diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 9abc9f0..62c4b1a 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b488b01..ac108ca 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5718,7 +5718,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..bb7bad0 100644 +index b191055..e66e77a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5945,7 +5945,7 @@ index b191055..bb7bad0 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +235,124 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +235,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5968,6 +5968,8 @@ index b191055..bb7bad0 100644 network_port(openhpid, tcp,4743,s0, udp,4743,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) +network_port(openvswitch, tcp,6634,s0) ++network_port(openqa, tcp,9526,s0) ++network_port(openqa_websockets, tcp,9527,s0) +network_port(osapi_compute, tcp, 8774, s0) +network_port(ovsdb, tcp, 6640, s0) network_port(pdps, tcp,1314,s0, udp,1314,s0) 
@@ -6088,7 +6090,7 @@ index b191055..bb7bad0 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +360,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +362,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6115,7 +6117,7 @@ index b191055..bb7bad0 100644 ######################################## # -@@ -333,6 +409,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +411,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -6124,7 +6126,7 @@ index b191055..bb7bad0 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +423,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +425,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -10144,7 +10146,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..549d218 100644 +index cf04cb5..7b76b77 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10211,7 +10213,7 @@ index cf04cb5..549d218 100644 # create child processes in the domain -allow domain self:process { fork sigchld }; -+allow domain self:process { getcap fork getsched signal_perms setrlimit getattr getcap getsched getsession }; ++allow domain self:process { getcap fork getsched signal_perms }; # Use trusted objects in /dev +dev_read_cpu_online(domain) 
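Review bot: The `# create child processes in the domain` comment left above the rewritten `++allow domain self:process { getcap fork getsched signal_perms };` line now describes only `fork`, so the three other permissions that every confined domain inherits through the `domain` attribute are undocumented; replace it with `# every domain may fork, read its own capabilities and scheduling, and signal itself; setrlimit, getattr and getsession are granted per domain, not here`. Dropping `setrlimit getattr getsession` (and the duplicated `getcap getsched`) from the attribute-wide baseline is a sound least-privilege tightening, but because `domain` covers every confined type, any domain that quietly relied on those permissions may now produce denials, which is exactly what a comment at this line should warn the next maintainer about. The new set is still wider than the upstream `allow domain self:process { fork sigchld };` that the inner patch removes, so stating why the distribution baseline is broader belongs in the same comment. The enclosing domain.te section continues outside the hunk.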
@@ -15451,7 +15453,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..1a164a7 100644 +index 8416beb..f3dd0f6 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15899,7 +15901,7 @@ index 8416beb..1a164a7 100644 ## ## ## -@@ -1878,117 +2085,346 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2085,721 @@ interface(`fs_search_fusefs',` ## ## # @@ -16282,13 +16284,42 @@ index 8416beb..1a164a7 100644 +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. - ## - ## - ## -@@ -2025,6 +2461,87 @@ interface(`fs_read_fusefs_symlinks',` - - ######################################## - ## ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_manage_fusefs_files',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Read symbolic links on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_fusefs_symlinks',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++') ++ ++######################################## ++## +## Manage symbolic links on a FUSEFS filesystem. +## +## 
@@ -16370,14 +16401,38 @@ index 8416beb..1a164a7 100644 + +######################################## +## - ## Get the attributes of an hugetlbfs - ## filesystem. - ## -@@ -2057,12 +2574,66 @@ interface(`fs_list_hugetlbfs',` - type hugetlbfs_t; - ') - -- allow $1 hugetlbfs_t:dir list_dir_perms; ++## Get the attributes of an hugetlbfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:filesystem getattr; ++') ++ ++######################################## ++## ++## List hugetlbfs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_list_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ + allow $1 hugetlbfs_t:dir list_dir_perms; +') + 
@@ -16433,80 +16488,29 @@ index 8416beb..1a164a7 100644 + ') + + rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) - ') - - ######################################## - ## --## Manage hugetlbfs dirs. ++') ++ ++######################################## ++## +## Manage hugetlbfs files. - ## - ## - ## -@@ -2070,17 +2641,17 @@ interface(`fs_list_hugetlbfs',` - ## - ## - # --interface(`fs_manage_hugetlbfs_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_manage_hugetlbfs_files',` - gen_require(` - type hugetlbfs_t; - ') - -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ + manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t) - ') - - ######################################## - ## --## Read and write hugetlbfs files. -+## Execute hugetlbfs files. - ## - ## - ## -@@ -2088,12 +2659,13 @@ interface(`fs_manage_hugetlbfs_dirs',` - ## - ## - # --interface(`fs_rw_hugetlbfs_files',` -+interface(`fs_exec_hugetlbfs_files',` - gen_require(` - type hugetlbfs_t; - ') - -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ allow $1 hugetlbfs_t:dir list_dir_perms; -+ exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t) - ') - - ######################################## -@@ -2148,11 +2720,12 @@ interface(`fs_list_inotifyfs',` - ') - - allow $1 inotifyfs_t:dir list_dir_perms; -+ fs_read_anon_inodefs_files($1) - ') - - ######################################## - ## --## Dontaudit List inotifyfs filesystem. -+## Do not audit attempts to list inotifyfs filesystem. - ## - ## - ## -@@ -2297,14 +2870,332 @@ interface(`fs_getattr_iso9660_files',` - type iso9660_t; - ') - -- allow $1 iso9660_t:dir list_dir_perms; -- allow $1 iso9660_t:file getattr; -+ allow $1 iso9660_t:dir list_dir_perms; -+ allow $1 iso9660_t:file getattr; +') + +######################################## +## -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. ++## Execute hugetlbfs files. +## +## +## 
@@ -16514,38 +16518,36 @@ index 8416beb..1a164a7 100644 +## +## +# -+interface(`fs_read_iso9660_files',` ++interface(`fs_exec_hugetlbfs_files',` + gen_require(` -+ type iso9660_t; ++ type hugetlbfs_t; + ') + -+ allow $1 iso9660_t:dir list_dir_perms; -+ read_files_pattern($1, iso9660_t, iso9660_t) -+ read_lnk_files_pattern($1, iso9660_t, iso9660_t) ++ allow $1 hugetlbfs_t:dir list_dir_perms; ++ exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +') + -+ +######################################## +## -+## Mount kdbus filesystems. ++## Allow the type to associate to hugetlbfs filesystems. +## -+## ++## +## -+## Domain allowed access. ++## The type of the object to be associated. +## +## +# -+interface(`fs_mount_kdbus', ` ++interface(`fs_associate_hugetlbfs',` + gen_require(` -+ type kdbusfs_t; ++ type hugetlbfs_t; + ') + -+ allow $1 kdbusfs_t:filesystem mount; ++ allow $1 hugetlbfs_t:filesystem associate; +') + +######################################## +## -+## Remount kdbus filesystems. ++## Search inotifyfs filesystem. +## +## +## @@ -16553,17 +16555,17 @@ index 8416beb..1a164a7 100644 +## +## +# -+interface(`fs_remount_kdbus', ` ++interface(`fs_search_inotifyfs',` + gen_require(` -+ type kdbusfs_t; ++ type inotifyfs_t; + ') + -+ allow $1 kdbusfs_t:filesystem remount; ++ allow $1 inotifyfs_t:dir search_dir_perms; +') + +######################################## +## -+## Unmount kdbus filesystems. ++## List inotifyfs filesystem. +## +## +## 
@@ -16571,41 +16573,317 @@ index 8416beb..1a164a7 100644 +## +## +# -+interface(`fs_unmount_kdbus', ` ++interface(`fs_list_inotifyfs',` + gen_require(` -+ type kdbusfs_t; ++ type inotifyfs_t; + ') + -+ allow $1 kdbusfs_t:filesystem unmount; ++ allow $1 inotifyfs_t:dir list_dir_perms; ++ fs_read_anon_inodefs_files($1) +') + +######################################## +## -+## Get attributes of kdbus filesystems. ++## Do not audit attempts to list inotifyfs filesystem. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`fs_getattr_kdbus',` ++interface(`fs_dontaudit_list_inotifyfs',` + gen_require(` -+ type kdbusfs_t; ++ type inotifyfs_t; + ') + -+ allow $1 kdbusfs_t:filesystem getattr; ++ dontaudit $1 inotifyfs_t:dir list_dir_perms; +') + +######################################## +## -+## Search kdbusfs directories. ++## Create an object in a hugetlbfs filesystem, with a private ++## type using a type transition. +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`fs_hugetlbfs_filetrans',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $2 hugetlbfs_t:filesystem associate; ++ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Mount an iso9660 filesystem, which ++## is usually used on CDs. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`fs_mount_iso9660_fs',` + gen_require(` +- type fusefs_t; ++ type iso9660_t; + ') + +- dontaudit $1 fusefs_t:file manage_file_perms; ++ allow $1 iso9660_t:filesystem mount; + ') + + ######################################## + ## +-## Read symbolic links on a FUSEFS filesystem. 
++## Remount an iso9660 filesystem, which ++## is usually used on CDs. This allows ++## some mount options to be changed. + ## + ## + ## +@@ -2014,19 +2807,18 @@ interface(`fs_dontaudit_manage_fusefs_files',` + ## + ## + # +-interface(`fs_read_fusefs_symlinks',` ++interface(`fs_remount_iso9660_fs',` + gen_require(` +- type fusefs_t; ++ type iso9660_t; + ') + +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 iso9660_t:filesystem remount; + ') + + ######################################## + ## +-## Get the attributes of an hugetlbfs +-## filesystem. ++## Unmount an iso9660 filesystem, which ++## is usually used on CDs. + ## + ## + ## +@@ -2034,35 +2826,38 @@ interface(`fs_read_fusefs_symlinks',` + ## + ## + # +-interface(`fs_getattr_hugetlbfs',` ++interface(`fs_unmount_iso9660_fs',` + gen_require(` +- type hugetlbfs_t; ++ type iso9660_t; + ') + +- allow $1 hugetlbfs_t:filesystem getattr; ++ allow $1 iso9660_t:filesystem unmount; + ') + + ######################################## + ## +-## List hugetlbfs. ++## Get the attributes of an iso9660 ++## filesystem, which is usually used on CDs. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_list_hugetlbfs',` ++interface(`fs_getattr_iso9660_fs',` + gen_require(` +- type hugetlbfs_t; ++ type iso9660_t; + ') + +- allow $1 hugetlbfs_t:dir list_dir_perms; ++ allow $1 iso9660_t:filesystem getattr; + ') + + ######################################## + ## +-## Manage hugetlbfs dirs. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. 
+ ## + ## + ## +@@ -2070,17 +2865,19 @@ interface(`fs_list_hugetlbfs',` + ## + ## + # +-interface(`fs_manage_hugetlbfs_dirs',` ++interface(`fs_getattr_iso9660_files',` + gen_require(` +- type hugetlbfs_t; ++ type iso9660_t; + ') + +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $1 iso9660_t:dir list_dir_perms; ++ allow $1 iso9660_t:file getattr; + ') + + ######################################## + ## +-## Read and write hugetlbfs files. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. + ## + ## + ## +@@ -2088,35 +2885,38 @@ interface(`fs_manage_hugetlbfs_dirs',` + ## + ## + # +-interface(`fs_rw_hugetlbfs_files',` ++interface(`fs_read_iso9660_files',` + gen_require(` +- type hugetlbfs_t; ++ type iso9660_t; + ') + +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $1 iso9660_t:dir list_dir_perms; ++ read_files_pattern($1, iso9660_t, iso9660_t) ++ read_lnk_files_pattern($1, iso9660_t, iso9660_t) + ') + ++ + ######################################## + ## +-## Allow the type to associate to hugetlbfs filesystems. ++## Mount kdbus filesystems. + ## +-## ++## + ## +-## The type of the object to be associated. ++## Domain allowed access. + ## + ## + # +-interface(`fs_associate_hugetlbfs',` ++interface(`fs_mount_kdbus', ` + gen_require(` +- type hugetlbfs_t; ++ type kdbusfs_t; + ') + +- allow $1 hugetlbfs_t:filesystem associate; ++ allow $1 kdbusfs_t:filesystem mount; + ') + + ######################################## + ## +-## Search inotifyfs filesystem. ++## Remount kdbus filesystems. + ## + ## + ## +@@ -2124,17 +2924,17 @@ interface(`fs_associate_hugetlbfs',` + ## + ## + # +-interface(`fs_search_inotifyfs',` ++interface(`fs_remount_kdbus', ` + gen_require(` +- type inotifyfs_t; ++ type kdbusfs_t; + ') + +- allow $1 inotifyfs_t:dir search_dir_perms; ++ allow $1 kdbusfs_t:filesystem remount; + ') + + ######################################## + ## +-## List inotifyfs filesystem. ++## Unmount kdbus filesystems. 
+ ## + ## + ## +@@ -2142,71 +2942,134 @@ interface(`fs_search_inotifyfs',` + ## + ## + # +-interface(`fs_list_inotifyfs',` ++interface(`fs_unmount_kdbus', ` + gen_require(` +- type inotifyfs_t; ++ type kdbusfs_t; + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; ++ allow $1 kdbusfs_t:filesystem unmount; + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. ++## Get attributes of kdbus filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_list_inotifyfs',` ++interface(`fs_getattr_kdbus',` + gen_require(` +- type inotifyfs_t; ++ type kdbusfs_t; + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; ++ allow $1 kdbusfs_t:filesystem getattr; + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. ++## Search kdbusfs directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`fs_search_kdbus_dirs',` + gen_require(` @@ -16623,10 +16901,12 @@ index 8416beb..1a164a7 100644 +## Relabel kdbusfs directories. +## +## -+## + ## +-## The type of the object to be created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`fs_relabel_kdbus_dirs',` + gen_require(` @@ -16642,10 +16922,12 @@ index 8416beb..1a164a7 100644 +## List kdbusfs directories. +## +## -+## + ## +-## The object class of the object being created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`fs_list_kdbus_dirs',` + gen_require(` 
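Review bot: The relocated `fs_list_inotifyfs` body pairs `allow $1 inotifyfs_t:dir list_dir_perms;` with `fs_read_anon_inodefs_files($1)`, yet its summary still reads `List inotifyfs filesystem.`, so a caller that asks only to list the filesystem silently also receives read access to files on anon_inodefs without the interface documentation saying so; extend the summary to `## List inotifyfs filesystem. Also grants read access to files on an anon_inodefs filesystem.`. The two rules are moved here from the position shown removed in the `@@ -2148,11 +2720,12 @@` inner hunk rather than introduced by this commit, but the relocated block is where the broader grant should be spelled out, so that a reviewer auditing which domains can read anon inodes does not have to read the body of every "list" interface. `fs_dontaudit_list_inotifyfs` directly below it keeps the narrower dontaudit-only shape, which is fine.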
@@ -16681,107 +16963,137 @@ index 8416beb..1a164a7 100644 +## Delete kdbusfs directories. +## +## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_hugetlbfs_filetrans',` +interface(`fs_delete_kdbus_dirs', ` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type kdbusfs_t; -+ ') -+ + ') + +- allow $2 hugetlbfs_t:filesystem associate; +- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) + delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount an iso9660 filesystem, which +-## is usually used on CDs. +## Manage kdbusfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2214,19 +3077,19 @@ interface(`fs_hugetlbfs_filetrans',` + ## + ## + # +-interface(`fs_mount_iso9660_fs',` +interface(`fs_manage_kdbus_dirs',` -+ gen_require(` + gen_require(` +- type iso9660_t; +- ') + type kdbusfs_t; -+ + +- allow $1 iso9660_t:filesystem mount; + ') + manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+######################################## -+## ++ dev_search_sysfs($1) + ') + + ######################################## + ## +-## Remount an iso9660 filesystem, which +-## is usually used on CDs. This allows +-## some mount options to be changed. +## Read kdbusfs files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -2234,18 +3097,21 @@ interface(`fs_mount_iso9660_fs',` + ## + ## + # +-interface(`fs_remount_iso9660_fs',` +interface(`fs_read_kdbus_files',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type cgroup_t; + -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem remount; + read_files_pattern($1, kdbusfs_t, kdbusfs_t) + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unmount an iso9660 filesystem, which +-## is usually used on CDs. +## Write kdbusfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2253,38 +3119,61 @@ interface(`fs_remount_iso9660_fs',` + ## + ## + # +-interface(`fs_unmount_iso9660_fs',` +interface(`fs_write_kdbus_files', ` -+ gen_require(` + gen_require(` +- type iso9660_t; + type kdbusfs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem unmount; + write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of an iso9660 +-## filesystem, which is usually used on CDs. +## Read and write kdbusfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_getattr_iso9660_fs',` +interface(`fs_rw_kdbus_files',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type kdbusfs_t; + -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem getattr; + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read files on an iso9660 filesystem, which +-## is usually used on CDs. 
+## Do not audit attempts to open, +## get attributes, read and write +## cgroup files. @@ -16803,19 +17115,23 @@ index 8416beb..1a164a7 100644 +######################################## +## +## Manage kdbusfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2292,19 +3181,21 @@ interface(`fs_getattr_iso9660_fs',` + ## + ## + # +-interface(`fs_getattr_iso9660_files',` +interface(`fs_manage_kdbus_files',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type kdbusfs_t; + -+ ') -+ + ') + +- allow $1 iso9660_t:dir list_dir_perms; +- allow $1 iso9660_t:file getattr; + manage_files_pattern($1, kdbusfs_t, kdbusfs_t) + manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) @@ -16851,11 +17167,17 @@ index 8416beb..1a164a7 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3288,24 @@ interface(`fs_getattr_nfs',` +@@ -2356,44 +3246,62 @@ interface(`fs_remount_nfs',` + type nfs_t; + ') - ######################################## - ## -+## Set the attributes of nfs directories. +- allow $1 nfs_t:filesystem remount; ++ allow $1 nfs_t:filesystem remount; ++') ++ ++######################################## ++## ++## Unmount a NFS filesystem. +## +## +## 
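Review bot: `fs_read_kdbus_files` declares `type cgroup_t;` in its `gen_require` block while every rule in its body targets `kdbusfs_t` (`read_files_pattern($1, kdbusfs_t, kdbusfs_t)` and `read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)`), so the stated requirement is wrong and the type actually used is not declared as required; change the line to `type kdbusfs_t;` as the neighbouring `fs_write_kdbus_files` and `fs_rw_kdbus_files` do. In a monolithic base build this probably still compiles because kdbusfs_t is declared in the same module, but the mismatch misleads anyone reading the requirement and breaks the convention every other interface in this file follows. The same hunk ends on a header reading `Do not audit attempts to open, get attributes, read and write cgroup files.` placed among the kdbusfs interfaces; the interface it introduces lies outside the hunk, so confirm whether that text should say kdbusfs files. These lines are carried over from the old placement rather than written by this commit, so the correction belongs in the patch body itself.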
@@ -16863,19 +17185,59 @@ index 8416beb..1a164a7 100644 +## +## +# -+interface(`fs_setattr_nfs_dirs',` ++interface(`fs_unmount_nfs',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:dir setattr; -+') -+ -+######################################## -+## - ## Search directories on a NFS filesystem. ++ allow $1 nfs_t:filesystem unmount; + ') + + ######################################## + ## +-## Unmount a NFS filesystem. ++## Get the attributes of a NFS filesystem. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_unmount_nfs',` ++interface(`fs_getattr_nfs',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:filesystem unmount; ++ allow $1 nfs_t:filesystem getattr; + ') + + ######################################## + ## +-## Get the attributes of a NFS filesystem. ++## Set the attributes of nfs directories. ## ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_getattr_nfs',` ++interface(`fs_setattr_nfs_dirs',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:filesystem getattr; ++ allow $1 nfs_t:dir setattr; + ') + + ######################################## @@ -2485,6 +3393,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -17167,10 +17529,25 @@ index 8416beb..1a164a7 100644 ## ## Read and write NFS server files. ## -@@ -3281,6 +4363,42 @@ interface(`fs_rw_nfsd_fs',` - rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - ') +@@ -3283,6 +4365,59 @@ interface(`fs_rw_nfsd_fs',` + ######################################## + ## ++## Getattr files on an nsfs filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_nsfs_files',` ++ gen_require(` ++ type nsfs_t; ++ ') ++ ++ getattr_files_pattern($1, nsfs_t, nsfs_t) ++') +####################################### +## +## Read nsfs inodes (e.g. /proc/pid/ns/uts) 
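Review bot: The new `fs_getattr_nsfs_files` interface is inserted between an existing `########`/`##` header pair and the next separator, so its closing `++')` is immediately followed by the `#######################################` line of the `Read nsfs inodes` block with no blank line, and its summary `## Getattr files on an nsfs filesystem` lacks the terminating period every neighbouring summary carries; add an empty line after `')` and reword the summary to `## Get the attributes of files on an nsfs filesystem.`. The rule itself, `getattr_files_pattern($1, nsfs_t, nsfs_t)`, is the minimal grant for a caller that only needs to stat namespace inodes such as the `/proc/pid/ns/uts` example in the following block, so the body looks right; only the layout and wording need attention.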
@@ -17207,10 +17584,12 @@ index 8416beb..1a164a7 100644 + manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + - ######################################## - ## ++######################################## ++## ## Allow the type to associate to ramfs filesystems. -@@ -3392,7 +4510,7 @@ interface(`fs_search_ramfs',` + ## + ## +@@ -3392,7 +4527,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -17219,7 +17598,7 @@ index 8416beb..1a164a7 100644 ## ## ## -@@ -3429,7 +4547,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4564,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -17228,7 +17607,7 @@ index 8416beb..1a164a7 100644 ## ## ## -@@ -3447,7 +4565,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4582,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -17237,7 +17616,7 @@ index 8416beb..1a164a7 100644 ## ## ## -@@ -3779,6 +4897,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +4914,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -17262,7 +17641,7 @@ index 8416beb..1a164a7 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +4951,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4968,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -17287,7 +17666,7 @@ index 8416beb..1a164a7 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3839,39 +4993,76 @@ interface(`fs_getattr_tmpfs',` +@@ -3839,39 +5010,76 @@ interface(`fs_getattr_tmpfs',` ## ## ## @@ -17373,7 +17752,7 @@ index 8416beb..1a164a7 100644 ## ## ## -@@ -3879,36 +5070,35 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3879,36 +5087,35 @@ interface(`fs_relabelfrom_tmpfs',` ## ## # @@ -17417,7 +17796,7 @@ index 8416beb..1a164a7 100644 ## ## ## -@@ -3916,35 +5106,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,35 +5123,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # 
@@ -17461,7 +17840,7 @@ index 8416beb..1a164a7 100644 ## ## ## -@@ -3952,17 +5143,17 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5160,17 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -17482,7 +17861,7 @@ index 8416beb..1a164a7 100644 ## ## ## -@@ -3970,31 +5161,30 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5178,30 @@ interface(`fs_search_tmpfs',` ## ## # @@ -17520,7 +17899,7 @@ index 8416beb..1a164a7 100644 ') ######################################## -@@ -4105,7 +5295,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +5312,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -17529,7 +17908,7 @@ index 8416beb..1a164a7 100644 ') ######################################## -@@ -4165,6 +5355,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +5372,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -17554,7 +17933,7 @@ index 8416beb..1a164a7 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5410,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5427,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -17563,7 +17942,7 @@ index 8416beb..1a164a7 100644 ## ## ## -@@ -4221,6 +5429,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5446,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -17624,7 +18003,7 @@ index 8416beb..1a164a7 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5540,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5557,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -17669,7 +18048,7 @@ index 8416beb..1a164a7 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5597,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5614,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## 
@@ -17695,7 +18074,7 @@ index 8416beb..1a164a7 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4407,6 +5726,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5743,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -17721,7 +18100,7 @@ index 8416beb..1a164a7 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5841,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5858,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -17730,7 +18109,7 @@ index 8416beb..1a164a7 100644 ') ######################################## -@@ -4549,7 +5889,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5906,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -17739,7 +18118,7 @@ index 8416beb..1a164a7 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5936,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5953,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -17766,7 +18145,7 @@ index 8416beb..1a164a7 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6031,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6048,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -17792,7 +18171,7 @@ index 8416beb..1a164a7 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6291,63 @@ interface(`fs_unconfined',` +@@ -4912,3 +6308,63 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -24884,7 +25263,7 @@ index 76d9f66..5c271ce 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..3ad1b1f 100644 +index fe0c682..60003bc 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -25231,12 +25610,12 @@ index fe0c682..3ad1b1f 100644 - # transition back to normal privs upon exec - fs_cifs_domtrans($1_ssh_agent_t, $3) - ') -- ++ userdom_home_manager($1_ssh_agent_t) + - optional_policy(` - nis_use_ypbind($1_ssh_agent_t) - ') -+ userdom_home_manager($1_ssh_agent_t) - +- - optional_policy(` - xserver_use_xdm_fds($1_ssh_agent_t) - xserver_rw_xdm_pipes($1_ssh_agent_t) @@ -25251,7 +25630,7 @@ index fe0c682..3ad1b1f 100644 - allow $1 sshd_t:fifo_file { getattr read }; + allow $1 sshd_t:fifo_file read_fifo_file_perms; - ') ++') + +###################################### +## @@ -25269,7 +25648,7 @@ index fe0c682..3ad1b1f 100644 + ') + + allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms; -+') + ') + ######################################## ## 
@@ -25360,7 +25739,7 @@ index fe0c682..3ad1b1f 100644 ## Read ssh home directory content ## ## -@@ -701,6 +758,50 @@ interface(`ssh_domtrans_keygen',` +@@ -701,6 +758,68 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -25408,10 +25787,28 @@ index fe0c682..3ad1b1f 100644 + +######################################## +## ++## Getattr ssh server keys ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`ssh_getattr_server_keys',` ++ gen_require(` ++ type sshd_key_t; ++ ') ++ ++ allow $1 sshd_key_t:file getattr_file_perms; ++') ++ ++######################################## ++## ## Read ssh server keys ## ## -@@ -714,7 +815,26 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -714,7 +833,26 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -25439,7 +25836,7 @@ index fe0c682..3ad1b1f 100644 ') ###################################### -@@ -754,3 +874,151 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +892,151 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -26429,7 +26826,7 @@ index 8274418..12a5645 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..7d0c3c3 100644 +index 6bf0ecc..e6be63a 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,36 @@ @@ -27402,7 +27799,7 @@ index 6bf0ecc..7d0c3c3 100644 ') ######################################## -@@ -1111,8 +1412,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1412,28 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') 
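Review bot: The parameter summary of the new `ssh_getattr_server_keys` interface says `Domain to not audit.`, but its body is an `allow $1 sshd_key_t:file getattr_file_perms;` rule rather than a dontaudit, so the wording appears to have been copied from `ssh_dontaudit_read_server_keys` and should read `Domain allowed access.`. The title `Getattr ssh server keys` would also match the style of the adjacent `Read ssh server keys` better as `Get the attributes of ssh server keys.`. Granting only getattr on `sshd_key_t` exposes file metadata rather than key material, so the narrow rule is the right shape for a caller that merely needs to stat the host keys, and the documentation should not suggest it is a dontaudit.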
@@ -27411,10 +27808,28 @@ index 6bf0ecc..7d0c3c3 100644 domtrans_pattern($1, xserver_exec_t, xserver_t) + + allow xserver_t $1:process getpgid; ++') ++ ++######################################## ++## ++## Allow execute the X server. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`xserver_exec',` ++ gen_require(` ++ type xserver_exec_t; ++ ') ++ ++ can_exec($1, xserver_exec_t) ') ######################################## -@@ -1210,6 +1513,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -27440,7 +27855,7 @@ index 6bf0ecc..7d0c3c3 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1548,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -27467,7 +27882,7 @@ index 6bf0ecc..7d0c3c3 100644 ') ######################################## -@@ -1251,7 +1593,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -27476,7 +27891,7 @@ index 6bf0ecc..7d0c3c3 100644 ## ## ## -@@ -1261,13 +1603,27 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -27505,7 +27920,7 @@ index 6bf0ecc..7d0c3c3 100644 ') ######################################## -@@ -1284,10 +1640,662 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1658,662 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -33720,7 +34135,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') 
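Review bot: The new `xserver_exec` interface documents its parameter as `## Domain allowed to transition.`, yet its body is `can_exec($1, xserver_exec_t)`, which runs the X server binary in the caller's own domain with no transition to xserver_t; the wording was carried over from the `xserver_domtrans` interface directly above it. Use `## Domain allowed access.` and a summary such as `## Execute the X server in the caller's domain (no domain transition).` so readers do not assume the confined xserver_t domain is entered. Because `can_exec` includes `execute_no_trans` on top of the mmap/execute permissions, this interface hands out more than a stat or access check needs, which matters for the abrt caller added elsewhere in this update.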
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..4eb70c7 100644 +index 17eda24..528f36a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -34015,7 +34430,7 @@ index 17eda24..4eb70c7 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +323,243 @@ ifdef(`distro_gentoo',` +@@ -186,29 +323,247 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -34056,16 +34471,15 @@ index 17eda24..4eb70c7 100644 +optional_policy(` + kdump_read_crash(init_t) + kdump_read_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) + gnome_manage_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) + iscsi_manage_lock(init_t) +') @@ -34073,9 +34487,10 @@ index 17eda24..4eb70c7 100644 +optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_config(init_t) @@ -34231,9 +34646,9 @@ index 17eda24..4eb70c7 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + consolekit_manage_log(init_t) +') + @@ -34265,10 +34680,14 @@ index 17eda24..4eb70c7 100644 + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) ++') ++ ++optional_policy(` ++ ssh_getattr_server_keys(init_t) ') optional_policy(` -@@ -216,7 +567,30 @@ optional_policy(` +@@ -216,7 +571,30 @@ optional_policy(` ') optional_policy(` 
@@ -34300,7 +34719,7 @@ index 17eda24..4eb70c7 100644 ') ######################################## -@@ -225,9 +599,9 @@ optional_policy(` +@@ -225,9 +603,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -34312,7 +34731,7 @@ index 17eda24..4eb70c7 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +632,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +636,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -34329,7 +34748,7 @@ index 17eda24..4eb70c7 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +657,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +661,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -34372,7 +34791,7 @@ index 17eda24..4eb70c7 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +694,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +698,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -34384,7 +34803,7 @@ index 17eda24..4eb70c7 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +706,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +710,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -34395,7 +34814,7 @@ index 17eda24..4eb70c7 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +717,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +721,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -34405,7 +34824,7 @@ index 17eda24..4eb70c7 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +726,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +730,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -34413,7 +34832,7 @@ index 17eda24..4eb70c7 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +733,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +737,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -34421,7 +34840,7 @@ index 17eda24..4eb70c7 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +741,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +745,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -34439,7 +34858,7 @@ index 17eda24..4eb70c7 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +759,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +763,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -34453,7 +34872,7 @@ index 17eda24..4eb70c7 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +774,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +778,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -34467,7 +34886,7 @@ index 17eda24..4eb70c7 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +787,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +791,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -34478,7 +34897,7 @@ index 17eda24..4eb70c7 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +800,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +804,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -34486,7 +34905,7 @@ index 17eda24..4eb70c7 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +819,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +823,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -34510,7 +34929,7 @@ index 17eda24..4eb70c7 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +852,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +856,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -34518,7 +34937,7 @@ index 17eda24..4eb70c7 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +886,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +890,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -34529,7 +34948,7 @@ index 17eda24..4eb70c7 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +910,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +914,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -34538,7 +34957,7 @@ index 17eda24..4eb70c7 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +925,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +929,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -34546,7 +34965,7 @@ index 17eda24..4eb70c7 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +946,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +950,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -34554,7 +34973,7 @@ index 17eda24..4eb70c7 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +956,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +960,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -34599,7 +35018,7 @@ index 17eda24..4eb70c7 100644 ') optional_policy(` -@@ -559,14 +1001,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1005,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -34631,7 +35050,7 @@ index 17eda24..4eb70c7 100644 ') ') -@@ -577,6 +1036,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1040,39 @@ ifdef(`distro_suse',` ') ') @@ -34671,7 +35090,7 @@ index 17eda24..4eb70c7 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1081,8 @@ optional_policy(` +@@ -589,6 +1085,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -34680,7 +35099,7 @@ index 17eda24..4eb70c7 100644 ') optional_policy(` -@@ -610,6 +1104,7 @@ optional_policy(` +@@ -610,6 +1108,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -34688,7 +35107,7 @@ index 17eda24..4eb70c7 100644 ') optional_policy(` -@@ -626,6 +1121,17 @@ optional_policy(` +@@ -626,6 +1125,17 @@ optional_policy(` ') optional_policy(` @@ -34706,7 +35125,7 @@ index 17eda24..4eb70c7 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1148,13 @@ optional_policy(` +@@ -642,9 +1152,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -34720,7 +35139,7 @@ index 17eda24..4eb70c7 100644 ') optional_policy(` -@@ -657,15 +1167,11 @@ optional_policy(` +@@ -657,15 +1171,11 @@ optional_policy(` ') optional_policy(` @@ -34738,7 +35157,7 @@ index 17eda24..4eb70c7 100644 ') optional_policy(` -@@ -686,6 +1192,15 @@ optional_policy(` +@@ -686,6 +1196,15 @@ optional_policy(` ') optional_policy(` @@ -34754,7 +35173,7 @@ index 17eda24..4eb70c7 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1241,7 @@ optional_policy(` +@@ -726,6 +1245,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -34762,7 +35181,7 @@ index 17eda24..4eb70c7 100644 ') optional_policy(` -@@ -743,7 +1259,13 @@ optional_policy(` +@@ -743,7 +1263,13 @@ optional_policy(` ') optional_policy(` @@ -34777,7 +35196,7 @@ index 17eda24..4eb70c7 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1288,10 @@ optional_policy(` +@@ -766,6 +1292,10 @@ optional_policy(` ') optional_policy(` @@ -34788,7 +35207,7 @@ index 17eda24..4eb70c7 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1301,20 @@ optional_policy(` +@@ -775,10 +1305,20 @@ optional_policy(` ') optional_policy(` 
@@ -34809,7 +35228,7 @@ index 17eda24..4eb70c7 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1323,10 @@ optional_policy(` +@@ -787,6 +1327,10 @@ optional_policy(` ') optional_policy(` @@ -34820,7 +35239,7 @@ index 17eda24..4eb70c7 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1348,6 @@ optional_policy(` +@@ -808,8 +1352,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -34829,7 +35248,7 @@ index 17eda24..4eb70c7 100644 ') optional_policy(` -@@ -818,6 +1356,10 @@ optional_policy(` +@@ -818,6 +1360,10 @@ optional_policy(` ') optional_policy(` @@ -34840,7 +35259,7 @@ index 17eda24..4eb70c7 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1369,12 @@ optional_policy(` +@@ -827,10 +1373,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -34853,7 +35272,7 @@ index 17eda24..4eb70c7 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1401,60 @@ optional_policy(` +@@ -857,21 +1405,60 @@ optional_policy(` ') optional_policy(` @@ -34915,7 +35334,7 @@ index 17eda24..4eb70c7 100644 ') optional_policy(` -@@ -887,6 +1470,10 @@ optional_policy(` +@@ -887,6 +1474,10 @@ optional_policy(` ') optional_policy(` @@ -34926,7 +35345,7 @@ index 17eda24..4eb70c7 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1484,218 @@ optional_policy(` +@@ -897,3 +1488,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 81a1fe2..b31e8a4 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..5ad038c 100644 +index eb50f07..11582eb 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) 
@@ -839,9 +839,9 @@ index eb50f07..5ad038c 100644 +logging_read_syslog_pid(abrt_t) + +auth_use_nsswitch(abrt_t) - -+init_read_utmp(abrt_t) + ++init_read_utmp(abrt_t) + +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) +miscfiles_dontaudit_access_check_cert(abrt_t) @@ -1044,7 +1044,7 @@ index eb50f07..5ad038c 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +468,71 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +468,76 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1109,6 +1109,7 @@ index eb50f07..5ad038c 100644 +fs_getattr_all_fs(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) +fs_list_pstorefs(abrt_dump_oops_t) ++fs_getattr_nsfs_files(abrt_dump_oops_t) + +selinux_compute_create_context(abrt_dump_oops_t) @@ -1117,10 +1118,14 @@ index eb50f07..5ad038c 100644 +logging_send_syslog_msg(abrt_dump_oops_t) + +init_read_var_lib_files(abrt_dump_oops_t) ++ ++optional_policy(` ++ xserver_exec(abrt_dump_oops_t) ++') ####################################### # -@@ -404,25 +540,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +545,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1183,7 +1188,7 @@ index eb50f07..5ad038c 100644 ') ####################################### -@@ -430,10 +601,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +606,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -28320,7 +28325,7 @@ index 21d7b84..0e272bd 100644 /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if -index c62c567..2d9e254 100644 +index c62c567..a74f123 100644 --- a/firewalld.if +++ b/firewalld.if @@ -2,7 +2,7 @@ 
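Review bot: `xserver_exec(abrt_dump_oops_t)` grants more than the changelog entry for it describes ("check permissions for a /usr/bin/Xorg"): `can_exec` carries `execute_no_trans` plus the mmap/execute permissions, so abrt_dump_oops_t can actually run the Xorg binary in its own domain rather than merely probe its mode. A stat needs `getattr` and an access(2) X_OK probe needs `execute` on `xserver_exec_t`, so a narrower interface in xserver.if exposing just those permissions (or a dontaudit, if the probe is expected to fail) would keep the crash-dump domain from gaining an executable it never has to launch. If abrt really does execute Xorg, the changelog wording should say so and the grant is fine as written; either way a comment above the call, e.g. `# abrt-dump-oops probes /usr/bin/Xorg; see rhbz#1284967`, would record why a log parser touches the X server binary.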
@@ -28401,7 +28406,7 @@ index c62c567..2d9e254 100644 ## ## ## -@@ -51,18 +93,37 @@ interface(`firewalld_dbus_chat',` +@@ -51,18 +93,55 @@ interface(`firewalld_dbus_chat',` ## ## # @@ -28413,12 +28418,10 @@ index c62c567..2d9e254 100644 - dontaudit $1 firewalld_tmp_t:file { read write }; + dontaudit $1 firewalld_tmp_t:file write; - ') - - ######################################## - ## --## All of the rules required to --## administrate an firewalld environment. ++') ++ ++######################################## ++## +## Read firewalld PID files. +## +## @@ -28438,12 +28441,32 @@ index c62c567..2d9e254 100644 + +######################################## +## ++## Dontaudit read and write leaked firewalld file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`firewalld_dontaudit_leaks',` ++ gen_require(` ++ type firewalld_tmpfs_t; ++ ') ++ ++ dontaudit $1 firewalld_tmpfs_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an firewalld environment. +## All of the rules required to administrate +## an firewalld environment ## ## ## -@@ -79,14 +140,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',` +@@ -79,14 +158,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',` interface(`firewalld_admin',` gen_require(` type firewalld_t, firewalld_initrc_exec_t; @@ -28465,7 +28488,7 @@ index c62c567..2d9e254 100644 domain_system_change_exemption($1) role_transition $2 firewalld_initrc_exec_t system_r; allow $2 system_r; -@@ -97,6 +162,9 @@ interface(`firewalld_admin',` +@@ -97,6 +180,9 @@ interface(`firewalld_admin',` logging_search_logs($1) admin_pattern($1, firewalld_var_log_t) @@ -29656,13 +29679,15 @@ index 36838c2..8bfc879 100644 -') diff --git a/fwupd.fc b/fwupd.fc new file mode 100644 -index 0000000..1f13f70 +index 0000000..859dc40 --- /dev/null 
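Review bot: The new `firewalld_dontaudit_leaks` interface silences `rw_inherited_file_perms` on `firewalld_tmpfs_t` files for any caller, which hides a descriptor leak in firewalld rather than fixing it, and such dontaudits tend to outlive the bug they paper over; this is also the only entry in the update's changelog without a bug reference. Suggest a comment above the interface naming the leak and the consumer it was added for, with a tracker placeholder if none exists yet, e.g. `# firewalld leaks a tmpfs fd into spawned helpers; silence until <BUG-ID> is fixed`. The summary should also name the scope precisely, e.g. `## Do not audit attempts to read or write leaked firewalld tmpfs file descriptors.`, since the interface name suggests broader coverage than the single `firewalld_tmpfs_t:file` rule it contains.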
+++ b/fwupd.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,10 @@ +/usr/lib/systemd/system/fwupd-offline-update.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0) +/usr/lib/systemd/system/fwupd.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0) + ++/etc/pki/(fwupd|fwupd-metadata)(/.*)? gen_context(system_u:object_r:fwupd_cert_t,s0) ++ +/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) + +/var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0) @@ -29936,10 +29961,10 @@ index 0000000..c4d2c2d +') diff --git a/fwupd.te b/fwupd.te new file mode 100644 -index 0000000..53ba6cd +index 0000000..3dd3dc8 --- /dev/null +++ b/fwupd.te -@@ -0,0 +1,50 @@ +@@ -0,0 +1,60 @@ +policy_module(fwupd, 1.0.0) + +######################################## @@ -29954,6 +29979,9 @@ index 0000000..53ba6cd +type fwupd_cache_t; +files_type(fwupd_cache_t) + ++type fwupd_cert_t; ++miscfiles_cert_type(fwupd_cert_t) ++ +type fwupd_var_lib_t; +files_type(fwupd_var_lib_t) + @@ -29973,6 +30001,10 @@ index 0000000..53ba6cd +manage_lnk_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t) +files_var_filetrans(fwupd_t, fwupd_cache_t, { dir }) + ++allow fwupd_t fwupd_cert_t:dir list_dir_perms; ++read_files_pattern(fwupd_t, fwupd_cert_t, fwupd_cert_t) ++read_lnk_files_pattern(fwupd_t, fwupd_cert_t, fwupd_cert_t) ++ +manage_dirs_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t) +manage_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t) +manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t) @@ -29989,6 +30021,9 @@ index 0000000..53ba6cd + +optional_policy(` + dbus_system_domain(fwupd_t,fwupd_exec_t) ++ optional_policy(` ++ policykit_dbus_chat(fwupd_t) ++ ') +') diff --git a/games.if b/games.if index e2a3e0d..50ebd40 100644 @@ -74520,7 +74555,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..8ccefd5 100644 +index d616ca3..e4fc9c0 100644 --- a/ppp.te +++ b/ppp.te 
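Review bot: The gpg domain transition announced in the changelog (`Allow fwupd domain transition to gpg domain`) does not appear in the fwupd.te hunks visible here, which add only the `fwupd_cert_t` type, its read rules and the policykit D-Bus chat; if that rule sits in a hunk outside this view, fine, otherwise the changelog overstates the change. The `fwupd_cert_t` handling itself has the right shape for verification material — `miscfiles_cert_type`, `list_dir_perms` on the directory and read-only file/symlink patterns, with no manage rule — so fwupd cannot alter its own trust store. A one-line comment above those rules, e.g. `# /etc/pki/fwupd*: certificates fwupd verifies against; read-only by design`, would keep a later "fwupd needs to write here" request from being waved through without thought.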
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -74649,13 +74684,14 @@ index d616ca3..8ccefd5 100644 manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) -+manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) - files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) - +-files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) +- -can_exec(pppd_t, pppd_exec_t) - -domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) -- ++manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) ++files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file sock_file }) + allow pppd_t pptp_t:process signal; +# for SSP @@ -75040,7 +75076,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index 8e26216..d59dc50 100644 +index 8e26216..98068fc 100644 --- a/prelink.te +++ b/prelink.te @@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0) @@ -75186,7 +75222,8 @@ index 8e26216..d59dc50 100644 optional_policy(` allow prelink_cron_system_t self:capability setuid; - allow prelink_cron_system_t self:process { setsched setfscreate signal }; +- allow prelink_cron_system_t self:process { setsched setfscreate signal }; ++ allow prelink_cron_system_t self:process { setsched setfscreate signal setrlimit }; allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; - allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms; + allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; @@ -107315,22 +107352,23 @@ index 9b95c3e..a892845 100644 init_labeled_script_domtrans($1, ulogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/ulogd.te b/ulogd.te -index de35e5f..51f2763 100644 +index de35e5f..91cac11 100644 --- a/ulogd.te 
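Review bot: The upstream `files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })` line is not removed anywhere in this view, although the new patch adds `+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file sock_file })`; in the same ppp.te hunk the old patch's inner removals of `can_exec(pppd_t, pppd_exec_t)` and `domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)` also disappear without a visible counterpart. If those lines were merely reordered into a hunk outside this chunk, fine; if not, the regenerated ppp.te either keeps both filetrans rules (redundant but harmless, since the default type is the same) or, worse, regains the exec and pptp transition rules the previous patch deliberately dropped. Worth checking the applied ppp.te rather than the patch-of-a-patch, for example with `sesearch -T -s pppd_t` on the built policy. The sock_file addition itself lines up with the `manage_sock_files_pattern` rule added just above it.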
+++ b/ulogd.te -@@ -29,8 +29,10 @@ logging_log_file(ulogd_var_log_t) +@@ -29,8 +29,11 @@ logging_log_file(ulogd_var_log_t) allow ulogd_t self:capability { net_admin setuid setgid sys_nice }; allow ulogd_t self:process setsched; allow ulogd_t self:netlink_nflog_socket create_socket_perms; +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; allow ulogd_t self:netlink_socket create_socket_perms; -allow ulogd_t self:tcp_socket create_stream_socket_perms; ++allow ulogd_t self:netlink_netfilter_socket create_socket_perms; +allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; +allow ulogd_t self:udp_socket create_socket_perms; read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -@@ -42,10 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) +@@ -42,10 +45,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) diff --git a/selinux-policy.spec b/selinux-policy.spec index b76d5d8..7574896 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 169%{?dist} +Release: 170%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -664,6 +664,24 @@ exit 0 %endif %changelog +* Wed Feb 10 2016 Lukas Vrabec 3.13.1-170 +- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334 +- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426 +- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533 +- Add interface to dontaudit leaked files from firewalld +- fwupd needs to dbus chat with policykit +- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531 +- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967 +- Allow prelink_cron_system_t domain set resource limits. BZ(1190364) +- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666) +- Fix wrong name for openqa_websockets tcp port. +- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106 +- Add interface ssh_getattr_server_keys() interface. rhbz#1299106 +- Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312 +- Add interface fs_getattr_nsfs_files() +- Add interface xserver_exec(). +- Revert "Allow all domains some process flags."BZ(1190364) + * Wed Feb 03 2016 Lukas Vrabec 3.13.1-169 - Allow openvswitch domain capability sys_rawio. - Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)"