diff --git a/policy-F16.patch b/policy-F16.patch index 6d0be41..e988fad 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -58126,10 +58126,18 @@ index 1308871..c994c93 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index bf24160..4d0bdca 100644 +index bf24160..8bbcc13 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors -@@ -393,6 +393,10 @@ class system +@@ -329,6 +329,7 @@ class process + execheap + setkeycreate + setsockcreate ++ ptrace_child + } + + +@@ -393,6 +394,10 @@ class system syslog_mod syslog_console module_request @@ -58140,7 +58148,7 @@ index bf24160..4d0bdca 100644 } # -@@ -862,3 +866,20 @@ inherits database +@@ -862,3 +867,20 @@ inherits database implement execute } @@ -67293,7 +67301,7 @@ index fbb5c5a..ce9aee0 100644 ') + diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..71b15ca 100644 +index 2e9318b..ab6f730 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3) @@ -67476,7 +67484,7 @@ index 2e9318b..71b15ca 100644 can_exec(mozilla_plugin_t, mozilla_exec_t) kernel_read_kernel_sysctls(mozilla_plugin_t) -@@ -331,22 +360,32 @@ kernel_request_load_module(mozilla_plugin_t) +@@ -331,22 +360,33 @@ kernel_request_load_module(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -67491,6 +67499,7 @@ index 2e9318b..71b15ca 100644 +corenet_tcp_connect_flash_port(mozilla_plugin_t) +corenet_tcp_connect_ftp_port(mozilla_plugin_t) corenet_tcp_connect_http_port(mozilla_plugin_t) ++corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -corenet_tcp_connect_squid_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) 
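Review bot: The `ptrace_child` entry appended to `class process` (the added `@@ -329,6 +329,7 @@` section for policy/flask/access_vectors) has no comment saying what it mediates or which kernels define it. A permission that the running kernel does not define is never checked, so any rule written with it would be inert there; this hunk does not show which kernels are targeted. No rule using `ptrace_child` is visible in this part of the patch, so it is also unclear which domains are meant to receive it instead of plain `ptrace`. I would add a comment above the entry along the lines of `# ptrace_child: <what it mediates>; requires a kernel that defines this permission`. The `class process` block begins outside the hunk.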
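Review bot: `corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)` is added unconditionally and without a comment, in the section of policy/modules/apps/mozilla.te that grows to `@@ -331,22 +360,33 @@`. That section already gives the plugin domain a list of outbound connect rules, and every extra port is one more destination a misbehaving plugin may reach. I would record the reason next to the rule, for example `# <plugin or bug reference>: needs to reach the gatekeeper port`, and consider whether it belongs in the base rule set or behind a boolean. The surrounding rule list continues outside the hunk.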
@@ -67515,7 +67524,7 @@ index 2e9318b..71b15ca 100644 dev_read_video_dev(mozilla_plugin_t) dev_write_video_dev(mozilla_plugin_t) dev_read_sysfs(mozilla_plugin_t) -@@ -355,6 +394,7 @@ dev_write_sound(mozilla_plugin_t) +@@ -355,6 +395,7 @@ dev_write_sound(mozilla_plugin_t) # for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) dev_dontaudit_rw_dri(mozilla_plugin_t) @@ -67523,7 +67532,7 @@ index 2e9318b..71b15ca 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -362,15 +402,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -362,15 +403,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -67545,7 +67554,7 @@ index 2e9318b..71b15ca 100644 logging_send_syslog_msg(mozilla_plugin_t) miscfiles_read_localization(mozilla_plugin_t) -@@ -383,35 +429,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t) +@@ -383,35 +430,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t) term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) @@ -67593,7 +67602,7 @@ index 2e9318b..71b15ca 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -421,24 +459,33 @@ optional_policy(` +@@ -421,24 +460,33 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -67631,7 +67640,7 @@ index 2e9318b..71b15ca 100644 ') optional_policy(` -@@ -446,10 +493,105 @@ optional_policy(` +@@ -446,10 +494,105 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -84791,7 +84800,7 @@ index 0b827c5..ac79ca6 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..9ea7f1f 100644 +index 30861ec..bb97cc2 100644 
--- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0) @@ -84878,7 +84887,7 @@ index 30861ec..9ea7f1f 100644 + +# Support abrt-watch log + -+type abrt_watch_log_t; ++type abrt_watch_log_t, abrt_domain; +type abrt_watch_log_exec_t; +init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) + @@ -86758,7 +86767,7 @@ index 6480167..c453e35 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..8ce80e7 100644 +index 3136c6a..dff387e 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,136 +18,268 @@ policy_module(apache, 2.2.1) @@ -87039,7 +87048,7 @@ index 3136c6a..8ce80e7 100644 -## Allow httpd to run gpg -##
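Review bot: Changing the declaration to `type abrt_watch_log_t, abrt_domain;` gives the log watcher every rule written against the `abrt_domain` attribute, and none of those rules are visible in this hunk. If the attribute carries more than the watcher needs, this one-word change widens its access without any line in abrt.te showing it. Before merging I would compare the effective rules before and after, for example with `sesearch -A -s abrt_watch_log_t`. I would also add a comment on the declaration such as `# abrt_domain: shares the common abrt rules, keep that set minimal`. The rest of the abrt-watch-log block lies outside the hunk.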
+##-+## Allow httpd to access cifs file systems ++## Allow httpd to access FUSE file systems +##
+## +gen_tunable(httpd_use_fusefs, false) @@ -90107,24 +90116,28 @@ index 215b86b..d7c4d98 100644 ') diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc new file mode 100644 -index 0000000..c095160 +index 0000000..e59e51b --- /dev/null +++ b/policy/modules/services/boinc.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,12 @@ + -+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) + -+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) ++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) + -+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) ++/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0) ++ ++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) +/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) ++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) ++ ++/var/log/boinc\.log -- gen_context(system_u:object_r:boinc_log_t,s0) diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if new file mode 100644 -index 0000000..9fe3f9e +index 0000000..6d7e034 --- /dev/null +++ b/policy/modules/services/boinc.if -@@ -0,0 +1,154 @@ +@@ -0,0 +1,189 @@ +##-+## Allow confined virtual guests to manage nfs files ++## Allow sanlock to manage nfs files +##
+##-+## Allow confined virtual guests to manage cifs files ++## Allow sanlock to manage cifs files +##
+##