diff --git a/policy-F16.patch b/policy-F16.patch
index 8c28a80..d891175 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -8580,10 +8580,10 @@ index 0000000..0fedd57
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..88efdca
+index 0000000..104b919
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,479 @@
+@@ -0,0 +1,481 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8778,6 +8778,7 @@ index 0000000..88efdca
 +manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
 +manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
 +manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
 +
 +domain_dontaudit_read_all_domains_state(sandbox_x_domain)
 +
@@ -9019,6 +9020,7 @@ index 0000000..88efdca
 +')
 +
 +optional_policy(`
++ nsplugin_manage_rw(sandbox_web_type)
 + nsplugin_read_rw_files(sandbox_web_type)
 + nsplugin_rw_exec(sandbox_web_type)
 +')
@@ -10342,7 +10344,7 @@ index 223ad43..d400ef6 100644
  # Reading dotfiles...
  # cjp: ?
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..d0c0d02 100644
+index 34c9d01..0d54b2c 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -10395,7 +10397,7 @@ index 34c9d01..d0c0d02 100644
  #
  # /usr
  #
-@@ -196,47 +195,49 @@ ifdef(`distro_gentoo',`
+@@ -196,47 +195,50 @@ ifdef(`distro_gentoo',`
  /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
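Review bot: The new `dontaudit sandbox_x_domain sandbox_file_t:dir mounton;` in the sandbox.te hunk silences a denial without recording what triggers it, so a later reader cannot tell whether the mount attempt is expected sandbox setup or an access that should stay visible in the audit log. A one-line comment above it would keep the suppression explainable, e.g. `# <which sandbox step tries to mount over a sandbox_file_t dir — TODO confirm>; denied quietly`. If the mounton is actually needed rather than merely noisy, that would call for an `allow` instead, and the choice should be stated either way.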
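Review bot: `nsplugin_manage_rw(sandbox_web_type)` widens the sandboxed web domain from reading nsplugin rw content to managing it, and nothing in the hunk says why; the retained `nsplugin_read_rw_files(sandbox_web_type)` on the next line is presumably subsumed by the manage call, which suggests the widening was added rather than reviewed against the existing lines. Record the need that drove it in a comment, e.g. `# TODO confirm: which plugin state sandbox_web_type must create or rewrite`, and either drop the now-redundant read call or note why both are kept. The enclosing optional_policy block is fully inside the hunk.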
@@ -10441,6 +10443,7 @@ index 34c9d01..d0c0d02 100644
 -
 -/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10486,7 +10489,7 @@ index 34c9d01..d0c0d02 100644
  /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -244,9 +245,13 @@ ifdef(`distro_gentoo',`
+@@ -244,9 +246,13 @@ ifdef(`distro_gentoo',`
  /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -10501,7 +10504,7 @@ index 34c9d01..d0c0d02 100644
  /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -283,6 +288,7 @@ ifdef(`distro_gentoo',`
+@@ -283,6 +289,7 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -10509,7 +10512,7 @@ index 34c9d01..d0c0d02 100644
  /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -291,7 +297,7 @@ ifdef(`distro_gentoo',`
+@@ -291,7 +298,7 @@ ifdef(`distro_gentoo',`
  /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10518,7 +10521,7 @@ index 34c9d01..d0c0d02 100644
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -304,9 +310,8 @@ ifdef(`distro_redhat', `
+@@ -304,9 +311,8 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10529,7 +10532,7 @@ index 34c9d01..d0c0d02 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +321,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +322,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10541,7 +10544,7 @@ index 34c9d01..d0c0d02 100644
  /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -360,7 +367,7 @@ ifdef(`distro_redhat', `
+@@ -360,7 +368,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -10550,7 +10553,7 @@ index 34c9d01..d0c0d02 100644
  /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
  ')
-@@ -373,7 +380,6 @@ ifdef(`distro_suse', `
+@@ -373,7 +381,6 @@ ifdef(`distro_suse', `
  /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -10957,7 +10960,7 @@ index 6cf8784..5b25039 100644
 +#
 +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..255c5bb 100644
+index e9313fb..6db0863 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -11112,6 +11115,15 @@ index e9313fb..255c5bb 100644
  ')
  ########################################
+@@ -920,7 +975,7 @@ interface(`dev_filetrans',`
+ type device_t;
+ ')
+
+- filetrans_pattern($1, device_t, $2, $3)
++ filetrans_pattern($1, device_t, $2, $3, $4)
+
+ dev_associate($2)
+ files_associate_tmp($2)
  @@ -1178,6 +1233,42 @@ interface(`dev_create_all_chr_files',`
  ########################################
@@ -11299,7 +11311,7 @@ index e9313fb..255c5bb 100644
  ## Write to watchdog devices.
  ##
  ##
-@@ -4748,3 +4874,22 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4874,751 @@ interface(`dev_unconfined',`
  typeattribute $1 devices_unconfined_type;
  ')
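Review bot: `dev_filetrans` now forwards a fourth argument (`filetrans_pattern($1, device_t, $2, $3, $4)`) but nothing in the hunk documents it, and the interface's XML doc block and the head of its `gen_require` sit above the hunk, outside what is shown; existing callers that still pass three arguments presumably expand `$4` to an empty name, so the new parameter is effectively optional and should be described that way so callers know the behaviour differs from a name-qualified transition. Add a parameter entry to the interface documentation, e.g. `## <param name="name" optional="true">` with a summary line such as `## Name of the object being created, for a name-based transition.`, in the same form as the other `<param>` entries in this file.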
@@ -11322,6 +11334,735 @@ index e9313fb..255c5bb 100644
 +
 + dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
 +')
++
++########################################
++##
++## Create all named devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_filetrans_all_named_dev',`
++
++gen_require(`
++ type device_t;
++ type usb_device_t;
++ type xserver_misc_device_t;
++ type sound_device_t;
++ type apm_bios_t;
++ type mouse_device_t;
++ type autofs_device_t;
++ type lvm_control_t;
++ type crash_device_t;
++ type dlm_control_device_t;
++ type clock_device_t;
++ type v4l_device_t;
++ type event_device_t;
++ type xen_device_t;
++ type framebuf_device_t;
++ type null_device_t;
++ type random_device_t;
++ type dri_device_t;
++ type ipmi_device_t;
++ type printer_device_t;
++ type memory_device_t;
++ type kmsg_device_t;
++ type qemu_device_t;
++ type ksm_device_t;
++ type kvm_device_t;
++ type lirc_device_t;
++ type cpu_device_t;
++ type scanner_device_t;
++ type modem_device_t;
++ type vhost_device_t;
++ type netcontrol_device_t;
++ type nvram_device_t;
++ type power_device_t;
++ type wireless_device_t;
++ type tpm_device_t;
++ type userio_device_t;
++ type urandom_device_t;
++ type usbmon_device_t;
++ type vmware_device_t;
++ type watchdog_device_t;
++ type crypt_device_t;
++ type zero_device_t;
++ type smartcard_device_t;
++ type mtrr_device_t;
++')
++
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, 3dfx)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi5) ++ 
filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer9) ++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, apm_bios) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, atibm) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio9) ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs0) ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs1) ++ filetrans_pattern($1, device_t, autofs_device_t, 
chr_file, autofs2) ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs3) ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs4) ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs5) ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs6) ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs7) ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs8) ++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, beep) ++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, btrfs-control) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, controlD64) ++ filetrans_pattern($1, device_t, crash_device_t, chr_file, crash) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm0) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm1) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm2) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm3) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm4) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm5) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm6) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm7) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm8) ++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmfm) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi4) ++ filetrans_pattern($1, device_t, 
sound_device_t, chr_file, dmmidi5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp9) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, efirtc) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, e2201) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83000) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83001) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83002) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83003) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83004) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83005) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83006) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83007) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83008) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83009) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, event0) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, event1) ++ filetrans_pattern($1, device_t, event_device_t, 
chr_file, event2) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, event3) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, event4) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, event5) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, event6) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, event7) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, event8) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, event9) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, evtchn) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb0) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb1) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb2) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb3) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb4) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb5) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb6) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb7) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb8) ++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb9) ++ filetrans_pattern($1, device_t, null_device_t, chr_file, full) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw0) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw1) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw2) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw3) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw4) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw5) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw6) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw7) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw8) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw9) ++ filetrans_pattern($1, device_t, 
xserver_misc_device_t, chr_file, gfx) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, graphics) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc0) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc1) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc2) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc3) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc4) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc5) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc6) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc7) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc8) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, hfmodem) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev0) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev1) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev2) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev3) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev4) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev5) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev6) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev7) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev8) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev9) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw0) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw1) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw2) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw3) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw4) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw5) ++ filetrans_pattern($1, device_t, 
usb_device_t, chr_file, hidraw6) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw7) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw8) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw9) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, hpet) ++ filetrans_pattern($1, device_t, random_device_t, chr_file, hw_random) ++ filetrans_pattern($1, device_t, random_device_t, chr_file, hwrng) ++ filetrans_pattern($1, device_t, dri_device_t, chr_file, i915) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, inportbm) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi0) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi1) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi2) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi3) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi4) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi5) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi6) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi7) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi8) ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi9) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt0) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt1) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt2) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt3) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt4) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt5) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt6) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt7) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt8) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt9) ++ filetrans_pattern($1, device_t, 
mouse_device_t, chr_file, jbm) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js0) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js1) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js2) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js3) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js4) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js5) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js6) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js7) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js8) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js9) ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, kmem) ++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, kmsg) ++ filetrans_pattern($1, device_t, qemu_device_t, chr_file, kqemu) ++ filetrans_pattern($1, device_t, ksm_device_t, chr_file, ksm) ++ filetrans_pattern($1, device_t, kvm_device_t, chr_file, kvm) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik0) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik1) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik2) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik3) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik4) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik5) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik6) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik7) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik8) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik9) ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc0) ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc1) ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc2) ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc3) ++ filetrans_pattern($1, device_t, 
lirc_device_t, chr_file, lirc4) ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc5) ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc6) ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc7) ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc8) ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc9) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, lircm) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, logibm) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp0) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp1) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp2) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp3) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp4) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp5) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp6) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp7) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp8) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp9) ++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, mcelog) ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, mem) ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, mergemem) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid0) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid1) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid2) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid3) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid4) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid5) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid6) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, 
chr_file, mga_vid7) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid8) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid9) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mice) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, microcode) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer9) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mmetfgrab) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, modem) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4010) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4011) ++ filetrans_pattern($1, device_t, 
sound_device_t, chr_file, mpu4012) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4013) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4014) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4015) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4016) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4017) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4018) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4019) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr0) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr1) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr2) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr3) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr4) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr5) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr6) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr7) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr8) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr9) ++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, vhost) ++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, network_latency) ++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, network_throughput) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz0) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz1) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz2) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz3) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz4) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz5) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz6) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz7) ++ filetrans_pattern($1, device_t, modem_device_t, 
chr_file, noz8) ++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz9) ++ filetrans_pattern($1, device_t, null_device_t, chr_file, null) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia0) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia1) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia2) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia3) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia4) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia5) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia6) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia7) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia8) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia9) ++ filetrans_pattern($1, device_t, nvram_device_t, chr_file, nvram) ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, oldmem) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, opengl) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par0) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par1) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par2) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par3) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par4) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par5) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par6) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par7) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par8) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par9) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, pc110pad) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock0) ++ filetrans_pattern($1, 
device_t, clock_device_t, chr_file, pcfclock1) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock2) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock3) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock4) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock5) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock6) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock7) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock8) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock9) ++ filetrans_pattern($1, device_t, power_device_t, chr_file, pmu) ++ filetrans_pattern($1, device_t, memory_device_t, chr_file, port) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps0) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps1) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps2) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps3) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps4) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps5) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps6) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps7) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps8) ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps9) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi7) ++ 
filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi9) ++ filetrans_pattern($1, device_t, dri_device_t, chr_file, radeon) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio0) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio1) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio2) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio3) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio4) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio5) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio6) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio7) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio8) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio9) ++ filetrans_pattern($1, device_t, random_device_t, chr_file, random) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13940) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13941) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13942) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13943) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13944) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13945) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13946) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13947) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13948) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13949) ++ filetrans_pattern($1, device_t, wireless_device_t, chr_file, rfkill) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, sequencer) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, sequencer2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte1) ++ 
filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte7) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte8) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte9) ++ filetrans_pattern($1, device_t, power_device_t, chr_file, smu) ++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, snapshot) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, sndstat) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, sonypi) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm0) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm1) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm2) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm3) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm4) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm5) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm6) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm7) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm8) ++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm9) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, uinput) ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio0) ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio1) ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio2) ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio3) ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio4) ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio5) ++ filetrans_pattern($1, device_t, userio_device_t, 
chr_file, uio6) ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio7) ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio8) ++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio9) ++ filetrans_pattern($1, device_t, urandom_device_t, chr_file, urandom) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb0) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb1) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb2) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb3) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb4) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb5) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb6) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb7) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb8) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp0) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp1) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp2) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp3) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp4) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp5) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp6) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp7) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp8) ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp9) ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon0) ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon1) ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon2) ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon3) ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon4) ++ filetrans_pattern($1, device_t, usbmon_device_t, 
chr_file, usbmon5) ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon6) ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon7) ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon8) ++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon9) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, usbscanner) ++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, vhost-net) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi0) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi1) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi2) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi3) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi4) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi5) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi6) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi7) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi8) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi9) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox0) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox1) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox2) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox3) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox4) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox5) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox6) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox7) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox8) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox9) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vga_arbiter) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmmon) 
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet0) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet1) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet2) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet3) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet4) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet5) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet6) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet7) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet8) ++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet9) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video0) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video1) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video2) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video3) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video4) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video5) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video6) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video7) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video8) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video9) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, vrtpanel) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vttuner) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx0) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx1) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx2) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx3) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx4) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx5) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx6) ++ filetrans_pattern($1, device_t, 
v4l_device_t, chr_file, vtx7) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx8) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx9) ++ filetrans_pattern($1, device_t, watchdog_device_t, chr_file, watchdog) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio0) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio1) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio2) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio3) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio4) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio5) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio6) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio7) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio8) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio9) ++ filetrans_pattern($1, device_t, crypt_device_t, chr_file, z90crypt) ++ filetrans_pattern($1, device_t, zero_device_t, chr_file, zero) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card0) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card1) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card2) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card3) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card4) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card5) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card6) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card7) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card8) ++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card9) ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx0) ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx1) ++ filetrans_pattern($1, device_t, 
smartcard_device_t, chr_file, cmx2) ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx3) ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx4) ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx5) ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx6) ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx7) ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx8) ++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx9) ++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, cpu_dma_latency) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu0) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu1) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu2) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu3) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu4) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu5) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu6) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu7) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu8) ++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu9) ++ filetrans_pattern($1, device_t, mtrr_device_t, chr_file, mtrr) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor0) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor1) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor2) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor3) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor4) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor5) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor6) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor7) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor8) ++ filetrans_pattern($1, device_t, 
event_device_t, chr_file, sensor9) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m0) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m1) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m2) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m3) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m4) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m5) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m6) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m7) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m8) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m9) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard0) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard1) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard2) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard3) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard4) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard5) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard6) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard7) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard8) ++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard9) ++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, control) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, ucb1x00) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mk712) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx0) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx1) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx2) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx3) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx4) ++ filetrans_pattern($1, 
device_t, scanner_device_t, chr_file, dc2xx5) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx6) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx7) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx8) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx9) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8000) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8001) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8002) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8003) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8004) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8005) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8006) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8007) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8008) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8009) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner0) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner1) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner2) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner3) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner4) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner5) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner6) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner7) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner8) ++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner9) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap0) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap1) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap2) ++ 
filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap3) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap4) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap5) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap6) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap7) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap8) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap9) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, gntdev) ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, gntalloc) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, patmgr0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, patmgr1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd0) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd1) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd2) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd3) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd4) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd5) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd6) ++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd7) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, tlk0) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, tlk1) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, tlk2) ++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, tlk3) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, uba) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, ubb) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, ubc) ++') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 3ff4f60..89ffda6 100644 --- a/policy/modules/kernel/devices.te @@ -14109,7 +14850,7 @@ index 069d36c..78a81b3 100644 +') + 
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 5001b89..160976e 100644 +index 5001b89..fef153d 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -14129,7 +14870,17 @@ index 5001b89..160976e 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -254,7 +257,8 @@ fs_unmount_all_fs(kernel_t) +@@ -246,6 +249,9 @@ dev_delete_generic_blk_files(kernel_t) + dev_create_generic_chr_files(kernel_t) + dev_delete_generic_chr_files(kernel_t) + dev_mounton(kernel_t) ++dev_filetrans_all_named_dev(kernel_t) ++storage_filetrans_all_named_dev(kernel_t) ++term_filetrans_all_named_dev(kernel_t) + + # Mount root file system. Used when loading a policy + # from initrd, then mounting the root filesystem +@@ -254,7 +260,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -14139,7 +14890,7 @@ index 5001b89..160976e 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -268,19 +272,28 @@ files_list_root(kernel_t) +@@ -268,19 +275,28 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -14168,7 +14919,7 @@ index 5001b89..160976e 100644 optional_policy(` hotplug_search_config(kernel_t) ') -@@ -296,6 +309,11 @@ optional_policy(` +@@ -296,6 +312,11 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -14180,7 +14931,7 @@ index 5001b89..160976e 100644 ') optional_policy(` -@@ -357,6 +375,10 @@ optional_policy(` +@@ -357,6 +378,10 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -14364,7 +15115,7 @@ index a9b8982..57c4a6a 100644 +/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) 
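Review bot: The three `*_filetrans_all_named_dev(kernel_t)` calls added after `dev_mounton(kernel_t)` only give kernel_t a name-based transition for the device names those interfaces enumerate, and both definitions visible in this patch (the devices.if tail above and the storage.if body below) stop at index 9 — `loop0`..`loop9`, `dm-0`..`dm-9`, `card0`..`card9` — while the file-contexts context in the same patch matches `/lib/udev/devices/loop.*`. A node such as `loop10` created by kernel_t would presumably still be created with the parent's generic `device_t` label and depend on a later relabel, so that limit is worth stating next to the calls, e.g. `# named transitions cover indices 0-9 only; higher-numbered nodes still rely on udev/restorecon relabeling`. The storage list also declares `pg0`..`pg3` as both `blk_file` and `chr_file` and `ht0`/`ht1` as `blk_file` beside `ht00`..`ht09` as `chr_file`; that may be intentional but is easy to misread without a comment. `term_filetrans_all_named_dev` is not in view, so I cannot confirm it has the same limit, and the kernel.te block these rules sit in continues outside the hunk.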
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 3723150..d6d1dbe 100644 +index 3723150..aa1ba6a 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` 
@@ -14387,6 +15138,272 @@ index 3723150..d6d1dbe 100644 dev_add_entry_generic_dirs($1) ') +@@ -807,3 +812,265 @@ interface(`storage_unconfined',` + + typeattribute $1 storage_unconfined_type; + ') ++ ++######################################## ++## ++## Create all named devices with the correct label ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`storage_filetrans_all_named_dev',` ++ ++gen_require(` ++ type tape_device_t; ++ type fixed_disk_device_t; ++ type removable_device_t; ++ type scsi_generic_device_t; ++ type fuse_device_t; ++') ++ ++ dev_filetrans($1, tape_device_t, chr_file, ht00) ++ dev_filetrans($1, tape_device_t, chr_file, ht01) ++ dev_filetrans($1, tape_device_t, chr_file, ht02) ++ dev_filetrans($1, tape_device_t, chr_file, ht03) ++ dev_filetrans($1, tape_device_t, chr_file, ht04) ++ dev_filetrans($1, tape_device_t, chr_file, ht05) ++ dev_filetrans($1, tape_device_t, chr_file, ht06) ++ dev_filetrans($1, tape_device_t, chr_file, ht07) ++ dev_filetrans($1, tape_device_t, chr_file, ht08) ++ dev_filetrans($1, tape_device_t, chr_file, ht09) ++ dev_filetrans($1, tape_device_t, chr_file, st00) ++ dev_filetrans($1, tape_device_t, chr_file, st01) ++ dev_filetrans($1, tape_device_t, chr_file, st02) ++ dev_filetrans($1, tape_device_t, chr_file, st03) ++ dev_filetrans($1, tape_device_t, chr_file, st04) ++ dev_filetrans($1, tape_device_t, chr_file, st05) ++ dev_filetrans($1, tape_device_t, chr_file, st06) ++ dev_filetrans($1, tape_device_t, chr_file, st07) ++ dev_filetrans($1, tape_device_t, chr_file, st08) ++ dev_filetrans($1, tape_device_t, chr_file, st09) ++ dev_filetrans($1, tape_device_t, chr_file, qft0) ++ dev_filetrans($1, tape_device_t, chr_file, qft1) ++ dev_filetrans($1, tape_device_t, chr_file, qft2) ++ dev_filetrans($1, tape_device_t, chr_file, qft3) ++ dev_filetrans($1, tape_device_t, chr_file, osst00) ++ dev_filetrans($1, tape_device_t, chr_file, osst01) ++ dev_filetrans($1, tape_device_t, chr_file, osst02) ++ dev_filetrans($1, 
tape_device_t, chr_file, osst03) ++ dev_filetrans($1, tape_device_t, chr_file, osst04) ++ dev_filetrans($1, tape_device_t, chr_file, osst05) ++ dev_filetrans($1, tape_device_t, chr_file, osst06) ++ dev_filetrans($1, tape_device_t, chr_file, osst07) ++ dev_filetrans($1, tape_device_t, chr_file, osst08) ++ dev_filetrans($1, tape_device_t, chr_file, osst09) ++ dev_filetrans($1, tape_device_t, chr_file, pt0) ++ dev_filetrans($1, tape_device_t, chr_file, pt1) ++ dev_filetrans($1, tape_device_t, chr_file, pt2) ++ dev_filetrans($1, tape_device_t, chr_file, pt3) ++ dev_filetrans($1, tape_device_t, chr_file, pt4) ++ dev_filetrans($1, tape_device_t, chr_file, pt5) ++ dev_filetrans($1, tape_device_t, chr_file, pt6) ++ dev_filetrans($1, tape_device_t, chr_file, pt7) ++ dev_filetrans($1, tape_device_t, chr_file, pt8) ++ dev_filetrans($1, tape_device_t, chr_file, pt9) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic0) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic1) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic2) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic3) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic4) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic5) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic6) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic7) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic8) ++ dev_filetrans($1, tape_device_t, chr_file, tpqic9) ++ dev_filetrans($1, removable_device_t, blk_file, aztcd) ++ dev_filetrans($1, removable_device_t, blk_file, bpcd) ++ dev_filetrans($1, removable_device_t, blk_file, cdu0) ++ dev_filetrans($1, removable_device_t, blk_file, cdu1) ++ dev_filetrans($1, removable_device_t, blk_file, cdu2) ++ dev_filetrans($1, removable_device_t, blk_file, cdu3) ++ dev_filetrans($1, removable_device_t, blk_file, cdu4) ++ dev_filetrans($1, removable_device_t, blk_file, cdu5) ++ dev_filetrans($1, removable_device_t, blk_file, cdu6) ++ dev_filetrans($1, removable_device_t, blk_file, cdu7) ++ dev_filetrans($1, 
removable_device_t, blk_file, cdu8)
++ dev_filetrans($1, removable_device_t, blk_file, cdu9)
++ dev_filetrans($1, removable_device_t, blk_file, cm200)
++ dev_filetrans($1, removable_device_t, blk_file, cm201)
++ dev_filetrans($1, removable_device_t, blk_file, cm202)
++ dev_filetrans($1, removable_device_t, blk_file, cm203)
++ dev_filetrans($1, removable_device_t, blk_file, cm204)
++ dev_filetrans($1, removable_device_t, blk_file, cm205)
++ dev_filetrans($1, removable_device_t, blk_file, cm206)
++ dev_filetrans($1, removable_device_t, blk_file, cm207)
++ dev_filetrans($1, removable_device_t, blk_file, cm208)
++ dev_filetrans($1, removable_device_t, blk_file, cm209)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-9)
++ dev_filetrans($1, removable_device_t, blk_file, gscd)
++ dev_filetrans($1, removable_device_t, blk_file, hitcd)
++ dev_filetrans($1, tape_device_t, blk_file, ht0)
++ dev_filetrans($1, tape_device_t, blk_file, ht1)
++ dev_filetrans($1, removable_device_t, blk_file, hwcdrom)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, initrd)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, jsfd)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, jsflash)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop9)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, lvm)
++ dev_filetrans($1, removable_device_t, blk_file, mcd)
++ dev_filetrans($1, removable_device_t, blk_file, mcdx)
++ dev_filetrans($1, removable_device_t, chr_file, megadev0)
++ dev_filetrans($1, removable_device_t, chr_file, megadev1)
++ dev_filetrans($1, removable_device_t, chr_file, megadev2)
++ dev_filetrans($1, removable_device_t, chr_file, megadev3)
++ dev_filetrans($1, removable_device_t, chr_file, megadev4)
++ dev_filetrans($1, removable_device_t, chr_file, megadev5)
++ dev_filetrans($1, removable_device_t, chr_file, megadev6)
++ dev_filetrans($1, removable_device_t, chr_file, megadev7)
++ dev_filetrans($1, removable_device_t, chr_file, megadev8)
++ dev_filetrans($1, removable_device_t, chr_file, megadev9)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk0)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk1)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk2)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk3)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk4)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk5)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk6)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk7)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk8)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk9)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk0)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk1)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk2)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk3)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk4)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk5)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk6)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk7)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk8)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd9)
++ dev_filetrans($1, removable_device_t, blk_file, optcd)
++ dev_filetrans($1, removable_device_t, blk_file, pf0)
++ dev_filetrans($1, removable_device_t, blk_file, pf1)
++ dev_filetrans($1, removable_device_t, blk_file, pf2)
++ dev_filetrans($1, removable_device_t, blk_file, pf3)
++ dev_filetrans($1, removable_device_t, blk_file, pg0)
++ dev_filetrans($1, removable_device_t, blk_file, pg1)
++ dev_filetrans($1, removable_device_t, blk_file, pg2)
++ dev_filetrans($1, removable_device_t, blk_file, pg3)
++ dev_filetrans($1, removable_device_t, blk_file, pcd0)
++ dev_filetrans($1, removable_device_t, blk_file, pcd1)
++ dev_filetrans($1, removable_device_t, blk_file, pcd2)
++ dev_filetrans($1, removable_device_t, blk_file, pcd3)
++ dev_filetrans($1, removable_device_t, chr_file, pg0)
++ dev_filetrans($1, removable_device_t, chr_file, pg1)
++ dev_filetrans($1, removable_device_t, chr_file, pg2)
++ dev_filetrans($1, removable_device_t, chr_file, pg3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, root)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd0)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd1)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd2)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd3)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd4)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd5)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd6)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd7)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd8)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd9)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg0)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg1)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg2)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg3)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg4)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg5)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg6)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg7)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg8)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg9)
++ dev_filetrans($1, removable_device_t, blk_file, sjcd)
++ dev_filetrans($1, removable_device_t, blk_file, sonycd)
++ dev_filetrans($1, tape_device_t, chr_file, tape0)
++ dev_filetrans($1, tape_device_t, chr_file, tape1)
++ dev_filetrans($1, tape_device_t, chr_file, tape2)
++ dev_filetrans($1, tape_device_t, chr_file, tape3)
++ dev_filetrans($1, tape_device_t, chr_file, tape4)
++ dev_filetrans($1, tape_device_t, chr_file, tape5)
++ dev_filetrans($1, tape_device_t, chr_file, tape6)
++ dev_filetrans($1, tape_device_t, chr_file, tape7)
++ dev_filetrans($1, tape_device_t, chr_file, tape8)
++ dev_filetrans($1, tape_device_t, chr_file, tape9)
++ dev_filetrans($1, fuse_device_t, chr_file, fuse)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, device-mapper)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw0)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw1)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw2)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw3)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw4)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw5)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw6)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw7)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw8)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw9)
++ dev_filetrans($1, removable_device_t, chr_file, rio500)
++')
 diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
 index 3994e57..a1923fe 100644
 --- a/policy/modules/kernel/terminal.fc
@@ -14414,7 +15431,7 @@ index 3994e57..a1923fe 100644
 +
 +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..f54d681 100644
+index f3acfee..0082923 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -14654,7 +15671,7 @@ index f3acfee..f54d681 100644
  ')
  
  ########################################
-@@ -1475,3 +1578,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1578,382 @@ interface(`term_dontaudit_use_all_user_ttys',`
  refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  term_dontaudit_use_all_ttys($1)
  ')
@@ -14677,6 +15694,366 @@ index f3acfee..f54d681 100644
 + dev_list_all_dev_nodes($1)
 + allow $1 virtio_device_t:chr_file rw_chr_file_perms;
 +')
++
++########################################
++##
++## Create all named term devices with the correct label
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_filetrans_all_named_dev',`
++
++gen_require(`
++ type tty_device_t;
++ type bsdpty_device_t;
++ type console_device_t;
++ type ptmx_t;
++ type devtty_t;
++ type virtio_device_t;
++ type devpts_t;
++ type usbtty_device_t;
++')
++
++ dev_filetrans($1, devtty_t, chr_file, tty)
++ dev_filetrans($1, tty_device_t, chr_file, tty0)
++ dev_filetrans($1, tty_device_t, chr_file, tty1)
++ dev_filetrans($1, tty_device_t, chr_file, tty2)
++ dev_filetrans($1, tty_device_t, chr_file, tty3)
++ dev_filetrans($1, tty_device_t, chr_file, tty4)
++ dev_filetrans($1, tty_device_t, chr_file, tty5)
++ dev_filetrans($1, tty_device_t, chr_file, tty6)
++ dev_filetrans($1, tty_device_t, chr_file, tty7)
++ dev_filetrans($1, tty_device_t, chr_file, tty8)
++ dev_filetrans($1, tty_device_t, chr_file, tty9)
++ dev_filetrans($1, tty_device_t, chr_file, tty10)
++ dev_filetrans($1, tty_device_t, chr_file, tty11)
++ dev_filetrans($1, tty_device_t, chr_file, tty12)
++ dev_filetrans($1, tty_device_t, chr_file, tty13)
++ dev_filetrans($1, tty_device_t, chr_file, tty14)
++ dev_filetrans($1, tty_device_t, chr_file, tty15)
++ dev_filetrans($1, tty_device_t, chr_file, tty16)
++ dev_filetrans($1, tty_device_t, chr_file, tty17)
++ dev_filetrans($1, tty_device_t, chr_file, tty18)
++ dev_filetrans($1, tty_device_t, chr_file, tty19)
++ dev_filetrans($1, tty_device_t, chr_file, tty20)
++ dev_filetrans($1, tty_device_t, chr_file, tty21)
++ dev_filetrans($1, tty_device_t, chr_file, tty22)
++ dev_filetrans($1, tty_device_t, chr_file, tty23)
++ dev_filetrans($1, tty_device_t, chr_file, tty24)
++ dev_filetrans($1, tty_device_t, chr_file, tty25)
++ dev_filetrans($1, tty_device_t, chr_file, tty26)
++ dev_filetrans($1, tty_device_t, chr_file, tty27)
++ dev_filetrans($1, tty_device_t, chr_file, tty28)
++ dev_filetrans($1, tty_device_t, chr_file, tty29)
++ dev_filetrans($1, tty_device_t, chr_file, tty30)
++ dev_filetrans($1, tty_device_t, chr_file, tty31)
++ dev_filetrans($1, tty_device_t, chr_file, tty32)
++ dev_filetrans($1, tty_device_t, chr_file, tty33)
++ dev_filetrans($1, tty_device_t, chr_file, tty34)
++ dev_filetrans($1, tty_device_t, chr_file, tty35)
++ dev_filetrans($1, tty_device_t, chr_file, tty36)
++ dev_filetrans($1, tty_device_t, chr_file, tty37)
++ dev_filetrans($1, tty_device_t, chr_file, tty38)
++ dev_filetrans($1, tty_device_t, chr_file, tty39)
++ dev_filetrans($1, tty_device_t, chr_file, tty40)
++ dev_filetrans($1, tty_device_t, chr_file, tty41)
++ dev_filetrans($1, tty_device_t, chr_file, tty42)
++ dev_filetrans($1, tty_device_t, chr_file, tty43)
++ dev_filetrans($1, tty_device_t, chr_file, tty44)
++ dev_filetrans($1, tty_device_t, chr_file, tty45)
++ dev_filetrans($1, tty_device_t, chr_file, tty46)
++ dev_filetrans($1, tty_device_t, chr_file, tty47)
++ dev_filetrans($1, tty_device_t, chr_file, tty48)
++ dev_filetrans($1, tty_device_t, chr_file, tty49)
++ dev_filetrans($1, tty_device_t, chr_file, tty50)
++ dev_filetrans($1, tty_device_t, chr_file, tty51)
++ dev_filetrans($1, tty_device_t, chr_file, tty52)
++ dev_filetrans($1, tty_device_t, chr_file, tty53)
++ dev_filetrans($1, tty_device_t, chr_file, tty54)
++ dev_filetrans($1, tty_device_t, chr_file, tty55)
++ dev_filetrans($1, tty_device_t, chr_file, tty56)
++ dev_filetrans($1, tty_device_t, chr_file, tty57)
++ dev_filetrans($1, tty_device_t, chr_file, tty58)
++ dev_filetrans($1, tty_device_t, chr_file, tty59)
++ dev_filetrans($1, tty_device_t, chr_file, tty60)
++ dev_filetrans($1, tty_device_t, chr_file, tty61)
++ dev_filetrans($1, tty_device_t, chr_file, tty62)
++ dev_filetrans($1, tty_device_t, chr_file, tty63)
++ dev_filetrans($1, tty_device_t, chr_file, tty64)
++ dev_filetrans($1, tty_device_t, chr_file, tty65)
++ dev_filetrans($1, tty_device_t, chr_file, tty66)
++ dev_filetrans($1, tty_device_t, chr_file, tty67)
++ dev_filetrans($1, tty_device_t, chr_file, tty68)
++ dev_filetrans($1, tty_device_t, chr_file, tty69)
++ dev_filetrans($1, tty_device_t, chr_file, tty70)
++ dev_filetrans($1, tty_device_t, chr_file, tty71)
++ dev_filetrans($1, tty_device_t, chr_file, tty72)
++ dev_filetrans($1, tty_device_t, chr_file, tty73)
++ dev_filetrans($1, tty_device_t, chr_file, tty74)
++ dev_filetrans($1, tty_device_t, chr_file, tty75)
++ dev_filetrans($1, tty_device_t, chr_file, tty76)
++ dev_filetrans($1, tty_device_t, chr_file, tty77)
++ dev_filetrans($1, tty_device_t, chr_file, tty78)
++ dev_filetrans($1, tty_device_t, chr_file, tty79)
++ dev_filetrans($1, tty_device_t, chr_file, tty80)
++ dev_filetrans($1, tty_device_t, chr_file, tty81)
++ dev_filetrans($1, tty_device_t, chr_file, tty82)
++ dev_filetrans($1, tty_device_t, chr_file, tty83)
++ dev_filetrans($1, tty_device_t, chr_file, tty84)
++ dev_filetrans($1, tty_device_t, chr_file, tty85)
++ dev_filetrans($1, tty_device_t, chr_file, tty86)
++ dev_filetrans($1, tty_device_t, chr_file, tty87)
++ dev_filetrans($1, tty_device_t, chr_file, tty88)
++ dev_filetrans($1, tty_device_t, chr_file, tty89)
++ dev_filetrans($1, tty_device_t, chr_file, tty90)
++ dev_filetrans($1, tty_device_t, chr_file, tty91)
++ dev_filetrans($1, tty_device_t, chr_file, tty92)
++ dev_filetrans($1, tty_device_t, chr_file, tty93)
++ dev_filetrans($1, tty_device_t, chr_file, tty94)
++ dev_filetrans($1, tty_device_t, chr_file, tty95)
++ dev_filetrans($1, tty_device_t, chr_file, tty96)
++ dev_filetrans($1, tty_device_t, chr_file, tty97)
++ dev_filetrans($1, tty_device_t, chr_file, tty98)
++ dev_filetrans($1, tty_device_t, chr_file, tty99)
++ dev_filetrans($1, tty_device_t, chr_file, pty)
++ dev_filetrans($1, tty_device_t, chr_file, pty0)
++ dev_filetrans($1, tty_device_t, chr_file, pty1)
++ dev_filetrans($1, tty_device_t, chr_file, pty2)
++ dev_filetrans($1, tty_device_t, chr_file, pty3)
++ dev_filetrans($1, tty_device_t, chr_file, pty4)
++ dev_filetrans($1, tty_device_t, chr_file, pty5)
++ dev_filetrans($1, tty_device_t, chr_file, pty6)
++ dev_filetrans($1, tty_device_t, chr_file, pty7)
++ dev_filetrans($1, tty_device_t, chr_file, pty8)
++ dev_filetrans($1, tty_device_t, chr_file, pty9)
++ dev_filetrans($1, tty_device_t, chr_file, pty10)
++ dev_filetrans($1, tty_device_t, chr_file, pty11)
++ dev_filetrans($1, tty_device_t, chr_file, pty12)
++ dev_filetrans($1, tty_device_t, chr_file, pty13)
++ dev_filetrans($1, tty_device_t, chr_file, pty14)
++ dev_filetrans($1, tty_device_t, chr_file, pty15)
++ dev_filetrans($1, tty_device_t, chr_file, pty16)
++ dev_filetrans($1, tty_device_t, chr_file, pty17)
++ dev_filetrans($1, tty_device_t, chr_file, pty18)
++ dev_filetrans($1, tty_device_t, chr_file, pty19)
++ dev_filetrans($1, tty_device_t, chr_file, pty20)
++ dev_filetrans($1, tty_device_t, chr_file, pty21)
++ dev_filetrans($1, tty_device_t, chr_file, pty22)
++ dev_filetrans($1, tty_device_t, chr_file, pty23)
++ dev_filetrans($1, tty_device_t, chr_file, pty24)
++ dev_filetrans($1, tty_device_t, chr_file, pty25)
++ dev_filetrans($1, tty_device_t, chr_file, pty26)
++ dev_filetrans($1, tty_device_t, chr_file, pty27)
++ dev_filetrans($1, tty_device_t, chr_file, pty28)
++ dev_filetrans($1, tty_device_t, chr_file, pty29)
++ dev_filetrans($1, tty_device_t, chr_file, pty30)
++ dev_filetrans($1, tty_device_t, chr_file, pty31)
++ dev_filetrans($1, tty_device_t, chr_file, pty32)
++ dev_filetrans($1, tty_device_t, chr_file, pty33)
++ dev_filetrans($1, tty_device_t, chr_file, pty34)
++ dev_filetrans($1, tty_device_t, chr_file, pty35)
++ dev_filetrans($1, tty_device_t, chr_file, pty36)
++ dev_filetrans($1, tty_device_t, chr_file, pty37)
++ dev_filetrans($1, tty_device_t, chr_file, pty38)
++ dev_filetrans($1, tty_device_t, chr_file, pty39)
++ dev_filetrans($1, tty_device_t, chr_file, pty40)
++ dev_filetrans($1, tty_device_t, chr_file, pty41)
++ dev_filetrans($1, tty_device_t, chr_file, pty42)
++ dev_filetrans($1, tty_device_t, chr_file, pty43)
++ dev_filetrans($1, tty_device_t, chr_file, pty44)
++ dev_filetrans($1, tty_device_t, chr_file, pty45)
++ dev_filetrans($1, tty_device_t, chr_file, pty46)
++ dev_filetrans($1, tty_device_t, chr_file, pty47)
++ dev_filetrans($1, tty_device_t, chr_file, pty48)
++ dev_filetrans($1, tty_device_t, chr_file, pty49)
++ dev_filetrans($1, tty_device_t, chr_file, pty50)
++ dev_filetrans($1, tty_device_t, chr_file, pty51)
++ dev_filetrans($1, tty_device_t, chr_file, pty52)
++ dev_filetrans($1, tty_device_t, chr_file, pty53)
++ dev_filetrans($1, tty_device_t, chr_file, pty54)
++ dev_filetrans($1, tty_device_t, chr_file, pty55)
++ dev_filetrans($1, tty_device_t, chr_file, pty56)
++ dev_filetrans($1, tty_device_t, chr_file, pty57)
++ dev_filetrans($1, tty_device_t, chr_file, pty58)
++ dev_filetrans($1, tty_device_t, chr_file, pty59)
++ dev_filetrans($1, tty_device_t, chr_file, pty60)
++ dev_filetrans($1, tty_device_t, chr_file, pty61)
++ dev_filetrans($1, tty_device_t, chr_file, pty62)
++ dev_filetrans($1, tty_device_t, chr_file, pty63)
++ dev_filetrans($1, tty_device_t, chr_file, pty64)
++ dev_filetrans($1, tty_device_t, chr_file, pty65)
++ dev_filetrans($1, tty_device_t, chr_file, pty66)
++ dev_filetrans($1, tty_device_t, chr_file, pty67)
++ dev_filetrans($1, tty_device_t, chr_file, pty68)
++ dev_filetrans($1, tty_device_t, chr_file, pty69)
++ dev_filetrans($1, tty_device_t, chr_file, pty70)
++ dev_filetrans($1, tty_device_t, chr_file, pty71)
++ dev_filetrans($1, tty_device_t, chr_file, pty72)
++ dev_filetrans($1, tty_device_t, chr_file, pty73)
++ dev_filetrans($1, tty_device_t, chr_file, pty74)
++ dev_filetrans($1, tty_device_t, chr_file, pty75)
++ dev_filetrans($1, tty_device_t, chr_file, pty76)
++ dev_filetrans($1, tty_device_t, chr_file, pty77)
++ dev_filetrans($1, tty_device_t, chr_file, pty78)
++ dev_filetrans($1, tty_device_t, chr_file, pty79)
++ dev_filetrans($1, tty_device_t, chr_file, pty80)
++ dev_filetrans($1, tty_device_t, chr_file, pty81)
++ dev_filetrans($1, tty_device_t, chr_file, pty82)
++ dev_filetrans($1, tty_device_t, chr_file, pty83)
++ dev_filetrans($1, tty_device_t, chr_file, pty84)
++ dev_filetrans($1, tty_device_t, chr_file, pty85)
++ dev_filetrans($1, tty_device_t, chr_file, pty86)
++ dev_filetrans($1, tty_device_t, chr_file, pty87)
++ dev_filetrans($1, tty_device_t, chr_file, pty88)
++ dev_filetrans($1, tty_device_t, chr_file, pty89)
++ dev_filetrans($1, tty_device_t, chr_file, pty90)
++ dev_filetrans($1, tty_device_t, chr_file, pty91)
++ dev_filetrans($1, tty_device_t, chr_file, pty92)
++ dev_filetrans($1, tty_device_t, chr_file, pty93)
++ dev_filetrans($1, tty_device_t, chr_file, pty94)
++ dev_filetrans($1, tty_device_t, chr_file, pty95)
++ dev_filetrans($1, tty_device_t, chr_file, pty96)
++ dev_filetrans($1, tty_device_t, chr_file, pty97)
++ dev_filetrans($1, tty_device_t, chr_file, pty98)
++ dev_filetrans($1, tty_device_t, chr_file, pty99)
++ dev_filetrans($1, tty_device_t, chr_file, adb0)
++ dev_filetrans($1, tty_device_t, chr_file, adb1)
++ dev_filetrans($1, tty_device_t, chr_file, adb2)
++ dev_filetrans($1, tty_device_t, chr_file, adb3)
++ dev_filetrans($1, tty_device_t, chr_file, adb4)
++ dev_filetrans($1, tty_device_t, chr_file, adb5)
++ dev_filetrans($1, tty_device_t, chr_file, adb6)
++ dev_filetrans($1, tty_device_t, chr_file, adb7)
++ dev_filetrans($1, tty_device_t, chr_file, adb8)
++ dev_filetrans($1, tty_device_t, chr_file, adb9)
++ dev_filetrans($1, tty_device_t, chr_file, capi0)
++ dev_filetrans($1, tty_device_t, chr_file, capi1)
++ dev_filetrans($1, tty_device_t, chr_file, capi2)
++ dev_filetrans($1, tty_device_t, chr_file, capi3)
++ dev_filetrans($1, tty_device_t, chr_file, capi4)
++ dev_filetrans($1, tty_device_t, chr_file, capi5)
++ dev_filetrans($1, tty_device_t, chr_file, capi6)
++ dev_filetrans($1, tty_device_t, chr_file, capi7)
++ dev_filetrans($1, tty_device_t, chr_file, capi8)
++ dev_filetrans($1, tty_device_t, chr_file, capi9)
++ dev_filetrans($1, console_device_t, chr_file, console)
++ dev_filetrans($1, tty_device_t, chr_file, cu0)
++ dev_filetrans($1, tty_device_t, chr_file, cu1)
++ dev_filetrans($1, tty_device_t, chr_file, cu2)
++ dev_filetrans($1, tty_device_t, chr_file, cu3)
++ dev_filetrans($1, tty_device_t, chr_file, cu4)
++ dev_filetrans($1, tty_device_t, chr_file, cu5)
++ dev_filetrans($1, tty_device_t, chr_file, cu6)
++ dev_filetrans($1, tty_device_t, chr_file, cu7)
++ dev_filetrans($1, tty_device_t, chr_file, cu8)
++ dev_filetrans($1, tty_device_t, chr_file, cu9)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri0)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri1)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri2)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri3)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri4)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri5)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri6)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri7)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri8)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri9)
++ dev_filetrans($1, tty_device_t, chr_file, hvc0)
++ dev_filetrans($1, tty_device_t, chr_file, hvc1)
++ dev_filetrans($1, tty_device_t, chr_file, hvc2)
++ dev_filetrans($1, tty_device_t, chr_file, hvc3)
++ dev_filetrans($1, tty_device_t, chr_file, hvc4)
++ dev_filetrans($1, tty_device_t, chr_file, hvc5)
++ dev_filetrans($1, tty_device_t, chr_file, hvc6)
++ dev_filetrans($1, tty_device_t, chr_file, hvc7)
++ dev_filetrans($1, tty_device_t, chr_file, hvc8)
++ dev_filetrans($1, tty_device_t, chr_file, hvc9)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi0)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi1)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi2)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi3)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi4)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi5)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi6)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi7)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi8)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi9)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm0)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm1)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm2)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm3)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm4)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm5)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm6)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm7)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm8)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm9)
++ dev_filetrans($1, tty_device_t, chr_file, isdn0)
++ dev_filetrans($1, tty_device_t, chr_file, isdn1)
++ dev_filetrans($1, tty_device_t, chr_file, isdn2)
++ dev_filetrans($1, tty_device_t, chr_file, isdn3)
++ dev_filetrans($1, tty_device_t, chr_file, isdn4)
++ dev_filetrans($1, tty_device_t, chr_file, isdn5)
++ dev_filetrans($1, tty_device_t, chr_file, isdn6)
++ dev_filetrans($1, tty_device_t, chr_file, isdn7)
++ dev_filetrans($1, tty_device_t, chr_file, isdn8)
++ dev_filetrans($1, tty_device_t, chr_file, isdn9)
++ dev_filetrans($1, ptmx_t, chr_file, ptmx)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm0)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm1)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm2)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm3)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm4)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm5)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm6)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm7)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm8)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm9)
++ dev_filetrans($1, tty_device_t, chr_file, slamr0)
++ dev_filetrans($1, tty_device_t, chr_file, slamr1)
++ dev_filetrans($1, tty_device_t, chr_file, slamr2)
++ dev_filetrans($1, tty_device_t, chr_file, slamr3)
++ dev_filetrans($1, tty_device_t, chr_file, slamr4)
++ dev_filetrans($1, tty_device_t, chr_file, slamr5)
++ dev_filetrans($1, tty_device_t, chr_file, slamr6)
++ dev_filetrans($1, tty_device_t, chr_file, slamr7)
++ dev_filetrans($1, tty_device_t, chr_file, slamr8)
++ dev_filetrans($1, tty_device_t, chr_file, slamr9)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG0)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG1)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG2)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG3)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG4)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG5)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG6)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG7)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG8)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG9)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p0)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p1)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p2)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p3)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p4)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p5)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p6)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p7)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p8)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p9)
++ dev_filetrans($1, devpts_t, dir, pts)
++ dev_filetrans($1, tty_device_t, chr_file, xvc0)
++ dev_filetrans($1, tty_device_t, chr_file, xvc1)
++ dev_filetrans($1, tty_device_t, chr_file, xvc2)
++ dev_filetrans($1, tty_device_t, chr_file, xvc3)
++ dev_filetrans($1, tty_device_t, chr_file, xvc4)
++ dev_filetrans($1, tty_device_t, chr_file, xvc5)
++ dev_filetrans($1, tty_device_t, chr_file, xvc6)
++ dev_filetrans($1, tty_device_t, chr_file, xvc7)
++ dev_filetrans($1, tty_device_t, chr_file, xvc8)
++ dev_filetrans($1, tty_device_t, chr_file, xvc9)
++')
 diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
 index 361692e..0f09fb5 100644
 --- a/policy/modules/kernel/terminal.te
@@ -15028,10 +16405,10 @@ index 2be17d2..7ccb554 100644
 + userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..6b0999e 100644
+index 4a8d146..4d02bae 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,56 @@ ifndef(`enable_mls',`
  #
  # Local policy
  #
@@ -15043,6 +16420,10 @@ index 4a8d146..6b0999e 100644
 +
 +files_read_kernel_modules(sysadm_t)
 +
++dev_filetrans_all_named_dev(sysadm_t)
++storage_filetrans_all_named_dev(sysadm_t)
++term_filetrans_all_named_dev(sysadm_t)
++
  mls_process_read_up(sysadm_t)
 +mls_file_read_to_clearance(sysadm_t)
 +mls_process_write_to_clearance(sysadm_t)
@@ -15061,6 +16442,12 @@ index 4a8d146..6b0999e 100644
 +init_script_role_transition(sysadm_r)
 +
 +miscfiles_read_hwdata(sysadm_t)
++
++sysnet_etc_filetrans_config(sysadm_t, resolv.conf)
++sysnet_etc_filetrans_config(sysadm_t, denyhosts)
++sysnet_etc_filetrans_config(sysadm_t, hosts)
++sysnet_etc_filetrans_config(sysadm_t, ethers)
++sysnet_etc_filetrans_config(sysadm_t, yp.conf)
  
  # Add/remove user home directories
  userdom_manage_user_home_dirs(sysadm_t)
@@ -15070,10 +16457,15 @@ index 4a8d146..6b0999e 100644
 +userdom_manage_user_tmp_symlinks(sysadm_t)
 +userdom_manage_user_tmp_chr_files(sysadm_t)
 +userdom_manage_user_tmp_blk_files(sysadm_t)
++
++optional_policy(`
++ ssh_user_home_dir_filetrans(sysadm_t)
++ ssh_admin_home_dir_filetrans(sysadm_t)
++')
  
  ifdef(`direct_sysadm_daemon',`
  optional_policy(`
-@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +91,7 @@ ifndef(`enable_mls',`
  logging_manage_audit_log(sysadm_t)
  logging_manage_audit_config(sysadm_t)
  logging_run_auditctl(sysadm_t, sysadm_r)
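Review bot: The `gen_require` block of the new `term_filetrans_all_named_dev` pulls in `bsdpty_device_t` and `usbtty_device_t`, but none of the `dev_filetrans` calls that follow uses either type, so the two `type` lines are dead unless transitions for those device names were meant to be listed and got dropped; either delete `type bsdpty_device_t;` and `type usbtty_device_t;` or add the entries they were meant to back. The `gen_require(` line and its closing `')` also sit at column 0 inside the interface body while every rule below them is indented, which reads as a stray paste rather than the usual refpolicy layout. The `##` header lines above the interface come through empty in this rendering, so the `<summary>`/`<param>` markup the interface documentation build expects may have been lost — worth confirming in the source file.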
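Review bot: The rules added to sysadm_t in `@@ -15043`, `@@ -15061` and `@@ -15070` (the three `*_filetrans_all_named_dev` calls, the five `sysnet_etc_filetrans_config` names and the `ssh_*_home_dir_filetrans` optional block) are repeated line for line for unconfined_t in `@@ -16166`, so the two copies will drift apart the next time a device or /etc name is added to one of them. Putting the list behind one interface in the owning module — for instance a `sysnet_filetrans_named_content($1)` in sysnetwork.if carrying the five /etc names — and calling it from both sysadm.te and unconfineduser.te keeps the admin and unconfined domains in step. This only affects the shape of the policy, not what it grants; the inner hunks these lines belong to start outside this chunk.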
@@ -15081,7 +16473,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  tunable_policy(`allow_ptrace',`
-@@ -69,7 +91,6 @@ optional_policy(`
+@@ -69,7 +106,6 @@ optional_policy(`
  apache_run_helper(sysadm_t, sysadm_r)
  #apache_run_all_scripts(sysadm_t, sysadm_r)
  #apache_domtrans_sys_script(sysadm_t)
@@ -15089,7 +16481,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -98,6 +119,10 @@ optional_policy(`
+@@ -98,6 +134,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15100,7 +16492,7 @@ index 4a8d146..6b0999e 100644
  certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -114,7 +139,7 @@ optional_policy(`
+@@ -114,7 +154,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15109,7 +16501,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -124,6 +149,10 @@ optional_policy(`
+@@ -124,6 +164,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15120,7 +16512,7 @@ index 4a8d146..6b0999e 100644
  ddcprobe_run(sysadm_t, sysadm_r)
  ')
  
-@@ -163,6 +192,13 @@ optional_policy(`
+@@ -163,6 +207,13 @@ optional_policy(`
  ipsec_stream_connect(sysadm_t)
  # for lsof
  ipsec_getattr_key_sockets(sysadm_t)
@@ -15134,7 +16526,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -170,15 +206,15 @@ optional_policy(`
+@@ -170,15 +221,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15153,7 +16545,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -198,18 +234,12 @@ optional_policy(`
+@@ -198,18 +249,12 @@ optional_policy(`
  modutils_run_depmod(sysadm_t, sysadm_r)
  modutils_run_insmod(sysadm_t, sysadm_r)
  modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -15174,7 +16566,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -225,6 +255,10 @@ optional_policy(`
+@@ -225,6 +270,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15185,7 +16577,7 @@ index 4a8d146..6b0999e 100644
  netutils_run(sysadm_t, sysadm_r)
  netutils_run_ping(sysadm_t, sysadm_r)
  netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -253,7 +287,7 @@ optional_policy(`
+@@ -253,7 +302,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15194,7 +16586,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -265,20 +299,14 @@ optional_policy(`
+@@ -265,20 +314,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15216,7 +16608,7 @@ index 4a8d146..6b0999e 100644
  
  optional_policy(`
  rsync_exec(sysadm_t)
-@@ -307,7 +335,7 @@ optional_policy(`
+@@ -307,7 +350,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15225,7 +16617,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -332,10 +360,6 @@ optional_policy(`
+@@ -332,10 +375,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15236,7 +16628,7 @@ index 4a8d146..6b0999e 100644
  tripwire_run_siggen(sysadm_t, sysadm_r)
  tripwire_run_tripwire(sysadm_t, sysadm_r)
  tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,19 +367,15 @@ optional_policy(`
+@@ -343,19 +382,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15258,7 +16650,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -367,17 +387,14 @@ optional_policy(`
+@@ -367,17 +402,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15278,7 +16670,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -389,7 +406,7 @@ optional_policy(`
+@@ -389,7 +421,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15287,7 +16679,7 @@ index 4a8d146..6b0999e 100644
  ')
  
  optional_policy(`
-@@ -404,8 +421,15 @@ optional_policy(`
+@@ -404,8 +436,15 @@ optional_policy(`
  yam_run(sysadm_t, sysadm_r)
  ')
  
@@ -15303,7 +16695,7 @@ index 4a8d146..6b0999e 100644
  auth_role(sysadm_r, sysadm_t)
  ')
  
-@@ -452,5 +476,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +491,60 @@ ifndef(`distro_redhat',`
  optional_policy(`
  java_role(sysadm_r, sysadm_t)
  ')
@@ -16074,10 +17466,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..805d0ea
+index 0000000..33c88a7
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,503 @@
+@@ -0,0 +1,519 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -16166,6 +17558,21 @@ index 0000000..805d0ea
 +files_create_default_dir(unconfined_t)
 +files_root_filetrans_default(unconfined_t, dir)
 +
++dev_filetrans_all_named_dev(unconfined_t)
++storage_filetrans_all_named_dev(unconfined_t)
++term_filetrans_all_named_dev(unconfined_t)
++
++sysnet_etc_filetrans_config(unconfined_t, resolv.conf)
++sysnet_etc_filetrans_config(unconfined_t, denyhosts)
++sysnet_etc_filetrans_config(unconfined_t, hosts)
++sysnet_etc_filetrans_config(unconfined_t, ethers)
++sysnet_etc_filetrans_config(unconfined_t, yp.conf)
++
++optional_policy(`
++ ssh_user_home_dir_filetrans(unconfined_t)
++ ssh_admin_home_dir_filetrans(unconfined_t)
++')
++
 +mcs_killall(unconfined_t)
 +mcs_ptrace_all(unconfined_t)
 +mls_file_write_all_levels(unconfined_t)
@@ -16310,6 +17717,7 @@ index 0000000..805d0ea
 +
 +optional_policy(`
 + apache_run_helper(unconfined_t, unconfined_r)
++ apache_filetrans_home_content(unconfined_t)
 +')
 +
 +optional_policy(`
@@ -17919,7 +19327,7 @@ index 9e39aa5..ec27284 100644
 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..09c61a0 100644
+index 6480167..a729492 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,17 +13,13 @@
@@ -18100,16 +19508,17 @@ index 6480167..09c61a0 100644 manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -248,6 +244,8 @@ interface(`apache_role',` +@@ -248,6 +244,9 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + apache_exec_modules($2) ++ apache_filetrans_home_content($2) + tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) -@@ -317,6 +315,25 @@ interface(`apache_domtrans',` +@@ -317,6 +316,25 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -18135,7 +19544,7 @@ index 6480167..09c61a0 100644 ####################################### ## ## Send a generic signal to apache. -@@ -405,7 +422,7 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -405,7 +423,7 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -18144,7 +19553,7 @@ index 6480167..09c61a0 100644 ') ######################################## -@@ -487,7 +504,7 @@ interface(`apache_setattr_cache_dirs',` +@@ -487,7 +505,7 @@ interface(`apache_setattr_cache_dirs',` type httpd_cache_t; ') @@ -18153,7 +19562,7 @@ index 6480167..09c61a0 100644 ') ######################################## -@@ -531,6 +548,25 @@ interface(`apache_rw_cache_files',` +@@ -531,6 +549,25 @@ interface(`apache_rw_cache_files',` ######################################## ## ## Allow the specified domain to delete @@ -18179,7 +19588,7 @@ index 6480167..09c61a0 100644 ## Apache cache. ## ## -@@ -549,6 +585,26 @@ interface(`apache_delete_cache_files',` +@@ -549,6 +586,26 @@ interface(`apache_delete_cache_files',` ######################################## ## 
@@ -18206,7 +19615,7 @@ index 6480167..09c61a0 100644 ## Allow the specified domain to read ## apache configuration files. ## -@@ -699,7 +755,7 @@ interface(`apache_dontaudit_append_log',` +@@ -699,7 +756,7 @@ interface(`apache_dontaudit_append_log',` type httpd_log_t; ') @@ -18215,7 +19624,7 @@ index 6480167..09c61a0 100644 ') ######################################## -@@ -745,6 +801,25 @@ interface(`apache_dontaudit_search_modules',` +@@ -745,6 +802,25 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -18241,7 +19650,7 @@ index 6480167..09c61a0 100644 ## Allow the specified domain to list ## the contents of the apache modules ## directory. -@@ -761,6 +836,7 @@ interface(`apache_list_modules',` +@@ -761,6 +837,7 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -18249,7 +19658,7 @@ index 6480167..09c61a0 100644 ') ######################################## -@@ -819,6 +895,7 @@ interface(`apache_list_sys_content',` +@@ -819,6 +896,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -18257,7 +19666,7 @@ index 6480167..09c61a0 100644 files_search_var($1) ') -@@ -846,6 +923,74 @@ interface(`apache_manage_sys_content',` +@@ -846,6 +924,74 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -18332,7 +19741,7 @@ index 6480167..09c61a0 100644 ######################################## ## ## Execute all web scripts in the system -@@ -862,7 +1007,11 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +1008,11 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; 
@@ -18345,7 +19754,7 @@ index 6480167..09c61a0 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1071,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## @@ -18357,7 +19766,7 @@ index 6480167..09c61a0 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1101,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -18366,7 +19775,7 @@ index 6480167..09c61a0 100644 ') ######################################## -@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1242,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -18392,7 +19801,7 @@ index 6480167..09c61a0 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1277,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -18401,7 +19810,7 @@ index 6480167..09c61a0 100644 ') ######################################## -@@ -1170,17 +1339,14 @@ interface(`apache_cgi_domain',` +@@ -1170,17 +1340,14 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -18423,7 +19832,7 @@ index 6480167..09c61a0 100644 ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1191,10 +1357,10 @@ interface(`apache_admin',` +@@ -1191,10 +1358,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -18436,7 +19845,7 @@ index 6480167..09c61a0 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1371,43 @@ interface(`apache_admin',` +@@ -1205,14 +1372,63 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) 
@@ -18484,6 +19893,26 @@ index 6480167..09c61a0 100644 + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; + dontaudit $1 httpd_tmp_t:file { read write }; ++') ++ ++######################################## ++## ++## Transition to apache named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_filetrans_home_content',` ++ gen_require(` ++ type httpd_user_content_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, public_html) ++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, www) ++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, web) ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 3136c6a..1bf05a6 100644 @@ -29218,7 +30647,7 @@ index 3525d24..923e979 100644 /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..65fdeb0 100644 +index 604f67b..f5de0a2 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ @@ -29299,15 +30728,20 @@ index 604f67b..65fdeb0 100644 kerberos_read_keytab($2) kerberos_use($2) -@@ -289,6 +307,7 @@ interface(`kerberos_manage_host_rcache',` +@@ -289,6 +307,12 @@ interface(`kerberos_manage_host_rcache',` seutil_read_file_contexts($1) ++<<<<<<< HEAD ++ files_rw_tmp_dirs($1) ++||||||| merged common ancestors ++======= + files_rw_generic_tmp_dir($1) ++>>>>>>> fc09d81ec7c51e42fe3d0ce894bc530645f46456 allow $1 krb5_host_rcache_t:file manage_file_perms; files_search_tmp($1) ') -@@ -296,28 +315,6 @@ interface(`kerberos_manage_host_rcache',` +@@ -296,28 +320,6 @@ interface(`kerberos_manage_host_rcache',` ######################################## ## 
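Review bot: The new `apache_filetrans_home_content` interface at the end of this hunk makes `~/www` and `~/web`, not only `~/public_html`, transition to `httpd_user_content_t` when the caller creates them, and those two names are common enough that unrelated user data will silently acquire a web-content label. Whether httpd can then read it is governed by the home-directory tunable, which is outside this hunk, so the change widens what can become web-readable rather than exposing anything by itself. The interface header should say so, e.g. `## Also matches www and web; content there becomes readable by httpd once the home-directory tunable is on.`, and if the extra names serve only one layout, limiting the transition to `public_html` or gating `www`/`web` behind a tunable would be the safer default.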
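Review bot: The `+@@ -289,6 +307,12 @@` hunk for `kerberos_manage_host_rcache` writes unresolved merge-conflict markers (`<<<<<<< HEAD`, `|||||||`, `=======`, `>>>>>>> fc09d81e…`) into the patch body, so the patched kerberos.if will carry those tokens and the policy build will fail at that interface. Exactly one of the two conflicting calls should survive — `files_rw_tmp_dirs($1)` or `files_rw_generic_tmp_dir($1)` — and the one to keep is whichever interface this tree's files.if actually defines, which is not visible here. Dropping the four marker lines and the losing call also brings the inner hunk count back from `+307,12` to `+307,7`. The interface's opening lines are outside this hunk.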
@@ -29336,7 +30770,7 @@ index 604f67b..65fdeb0 100644 ## All of the rules required to administrate ## an kerberos environment ## -@@ -338,9 +335,8 @@ interface(`kerberos_admin',` +@@ -338,9 +340,8 @@ interface(`kerberos_admin',` type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; @@ -29347,7 +30781,7 @@ index 604f67b..65fdeb0 100644 ') allow $1 kadmind_t:process { ptrace signal_perms }; -@@ -378,3 +374,41 @@ interface(`kerberos_admin',` +@@ -378,3 +379,41 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -42774,7 +44208,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..68ad7a7 100644 +index 22adaca..e064fd6 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -43090,7 +44524,7 @@ index 22adaca..68ad7a7 100644 ') ###################################### -@@ -735,3 +794,21 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +794,59 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') 
@@ -43112,6 +44546,44 @@ index 22adaca..68ad7a7 100644 + + allow $1 sshd_t:process signull; +') ++ ++######################################## ++## ++## Create .sshd directory in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_admin_home_dir_filetrans',` ++ gen_require(` ++ type ssh_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, .ssh) ++') ++ ++######################################## ++## ++## Create .sshd directory in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_user_home_dir_filetrans',` ++ gen_require(` ++ type ssh_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, .ssh) ++') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 2dad3c8..c71bdb9 100644 --- a/policy/modules/services/ssh.te @@ -44623,7 +46095,7 @@ index 32a3c13..7baeb6f 100644 optional_policy(` diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc -index 2124b6a..6546d6e 100644 +index 2124b6a..1b33cbb 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc @@ -1,4 +1,5 @@ @@ -44633,7 +46105,7 @@ index 2124b6a..6546d6e 100644 HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -@@ -13,17 +14,19 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -13,17 +14,25 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) 
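Review bot: The doc comments of both new interfaces say they create a `.sshd` directory, but the wrapped `userdom_*_home_dir_filetrans` calls name `.ssh`, and `ssh_user_home_dir_filetrans` is described as acting on `/root` while its rule targets the user home directory. Suggested summaries: `## Create the .ssh directory in /root with the correct label.` for `ssh_admin_home_dir_filetrans` and `## Create the .ssh directory in the user home directory with the correct label.` for `ssh_user_home_dir_filetrans`. A one-line note that the transition only applies to directories `$1` itself creates, so pre-existing `.ssh` directories still need relabeling, would help callers such as the `unconfined_t` rules added elsewhere in this patch.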
@@ -44656,6 +46128,12 @@ index 2124b6a..6546d6e 100644 +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ ++# support for AEOLUS project ++/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) ++/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) ++/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 7c5d8d8..b961fd7 100644 --- a/policy/modules/services/virt.if @@ -48292,10 +49770,10 @@ index c26ecf5..b906c48 100644 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 -index 0000000..56cb5af +index 0000000..72059b2 --- /dev/null +++ b/policy/modules/services/zarafa.fc -@@ -0,0 +1,27 @@ +@@ -0,0 +1,29 @@ + +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + @@ -48311,6 +49789,8 @@ index 0000000..56cb5af + +/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) + ++/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++ +/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) +/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) @@ -48453,10 +49933,10 @@ index 0000000..8a909f5 +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 -index 0000000..6b80580 +index 0000000..fec9997 --- /dev/null +++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,127 @@ +@@ -0,0 +1,141 @@ +policy_module(zarafa, 1.0.0) + +######################################## 
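Review bot: The `/usr/bin/imgfac\.py -- ... virtd_exec_t` entry turns a Python script into an entrypoint for `virtd_t`, so anyone able to execute it directly gets libvirtd's full privilege set, while running it as `python imgfac.py` enters through the interpreter and gets no transition at all — worth a comment so nobody assumes the label confines the script. The `/var/cache/oz(/.*)?` line references `virt_cache_t`, whose declaration is not in this hunk; confirm virt.te in this tree defines it, otherwise file-context validation will reject the module. Suggested comment above the entry: `# imgfac.py runs as virtd_t only when executed directly and then inherits every libvirtd privilege; keep it root-owned and non-writable.`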
@@ -48476,6 +49956,12 @@ index 0000000..6b80580 +type zarafa_deliver_tmp_t; +files_tmp_file(zarafa_deliver_tmp_t) + ++type zarafa_server_tmp_t; ++files_tmp_file(zarafa_server_tmp_t) ++ ++type zarafa_var_lib_t; ++files_tmp_file(zarafa_var_lib_t) ++ +type zarafa_etc_t; +files_config_file(zarafa_etc_t) + @@ -48500,7 +49986,15 @@ index 0000000..6b80580 +# + +allow zarafa_server_t self:capability { chown kill net_bind_service }; -+allow zarafa_server_t self:process { setrlimit signal }; ++allow zarafa_server_t self:process setrlimit; ++ ++manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) ++manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) ++files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) ++ ++manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) ++manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) ++files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) + +corenet_tcp_bind_zarafa_port(zarafa_server_t) + @@ -48525,7 +50019,6 @@ index 0000000..6b80580 +# + +allow zarafa_spooler_t self:capability { chown kill }; -+allow zarafa_spooler_t self:process signal; + +can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) + @@ -48537,7 +50030,7 @@ index 0000000..6b80580 +# + +allow zarafa_gateway_t self:capability { chown kill }; -+allow zarafa_gateway_t self:process { setrlimit signal }; ++allow zarafa_gateway_t self:process setrlimit; + +corenet_tcp_bind_pop_port(zarafa_gateway_t) + @@ -48564,6 +50057,7 @@ index 0000000..6b80580 + +# bad permission on /etc/zarafa +allow zarafa_domain self:capability { dac_override setgid setuid }; ++allow zarafa_domain self:process signal; +allow zarafa_domain self:fifo_file rw_fifo_file_perms; +allow zarafa_domain self:tcp_socket create_stream_socket_perms; +allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; @@ -50544,7 +52038,7 @@ index cc83689..e83c909 100644 +') + 
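Review bot: `zarafa_var_lib_t` is declared with `files_tmp_file()` even though this patch labels `/var/lib/zarafa-.*` with it and transitions into it through `files_var_lib_filetrans` in the next hunk; that gives a persistent state directory refpolicy's tmp-file attribute, so any domain granted access to all tmp files (and tmp cleanup policy) can reach Zarafa's state. Change the declaration to `files_type(zarafa_var_lib_t)`. The `zarafa_server_tmp_t` declared just above it is the one that correctly belongs under `files_tmp_file()`.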
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..0bdb8d8 100644 +index ea29513..44cd32f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -51058,8 +52552,14 @@ index ea29513..0bdb8d8 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -524,6 +727,23 @@ ifdef(`distro_redhat',` +@@ -522,8 +725,29 @@ ifdef(`distro_redhat',` + ') + optional_policy(` ++ abrt_manage_pid_files(initrc_t) ++ ') ++ ++ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) + bind_setattr_zone_dirs(initrc_t) @@ -51082,7 +52582,7 @@ index ea29513..0bdb8d8 100644 ') optional_policy(` -@@ -531,10 +751,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +755,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -51100,7 +52600,7 @@ index ea29513..0bdb8d8 100644 ') optional_policy(` -@@ -549,6 +776,39 @@ ifdef(`distro_suse',` +@@ -549,6 +780,39 @@ ifdef(`distro_suse',` ') ') @@ -51140,7 +52640,7 @@ index ea29513..0bdb8d8 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +821,8 @@ optional_policy(` +@@ -561,6 +825,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -51149,7 +52649,7 @@ index ea29513..0bdb8d8 100644 ') optional_policy(` -@@ -577,6 +839,7 @@ optional_policy(` +@@ -577,6 +843,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -51157,7 +52657,7 @@ index ea29513..0bdb8d8 100644 ') optional_policy(` -@@ -589,6 +852,11 @@ optional_policy(` +@@ -589,6 +856,11 @@ optional_policy(` ') optional_policy(` 
@@ -51169,7 +52669,7 @@ index ea29513..0bdb8d8 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +873,13 @@ optional_policy(` +@@ -605,9 +877,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -51183,7 +52683,7 @@ index ea29513..0bdb8d8 100644 ') optional_policy(` -@@ -649,6 +921,11 @@ optional_policy(` +@@ -649,6 +925,11 @@ optional_policy(` ') optional_policy(` @@ -51195,7 +52695,7 @@ index ea29513..0bdb8d8 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +983,13 @@ optional_policy(` +@@ -706,7 +987,13 @@ optional_policy(` ') optional_policy(` @@ -51209,7 +52709,7 @@ index ea29513..0bdb8d8 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1012,10 @@ optional_policy(` +@@ -729,6 +1016,10 @@ optional_policy(` ') optional_policy(` @@ -51220,7 +52720,7 @@ index ea29513..0bdb8d8 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1025,20 @@ optional_policy(` +@@ -738,10 +1029,20 @@ optional_policy(` ') optional_policy(` @@ -51241,7 +52741,7 @@ index ea29513..0bdb8d8 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1047,10 @@ optional_policy(` +@@ -750,6 +1051,10 @@ optional_policy(` ') optional_policy(` @@ -51252,7 +52752,7 @@ index ea29513..0bdb8d8 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1072,6 @@ optional_policy(` +@@ -771,8 +1076,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -51261,7 +52761,7 @@ index ea29513..0bdb8d8 100644 ') optional_policy(` -@@ -781,14 +1080,21 @@ optional_policy(` +@@ -781,14 +1084,21 @@ optional_policy(` ') optional_policy(` @@ -51283,7 +52783,7 @@ index ea29513..0bdb8d8 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1106,6 @@ optional_policy(` +@@ -800,7 +1110,6 @@ optional_policy(` ') optional_policy(` 
@@ -51291,7 +52791,7 @@ index ea29513..0bdb8d8 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1115,19 @@ optional_policy(` +@@ -810,11 +1119,19 @@ optional_policy(` ') optional_policy(` @@ -51312,7 +52812,7 @@ index ea29513..0bdb8d8 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1137,25 @@ optional_policy(` +@@ -824,6 +1141,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -51338,7 +52838,7 @@ index ea29513..0bdb8d8 100644 ') optional_policy(` -@@ -849,3 +1181,42 @@ optional_policy(` +@@ -849,3 +1185,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -52956,7 +54456,7 @@ index c7cfb62..ee89659 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..f610462 100644 +index 9b5a9ed..a3a66a2 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -19,6 +19,11 @@ type auditd_log_t; @@ -53115,7 +54615,7 @@ index 9b5a9ed..f610462 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,6 +455,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -412,7 +455,11 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -53123,9 +54623,11 @@ index 9b5a9ed..f610462 100644 +# relating to systemd-kmsg-syslogd +dev_write_kmsg(syslogd_t) ++domain_read_all_domains_state(syslogd_t) domain_use_interactive_fds(syslogd_t) -@@ -432,6 +478,7 @@ term_write_console(syslogd_t) + files_read_etc_files(syslogd_t) +@@ -432,6 +479,7 @@ term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) 
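Review bot: `domain_read_all_domains_state(syslogd_t)` lets syslogd read the /proc state of every domain on the system, a broad grant for a daemon that parses untrusted log input, and the hunk gives no reason for it — the `# relating to systemd-kmsg-syslogd` comment covers only `dev_write_kmsg`. Put the motivating feature in a comment directly above the line (for example `# needed by <feature>: reads /proc/<pid> of log senders`, with the real feature filled in), and check whether a narrower interface that reads only the state actually consulted would suffice. The remaining lines of this hunk are context and unchanged.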
@@ -53133,7 +54635,7 @@ index 9b5a9ed..f610462 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -480,6 +527,10 @@ optional_policy(` +@@ -480,6 +528,10 @@ optional_policy(` ') optional_policy(` @@ -53144,7 +54646,7 @@ index 9b5a9ed..f610462 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +539,10 @@ optional_policy(` +@@ -488,6 +540,10 @@ optional_policy(` ') optional_policy(` @@ -55503,7 +57005,7 @@ index 694fd94..334e80e 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index ff80d0a..7f1a21c 100644 +index ff80d0a..ec91ad9 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',` @@ -55620,6 +57122,15 @@ index ff80d0a..7f1a21c 100644 ## Read network config files. ## ## +@@ -405,7 +498,7 @@ interface(`sysnet_etc_filetrans_config',` + type net_conf_t; + ') + +- files_etc_filetrans($1, net_conf_t, file) ++ files_etc_filetrans($1, net_conf_t, file, $2) + ') + + ####################################### @@ -426,6 +519,7 @@ interface(`sysnet_manage_config',` allow $1 net_conf_t:file manage_file_perms; @@ -57596,7 +59107,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..791d89f 100644 +index 28b88de..5ea0ea4 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
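Review bot: `sysnet_etc_filetrans_config` now forwards `$2` to `files_etc_filetrans` as the file name, but the interface's `<param>` documentation sits above this hunk and is not updated, so callers cannot tell that the second argument is a name such as `resolv.conf` rather than an object class. Add a block like `## <param name="name" optional="true"><summary>Name of the file to transition on; omit to match any new file.</summary></param>` next to the existing domain parameter. Whether an empty `$2` still expands to a valid rule depends on how `filetrans_pattern` treats a blank trailing argument in this tree, so existing callers that pass one argument should be rebuilt to confirm they still compile; the new `unconfined_t` callers in this patch always pass a name.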
@@ -57761,7 +59272,7 @@ index 28b88de..791d89f 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +149,17 @@ template(`userdom_base_user_template',` +@@ -116,6 +149,16 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -57770,7 +59281,6 @@ index 28b88de..791d89f 100644 + fs_list_cgroup_dirs($1_usertype) + ') + -+ + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_delete_tmp($1_t) @@ -57779,7 +59289,7 @@ index 28b88de..791d89f 100644 ') ####################################### -@@ -149,6 +193,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +192,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -57788,7 +59298,7 @@ index 28b88de..791d89f 100644 ############################## # # Domain access to home dir -@@ -166,27 +212,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +211,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -57816,7 +59326,7 @@ index 28b88de..791d89f 100644 ') ####################################### -@@ -218,8 +243,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +242,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -57828,7 +59338,7 @@ index 28b88de..791d89f 100644 ############################## # # Domain access to home dir -@@ -228,17 +256,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +255,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory 
@@ -57860,7 +59370,7 @@ index 28b88de..791d89f 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +278,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +277,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -57890,7 +59400,7 @@ index 28b88de..791d89f 100644 ') ') -@@ -289,6 +319,8 @@ interface(`userdom_manage_tmp_role',` +@@ -289,6 +318,8 @@ interface(`userdom_manage_tmp_role',` type user_tmp_t; ') @@ -57899,7 +59409,7 @@ index 28b88de..791d89f 100644 files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -@@ -297,6 +329,45 @@ interface(`userdom_manage_tmp_role',` +@@ -297,6 +328,45 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -57945,7 +59455,7 @@ index 28b88de..791d89f 100644 ') ####################################### -@@ -316,6 +387,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +386,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -57953,7 +59463,7 @@ index 28b88de..791d89f 100644 files_search_tmp($1) ') -@@ -350,6 +422,8 @@ interface(`userdom_manage_tmpfs_role',` +@@ -350,6 +421,8 @@ interface(`userdom_manage_tmpfs_role',` type user_tmpfs_t; ') @@ -57962,7 +59472,7 @@ index 28b88de..791d89f 100644 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -@@ -360,46 +434,41 @@ interface(`userdom_manage_tmpfs_role',` +@@ -360,46 +433,41 @@ interface(`userdom_manage_tmpfs_role',` ####################################### ## 
@@ -58031,7 +59541,7 @@ index 28b88de..791d89f 100644 ') ####################################### -@@ -430,6 +499,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +498,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -58039,7 +59549,7 @@ index 28b88de..791d89f 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +560,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +559,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -58048,7 +59558,7 @@ index 28b88de..791d89f 100644 ############################## # -@@ -500,73 +570,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +569,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -58070,27 +59580,27 @@ index 28b88de..791d89f 100644 + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corecmd_exec_bin($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -58114,10 +59624,10 @@ index 28b88de..791d89f 100644 + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) -+ -+ application_getattr_socket($1_usertype) - fs_rw_cgroup_files($1_t) ++ application_getattr_socket($1_usertype) ++ + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) @@ -58169,7 +59679,7 @@ index 28b88de..791d89f 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +652,122 @@ template(`userdom_common_user_template',` +@@ -574,67 +651,122 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -58183,23 +59693,23 @@ index 28b88de..791d89f 100644 # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + apm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ canna_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ canna_stream_connect($1_usertype) ++ colord_read_lib_files($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) -+ chrome_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` -+ colord_read_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; 
@@ -58215,49 +59725,49 @@ index 28b88de..791d89f 100644 + optional_policy(` + bluetooth_dbus_chat($1_usertype) + ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ ') ++ ++ optional_policy(` ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ kde_dbus_chat_backlighthelper($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) - ') -+ -+ optional_policy(` -+ kde_dbus_chat_backlighthelper($1_usertype) -+ ') -+ -+ optional_policy(` -+ modemmanager_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + networkmanager_dbus_chat($1_usertype) + networkmanager_read_lib_files($1_usertype) -+ ') + ') + + optional_policy(` + vpn_dbus_chat($1_usertype) @@ -58310,7 +59820,7 @@ index 28b88de..791d89f 100644 ') optional_policy(` -@@ -650,41 +783,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +782,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status 
@@ -58342,51 +59852,53 @@ index 28b88de..791d89f 100644 + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ rpcbind_stream_connect($1_usertype) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t,$1_r) -+ seunshare_role_template($1, $1_r, $1_t) - ') -+ -+ optional_policy(` + slrnpull_search_spool($1_usertype) -+ ') + ') + ') ####################################### -@@ -712,13 +854,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +853,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) ++ ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) -+ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) 
@@ -58394,9 +59906,7 @@ index 28b88de..791d89f 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -58404,7 +59914,7 @@ index 28b88de..791d89f 100644 userdom_change_password_template($1) -@@ -736,72 +891,70 @@ template(`userdom_login_user_template', ` +@@ -736,72 +890,70 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -58471,10 +59981,10 @@ index 28b88de..791d89f 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) ++ ++ seutil_read_config($1_usertype) - seutil_read_config($1_t) -+ seutil_read_config($1_usertype) -+ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -58512,7 +60022,7 @@ index 28b88de..791d89f 100644 ') ') -@@ -833,6 +986,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +985,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -58522,7 +60032,7 @@ index 28b88de..791d89f 100644 ############################## # # Local policy -@@ -874,45 +1030,113 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1029,113 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) 
@@ -58593,40 +60103,40 @@ index 28b88de..791d89f 100644 + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') - - optional_policy(` -- consolekit_dbus_chat($1_t) ++ ++ optional_policy(` + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat($1_t) -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) - ') ++ ') + + optional_policy(` ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ++ ') + + optional_policy(` +- consolekit_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- cups_dbus_chat($1_t) + fprintd_dbus_chat($1_t) -+ ') + ') + ') + + optional_policy(` +- java_role($1_r, $1_t) ++ openoffice_role_template($1, $1_r, $1_usertype) + ') + + optional_policy(` -+ openoffice_role_template($1, $1_r, $1_usertype) ++ policykit_role($1_r, $1_usertype) + ') + + optional_policy(` -+ policykit_role($1_r, $1_usertype) - ') - - optional_policy(` -- java_role($1_r, $1_t) + pulseaudio_role($1_r, $1_usertype) + ') + @@ -58647,7 +60157,7 @@ index 28b88de..791d89f 100644 ') ') -@@ -947,7 +1171,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1170,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -58656,7 +60166,7 @@ index 28b88de..791d89f 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1180,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1179,83 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here 
@@ -58726,16 +60236,13 @@ index 28b88de..791d89f 100644 + + optional_policy(` + gpg_role($1_r, $1_usertype) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t,$1_r) ++ ') ++ ++ optional_policy(` + gnomeclock_dbus_chat($1_t) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + gpm_stream_connect($1_usertype) + ') + @@ -58758,19 +60265,22 @@ index 28b88de..791d89f 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t,$1_r) + postfix_run_postdrop($1_t, $1_r) -+ ') -+ + ') + + # Run pppd in pppd_t by default for user -+ optional_policy(` + optional_policy(` +- setroubleshoot_stream_connect($1_t) + ppp_run_cond($1_t, $1_r) ') ') -@@ -1039,7 +1292,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1291,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -58779,7 +60289,7 @@ index 28b88de..791d89f 100644 ') ############################## -@@ -1066,6 +1319,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1318,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -58787,7 +60297,7 @@ index 28b88de..791d89f 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1328,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1327,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -58797,7 +60307,7 @@ index 28b88de..791d89f 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1345,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1344,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -58805,7 +60315,7 @@ index 28b88de..791d89f 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1363,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1362,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -58819,7 +60329,7 @@ index 28b88de..791d89f 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1380,21 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1379,21 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -58842,7 +60352,7 @@ index 28b88de..791d89f 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1406,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1405,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -58854,7 +60364,7 @@ index 28b88de..791d89f 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1478,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1477,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -58863,7 +60373,7 @@ index 28b88de..791d89f 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1492,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1491,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -58871,7 +60381,7 @@ index 28b88de..791d89f 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1508,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1507,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -58879,7 +60389,7 @@ index 28b88de..791d89f 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1551,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1550,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -58917,7 +60427,7 @@ index 28b88de..791d89f 100644 ubac_constrained($1) ') -@@ -1395,6 +1693,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1692,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -58925,7 +60435,7 @@ index 28b88de..791d89f 100644 files_search_home($1) ') -@@ -1441,6 +1740,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1739,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -58940,7 +60450,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -1456,9 +1763,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1762,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -58952,7 +60462,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -1515,10 +1824,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1823,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -58965,7 +60475,7 @@ index 28b88de..791d89f 100644 ## ## ## -@@ -1526,21 +1835,57 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,22 +1834,58 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -58988,6 +60498,7 @@ index 28b88de..791d89f 100644 +## Relabel user home files. ## -## +-##

+## +##

+## Domain allowed access. @@ -59028,10 +60539,11 @@ index 28b88de..791d89f 100644 +## user home directory. +## +## - ##

++##

## Do a domain transition to the specified ## domain when executing a program in the -@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',` + ## user home directory. +@@ -1589,6 +1933,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -59040,7 +60552,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1949,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -59055,7 +60567,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1997,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ##

@@ -59081,7 +60593,7 @@ index 28b88de..791d89f 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2067,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -59114,7 +60626,7 @@ index 28b88de..791d89f 100644 ## Do not audit attempts to read user home files. ##
## -@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2103,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -59132,7 +60644,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -1779,6 +2170,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2169,24 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -59157,7 +60669,7 @@ index 28b88de..791d89f 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2219,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2218,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -59167,7 +60679,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -1827,20 +2235,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,21 +2234,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -59181,18 +60693,19 @@ index 28b88de..791d89f 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') --') +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- ######################################## ## -@@ -2008,7 +2410,7 @@ interface(`userdom_user_home_dir_filetrans',` + ## Do not audit attempts to execute user home files. +@@ -2008,7 +2409,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') 
@@ -59201,7 +60714,7 @@ index 28b88de..791d89f 100644 files_search_home($1) ') -@@ -2182,7 +2584,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2583,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -59210,7 +60723,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -2435,13 +2837,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2836,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -59226,7 +60739,7 @@ index 28b88de..791d89f 100644 ## ## ## -@@ -2462,26 +2865,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2864,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -59253,7 +60766,7 @@ index 28b88de..791d89f 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,6 +2955,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +2954,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -59278,7 +60791,7 @@ index 28b88de..791d89f 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +2991,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +2990,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -59321,7 +60834,7 @@ index 28b88de..791d89f 100644 ## ## ## -@@ -2614,14 +3027,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3026,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -59359,7 +60872,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -2815,7 +3247,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3246,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -59368,7 +60881,7 @@ index 28b88de..791d89f 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3263,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3262,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -59384,7 +60897,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -2917,7 +3351,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3350,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -59393,7 +60906,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -2972,7 +3406,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3405,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -59440,7 +60953,7 @@ index 28b88de..791d89f 100644 ') ######################################## -@@ -3009,6 +3481,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3480,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -59448,7 +60961,7 @@ index 28b88de..791d89f 100644 kernel_search_proc($1) ') -@@ -3087,6 +3560,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3559,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -59473,7 +60986,7 @@ index 28b88de..791d89f 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3630,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3629,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -60533,7 +62046,7 @@ index 28b88de..791d89f 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index df29ca1..2a5c03d 100644 +index df29ca1..059cac0 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0) 
@@ -60586,7 +62099,7 @@ index df29ca1..2a5c03d 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +98,54 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +98,59 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -60643,6 +62156,11 @@ index df29ca1..2a5c03d 100644 + +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; ++ ++optional_policy(` ++ ssh_admin_home_dir_filetrans(userdomain) ++') ++ diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc index a865da7..0818ff0 100644 --- a/policy/modules/system/xen.fc @@ -60919,6 +62437,19 @@ index 4350ba0..c8b1d3b 100644 - unconfined_domain(xend_t) - ') ') +diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt +index bdd500c..4719351 100644 +--- a/policy/support/file_patterns.spt ++++ b/policy/support/file_patterns.spt +@@ -535,7 +535,7 @@ define(`filetrans_add_pattern',` + + define(`filetrans_pattern',` + allow $1 $2:dir rw_dir_perms; +- type_transition $1 $2:$4 $3; ++ type_transition $1 $2:$4 $3 $5; + ') + + define(`admin_pattern',` diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index 22ca011..df6b5de 100644 --- a/policy/support/misc_patterns.spt diff --git a/selinux-policy.spec b/selinux-policy.spec index dbbe4dd..c4f8ec1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 15.1%{?dist} +Release: 16.1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
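Review bot: `ssh_admin_home_dir_filetrans(userdomain)` in the userdomain.te hunk is applied to the whole `userdomain` attribute, which includes `unpriv_userdomain`, while the interface body is not part of this diff. If that interface is built on `filetrans_pattern`, as the same commit's file_patterns.spt change suggests, its expansion carries `allow $1 $2:dir rw_dir_perms`, so every user domain (not only administrators) would gain write/add_name/remove_name on admin_home_t, which normally labels /root, rather than just a labeling rule. Either narrow the call to the admin-only attribute already used in this file, `ssh_admin_home_dir_filetrans(admindomain)`, or confirm the interface grants nothing beyond the named transition and record that above the call, e.g. `# named transition for admin_home_t/.ssh only; must not add dir write for unpriv users`. Keeping it inside `optional_policy` is right, since the ssh module may be absent.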
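Review bot: the new `type_transition $1 $2:$4 $3 $5;` in `filetrans_pattern` is undocumented: nothing says `$5` is an optional filename, that callers must pass it as a double-quoted string, or that a five-argument call emits a named transition that a checkpolicy or kernel without filename-transition support (policy version 25 and later, if I recall correctly) will reject, while four-argument callers keep building because m4 expands the missing `$5` to nothing. I would add above the define: `# $5 (optional): filename for a named type_transition; needs filename-transition support in checkpolicy and the kernel`. The sibling `filetrans_add_pattern` appears only as the hunk's context label with its body outside the hunk and gets no `$5` here, so whether the add-variant should accept a filename too is worth checking before modules start relying on the five-argument form.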
@@ -474,9 +474,17 @@ exit 0 %endif %changelog -* Fri Apr 15 2011 Dan Walsh 3.9.16-15.1 +* Tue Apr 19 2011 Dan Walsh 3.9.16-16.1 - Add filename transitions +* Tue Apr 19 2011 Miroslav Grepl 3.9.16-16 +- Fixes for zarafa policy +- Add support for AEOLUS project +- Change labeling of fping6 +- Allow plymountd to send signals to init +- Allow initrc_t domain to manage abrt pid files +- Virt_admin should be allowed to manage images and processes + * Fri Apr 15 2011 Miroslav Grepl 3.9.16-15 - xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdctl