +142248,10 @@ index 0000000..5d53f08 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..538bb15 +index 0000000..9537426 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,449 @@ +@@ -0,0 +1,450 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -142383,7 +142438,7 @@ index 0000000..538bb15 + # we label /run/user/$USER/dconf as config_home_t + gnome_manage_home_config_dirs(systemd_logind_t) + gnome_manage_home_config(systemd_logind_t) -+ gnome_list_gkeyringd_tmp_dirs(systemd_logind_t) ++ gnome_manage_gkeyringd_tmp_dirs(systemd_logind_t) + gnome_manage_gstreamer_home_dirs(systemd_logind_t) +') + @@ -142525,6 +142580,7 @@ index 0000000..538bb15 +miscfiles_filetrans_named_content(systemd_tmpfiles_t) +miscfiles_manage_man_pages(systemd_tmpfiles_t) +miscfiles_relabel_man_pages(systemd_tmpfiles_t) ++miscfiles_delete_man_pages(systemd_tmpfiles_t) + +seutil_read_config(systemd_tmpfiles_t) +seutil_read_file_contexts(systemd_tmpfiles_t) @@ -143995,7 +144051,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..89e714c 100644 +index e720dcd..53ea674 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -146510,7 +146566,7 @@ index e720dcd..89e714c 100644 ## ## ## -@@ -3142,54 +3888,54 @@ interface(`userdom_write_user_tmp_files',` +@@ -3142,36 +3888,37 @@ interface(`userdom_write_user_tmp_files',` ## ## # 
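Review bot: In the `@@ -142383` hunk `systemd_logind_t` goes from `gnome_list_gkeyringd_tmp_dirs` to `gnome_manage_gkeyringd_tmp_dirs`, i.e. from listing to full create/delete/rename on the keyring daemon's tmp directories, but the hunk carries no comment explaining the widening. The adjacent comment (`# we label /run/user/$USER/dconf as config_home_t`) suggests the motive is logind tearing down /run/user/$UID at session end, and if so that is worth stating explicitly, e.g. `# logind removes /run/user/$UID on logout, which contains gkeyringd's tmp dirs`. If a narrower delete-only interface exists for that type it would express the same need with less authority than manage.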
@@ -146553,44 +146609,66 @@ index e720dcd..89e714c 100644 ######################################## ## -## Get the attributes of all user domains. -+## Do not audit attempts to use user ttys. ++## Allow domain to read/write inherited users ++## fifo files. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -3179,40 +3926,96 @@ interface(`userdom_read_all_users_state',` ## ## # -interface(`userdom_getattr_all_users',` -+interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_rw_inherited_user_pipes',` gen_require(` -- attribute userdomain; -+ type user_tty_device_t; + attribute userdomain; ') - allow $1 userdomain:process getattr; -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## -## Inherit the file descriptors from all user domains -+## Read the process state of all user domains. ++## Do not audit attempts to use user ttys. ## ## ## -@@ -3197,12 +3943,50 @@ interface(`userdom_getattr_all_users',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`userdom_use_all_users_fds',` -+interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_use_user_ttys',` gen_require(` - attribute userdomain; +- attribute userdomain; ++ type user_tty_device_t; ') - allow $1 userdomain:fd use; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to inherit the file +-## descriptors from any user domains. ++## Read the process state of all user domains. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_all_users_state',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ + read_files_pattern($1, userdomain, userdomain) + read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) 
@@ -146630,10 +146708,20 @@ index e720dcd..89e714c 100644 + ') + + allow $1 userdomain:fd use; - ') - - ######################################## -@@ -3242,6 +4026,42 @@ interface(`userdom_signal_all_users',` ++') ++ ++######################################## ++## ++## Do not audit attempts to inherit the file ++## descriptors from any user domains. ++## ++## ++## ++## Domain to not audit. + ## + ## + # +@@ -3242,6 +4045,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -146676,7 +146764,7 @@ index e720dcd..89e714c 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3262,6 +4082,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3262,6 +4101,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -146701,7 +146789,7 @@ index e720dcd..89e714c 100644 ## Create keys for all user domains. ## ## -@@ -3296,3 +4134,1361 @@ interface(`userdom_dbus_send_all_users',` +@@ -3296,3 +4153,1365 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -146757,12 +146845,6 @@ index e720dcd..89e714c 100644 +## +## Define this type as a Allow apps to set rlimits on userdomain +## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## +## +## +## Domain allowed access. @@ -146773,11 +146855,11 @@ index e720dcd..89e714c 100644 + gen_require(` + attribute unpriv_userdomain, userdomain; + ') -+ typeattribute $2 unpriv_userdomain; -+ typeattribute $2 userdomain; ++ typeattribute $1 unpriv_userdomain; ++ typeattribute $1 userdomain; + -+ auth_use_nsswitch($2) -+ ubac_constrained($2) ++ auth_use_nsswitch($1) ++ ubac_constrained($1) +') + +######################################## 
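Review bot: The `@@ -146757` hunk changes `userdom_unpriv_type` from a two-argument interface (prefix, domain) to a single argument, applying `typeattribute $1 unpriv_userdomain; typeattribute $1 userdomain;`, `auth_use_nsswitch($1)` and `ubac_constrained($1)` to the first parameter, while the summary still reads "Define this type as a Allow apps to set rlimits on userdomain", which describes neither the old nor the new behaviour. Suggested summary: `## Mark the domain as an unprivileged user domain (unpriv_userdomain, userdomain) and apply nsswitch and UBAC constraints to it.` The commit updates the unconfineduser.te caller to the one-argument form; any other two-argument caller left in the contrib policy would now hand a role or prefix name to `typeattribute`, which should surface as a build error rather than a silent mislabel, but is worth grepping for before merge.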
@@ -147117,6 +147199,11 @@ index e720dcd..89e714c 100644 +## The class of the object to be created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`userdom_admin_home_dir_filetrans',` + gen_require(` @@ -148055,6 +148142,11 @@ index e720dcd..89e714c 100644 +## The name of the object being created. +## +## ++## ++## ++## The name of the object being created. ++## ++## +# +interface(`userdom_tmpfs_filetrans_to',` + gen_require(` @@ -148064,7 +148156,7 @@ index e720dcd..89e714c 100644 + filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 6a4bd85..a8337e2 100644 +index 6a4bd85..4f23ca8 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.0) @@ -148150,7 +148242,7 @@ index 6a4bd85..a8337e2 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +81,121 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +81,122 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -148205,6 +148297,7 @@ index 6a4bd85..a8337e2 100644 +') + +allow userdomain userdomain:process signull; ++allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms; + +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 6c2d5c9..8f424d4 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch 
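Review bot: The parameter block added to `userdom_tmpfs_filetrans_to` in the `@@ -148055` hunk duplicates the description of the preceding parameter: both now read "The name of the object being created." Given the interface body `filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)`, and the wording the same line uses for `userdom_admin_home_dir_filetrans` (class, then name), the earlier one presumably should read `## The class of the object to be created.` and only the new fourth entry should describe the name. Please correct whichever of the two is mislabelled so the generated interface docs do not list two "name" parameters.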
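Review bot: `allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms;` in the `@@ -148205` hunk of userdomain.te is an attribute-to-attribute rule: any user domain may read and write a pipe inherited from any other user domain, including across otherwise separated users such as staff and sysadm, subject only to whatever UBAC or MLS constraints still apply. Like the `signull` rule above it, the line has no comment, and the same permission is separately granted to application domains through the new `userdom_rw_inherited_user_pipes` interface in this commit, so a reader cannot tell which caller motivated the direct rule. A one-line justification, e.g. `# shells pass their stdin/stdout pipes to programs running in another user domain (su/sudo); fd use only, no open`, would make the scope reviewable, assuming that is indeed the case behind it.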
@@ -908,7 +908,7 @@ index c0f858d..4a3dab6 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 1632f10..5fe3889 100644 +index 1632f10..074ebc9 100644 --- a/accountsd.te +++ b/accountsd.te @@ -1,5 +1,9 @@ @@ -921,7 +921,7 @@ index 1632f10..5fe3889 100644 ######################################## # # Declarations -@@ -7,37 +11,46 @@ policy_module(accountsd, 1.0.0) +@@ -7,37 +11,48 @@ policy_module(accountsd, 1.0.0) type accountsd_t; type accountsd_exec_t; @@ -966,13 +966,14 @@ index 1632f10..5fe3889 100644 auth_use_nsswitch(accountsd_t) auth_read_shadow(accountsd_t) -- --miscfiles_read_localization(accountsd_t) +auth_read_login_records(accountsd_t) +-miscfiles_read_localization(accountsd_t) ++init_dbus_chat(accountsd_t) + logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) -@@ -50,8 +63,20 @@ usermanage_domtrans_passwd(accountsd_t) +@@ -50,8 +65,20 @@ usermanage_domtrans_passwd(accountsd_t) optional_policy(` consolekit_read_log(accountsd_t) @@ -2316,10 +2317,10 @@ index fd9fa07..12398f6 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 6480167..f319eaf 100644 +index 6480167..7b2ad39 100644 --- a/apache.if +++ b/apache.if -@@ -13,62 +13,48 @@ +@@ -13,68 +13,55 @@ # template(`apache_content_template',` gen_require(` 
@@ -2397,7 +2398,14 @@ index 6480167..f319eaf 100644 can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; -@@ -86,40 +72,6 @@ template(`apache_content_template',` + allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; + read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) ++ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + + allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; +@@ -86,40 +73,6 @@ template(`apache_content_template',` manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) @@ -2438,7 +2446,7 @@ index 6480167..f319eaf 100644 # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` -@@ -128,68 +80,25 @@ template(`apache_content_template',` +@@ -128,68 +81,26 @@ template(`apache_content_template',` manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) @@ -2446,6 +2454,7 @@ index 6480167..f319eaf 100644 + allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms }; read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) ++ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - allow httpd_t httpd_$1_content_t:dir list_dir_perms; 
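Review bot: The `create_files_pattern(... httpd_$1_ra_content_t ...)` lines added in the `@@ -2397` hunk (for `httpd_$1_script_t`) and the `@@ -2446` hunk (for `httpd_t`) extend what is, judging by its name and the surrounding `read_files_pattern`/`append_files_pattern` calls, a read-and-append-only content type to also permit creating new files in it. The directory side already carried `add_entry_dir_perms`, so this closes a gap rather than opening a new class of access, and since `create_file_perms` does not include `write` a freshly created file can still only be appended to; that reasoning is not obvious from the rule and deserves a comment above each block, e.g. `# ra content: scripts may add new files and append, never rewrite or delete existing ones`. Stating it once in `apache_content_template` is enough as both additions live in that template.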
@@ -2512,7 +2521,7 @@ index 6480167..f319eaf 100644 ') ') -@@ -211,9 +120,8 @@ template(`apache_content_template',` +@@ -211,9 +122,8 @@ template(`apache_content_template',` interface(`apache_role',` gen_require(` attribute httpdcontent; @@ -2524,7 +2533,7 @@ index 6480167..f319eaf 100644 ') role $1 types httpd_user_script_t; -@@ -234,6 +142,13 @@ interface(`apache_role',` +@@ -234,6 +144,13 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) @@ -2538,7 +2547,7 @@ index 6480167..f319eaf 100644 manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -248,6 +163,9 @@ interface(`apache_role',` +@@ -248,6 +165,9 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) @@ -2548,7 +2557,7 @@ index 6480167..f319eaf 100644 tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) -@@ -317,6 +235,25 @@ interface(`apache_domtrans',` +@@ -317,6 +237,25 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -2574,7 +2583,7 @@ index 6480167..f319eaf 100644 ####################################### ## ## Send a generic signal to apache. -@@ -405,7 +342,7 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -405,7 +344,7 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') 
@@ -2583,7 +2592,7 @@ index 6480167..f319eaf 100644 ') ######################################## -@@ -487,7 +424,7 @@ interface(`apache_setattr_cache_dirs',` +@@ -487,7 +426,7 @@ interface(`apache_setattr_cache_dirs',` type httpd_cache_t; ') @@ -2592,7 +2601,7 @@ index 6480167..f319eaf 100644 ') ######################################## -@@ -531,6 +468,25 @@ interface(`apache_rw_cache_files',` +@@ -531,6 +470,25 @@ interface(`apache_rw_cache_files',` ######################################## ## ## Allow the specified domain to delete @@ -2618,7 +2627,7 @@ index 6480167..f319eaf 100644 ## Apache cache. ## ## -@@ -549,6 +505,26 @@ interface(`apache_delete_cache_files',` +@@ -549,6 +507,26 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -2645,7 +2654,35 @@ index 6480167..f319eaf 100644 ## Allow the specified domain to read ## apache configuration files. ## -@@ -683,6 +659,25 @@ interface(`apache_append_log',` +@@ -641,6 +619,27 @@ interface(`apache_run_helper',` + + ######################################## + ## ++## dontaudit attempts to read ++## apache log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_dontaudit_read_log',` ++ gen_require(` ++ type httpd_log_t; ++ ') ++ ++ dontaudit $1 httpd_log_t:file read_file_perms; ++ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## + ## Allow the specified domain to read + ## apache log files. + ## +@@ -683,6 +682,25 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -2671,7 +2708,7 @@ index 6480167..f319eaf 100644 ######################################## ## ## Do not audit attempts to append to the -@@ -699,7 +694,7 @@ interface(`apache_dontaudit_append_log',` +@@ -699,7 +717,7 @@ interface(`apache_dontaudit_append_log',` type httpd_log_t; ') 
@@ -2680,7 +2717,7 @@ index 6480167..f319eaf 100644 ') ######################################## -@@ -745,6 +740,25 @@ interface(`apache_dontaudit_search_modules',` +@@ -745,6 +763,25 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -2706,7 +2743,7 @@ index 6480167..f319eaf 100644 ## Allow the specified domain to list ## the contents of the apache modules ## directory. -@@ -761,6 +775,7 @@ interface(`apache_list_modules',` +@@ -761,6 +798,7 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -2714,7 +2751,7 @@ index 6480167..f319eaf 100644 ') ######################################## -@@ -802,6 +817,43 @@ interface(`apache_domtrans_rotatelogs',` +@@ -802,6 +840,43 @@ interface(`apache_domtrans_rotatelogs',` domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') @@ -2758,7 +2795,7 @@ index 6480167..f319eaf 100644 ######################################## ## ## Allow the specified domain to list -@@ -819,6 +871,7 @@ interface(`apache_list_sys_content',` +@@ -819,6 +894,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -2766,7 +2803,7 @@ index 6480167..f319eaf 100644 files_search_var($1) ') -@@ -846,6 +899,74 @@ interface(`apache_manage_sys_content',` +@@ -846,6 +922,74 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -2841,7 +2878,7 @@ index 6480167..f319eaf 100644 ######################################## ## ## Execute all web scripts in the system -@@ -862,7 +983,12 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +1006,12 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; 
@@ -2855,7 +2892,7 @@ index 6480167..f319eaf 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1047,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## @@ -2867,7 +2904,7 @@ index 6480167..f319eaf 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1077,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -2876,7 +2913,7 @@ index 6480167..f319eaf 100644 ') ######################################## -@@ -1091,6 +1218,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -2902,7 +2939,7 @@ index 6480167..f319eaf 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1107,7 +1253,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -2911,7 +2948,7 @@ index 6480167..f319eaf 100644 ') ######################################## -@@ -1148,14 +1294,31 @@ interface(`apache_cgi_domain',` +@@ -1148,14 +1317,31 @@ interface(`apache_cgi_domain',` ######################################## ## @@ -2947,7 +2984,7 @@ index 6480167..f319eaf 100644 ## ## ## Domain allowed access. -@@ -1170,19 +1333,21 @@ interface(`apache_cgi_domain',` +@@ -1170,19 +1356,21 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -2976,7 +3013,7 @@ index 6480167..f319eaf 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 httpd_initrc_exec_t system_r; -@@ -1191,10 +1356,10 @@ interface(`apache_admin',` +@@ -1191,10 +1379,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) 
@@ -2989,7 +3026,7 @@ index 6480167..f319eaf 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1370,106 @@ interface(`apache_admin',` +@@ -1205,14 +1393,106 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -3102,7 +3139,7 @@ index 6480167..f319eaf 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..ba4ab9e 100644 +index 0833afb..2032414 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) @@ -3453,7 +3490,15 @@ index 0833afb..ba4ab9e 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -336,8 +514,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -305,6 +483,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms; + files_lock_filetrans(httpd_t, httpd_lock_t, file) + + allow httpd_t httpd_log_t:dir setattr; ++create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) + create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +@@ -336,8 +515,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -3465,7 +3510,7 @@ index 0833afb..ba4ab9e 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -346,8 +526,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -346,8 +527,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -3476,7 +3521,7 @@ index 0833afb..ba4ab9e 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,8 +543,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -362,8 +544,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -3487,7 +3532,7 @@ index 0833afb..ba4ab9e 100644 corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) corenet_udp_sendrecv_generic_if(httpd_t) -@@ -372,11 +554,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -3508,7 +3553,7 @@ index 0833afb..ba4ab9e 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +575,14 @@ dev_rw_crypto(httpd_t) +@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -3523,7 +3568,7 @@ index 0833afb..ba4ab9e 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -396,61 +591,112 @@ domain_use_interactive_fds(httpd_t) +@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) @@ -3644,7 +3689,7 @@ index 0833afb..ba4ab9e 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +707,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
@@ -3708,7 +3753,7 @@ index 0833afb..ba4ab9e 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +771,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -3731,7 +3776,7 @@ index 0833afb..ba4ab9e 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +806,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -3752,7 +3797,7 @@ index 0833afb..ba4ab9e 100644 ') optional_policy(` -@@ -525,6 +830,9 @@ optional_policy(` +@@ -525,6 +831,9 @@ optional_policy(` ') optional_policy(` @@ -3762,7 +3807,7 @@ index 0833afb..ba4ab9e 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +848,24 @@ optional_policy(` +@@ -540,6 +849,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3787,7 +3832,7 @@ index 0833afb..ba4ab9e 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +875,24 @@ optional_policy(` +@@ -549,13 +876,24 @@ optional_policy(` ') optional_policy(` @@ -3813,7 +3858,7 @@ index 0833afb..ba4ab9e 100644 ') optional_policy(` -@@ -573,7 +910,21 @@ optional_policy(` +@@ -573,7 +911,21 @@ optional_policy(` ') optional_policy(` @@ -3835,7 +3880,7 @@ index 0833afb..ba4ab9e 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -584,6 +935,7 @@ optional_policy(` +@@ -584,6 +936,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) 
@@ -3843,12 +3888,13 @@ index 0833afb..ba4ab9e 100644 ') optional_policy(` -@@ -594,6 +946,41 @@ optional_policy(` +@@ -594,6 +947,42 @@ optional_policy(` ') optional_policy(` + openshift_search_lib(httpd_t) + openshift_initrc_signull(httpd_t) ++ openshift_initrc_signal(httpd_t) +') + +optional_policy(` @@ -3885,7 +3931,7 @@ index 0833afb..ba4ab9e 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,6 +995,11 @@ optional_policy(` +@@ -608,6 +997,11 @@ optional_policy(` ') optional_policy(` @@ -3897,7 +3943,7 @@ index 0833afb..ba4ab9e 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +1012,12 @@ optional_policy(` +@@ -620,6 +1014,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3910,7 +3956,7 @@ index 0833afb..ba4ab9e 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1031,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1033,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -3954,7 +4000,7 @@ index 0833afb..ba4ab9e 100644 ######################################## # -@@ -671,28 +1104,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1106,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3998,7 +4044,7 @@ index 0833afb..ba4ab9e 100644 ') ######################################## -@@ -702,6 +1137,7 @@ optional_policy(` +@@ -702,6 +1139,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
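Review bot: `openshift_initrc_signal(httpd_t)` grants the web server domain the generic `signal` permission on the openshift init-script domain, which, unlike the `openshift_initrc_signull(httpd_t)` line just above it, is enough to deliver SIGTERM or SIGHUP and therefore to stop or restart those scripts from a compromised httpd_t. If only liveness probing is needed, the signull line already covers it; if a real signal is required, a comment naming the reason, e.g. `# httpd must deliver a real signal (not just signull) to openshift initrc because ... — TODO state why`, would document why the wider permission is acceptable. This optional_policy block is complete within the hunk, but the rest of the httpd_t policy in apache.te is outside it.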
@@ -4006,7 +4052,7 @@ index 0833afb..ba4ab9e 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1152,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1154,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -4035,7 +4081,7 @@ index 0833afb..ba4ab9e 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1182,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1184,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -4053,7 +4099,7 @@ index 0833afb..ba4ab9e 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1200,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1202,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -4086,7 +4132,7 @@ index 0833afb..ba4ab9e 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1247,25 @@ optional_policy(` +@@ -786,6 +1249,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4112,7 +4158,7 @@ index 0833afb..ba4ab9e 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1286,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1288,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -4130,7 +4176,7 @@ index 0833afb..ba4ab9e 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1305,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1307,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -4189,7 +4235,7 @@ index 0833afb..ba4ab9e 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1356,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1358,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4230,7 +4276,7 @@ index 0833afb..ba4ab9e 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -859,10 +1401,20 @@ optional_policy(` +@@ -859,10 +1403,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -4251,7 +4297,7 @@ index 0833afb..ba4ab9e 100644 ') ######################################## -@@ -878,11 +1430,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1432,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4263,7 +4309,7 @@ index 0833afb..ba4ab9e 100644 ######################################## # -@@ -908,11 +1458,138 @@ optional_policy(` +@@ -908,11 +1460,138 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -11588,10 +11634,10 @@ index 0000000..8424fdb +') diff --git a/condor.te b/condor.te new file mode 100644 -index 0000000..328eafe +index 0000000..c2bc300 --- /dev/null 
+++ b/condor.te -@@ -0,0 +1,225 @@ +@@ -0,0 +1,240 @@ +policy_module(condor, 1.0.0) + +######################################## @@ -11618,6 +11664,9 @@ index 0000000..328eafe +condor_domain_template(startd) +condor_domain_template(procd) + ++type condor_master_tmp_t; ++files_tmp_file(condor_master_tmp_t) ++ +type condor_schedd_tmp_t; +files_tmp_file(condor_schedd_tmp_t) + @@ -11710,7 +11759,11 @@ index 0000000..328eafe + +allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; + -+allow condor_master_t condor_domain:process signal; ++allow condor_master_t condor_domain:process { sigkill signal }; ++ ++manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) ++manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) ++files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) + +corenet_tcp_bind_condor_port(condor_master_t) +corenet_udp_bind_condor_port(condor_master_t) @@ -11718,6 +11771,11 @@ index 0000000..328eafe + +domain_read_all_domains_state(condor_master_t) + ++optional_policy(` ++ mta_send_mail(condor_master_t) ++ mta_read_config(condor_master_t) ++') ++ +###################################### +# +# condor collector local policy @@ -11747,6 +11805,9 @@ index 0000000..328eafe + +allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace }; + ++allow condor_procd_t self:capability kill; ++allow condor_procd_t condor_startd_t:process sigkill; ++ +domain_read_all_domains_state(condor_procd_t) + +####################################### @@ -19992,10 +20053,10 @@ index 0000000..a446210 +') diff --git a/dspam.te b/dspam.te new file mode 100644 -index 0000000..be45ad6 +index 0000000..2b91a78 --- /dev/null +++ b/dspam.te -@@ -0,0 +1,90 @@ +@@ -0,0 +1,92 @@ + +policy_module(dspam, 1.0.0) + 
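Review bot: The new `allow condor_procd_t self:capability kill;` repeats the subject and class of the `allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };` statement two lines above it; the conventional form is a single statement, `allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace kill };`, which also keeps the domain's full capability set visible in one place. CAP_KILL bypasses the uid check on signal delivery, so it deserves a one-line comment tying it to the adjacent `allow condor_procd_t condor_startd_t:process sigkill;`, e.g. `# procd kills job processes running under other uids — confirm`; the reason is not stated in the hunk and should be checked against how condor_procd is actually used.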
@@ -20050,11 +20111,13 @@ index 0000000..be45ad6 +manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t) +files_tmp_filetrans(dspam_t, dspam_tmp_t, { sock_file }) + -+# need to add the port tcp/10026 to corenetwork.te.in -+#allow dspam_t port_t:tcp_socket name_connect; ++corenet_tcp_connect_spamd_port(dspam_t) ++corenet_tcp_bind_spamd_port(dspam_t) + +auth_use_nsswitch(dspam_t) + ++files_search_spool(dspam_t) ++ +# for RHEL5 +libs_use_ld_so(dspam_t) +libs_use_shared_libs(dspam_t) @@ -21134,10 +21197,10 @@ index 0000000..c4c7510 +') diff --git a/firewalld.te b/firewalld.te new file mode 100644 -index 0000000..a172e15 +index 0000000..a7fcf3c --- /dev/null +++ b/firewalld.te -@@ -0,0 +1,90 @@ +@@ -0,0 +1,94 @@ + +policy_module(firewalld,1.0.0) + @@ -21213,6 +21276,10 @@ index 0000000..a172e15 + dbus_system_domain(firewalld_t, firewalld_exec_t) + + optional_policy(` ++ devicekit_dbus_chat_power(firewalld_t) ++ ') ++ ++ optional_policy(` + policykit_dbus_chat(firewalld_t) + ') + @@ -22208,7 +22275,7 @@ index 13e72a7..a4dc0b9 100644 /var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/git.if b/git.if -index b0242d9..a9e6842 100644 +index b0242d9..407e79d 100644 --- a/git.if +++ b/git.if @@ -15,9 +15,9 @@ @@ -22223,7 +22290,7 @@ index b0242d9..a9e6842 100644 ') ######################################## -@@ -32,19 +32,494 @@ template(`git_role',` +@@ -32,19 +32,495 @@ template(`git_role',` # Policy # @@ -22610,6 +22677,7 @@ index b0242d9..a9e6842 100644 + + list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) + read_files_pattern($1, git_sys_content_t, git_sys_content_t) ++ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` 
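Review bot: The removed comment recorded that dspam needs tcp/10026 and that no port type existed for it, but the replacement `corenet_tcp_connect_spamd_port(dspam_t)` / `corenet_tcp_bind_spamd_port(dspam_t)` is only correct if `spamd_port_t` actually covers 10026 in corenetwork, which this hunk does not show. If it does not, dspam's listener will still be denied on the generic `port_t` and the note explaining why will have been lost; either keep a comment such as `# dspam listens on tcp/10026, expected to be covered by spamd_port_t — confirm in corenetwork.te.in` or add the port to the spamd definition in the same change. The dspam_t policy continues outside this hunk.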
@@ -23383,10 +23451,10 @@ index 00a19e3..5a2dbfd 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..3105569 100644 +index f5afe78..6d054a2 100644 --- a/gnome.if +++ b/gnome.if -@@ -1,44 +1,1028 @@ +@@ -1,44 +1,1047 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -24075,7 +24143,7 @@ index f5afe78..3105569 100644 + type gconf_home_t; + ') + -+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2) ++ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) +') + +######################################## @@ -24237,6 +24305,25 @@ index f5afe78..3105569 100644 + allow $1 gkeyringd_tmp_t:dir list_dir_perms; +') + ++####################################### ++## ++## Manage gkeyringd temporary directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gkeyringd_tmp_dirs',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++') ++ +######################################## +## +## search gconf homedir (.local) @@ -24433,7 +24520,7 @@ index f5afe78..3105569 100644 ## ## ## -@@ -46,37 +1030,91 @@ interface(`gnome_role',` +@@ -46,37 +1049,91 @@ interface(`gnome_role',` ## ## # @@ -24536,7 +24623,7 @@ index f5afe78..3105569 100644 ## ## ## -@@ -84,37 +1122,107 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +1141,107 @@ template(`gnome_read_gconf_config',` ## ## # @@ -24655,7 +24742,7 @@ index f5afe78..3105569 100644 ## ## ## -@@ -122,17 +1230,36 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1249,36 @@ interface(`gnome_stream_connect_gconf',` ## ## # 
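Review bot: Changing `userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)` to `userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)` adds a fourth argument, presumably the filename for a named file transition, that the enclosing interface's parameter documentation (which starts above this hunk) is not shown to describe. Existing two-argument callers keep working because an unset `$3` expands to nothing in m4, but the new parameter needs its own param entry in the interface header, marked optional and named for what it carries (e.g. `filename`), so readers know it is accepted. Both the header and the closing of the enclosing interface are outside this hunk.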
@@ -24696,7 +24783,7 @@ index f5afe78..3105569 100644 ## ## ## -@@ -140,51 +1267,279 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1286,279 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -29244,7 +29331,7 @@ index 604f67b..138e1e2 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") +') diff --git a/kerberos.te b/kerberos.te -index 6a95faf..69502c9 100644 +index 6a95faf..6127834 100644 --- a/kerberos.te +++ b/kerberos.te @@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0) @@ -29354,7 +29441,7 @@ index 6a95faf..69502c9 100644 seutil_read_file_contexts(kadmind_t) sysnet_read_config(kadmind_t) -@@ -164,6 +173,10 @@ optional_policy(` +@@ -164,10 +173,18 @@ optional_policy(` ') optional_policy(` @@ -29365,7 +29452,15 @@ index 6a95faf..69502c9 100644 nis_use_ypbind(kadmind_t) ') -@@ -182,6 +195,7 @@ optional_policy(` + optional_policy(` ++ sssd_read_public_files(kadmind_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(kadmind_t) + ') + +@@ -182,6 +199,7 @@ optional_policy(` # Use capabilities. Surplus capabilities may be allowed. allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; @@ -29373,7 +29468,7 @@ index 6a95faf..69502c9 100644 dontaudit krb5kdc_t self:capability sys_tty_config; allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; -@@ -197,13 +211,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) +@@ -197,13 +215,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) dontaudit krb5kdc_t krb5kdc_conf_t:file write; @@ -29389,7 +29484,7 @@ index 6a95faf..69502c9 100644 manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -@@ -221,7 +234,6 @@ kernel_search_network_sysctl(krb5kdc_t) +@@ -221,7 +238,6 @@ kernel_search_network_sysctl(krb5kdc_t) corecmd_exec_bin(krb5kdc_t) 
@@ -29397,7 +29492,7 @@ index 6a95faf..69502c9 100644 corenet_all_recvfrom_netlabel(krb5kdc_t) corenet_tcp_sendrecv_generic_if(krb5kdc_t) corenet_udp_sendrecv_generic_if(krb5kdc_t) -@@ -242,6 +254,7 @@ dev_read_urand(krb5kdc_t) +@@ -242,6 +258,7 @@ dev_read_urand(krb5kdc_t) fs_getattr_all_fs(krb5kdc_t) fs_search_auto_mountpoints(krb5kdc_t) @@ -29405,7 +29500,7 @@ index 6a95faf..69502c9 100644 domain_use_interactive_fds(krb5kdc_t) -@@ -253,7 +266,7 @@ selinux_validate_context(krb5kdc_t) +@@ -253,7 +270,7 @@ selinux_validate_context(krb5kdc_t) logging_send_syslog_msg(krb5kdc_t) @@ -29414,7 +29509,7 @@ index 6a95faf..69502c9 100644 seutil_read_file_contexts(krb5kdc_t) -@@ -268,6 +281,10 @@ optional_policy(` +@@ -268,6 +285,10 @@ optional_policy(` ') optional_policy(` @@ -29425,7 +29520,18 @@ index 6a95faf..69502c9 100644 nis_use_ypbind(krb5kdc_t) ') -@@ -308,7 +325,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -276,6 +297,10 @@ optional_policy(` + ') + + optional_policy(` ++ sssd_read_public_files(krb5kdc_t) ++') ++ ++optional_policy(` + udev_read_db(krb5kdc_t) + ') + +@@ -308,7 +333,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) @@ -29433,7 +29539,7 @@ index 6a95faf..69502c9 100644 corenet_tcp_sendrecv_generic_if(kpropd_t) corenet_tcp_sendrecv_generic_node(kpropd_t) corenet_tcp_sendrecv_all_ports(kpropd_t) -@@ -324,8 +340,6 @@ selinux_validate_context(kpropd_t) +@@ -324,8 +348,6 @@ selinux_validate_context(kpropd_t) logging_send_syslog_msg(kpropd_t) @@ -31694,7 +31800,7 @@ index a4f32f5..628b63c 100644 ## in the caller domain. ## diff --git a/lpd.te b/lpd.te -index a03b63a..330ee1d 100644 +index a03b63a..99e8d96 100644 --- a/lpd.te +++ b/lpd.te @@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t) 
@@ -31797,11 +31903,12 @@ index a03b63a..330ee1d 100644 # for test print files_read_usr_files(lpr_t) #Added to cover read_content macro -@@ -271,23 +266,24 @@ term_use_generic_ptys(lpr_t) +@@ -271,23 +266,25 @@ term_use_generic_ptys(lpr_t) auth_use_nsswitch(lpr_t) -miscfiles_read_localization(lpr_t) ++miscfiles_read_fonts(lpr_t) userdom_read_user_tmp_symlinks(lpr_t) # Write to the user domain tty. @@ -31828,7 +31935,7 @@ index a03b63a..330ee1d 100644 # Send SIGHUP to lpd. allow lpr_t lpd_t:process signal; -@@ -305,17 +301,7 @@ tunable_policy(`use_lpd_server',` +@@ -305,17 +302,7 @@ tunable_policy(`use_lpd_server',` read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) ') @@ -31847,7 +31954,7 @@ index a03b63a..330ee1d 100644 optional_policy(` cups_read_config(lpr_t) -@@ -324,5 +310,13 @@ optional_policy(` +@@ -324,5 +311,13 @@ optional_policy(` ') optional_policy(` @@ -33201,7 +33308,7 @@ index ee72cbe..bdf319a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 26101cb..efd51a0 100644 +index 26101cb..64c2969 100644 --- a/milter.te +++ b/milter.te @@ -9,6 +9,13 @@ policy_module(milter, 1.4.0) @@ -33218,7 +33325,7 @@ index 26101cb..efd51a0 100644 # currently-supported milters are milter-greylist, milter-regex and spamass-milter milter_template(greylist) milter_template(regex) -@@ -20,6 +27,24 @@ milter_template(spamass) +@@ -20,6 +27,26 @@ milter_template(spamass) type spamass_milter_state_t; files_type(spamass_milter_state_t) @@ -33234,6 +33341,8 @@ index 26101cb..efd51a0 100644 + +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) + ++kernel_read_kernel_sysctls(dkim_milter_t) ++ +auth_use_nsswitch(dkim_milter_t) + +sysnet_dns_name_resolve(dkim_milter_t) 
@@ -33243,7 +33352,7 @@ index 26101cb..efd51a0 100644 ######################################## # # milter-greylist local policy -@@ -33,11 +58,25 @@ files_type(spamass_milter_state_t) +@@ -33,11 +60,25 @@ files_type(spamass_milter_state_t) allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; allow greylist_milter_t self:process { setsched getsched }; @@ -33269,7 +33378,7 @@ index 26101cb..efd51a0 100644 # Allow the milter to read a GeoIP database in /usr/share files_read_usr_files(greylist_milter_t) # The milter runs from /var/lib/milter-greylist and maintains files there -@@ -49,6 +88,14 @@ auth_use_nsswitch(greylist_milter_t) +@@ -49,6 +90,14 @@ auth_use_nsswitch(greylist_milter_t) # Config is in /etc/mail/greylist.conf mta_read_config(greylist_milter_t) @@ -33284,7 +33393,7 @@ index 26101cb..efd51a0 100644 ######################################## # # milter-regex local policy -@@ -88,6 +135,8 @@ corecmd_exec_shell(spamass_milter_t) +@@ -88,6 +137,8 @@ corecmd_exec_shell(spamass_milter_t) corecmd_read_bin_symlinks(spamass_milter_t) corecmd_search_bin(spamass_milter_t) @@ -34406,7 +34515,7 @@ index b397fde..c7c031d 100644 +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..0efc1df 100644 +index d4fcb75..bb729e7 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) @@ -34763,7 +34872,7 @@ index d4fcb75..0efc1df 100644 - fs_manage_cifs_files(mozilla_plugin_t) - fs_manage_cifs_symlinks(mozilla_plugin_t) +tunable_policy(`mozilla_plugin_can_network_connect',` -+ corenet_tcp_connect_unreserved_ports(mozilla_plugin_t) ++ corenet_tcp_connect_all_ports(mozilla_plugin_t) ') optional_policy(` @@ -36564,10 +36673,21 @@ index 84a7d66..c58f1e7 100644 + clamav_stream_connect(mta_user_agent) +') diff --git a/munin.fc b/munin.fc -index fd71d69..5987e1c 100644 +index fd71d69..5b771ef 100644 --- a/munin.fc 
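Review bot: Replacing `corenet_tcp_connect_unreserved_ports(mozilla_plugin_t)` with `corenet_tcp_connect_all_ports(mozilla_plugin_t)` under `mozilla_plugin_can_network_connect` widens the boolean from unreserved ports to every labelled port, including the privileged and service ports (mail, directory, database) that the previous rule deliberately excluded, so turning the boolean on now lets a plugin reach any local or remote service. If that is intended, the tunable's description (presumably a gen_tunable in mozilla.te, outside this hunk) should say so, and a short comment at the rule, e.g. `# all ports, not just unreserved: plugins may talk to arbitrary services when this boolean is on`, would stop the next reader from re-narrowing it by mistake. The tunable_policy block is complete within the hunk; the rest of the mozilla_plugin_t policy is outside it.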
+++ b/munin.fc -@@ -41,6 +41,9 @@ +@@ -4,7 +4,9 @@ + /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +-/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) ++ ++# label all plugins as unconfined_munin_plugin_exec_t ++/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0) + + # disk plugins + /usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +@@ -41,6 +43,9 @@ /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) @@ -36577,7 +36697,7 @@ index fd71d69..5987e1c 100644 # system plugins /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -51,6 +54,7 @@ +@@ -51,6 +56,7 @@ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) 
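Review bot: The new catch-all `/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)` makes unconfined the default for every plugin that lacks a more specific entry, since the disk, services and system entries that follow it still win on their longer fixed stem, so the comment `# label all plugins as unconfined_munin_plugin_exec_t` overstates what the line does and hides that any unmatched third-party plugin now runs unconfined. Suggest rewording it to `# default for plugins without a more specific entry below: unconfined plugin domain`, and considering whether a confined default with explicit unconfined entries would be the safer failure mode.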
@@ -36585,7 +36705,7 @@ index fd71d69..5987e1c 100644 /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -58,11 +62,13 @@ +@@ -58,11 +64,13 @@ /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -36718,7 +36838,7 @@ index c358d8f..1cc176c 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index f17583b..dad742b 100644 +index f17583b..4188970 100644 --- a/munin.te +++ b/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -36925,11 +37045,15 @@ index f17583b..dad742b 100644 postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +317,14 @@ optional_policy(` +@@ -286,6 +317,18 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') +optional_policy(` ++ sssd_stream_connect(services_munin_plugin_t) ++') ++ ++optional_policy(` + varnishd_read_lib_files(services_munin_plugin_t) +') + @@ -36940,7 +37064,7 @@ index f17583b..dad742b 100644 ################################## # # local policy for system plugins -@@ -295,12 +334,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,12 +338,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) 
@@ -36956,7 +37080,7 @@ index f17583b..dad742b 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +350,45 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +354,45 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -40816,10 +40940,10 @@ index ded9fb6..6b11681 100644 userdom_dontaudit_use_unpriv_user_fds(ntop_t) diff --git a/ntp.fc b/ntp.fc -index e79dccc..e8d3e38 100644 +index e79dccc..2a3c6af 100644 --- a/ntp.fc +++ b/ntp.fc -@@ -10,6 +10,8 @@ +@@ -10,10 +10,14 @@ /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) @@ -40827,7 +40951,13 @@ index e79dccc..e8d3e38 100644 + /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) ++/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) + + /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) + /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) diff --git a/ntp.if b/ntp.if index e80f8c0..0044e73 100644 --- a/ntp.if @@ -40936,7 +41066,7 @@ index e80f8c0..0044e73 100644 + allow $1 ntpd_unit_file_t:service all_service_perms; ') diff --git a/ntp.te b/ntp.te -index c61adc8..374883b 100644 +index c61adc8..cb20a9d 100644 --- a/ntp.te +++ b/ntp.te @@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t) 
@@ -40949,7 +41079,15 @@ index c61adc8..374883b 100644 type ntpd_key_t; files_type(ntpd_key_t) -@@ -78,7 +81,6 @@ kernel_read_system_state(ntpd_t) +@@ -50,6 +53,7 @@ allow ntpd_t self:unix_stream_socket create_socket_perms; + allow ntpd_t self:tcp_socket create_stream_socket_perms; + allow ntpd_t self:udp_socket create_socket_perms; + ++manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) + manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) + + can_exec(ntpd_t, ntpd_exec_t) +@@ -78,7 +82,6 @@ kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) @@ -40957,7 +41095,7 @@ index c61adc8..374883b 100644 corenet_all_recvfrom_netlabel(ntpd_t) corenet_tcp_sendrecv_generic_if(ntpd_t) corenet_udp_sendrecv_generic_if(ntpd_t) -@@ -96,11 +98,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) +@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) dev_read_sysfs(ntpd_t) # for SSP dev_read_urand(ntpd_t) @@ -40973,7 +41111,7 @@ index c61adc8..374883b 100644 auth_use_nsswitch(ntpd_t) -@@ -110,7 +116,6 @@ corecmd_exec_shell(ntpd_t) +@@ -110,7 +117,6 @@ corecmd_exec_shell(ntpd_t) domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) @@ -40981,7 +41119,7 @@ index c61adc8..374883b 100644 files_read_etc_runtime_files(ntpd_t) files_read_usr_files(ntpd_t) files_list_var_lib(ntpd_t) -@@ -119,7 +124,6 @@ init_exec_script_files(ntpd_t) +@@ -119,7 +125,6 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -42063,10 +42201,10 @@ index 0000000..c9a5f74 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..bf37353 +index 0000000..6e20e72 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,608 @@ +@@ -0,0 +1,644 @@ + +## policy for openshift + 
@@ -42107,6 +42245,42 @@ index 0000000..bf37353 + allow $1 openshift_initrc_t:process signull; +') + ++####################################### ++## ++## Send a signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signal',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signal; ++') ++ ++######################################## ++## ++## Send a signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signl',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signal; ++') ++ +######################################## +## +## Search openshift cache directories. @@ -42677,10 +42851,10 @@ index 0000000..bf37353 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..8ddece6 +index 0000000..a33452e --- /dev/null +++ b/openshift.te -@@ -0,0 +1,378 @@ +@@ -0,0 +1,379 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -42935,6 +43109,7 @@ index 0000000..8ddece6 + apache_read_sys_content(openshift_domain) + apache_exec_sys_script(openshift_domain) + apache_entrypoint(openshift_domain) ++ apache_dontaudit_read_log(openshift_domain) +') + +optional_policy(` @@ -43227,10 +43402,10 @@ index 0000000..baf8d21 +/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0) diff --git a/openvswitch.if b/openvswitch.if new file mode 100644 -index 0000000..e2c300a +index 0000000..14f29e4 --- /dev/null +++ b/openvswitch.if -@@ -0,0 +1,247 @@ +@@ -0,0 +1,242 @@ + +## policy for openvswitch + @@ -43442,11 +43617,6 @@ index 0000000..e2c300a +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`openvswitch_admin',` @@ -43969,10 +44139,10 @@ index b246bdd..3cbcc49 100644 sysnet_dns_name_resolve(pads_t) 
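Review bot: `openshift_initrc_signl` is a byte-for-byte copy of `openshift_initrc_signal` added just above it, differing only in the misspelled name, so the new .if file now exports two interfaces for the same `allow $1 openshift_initrc_t:process signal;`. Drop the second block; if some caller already uses the misspelled name, keep it only as a deprecated alias whose body is a `refpolicywarn(...)` followed by `openshift_initrc_signal($1)`, not a second copy of the rule. Both headers read `Send a signal to openshift init scripts.`; naming the permission, `Send a generic signal (signal) to openshift init scripts.`, would also distinguish it from the `signull` interface above. The rest of openshift.if is outside this hunk.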
diff --git a/passenger.fc b/passenger.fc -index 545518d..16638ac 100644 +index 545518d..677ac68 100644 --- a/passenger.fc +++ b/passenger.fc -@@ -1,7 +1,7 @@ +@@ -1,11 +1,10 @@ -/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) @@ -43984,6 +44154,11 @@ index 545518d..16638ac 100644 /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) +-/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) +-/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0) ++/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) + + /var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/passenger.if b/passenger.if index f68b573..8fb9cd3 100644 --- a/passenger.if @@ -45853,10 +46028,10 @@ index 0000000..83c13cf + diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..9b7b637 +index 0000000..dfebbd9 --- /dev/null +++ b/pki.te -@@ -0,0 +1,288 @@ +@@ -0,0 +1,289 @@ +policy_module(pki,10.0.11) + +######################################## @@ -45973,6 +46148,7 @@ index 0000000..9b7b637 +corenet_tcp_connect_ldap_port(pki_tomcat_t) +corenet_tcp_connect_smtp_port(pki_tomcat_t) +corenet_tcp_connect_pki_ca_port(pki_tomcat_t) ++corenet_tcp_connect_ldap_port(pki_tomcat_t) + +selinux_get_enforce_mode(pki_tomcat_t) + @@ -48196,7 +48372,7 @@ index 46bee12..8ef270f 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index a1e0f60..22a3efd 100644 +index a1e0f60..85b12af 100644 --- a/postfix.te +++ b/postfix.te @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0) 
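Review bot: The added `corenet_tcp_connect_ldap_port(pki_tomcat_t)` in pki.te duplicates the identical call four lines above it in the same context block, so the hunk grants nothing new and leaves a confusing repeated line for the next reader. Remove the added line; if a different port was intended, substitute that interface instead. The pki_tomcat_t rule block continues outside this hunk.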
@@ -48204,9 +48380,9 @@ index a1e0f60..22a3efd 100644 # +## -+##

-+## Allow postfix_local domain full write access to mail_spool directories -+##

++##

++## Allow postfix_local domain full write access to mail_spool directories ++##

+##
+gen_tunable(postfix_local_write_mail_spool, true) + @@ -48357,6 +48533,15 @@ index a1e0f60..22a3efd 100644 mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +@@ -195,7 +216,7 @@ optional_policy(` + ') + + optional_policy(` +-# for postalias ++# for postalias + mailman_manage_data_files(postfix_master_t) + ') + @@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; @@ -48621,7 +48806,7 @@ index a1e0f60..22a3efd 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +648,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +648,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -48629,15 +48814,16 @@ index a1e0f60..22a3efd 100644 + +# for spampd +corenet_tcp_connect_spamd_port(postfix_master_t) ++corenet_tcp_bind_spamd_port(postfix_master_t) + files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +660,14 @@ optional_policy(` +@@ -565,6 +661,14 @@ optional_policy(` ') optional_policy(` -+ dovecot_stream_connect(postfix_smtp_t) ++ dovecot_stream_connect(postfix_smtp_t) +') + +optional_policy(` @@ -48648,7 +48834,7 @@ index a1e0f60..22a3efd 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +684,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -48675,7 +48861,7 @@ index a1e0f60..22a3efd 100644 ') optional_policy(` -@@ -599,6 +710,11 @@ optional_policy(` +@@ -599,6 +711,11 @@ optional_policy(` ') optional_policy(` 
@@ -48687,7 +48873,7 @@ index a1e0f60..22a3efd 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +727,6 @@ optional_policy(` +@@ -611,7 +728,6 @@ optional_policy(` # Postfix virtual local policy # @@ -48695,7 +48881,7 @@ index a1e0f60..22a3efd 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -622,7 +737,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } +@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) @@ -48703,7 +48889,7 @@ index a1e0f60..22a3efd 100644 files_read_usr_files(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) -@@ -630,3 +744,76 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -49095,7 +49281,7 @@ index de4bdb7..a4cad0b 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index bcbf9ac..c4607d4 100644 +index bcbf9ac..5a550bb 100644 --- a/ppp.te +++ b/ppp.te @@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) @@ -49141,7 +49327,7 @@ index bcbf9ac..c4607d4 100644 # -allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override }; -+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override }; ++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched signal }; +allow pppd_t self:process { getsched setsched signal }; 
@@ -49325,6 +49511,32 @@ index ec0e76a..62af9a4 100644 /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) /var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) +diff --git a/prelink.if b/prelink.if +index 93ec175..e6605c1 100644 +--- a/prelink.if ++++ b/prelink.if +@@ -202,3 +202,21 @@ interface(`prelink_relabel_lib',` + files_search_var_lib($1) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) + ') ++ ++######################################## ++## ++## Transition to prelink named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prelink_filetrans_named_content',` ++ gen_require(` ++ type prelink_cache_t; ++ ') ++ ++ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") ++') diff --git a/prelink.te b/prelink.te index af55369..9f1d1b5 100644 --- a/prelink.te @@ -55157,16 +55369,17 @@ index 93c896a..8aa7362 100644 +') diff --git a/rhev.fc b/rhev.fc new file mode 100644 -index 0000000..48beae9 +index 0000000..3edbd2e --- /dev/null +++ b/rhev.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,9 @@ +/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) + +/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0) + +/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0) ++/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0) + +/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0) diff --git a/rhev.if b/rhev.if @@ -55640,7 +55853,7 @@ index 137605a..fd40b90 100644 + ') ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 783f678..414434d 100644 +index 783f678..14193ca 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t) 
@@ -55653,7 +55866,7 @@ index 783f678..414434d 100644 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; -@@ -43,17 +46,35 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) +@@ -43,17 +46,36 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) @@ -55668,6 +55881,7 @@ index 783f678..414434d 100644 +dev_read_rand(rhsmcertd_t) dev_read_urand(rhsmcertd_t) ++dev_read_sysfs(rhsmcertd_t) files_read_etc_files(rhsmcertd_t) files_read_usr_files(rhsmcertd_t) @@ -58569,7 +58783,7 @@ index 82cb169..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 905883f..7339ebc 100644 +index 905883f..7e70344 100644 --- a/samba.te +++ b/samba.te @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0) @@ -58616,7 +58830,11 @@ index 905883f..7339ebc 100644 type winbind_var_run_t; files_pid_file(winbind_var_run_t) -@@ -184,8 +192,8 @@ manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) +@@ -181,11 +189,12 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) + manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) + manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) ++files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") kernel_read_proc_symlinks(samba_net_t) kernel_read_system_state(samba_net_t) @@ -58626,7 +58844,7 @@ index 905883f..7339ebc 100644 corenet_all_recvfrom_netlabel(samba_net_t) corenet_tcp_sendrecv_generic_if(samba_net_t) corenet_udp_sendrecv_generic_if(samba_net_t) -@@ -203,7 +211,6 @@ dev_read_urand(samba_net_t) +@@ -203,7 +212,6 @@ dev_read_urand(samba_net_t) domain_use_interactive_fds(samba_net_t) 
@@ -58634,7 +58852,7 @@ index 905883f..7339ebc 100644 files_read_usr_symlinks(samba_net_t) auth_use_nsswitch(samba_net_t) -@@ -211,15 +218,16 @@ auth_manage_cache(samba_net_t) +@@ -211,15 +219,16 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -58655,7 +58873,7 @@ index 905883f..7339ebc 100644 ') optional_policy(` -@@ -228,13 +236,15 @@ optional_policy(` +@@ -228,13 +237,15 @@ optional_policy(` optional_policy(` kerberos_use(samba_net_t) @@ -58672,7 +58890,7 @@ index 905883f..7339ebc 100644 dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -244,6 +254,7 @@ allow smbd_t self:msg { send receive }; +@@ -244,6 +255,7 @@ allow smbd_t self:msg { send receive }; allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; @@ -58680,7 +58898,7 @@ index 905883f..7339ebc 100644 allow smbd_t self:sock_file read_sock_file_perms; allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; -@@ -253,6 +264,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -253,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow smbd_t nmbd_t:process { signal signull }; allow smbd_t nmbd_var_run_t:file rw_file_perms; @@ -58688,7 +58906,7 @@ index 905883f..7339ebc 100644 allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -@@ -267,12 +279,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) +@@ -267,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) 
@@ -58699,11 +58917,11 @@ index 905883f..7339ebc 100644 manage_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) -+files_var_filetrans(smbd_t, samba_var_t, dir) ++files_var_filetrans(smbd_t, samba_var_t, dir, "samba") allow smbd_t smbcontrol_t:process { signal signull }; -@@ -283,7 +296,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) +@@ -283,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) @@ -58712,7 +58930,7 @@ index 905883f..7339ebc 100644 allow smbd_t swat_t:process signal; -@@ -302,7 +315,6 @@ kernel_read_system_state(smbd_t) +@@ -302,7 +316,6 @@ kernel_read_system_state(smbd_t) corecmd_exec_shell(smbd_t) corecmd_exec_bin(smbd_t) @@ -58720,7 +58938,7 @@ index 905883f..7339ebc 100644 corenet_all_recvfrom_netlabel(smbd_t) corenet_tcp_sendrecv_generic_if(smbd_t) corenet_udp_sendrecv_generic_if(smbd_t) -@@ -320,6 +332,7 @@ corenet_tcp_connect_smbd_port(smbd_t) +@@ -320,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) @@ -58728,7 +58946,7 @@ index 905883f..7339ebc 100644 dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) # For redhat bug 566984 -@@ -327,26 +340,29 @@ dev_getattr_all_blk_files(smbd_t) +@@ -327,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) @@ -58759,7 +58977,7 @@ index 905883f..7339ebc 100644 # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -355,9 +371,10 @@ init_rw_utmp(smbd_t) +@@ -355,9 +372,10 @@ init_rw_utmp(smbd_t) logging_search_logs(smbd_t) logging_send_syslog_msg(smbd_t) 
@@ -58771,7 +58989,7 @@ index 905883f..7339ebc 100644 userdom_use_unpriv_users_fds(smbd_t) userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) -@@ -372,8 +389,13 @@ ifdef(`hide_broken_symptoms', ` +@@ -372,8 +390,13 @@ ifdef(`hide_broken_symptoms', ` fs_dontaudit_getattr_tmpfs_dirs(smbd_t) ') @@ -58786,7 +59004,7 @@ index 905883f..7339ebc 100644 ') tunable_policy(`samba_domain_controller',` -@@ -389,12 +411,7 @@ tunable_policy(`samba_domain_controller',` +@@ -389,12 +412,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -58800,7 +59018,7 @@ index 905883f..7339ebc 100644 ') # Support Samba sharing of NFS mount points -@@ -415,6 +432,15 @@ tunable_policy(`samba_share_fusefs',` +@@ -415,6 +433,15 @@ tunable_policy(`samba_share_fusefs',` ') optional_policy(` @@ -58816,7 +59034,7 @@ index 905883f..7339ebc 100644 cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') -@@ -426,6 +452,7 @@ optional_policy(` +@@ -426,6 +453,7 @@ optional_policy(` optional_policy(` ldap_stream_connect(smbd_t) @@ -58824,7 +59042,7 @@ index 905883f..7339ebc 100644 ') optional_policy(` -@@ -452,26 +479,26 @@ optional_policy(` +@@ -452,26 +480,26 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -58863,7 +59081,7 @@ index 905883f..7339ebc 100644 ######################################## # # nmbd Local policy -@@ -491,8 +518,11 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -491,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; 
@@ -58876,14 +59094,14 @@ index 905883f..7339ebc 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -501,11 +531,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) +@@ -501,11 +532,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) +manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) -+files_var_filetrans(nmbd_t, samba_var_t, dir) ++files_var_filetrans(nmbd_t, samba_var_t, dir, "samba") allow nmbd_t smbcontrol_t:process signal; @@ -58892,7 +59110,7 @@ index 905883f..7339ebc 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) -@@ -513,7 +545,6 @@ kernel_read_network_state(nmbd_t) +@@ -513,7 +546,6 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -58900,7 +59118,7 @@ index 905883f..7339ebc 100644 corenet_all_recvfrom_netlabel(nmbd_t) corenet_tcp_sendrecv_generic_if(nmbd_t) corenet_udp_sendrecv_generic_if(nmbd_t) -@@ -536,7 +567,6 @@ fs_search_auto_mountpoints(nmbd_t) +@@ -536,7 +568,6 @@ fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) files_read_usr_files(nmbd_t) @@ -58908,7 +59126,7 @@ index 905883f..7339ebc 100644 files_list_var_lib(nmbd_t) auth_use_nsswitch(nmbd_t) -@@ -544,12 +574,14 @@ auth_use_nsswitch(nmbd_t) +@@ -544,12 +575,14 @@ auth_use_nsswitch(nmbd_t) logging_search_logs(nmbd_t) logging_send_syslog_msg(nmbd_t) @@ -58925,7 +59143,7 @@ index 905883f..7339ebc 100644 seutil_sigchld_newrole(nmbd_t) ') -@@ -562,18 +594,21 @@ optional_policy(` +@@ -562,18 +595,21 @@ optional_policy(` # smbcontrol local policy # 
@@ -58951,7 +59169,7 @@ index 905883f..7339ebc 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -581,11 +616,19 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -581,11 +617,19 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -58959,22 +59177,22 @@ index 905883f..7339ebc 100644 +dev_read_urand(smbcontrol_t) + +files_read_usr_files(smbcontrol_t) ++ ++term_use_console(smbcontrol_t) ++ ++sysnet_use_ldap(smbcontrol_t) -miscfiles_read_localization(smbcontrol_t) -+term_use_console(smbcontrol_t) ++userdom_use_inherited_user_terminals(smbcontrol_t) -userdom_use_user_terminals(smbcontrol_t) -+sysnet_use_ldap(smbcontrol_t) -+ -+userdom_use_inherited_user_terminals(smbcontrol_t) -+ +optional_policy(` + ctdbd_stream_connect(smbcontrol_t) +') ######################################## # -@@ -604,7 +647,7 @@ allow smbmount_t samba_etc_t:file read_file_perms; +@@ -604,18 +648,20 @@ allow smbmount_t samba_etc_t:file read_file_perms; can_exec(smbmount_t, smbmount_exec_t) @@ -58983,7 +59201,13 @@ index 905883f..7339ebc 100644 allow smbmount_t samba_log_t:file manage_file_perms; allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -615,7 +658,6 @@ files_list_var_lib(smbmount_t) + ++manage_dirs_pattern(smbmount_t, samba_var_t, samba_var_t) + manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) ++files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") ++ + files_list_var_lib(smbmount_t) kernel_read_system_state(smbmount_t) 
@@ -58991,7 +59215,7 @@ index 905883f..7339ebc 100644 corenet_all_recvfrom_netlabel(smbmount_t) corenet_tcp_sendrecv_generic_if(smbmount_t) corenet_raw_sendrecv_generic_if(smbmount_t) -@@ -645,31 +687,32 @@ files_list_mnt(smbmount_t) +@@ -645,31 +691,32 @@ files_list_mnt(smbmount_t) files_mounton_mnt(smbmount_t) files_manage_etc_runtime_files(smbmount_t) files_etc_filetrans_etc_runtime(smbmount_t, file) @@ -59029,7 +59253,7 @@ index 905883f..7339ebc 100644 allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -684,7 +727,8 @@ samba_domtrans_nmbd(swat_t) +@@ -684,7 +731,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -59039,10 +59263,13 @@ index 905883f..7339ebc 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -699,12 +743,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -698,13 +746,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) + manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) ++manage_dirs_pattern(swat_t, samba_var_t, samba_var_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) ++files_var_filetrans(swat_t, samba_var_t, dir, "samba") +files_list_var_lib(swat_t) allow swat_t smbd_exec_t:file mmap_file_perms ; @@ -59054,7 +59281,7 @@ index 905883f..7339ebc 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -717,6 +763,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -717,6 +769,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; 
@@ -59062,7 +59289,7 @@ index 905883f..7339ebc 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -726,7 +773,6 @@ kernel_read_network_state(swat_t) +@@ -726,7 +779,6 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -59070,7 +59297,7 @@ index 905883f..7339ebc 100644 corenet_all_recvfrom_netlabel(swat_t) corenet_tcp_sendrecv_generic_if(swat_t) corenet_udp_sendrecv_generic_if(swat_t) -@@ -744,7 +790,6 @@ corenet_sendrecv_ipp_client_packets(swat_t) +@@ -744,7 +796,6 @@ corenet_sendrecv_ipp_client_packets(swat_t) dev_read_urand(swat_t) files_list_var_lib(swat_t) @@ -59078,7 +59305,7 @@ index 905883f..7339ebc 100644 files_search_home(swat_t) files_read_usr_files(swat_t) fs_getattr_xattr_fs(swat_t) -@@ -759,7 +804,10 @@ logging_send_syslog_msg(swat_t) +@@ -759,7 +810,10 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -59090,7 +59317,7 @@ index 905883f..7339ebc 100644 optional_policy(` cups_read_rw_config(swat_t) -@@ -790,7 +838,8 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -790,7 +844,8 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; 
@@ -59100,7 +59327,16 @@ index 905883f..7339ebc 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -813,21 +862,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,6 +861,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) + manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) + manage_files_pattern(winbind_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) ++manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) ++files_var_filetrans(winbind_t, samba_var_t, dir, "samba") + files_list_var_lib(winbind_t) + + rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -813,21 +870,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -59134,7 +59370,7 @@ index 905883f..7339ebc 100644 corenet_all_recvfrom_netlabel(winbind_t) corenet_tcp_sendrecv_generic_if(winbind_t) corenet_udp_sendrecv_generic_if(winbind_t) -@@ -840,12 +894,15 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -840,12 +902,15 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -59150,7 +59386,7 @@ index 905883f..7339ebc 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -855,12 +912,14 @@ auth_manage_cache(winbind_t) +@@ -855,12 +920,14 @@ auth_manage_cache(winbind_t) domain_use_interactive_fds(winbind_t) 
@@ -59167,7 +59403,7 @@ index 905883f..7339ebc 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -871,6 +930,15 @@ userdom_manage_user_home_content_sockets(winbind_t) +@@ -871,6 +938,15 @@ userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` @@ -59183,7 +59419,7 @@ index 905883f..7339ebc 100644 kerberos_use(winbind_t) ') -@@ -909,9 +977,7 @@ auth_use_nsswitch(winbind_helper_t) +@@ -909,9 +985,7 @@ auth_use_nsswitch(winbind_helper_t) logging_send_syslog_msg(winbind_helper_t) @@ -59194,7 +59430,7 @@ index 905883f..7339ebc 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -929,19 +995,34 @@ optional_policy(` +@@ -929,19 +1003,34 @@ optional_policy(` # optional_policy(` @@ -61317,7 +61553,7 @@ index 7e94c7c..ca74cd9 100644 + admin_pattern($1, mail_spool_t) +') diff --git a/sendmail.te b/sendmail.te -index 22dac1f..8bc4eff 100644 +index 22dac1f..a536819 100644 --- a/sendmail.te +++ b/sendmail.te @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t) @@ -61360,7 +61596,7 @@ index 22dac1f..8bc4eff 100644 auth_use_nsswitch(sendmail_t) -@@ -100,10 +99,9 @@ logging_send_syslog_msg(sendmail_t) +@@ -100,10 +99,10 @@ logging_send_syslog_msg(sendmail_t) logging_dontaudit_write_generic_logs(sendmail_t) miscfiles_read_generic_certs(sendmail_t) @@ -61369,10 +61605,11 @@ index 22dac1f..8bc4eff 100644 userdom_dontaudit_use_unpriv_user_fds(sendmail_t) -userdom_dontaudit_search_user_home_dirs(sendmail_t) +userdom_read_user_home_content_files(sendmail_t) ++userdom_dontaudit_list_user_home_dirs(sendmail_t) mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -115,6 +113,10 @@ mta_manage_spool(sendmail_t) +@@ -115,6 +114,10 @@ mta_manage_spool(sendmail_t) mta_sendmail_exec(sendmail_t) optional_policy(` 
@@ -61383,7 +61620,7 @@ index 22dac1f..8bc4eff 100644 cron_read_pipes(sendmail_t) ') -@@ -128,7 +130,14 @@ optional_policy(` +@@ -128,7 +131,14 @@ optional_policy(` ') optional_policy(` @@ -61398,7 +61635,7 @@ index 22dac1f..8bc4eff 100644 ') optional_policy(` -@@ -149,7 +158,14 @@ optional_policy(` +@@ -149,7 +159,14 @@ optional_policy(` ') optional_policy(` @@ -61413,7 +61650,7 @@ index 22dac1f..8bc4eff 100644 postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,20 +184,13 @@ optional_policy(` +@@ -168,20 +185,13 @@ optional_policy(` ') optional_policy(` @@ -61642,7 +61879,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..3ec58d6 100644 +index 086cd5f..08ef0c7 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -61767,13 +62004,15 @@ index 086cd5f..3ec58d6 100644 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -151,10 +176,14 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -150,11 +175,16 @@ kernel_read_system_state(setroubleshoot_fixit_t) + corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) - ++corecmd_getattr_all_executables(setroubleshoot_fixit_t) ++ +dev_read_sysfs(setroubleshoot_fixit_t) +dev_read_urand(setroubleshoot_fixit_t) -+ + seutil_domtrans_setfiles(setroubleshoot_fixit_t) +seutil_domtrans_setsebool(setroubleshoot_fixit_t) +seutil_read_module_store(setroubleshoot_fixit_t) @@ -61783,7 +62022,7 @@ index 086cd5f..3ec58d6 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -162,7 +191,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -162,7 +192,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) 
@@ -67975,10 +68214,24 @@ index 904f13e..5801347 100644 + ') ') diff --git a/tor.te b/tor.te -index c842cad..a0c42c1 100644 +index c842cad..a655e4c 100644 --- a/tor.te +++ b/tor.te -@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t) +@@ -13,6 +13,13 @@ policy_module(tor, 1.8.0) + ## + gen_tunable(tor_bind_all_unreserved_ports, false) + ++## ++##

++## Allow tor to act as a relay ++##

++##
++gen_tunable(tor_can_network_relay, false) ++ + type tor_t; + type tor_exec_t; + init_daemon_domain(tor_t, tor_exec_t) +@@ -36,12 +43,16 @@ logging_log_file(tor_var_log_t) type tor_var_run_t; files_pid_file(tor_var_run_t) @@ -67995,18 +68248,19 @@ index c842cad..a0c42c1 100644 allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -73,9 +77,9 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) +@@ -73,9 +84,10 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) kernel_read_system_state(tor_t) +kernel_read_net_sysctls(tor_t) ++kernel_read_kernel_sysctls(tor_t) # networking basics -corenet_all_recvfrom_unlabeled(tor_t) corenet_all_recvfrom_netlabel(tor_t) corenet_tcp_sendrecv_generic_if(tor_t) corenet_udp_sendrecv_generic_if(tor_t) -@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) +@@ -87,6 +99,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) corenet_tcp_bind_tor_port(tor_t) @@ -68014,7 +68268,7 @@ index c842cad..a0c42c1 100644 corenet_udp_bind_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_sendrecv_dns_server_packets(tor_t) -@@ -95,13 +100,14 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -95,13 +108,14 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -68030,7 +68284,7 @@ index c842cad..a0c42c1 100644 files_read_etc_runtime_files(tor_t) files_read_usr_files(tor_t) -@@ -109,8 +115,6 @@ auth_use_nsswitch(tor_t) +@@ -109,12 +123,16 @@ auth_use_nsswitch(tor_t) logging_send_syslog_msg(tor_t) 
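Review bot: The description of the new boolean, `## Allow tor to act as a relay`, does not tell an administrator what switching it on grants; from the tunable_policy block added later in this diff that is binding the http port (port 80 and anything else labeled http_port_t) and connecting to all ephemeral ports. Booleans are the knob administrators are expected to flip on the strength of this text alone, so the desc should name the exposure: `## Allow tor to act as a relay, which lets it bind the http port and connect to all ephemeral ports`. The gen_tunable sits between the existing tor_bind_all_unreserved_ports tunable and the tor_t type declarations, so that placement is consistent with the rest of the file.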
@@ -68039,6 +68293,16 @@ index c842cad..a0c42c1 100644 tunable_policy(`tor_bind_all_unreserved_ports', ` corenet_tcp_bind_all_unreserved_ports(tor_t) ') + ++tunable_policy(`tor_can_network_relay',` ++ # allow httpd to work as a relay ++ corenet_tcp_connect_all_ephemeral_ports(tor_t) ++ corenet_tcp_bind_http_port(tor_t) ++') ++ + optional_policy(` + seutil_sigchld_newrole(tor_t) + ') diff --git a/transproxy.te b/transproxy.te index 95cf0c0..f191f8a 100644 --- a/transproxy.te @@ -68163,7 +68427,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/tuned.te b/tuned.te -index db9d2a5..8843888 100644 +index db9d2a5..0c1d7e7 100644 --- a/tuned.te +++ b/tuned.te @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) @@ -68179,7 +68443,7 @@ index db9d2a5..8843888 100644 type tuned_log_t; logging_log_file(tuned_log_t) -@@ -22,42 +28,73 @@ files_pid_file(tuned_var_run_t) +@@ -22,43 +28,84 @@ files_pid_file(tuned_var_run_t) # # tuned local policy # @@ -68191,8 +68455,10 @@ index db9d2a5..8843888 100644 +allow tuned_t self:udp_socket create_socket_perms; + +read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) ++exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) + +manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) ++files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) @@ -68229,14 +68495,17 @@ index db9d2a5..8843888 100644 files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) +files_list_tmp(tuned_t) - --logging_send_syslog_msg(tuned_t) ++ +fs_getattr_all_fs(tuned_t) ++ ++auth_use_nsswitch(tuned_t) + + logging_send_syslog_msg(tuned_t) -miscfiles_read_localization(tuned_t) -+auth_use_nsswitch(tuned_t) ++mount_read_pid_files(tuned_t) + -+logging_send_syslog_msg(tuned_t) ++udev_read_pid_files(tuned_t) userdom_dontaudit_search_user_home_dirs(tuned_t) 
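Review bot: The comment `# allow httpd to work as a relay` inside the new `tunable_policy(\`tor_can_network_relay',\`` block names the wrong domain and should read `# allow tor to work as a relay`. Separately, `corenet_tcp_connect_all_ephemeral_ports(tor_t)` inside the boolean adds nothing, because the unconditional `corenet_tcp_connect_all_ports(tor_t)` that appears as context in the earlier tor.te hunk already covers ephemeral ports; as written the boolean effectively gates only `corenet_tcp_bind_http_port(tor_t)`. Either drop the redundant connect line, or, if the intent is for the all-ports connect to move under the boolean, note that that move is not part of this diff.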
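Review bot: `files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")` only fires when the parent directory is etc_t, but the adjacent `manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)` shows /etc/tuned itself is expected to be tuned_etc_t (tuned.fc is not in this diff, so that is inferred); creating /etc/tuned/active_profile in a tuned_etc_t directory would then inherit tuned_etc_t rather than tuned_rw_etc_t, which does not match the changelog's "Add filename transition for /etc/tuned/active_profile". The transition matching that layout is `filetrans_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t, file, "active_profile")`, possibly alongside the etc_t one if the file can also live directly under /etc. Keeping `exec_files_pattern` on tuned_etc_t while writes are confined to tuned_rw_etc_t is the right split and deserves a comment such as `# profile scripts execute from read-only tuned_etc_t; only active_profile is writable` so a later change does not widen the exec rule to tuned_rw_etc_t. The tuned_t section continues outside the hunk.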
@@ -68261,6 +68530,11 @@ index db9d2a5..8843888 100644 # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) + ') ++ ++optional_policy(` ++ unconfined_dbus_send(tuned_t) ++') diff --git a/tvtime.te b/tvtime.te index 531b1f1..7455f78 100644 --- a/tvtime.te @@ -69635,7 +69909,7 @@ index 2124b6a..e55e393 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..490101e 100644 +index 6f0736b..2e6c056 100644 --- a/virt.if +++ b/virt.if @@ -13,67 +13,30 @@ @@ -69669,16 +69943,16 @@ index 6f0736b..490101e 100644 - type $1_tmpfs_t; - files_tmpfs_file($1_tmpfs_t) -- ++ auth_read_passwd($1_t) + - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) -+ auth_use_nsswitch($1_t) ++ logging_send_syslog_msg($1_t) - type $1_var_run_t; - files_pid_file($1_var_run_t) -+ logging_send_syslog_msg($1_t) - +- - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty($1_t, $1_devpts_t) @@ -70457,7 +70731,7 @@ index 6f0736b..490101e 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..5dec493 100644 +index 947bbc6..08c7bcb 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0) @@ -71051,7 +71325,7 @@ index 947bbc6..5dec493 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -402,35 +567,84 @@ optional_policy(` +@@ -402,35 +567,85 @@ optional_policy(` # # virtual domains common policy # 
@@ -71090,6 +71364,7 @@ index 947bbc6..5dec493 100644 + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t) ++manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t) @@ -71145,7 +71420,7 @@ index 947bbc6..5dec493 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,34 +652,593 @@ dev_write_sound(virt_domain) +@@ -438,34 +653,593 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -72765,7 +73040,7 @@ index 77d41b6..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index 07033bb..5e3cb73 100644 +index 07033bb..8358a63 100644 --- a/xen.te +++ b/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.12.0) @@ -72854,7 +73129,7 @@ index 07033bb..5e3cb73 100644 -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; -dontaudit xend_t self:capability { sys_ptrace }; -+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw }; ++allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio }; allow xend_t self:process { signal sigkill }; -dontaudit xend_t self:process ptrace; + 
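Review bot: `sys_rawio` is added to the xend_t capability set without any comment on why it is needed; the changelog line "Allow xend to run scsi_id" and the `storage_read_scsi_generic(xend_t)` added in the next hunk suggest it is for SG_IO ioctls issued by scsi_id, but that is inferred from the surrounding lines. Because sys_rawio permits raw device I/O well beyond what an identifier lookup needs, the reason should be pinned inline so the grant can be revisited, e.g. `# sys_rawio: scsi_id issues SG_IO on scsi generic devices`. The xend_t local policy this line belongs to starts and ends outside the hunk.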
@@ -72896,17 +73171,21 @@ index 07033bb..5e3cb73 100644 files_read_etc_files(xend_t) files_read_kernel_symbol_table(xend_t) -@@ -309,7 +312,9 @@ files_etc_filetrans_etc_runtime(xend_t, file) +@@ -309,7 +312,13 @@ files_etc_filetrans_etc_runtime(xend_t, file) files_read_usr_files(xend_t) files_read_default_symlinks(xend_t) ++fs_read_removable_blk_files(xend_t) ++ ++storage_read_scsi_generic(xend_t) ++ +term_setattr_generic_ptys(xend_t) term_getattr_all_ptys(xend_t) +term_setattr_all_ptys(xend_t) term_use_generic_ptys(xend_t) term_use_ptmx(xend_t) term_getattr_pty_fs(xend_t) -@@ -320,13 +325,10 @@ locallogin_dontaudit_use_fds(xend_t) +@@ -320,13 +329,10 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) @@ -72921,7 +73200,7 @@ index 07033bb..5e3cb73 100644 sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) sysnet_domtrans_ifconfig(xend_t) -@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) +@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) @@ -72930,7 +73209,7 @@ index 07033bb..5e3cb73 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +349,28 @@ optional_policy(` +@@ -349,6 +353,28 @@ optional_policy(` consoletype_exec(xend_t) ') @@ -72959,7 +73238,7 @@ index 07033bb..5e3cb73 100644 ######################################## # # Xen console local policy -@@ -359,7 +381,7 @@ allow xenconsoled_t self:process setrlimit; +@@ -359,7 +385,7 @@ allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; @@ -72968,7 +73247,7 @@ index 07033bb..5e3cb73 100644 # pid file manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) -@@ -374,8 +396,6 @@ dev_rw_xen(xenconsoled_t) +@@ -374,8 +400,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) 
@@ -72977,7 +73256,7 @@ index 07033bb..5e3cb73 100644 files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) -@@ -390,7 +410,7 @@ term_use_console(xenconsoled_t) +@@ -390,7 +414,7 @@ term_use_console(xenconsoled_t) init_use_fds(xenconsoled_t) init_use_script_ptys(xenconsoled_t) @@ -72986,7 +73265,7 @@ index 07033bb..5e3cb73 100644 xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) -@@ -413,9 +433,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +437,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -72998,7 +73277,7 @@ index 07033bb..5e3cb73 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,111 +463,24 @@ files_read_etc_files(xenstored_t) +@@ -442,111 +467,24 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -73112,7 +73391,7 @@ index 07033bb..5e3cb73 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +493,4 @@ optional_policy(` +@@ -559,8 +497,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index f6775d8..733c489 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 59.1%{?dist} +Release: 61%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -27,7 +27,6 @@ patch: policy-rawhide.patch patch1: policy_contrib-rawhide.patch patch2: policy_contrib-rawhide-roleattribute.patch patch3: policy-rawhide-roleattribute.patch -patch4: mcs_net.patch Source1: modules-targeted-base.conf Source31: modules-targeted-contrib.conf Source2: booleans-targeted.conf 
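Review bot: Removing `patch4: mcs_net.patch` only deletes the definition; the matching `%patch4` application in `%prep` is not in this diff, and if it is still present the build fails at prep, so that section should be checked. The 3.11.1-61 changelog added in the last hunk carries no bullet for dropping the MCS network constraints while the -59 entry that introduced them is deleted, which leaves the history silent on a policy-wide change; a bullet such as `- Drop mcs_net.patch (MCS network constraints)` would keep it readable. Note also that Release moves from 59.1 to 61 and no -59.1 entry remains.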
@@ -526,8 +525,61 @@ SELinux Reference policy mls base module. %endif %changelog -* Mon Dec 4 2012 Dan Walsh 3.11.1-59 -- Add MCS Network Constraints +* Mon Dec 10 2012 Miroslav Grepl 3.11.1-61 +- Label /var/lib/pgsql/.ssh as ssh_home_t +- Add labeling for /usr/bin/pg_ctl +- Allow systemd-logind to manage keyring user tmp dirs +- Add support for 7389/tcp port +- gems seems to be placed in lots of places +- Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus +- Add back tcp/8123 port as http_cache port +- Add ovirt-guest-agent\.pid labeling +- Allow xend to run scsi_id +- Allow rhsmcertd-worker to read "physical_package_id" +- Allow pki_tomcat to connect to ldap port +- Allow lpr to read /usr/share/fonts +- Allow open file from CD/DVD drive on domU +- Allow munin services plugins to talk to SSSD +- Allow all samba domains to create samba directory in var_t directories +- Take away svirt_t ability to use nsswitch +- Dontaudit attempts by openshift to read apache logs +- Allow apache to create as well as append _ra_content_t +- Dontaudit sendmail_t reading a leaked file descriptor +- Add interface to have admin transition /etc/prelink.cache to the proper label +- Add sntp support to ntp policy +- Allow firewalld to dbus chat with devicekit_power +- Allow tuned to call lsblk +- Allow tor to read /proc/sys/kernel/random/uuid +- Add tor_can_network_relay boolean + +* Wed Dec 5 2012 Miroslav Grepl 3.11.1-60 +- Add openshift_initrc_signal() interface +- Fix typos +- dspam port is treat as spamd_port_t +- Allow setroubleshoot to getattr on all executables +- Allow tuned to execute profiles scripts in /etc/tuned +- Allow apache to create directories to store its log files +- Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t +- Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6 +- Allow Postfix to be configured to listen on TCP port 10026 for email 
from DSPAM +- Add filename transition for /etc/tuned/active_profile +- Allow condor_master to send mails +- Allow condor_master to read submit.cf +- Allow condor_master to create /tmp files/dirs +- Allow condor_mater to send sigkill to other condor domains +- Allow condor_procd sigkill capability +- tuned-adm wants to talk with tuned daemon +- Allow kadmind and krb5kdc to also list sssd_public_t +- Allow accountsd to dbus chat with init +- Fix git_read_generic_system_content_files() interface +- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler" +- Fix mozilla_plugin_can_network_connect to allow to connect to all ports +- Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t +- dspam wants to search /var/spool for opendkim data +- Revert "Add support for tcp/10026 port as dspam_port_t" +- Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6 +- Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain +- Allow systemd_tmpfiles_t to setattr on mandb_cache_t * Sat Dec 1 2012 Miroslav Grepl 3.11.1-59 - consolekit.pp was not removed from the postinstall script